Security fundamentals
BlobBridge renders Azure Blob Storage inside SharePoint without copying data. Users interact with your storage account directly while SharePoint provides familiar navigation.
- Encryption: Require secure transfer (HTTPS only) and a minimum TLS version of 1.2 on the storage account. Azure Storage encrypts data at rest by default; enable customer-managed keys if mandated.
- CORS control: Restrict allowed origins to your SharePoint tenant domains so only trusted pages can call the storage account from a browser. CORS is a browser-side restriction, not an authorization control: anyone holding the SAS can still call the account from curl or a script, so the SAS permissions remain the real boundary.
- Networking: Combine firewalls, Private Endpoints or service endpoints to confine blob access to corporate networks when required.
Identity & access
- Authorization boundary: SharePoint governs page access; Azure Storage governs file access. Use container-scoped SAS tokens or Azure RBAC to determine which operations are allowed. Remember that a SAS stored in a web part's properties is readable by everyone who can read the page (including through the SharePoint REST API), so its permissions must be acceptable for that whole audience.
- Least privilege: Match SAS permissions to the scenario (read/list for publishing, add write/create/delete for contributors). Apply IP restrictions where possible.
- Managed identities: Reserve the Storage Blob Data Owner role for break-glass access. Grant automation identities only the role their task needs: Storage Blob Data Reader (or Storage Blob Delegator) is enough to request a user delegation key for a read/list SAS, and Storage Account Key Operator Service Role is enough to list the account key if long-lived SAS are signed with it.
Monitoring & compliance
- Enable storage resource logs (the StorageBlobLogs table) and stream them to Log Analytics or Microsoft Sentinel.
- Map SharePoint pages to blob containers in your configuration documentation for quicker incident response.
- Use Microsoft Purview to apply classification and retention policies to Azure Storage data.
Automating SAS Token Renewal for BlobBridge
Overview
Azure Storage SAS tokens expire for good reason. In production, rotate them automatically and update associated BlobBridge web parts before expiry so users never see an authentication error.
Recommended approach
1. Azure automation with Logic Apps or Azure Functions
Combine automation services to create, distribute and monitor tokens.
Reference architecture
- Azure Key Vault — stores the active SAS token with version history.
- Azure Function or Logic App — scheduled engine that generates new tokens.
- SharePoint REST or PnP API — updates BlobBridge web-part settings across pages.
- Azure Monitor — alerts when generation or updates fail.
2. Token lifecycle strategy
Design overlapping validity windows so that a valid token is always published and the previous one is still usable as a fallback.
- Generate tokens valid for 90 days.
- Issue and publish a replacement every 30 days, i.e. 60 days before the current token expires (this is the monthly timer used below).
- The outgoing token stays valid for a further 60 days, so you can roll back instantly if required. Note that issuing a new SAS never invalidates the old one; an account-key SAS can only be revoked early by regenerating the key that signed it.
Implementation options
Option A: Azure Function with managed identity (recommended)
Fully automated approach without stored credentials.
Requirements
- Function App with a system- or user-assigned managed identity.
- Managed identity granted the least role the signing method needs on the storage account: Storage Account Key Operator Service Role to list the account key for long-lived SAS, or Storage Blob Data Reader for a read/list user delegation SAS. Do not grant Storage Blob Data Owner to the automation identity.
- Managed identity granted application permissions on the target sites to update BlobBridge web parts (Sites.Selected scoped to those site collections is preferable to tenant-wide Sites.ReadWrite.All; a managed identity cannot use delegated Graph permissions because no user signs in).
- Key Vault permission to set and get secrets (Key Vault Secrets Officer under RBAC authorization, or an access policy with secret get/set).
High-level process
- Timer trigger runs monthly.
- Function generates a 90-day container SAS. A user delegation key is valid for at most seven days, so a user delegation SAS cannot cover a 90-day window: either sign with the account key fetched at run time through the managed identity's listKeys permission, or shorten the window to seven days and run the timer daily.
- SAS is stored in Key Vault as a new version.
- SharePoint pages using BlobBridge are identified and updated via REST or PnP.
- Results are logged and notifications are sent through Azure Monitor.
Benefits
- No credential storage or rotation.
- Scales across multiple containers and tenants.
- Produces an auditable history in Key Vault and Application Insights.
- Easily extended with ITSM or Teams notifications.
Option B: PowerShell script with Service Principal
Ideal for teams with existing automation runners.
# Connect to Azure as the automation service principal
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $credential
# Build a context with the account key: a SAS signed this way can be valid for 90 days.
# (An OAuth context with -UseConnectedAccount yields a user delegation SAS, which is capped at 7 days.)
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value
$context = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key
# Generate a read/list container SAS, HTTPS only, valid 90 days; the start time is
# backdated a few minutes so clock skew between hosts does not make it "not yet valid"
$sasToken = New-AzStorageContainerSASToken `
    -Name $containerName `
    -Context $context `
    -Permission rl `
    -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddDays(90) `
    -Protocol HttpsOnly
# Connect to SharePoint with the automation app. Certificate auth is shown; the
# -ClientId/-ClientSecret form uses SharePoint ACS app-only, which Microsoft is retiring.
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Tenant $tenantId -CertificatePath $certPath
# Find BlobBridge web parts and replace only their sasToken property
$pages = Get-PnPListItem -List "Site Pages" | Where-Object { $_.FieldValues.FileLeafRef -like "*.aspx" }
foreach ($page in $pages) {
    $pageName = $page.FieldValues.FileLeafRef
    $changed = $false
    foreach ($wp in (Get-PnPPageComponent -Page $pageName)) {
        if ($wp.WebPartId -eq "YOUR-BLOBBRIDGE-WEBPART-ID") {
            # -PropertiesJson replaces the whole property bag, so merge instead of overwriting
            $props = $wp.PropertiesJson | ConvertFrom-Json
            $props | Add-Member -NotePropertyName sasToken -NotePropertyValue $sasToken -Force
            Set-PnPPageComponent -Page $pageName `
                -InstanceId $wp.InstanceId `
                -PropertiesJson ($props | ConvertTo-Json -Compress)
            $changed = $true
        }
    }
    # Publish only the pages that were touched so readers load the new token
    if ($changed) { Set-PnPPage -Identity $pageName -Publish }
}
Deployment
- Schedule via Azure Automation, GitHub Actions, or on-prem Task Scheduler.
- Store credentials securely (Automation credential assets, Azure Key Vault, etc.).
- Run monthly and send confirmation emails/Teams posts.
Option C: Manual renewal with notifications
Useful for pilots or very small environments.
- Set calendar reminders 30 days prior to token expiry.
- Create a new SAS token in the Azure portal and save it securely.
- Edit each SharePoint page, update the BlobBridge web-part SAS field, then publish.
- Record the change and the next renewal date in your ops log.
SAS token generation best practices
- Grant only the permissions the scenario needs (read/list for publishing, add write/create/delete for collaboration).
- Enforce HTTPS-only and constrain IP ranges to corporate networks if feasible.
- Store SAS secrets exclusively in secure vaults; never commit them to source control.
Token expiration strategy example
Token 1: Valid Jan 1 - Mar 31 (90 days)
Token 2: Generated and published Feb 1, Valid Feb 1 - May 1 (90 days); Token 1 remains a fallback until Mar 31
Token 3: Generated and published Mar 1, Valid Mar 1 - May 31 (90 days); Token 2 remains a fallback until May 1
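The signing and validation logic behind the lifecycle and best-practice rules above, as an added example that is not BlobBridge or Azure SDK code: plain-Python service-SAS signing for one container (HMAC-SHA256 over the string-to-sign layout Azure documents for service versions 2020-12-06 and later), plus a pre-flight checker that lists why the service would reject a token (expired, not yet valid, HTTP instead of HTTPS, missing read/list, signed for another account or container) and a helper that tells the monthly job whether renewal is due. The account name, container, key and timestamps are constructed for the demo; in production generate the SAS with the Azure SDK or Az PowerShell and use this only to sanity-check a token before publishing it.

```python
"""Service-SAS signing and pre-flight validation for one container.

Added example, not BlobBridge or Azure SDK code. The string-to-sign layout is
the one Azure documents for service versions 2020-12-06 and later; account,
container, key and timestamps are constructed for the demo.
"""
import base64
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qs, urlencode

SV = "2021-06-08"
_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse(ts):
    return datetime.strptime(ts, _FMT)


def demo_key():
    """Constructed 32-byte account key, base64-encoded like a real one."""
    return base64.b64encode(b"\x01" * 32).decode()


def sign_container_sas(account, key_b64, container, permissions, start, expiry,
                       protocol="https", ip_range=""):
    """Return the SAS query string (leading '?') for one container.

    permissions: e.g. "rl" for read+list; start/expiry: ISO-8601 UTC strings.
    Least-privilege knobs: sp (permissions), se (expiry), spr (HTTPS only), sip (IP range).
    """
    fields = [
        permissions,                      # sp
        start,                            # st
        expiry,                           # se
        f"/blob/{account}/{container}",   # canonicalized resource
        "",                               # si  (stored access policy, unused)
        ip_range,                         # sip
        protocol,                         # spr
        SV,                               # sv
        "c",                              # sr  (container)
        "",                               # snapshot time
        "",                               # ses (encryption scope)
        "", "", "", "", "",               # rscc, rscd, rsce, rscl, rsct
    ]
    mac = hmac.new(base64.b64decode(key_b64), "\n".join(fields).encode(), hashlib.sha256)
    params = {"sv": SV, "sr": "c", "sp": permissions, "st": start, "se": expiry, "spr": protocol}
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = base64.b64encode(mac.digest()).decode()
    return "?" + urlencode(params)


def check_sas(query, account, key_b64, container, now, scheme="https", required="rl"):
    """Mimic the service's checks and list every reason the token would be rejected
    (empty list = accepted). now is an ISO-8601 UTC string like the token's se."""
    q = {k: v[0] for k, v in parse_qs(query.lstrip("?")).items()}
    problems = []
    if q.get("sr") != "c":
        problems.append("not a container SAS")
    for p in required:
        if p not in q.get("sp", ""):
            problems.append(f"missing '{p}' permission")
    now_dt = _parse(now)
    if "st" in q and now_dt < _parse(q["st"]):
        problems.append("not yet valid (check clock skew)")
    if "se" not in q or now_dt >= _parse(q["se"]):
        problems.append("expired")
    if q.get("spr") == "https" and scheme != "https":
        problems.append("HTTPS required")
    # Re-derive the signature with our key: a token minted for another account or
    # container, or with edited parameters, will not match.
    expected = sign_container_sas(account, key_b64, container, q.get("sp", ""),
                                  q.get("st", ""), q.get("se", ""),
                                  q.get("spr", ""), q.get("sip", ""))
    expected_sig = parse_qs(expected[1:])["sig"][0]
    if not hmac.compare_digest(expected_sig, q.get("sig", "")):
        problems.append("signature mismatch (wrong key, account, container or tampered parameters)")
    return problems


def days_until_expiry(query, now):
    """Whole days left on the token's se at the given time (negative once expired)."""
    se = parse_qs(query.lstrip("?"))["se"][0]
    return (_parse(se) - _parse(now)).days


def renewal_due(query, now, lead_days=60):
    """True when the page's token should be replaced (60 days before expiry
    matches a 90-day token renewed monthly)."""
    return days_until_expiry(query, now) <= lead_days
```

Run check_sas against the token currently published on each page as part of the monitoring job: an empty list plus renewal_due returning False means the token can stay; anything else is what a user would otherwise discover as an authentication error.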
SharePoint web-part property updates
BlobBridge stores settings as JSON inside the page canvas (the page item's CanvasContent1 field). Automation should update only the SAS token value and leave the other properties as they are. Because the canvas is readable by every page reader, this is also where a page visitor can recover the token from.
Web-part properties schema (example)
{
"storageAccount": "mystorageaccount",
"containerName": "mycontainer",
"sasToken": "?sv=2021-06-08&sr=c&sp=rl&st=...&se=...&spr=https&sig=..."
}
Updating via PnP PowerShell
# -PropertiesJson replaces the whole property bag, so read, patch and write back
$wp = Get-PnPPageComponent -Page "Home.aspx" -InstanceId $webPartId
$properties = $wp.PropertiesJson | ConvertFrom-Json
$properties | Add-Member -NotePropertyName sasToken -NotePropertyValue $newSasToken -Force
Set-PnPPageComponent -Page "Home.aspx" `
    -InstanceId $webPartId `
    -PropertiesJson ($properties | ConvertTo-Json -Compress)
# Publish so readers receive the new token
Set-PnPPage -Identity "Home.aspx" -Publish
Updating via SharePoint REST API
// Read the page item; CanvasContent1 holds the web-part markup (JSON, HTML-encoded inside data-sp-webpartdata)
const item = `${siteUrl}/_api/web/getfilebyserverrelativeurl('${pageUrl}')/ListItemAllFields`;
const headers = { Accept: 'application/json;odata=nometadata', Authorization: `Bearer ${accessToken}` };
const { CanvasContent1 } = await (await fetch(item, { headers })).json();
// Replace only the sasToken value of the BlobBridge web part (parse, patch, re-encode), then MERGE the field back
const updatedCanvasContent = replaceSasToken(CanvasContent1, newSasToken); // your own parse-and-re-encode helper
await fetch(item, {
  method: 'POST',
  headers: { ...headers, 'Content-Type': 'application/json;odata=nometadata', 'X-HTTP-Method': 'MERGE', 'IF-MATCH': '*' },
  body: JSON.stringify({ CanvasContent1: updatedCanvasContent })
});
await fetch(`${siteUrl}/_api/web/getfilebyserverrelativeurl('${pageUrl}')/Publish('SAS rotated')`, { method: 'POST', headers }); // publish the page
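Both update paths above must change only the sasToken value. As an added example (not BlobBridge's, PnP's or SharePoint's code), the Python below does the canvas edit the REST path needs and the property merge the PnP path needs. It assumes, as on modern SharePoint pages, that each web part's JSON lives HTML-attribute-encoded in a data-sp-webpartdata attribute with id, instanceId and properties keys; the sample canvas, the manifest id and the tokens are constructed for the demo, so verify the attribute names against a real page before relying on it.

```python
"""Replace only the sasToken of BlobBridge web parts in a page's CanvasContent1.

Added example, not BlobBridge's, PnP's or SharePoint's code. Assumes each web
part sits in a data-sp-webpartdata attribute holding HTML-attribute-encoded
JSON with "id", "instanceId" and "properties"; sample canvas, manifest id and
tokens are constructed for the demo.
"""
import html
import json
import re

BLOBBRIDGE_ID = "11111111-2222-3333-4444-555555555555"   # assumed manifest id
_ATTR = re.compile(r'data-sp-webpartdata="([^"]*)"')


def _encode(data):
    # Compact JSON, then HTML-attribute-encode it the way the canvas stores it.
    return html.escape(json.dumps(data, separators=(",", ":")), quote=True)


def build_sample_canvas(sas_token):
    """Constructed canvas with one BlobBridge web part and one unrelated web part."""
    blob = {"id": BLOBBRIDGE_ID, "instanceId": "a1", "title": "BlobBridge",
            "properties": {"storageAccount": "mystorageaccount",
                           "containerName": "mycontainer", "sasToken": sas_token}}
    other = {"id": "99999999-0000-0000-0000-000000000000", "instanceId": "b2",
             "title": "Text", "properties": {"text": "hello"}}
    return "".join(
        '<div data-sp-canvascontrol="" data-sp-canvasdataversion="1.0">'
        f'<div data-sp-webpart="" data-sp-webpartdata="{_encode(w)}"></div></div>'
        for w in (blob, other))


def list_webparts(canvas, webpart_id):
    """Decode every web part with the given manifest id (e.g. to audit current tokens)."""
    out = []
    for m in _ATTR.finditer(canvas):
        data = json.loads(html.unescape(m.group(1)))
        if data.get("id") == webpart_id:
            out.append(data)
    return out


def rotate_sas_in_canvas(canvas, webpart_id, new_sas):
    """Return (new_canvas, replaced_count). Only properties.sasToken of matching
    web parts changes; other web parts and the rest of the markup stay byte-identical."""
    count = 0

    def repl(m):
        nonlocal count
        data = json.loads(html.unescape(m.group(1)))
        if data.get("id") != webpart_id:
            return m.group(0)          # different web part: leave untouched
        data.setdefault("properties", {})["sasToken"] = new_sas
        count += 1
        return f'data-sp-webpartdata="{_encode(data)}"'

    return _ATTR.sub(repl, canvas), count


def merge_properties_json(properties_json, new_sas):
    """For the PnP path: Set-PnPPageComponent -PropertiesJson replaces the whole
    property bag, so patch the existing JSON instead of sending only sasToken."""
    props = json.loads(properties_json)
    props["sasToken"] = new_sas
    return json.dumps(props, separators=(",", ":"))
```

Feed the CanvasContent1 value from the REST GET into rotate_sas_in_canvas and send the result back with MERGE; a replaced_count of zero on a page that should contain BlobBridge is worth an alert, since it usually means the manifest id or the attribute layout is not what the automation expects.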
Monitoring and alerts
- Alert 30 days before token expiry.
- Track automation runs and SharePoint updates; retry on transient failures.
- Log and alert on storage access errors referencing expired or malformed SAS tokens.
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where AuthenticationType == "SAS"
| where StatusCode in (401, 403)
| summarize Failures = count(), SampleUri = take_any(Uri) by StatusText, CallerIpAddress, bin(TimeGenerated, 1h)
| order by Failures desc
Security considerations
- Never embed SAS tokens in code repositories, wiki pages, or configuration files. The token BlobBridge stores in a page's web-part properties is visible to every reader of that page, so treat it as shared with that whole audience and keep it to read/list on the one container.
- Restrict automation identities to the containers they manage.
- Audit storage account activity and SharePoint changes for anomaly detection.
- Rotate tokens immediately following staff departures or vendor offboarding. A new SAS does not invalidate the previous one: to revoke early, regenerate the storage account key that signed it (this invalidates every SAS signed with that key, so reissue the others too) or, for SAS tied to a stored access policy, change or delete the policy.
Troubleshooting
- Web part shows authentication error — confirm the SAS token has not expired, that its start time is not in the future (sign with a start time a few minutes in the past to absorb clock skew), that it includes Read and List (sp=rl), and that it was signed for this account and container (a token copied from another container fails signature validation).
- Automation fails to update pages — verify SharePoint permissions, ensure the page is not checked out, and confirm the web part ID is correct.
- Token generation fails — check storage RBAC assignments, firewall settings, and network integration for the automation host.
Next steps
- Select the automation option that suits your operational maturity.
- Test the workflow in a development tenant before enabling production schedules.
- Document the implementation, monitoring, and manual fallback playbook.
- Enable ongoing monitoring and rehearse manual interventions.
Additional resources
- Azure Storage SAS token documentation
- PnP PowerShell documentation
- SharePoint Framework web part properties
Last updated: 22 Oct 2025