StorageIntermediate52 min read

What Does Shared access signature Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A shared access signature is a special link or token that lets someone access a specific file or folder in cloud storage for a limited time. You create it so others can upload, download, or list files without needing your main storage password. It’s like giving a hotel key card that only works for one room and expires after checkout.

Common Commands & Configuration

az storage blob generate-sas --account-name mystorageaccount --container-name mycontainer --name myblob.txt --permissions r --expiry 2025-12-31T23:59:00Z --https-only

Generates a service SAS token for a single blob with read-only permission, expiring at the end of 2025, restricted to HTTPS.

Tests understanding of generate-sas command, permission codes, expiry format (ISO 8601), and the --https-only flag which is required for security compliance.

az storage container generate-sas --account-name mystorageaccount --name mycontainer --permissions rl --expiry 2025-06-01T00:00:00Z --start 2025-05-01T00:00:00Z --auth-mode key

Generates a service SAS for a container with read and list permissions, valid for one month, starting May 1st, using the storage account key.

Tests the concept of start and expiry times to limit access window, and the --auth-mode parameter. The 'rl' code is common for download scenarios.

az storage account generate-sas --account-name mystorageaccount --services bfqt --resource-types sco --permissions rwdlacup --expiry 2025-01-01T00:00:00Z --https-only

Generates an account SAS that applies to blobs, files, queues, and tables for service and container-level resources, with all permissions, expiring Jan 1, 2025.

Tests account SAS scope (services and resource types) and the long permission string. Validates understanding that account SAS can do operations like 'get service stats'.

az storage container policy create --account-name mystorageaccount --container-name mycontainer --name MyPolicy --permissions rwl --expiry 2026-01-01T00:00:00Z

Creates a stored access policy named MyPolicy on a container, with read, write, and list permissions, expiring in 2026.

Tests creation of a stored access policy (SAP) which is used to centrally manage SAS tokens. The ability to revoke all SAS linked to this policy is a key exam concept.

az storage blob generate-sas --account-name mystorageaccount --container-name mycontainer --name myblob.txt --permissions r --expiry 2025-12-31T23:59:00Z --policy-name MyPolicy

Generates a service SAS that references an existing stored access policy (MyPolicy) for authorization, rather than inline expiry and permissions.

Tests the use of --policy-name to link a SAS to a stored access policy. The effective permissions are the intersection of the SAS and the policy. Exams often ask about this intersection.

New-AzStorageBlobSASToken -Container 'mycontainer' -Blob 'myblob.txt' -Permission 'r,d' -ExpiryTime (Get-Date).AddHours(1) -Protocol HttpsOnly -FullUri

PowerShell cmdlet to generate a SAS token for a blob with read and delete permissions, expiring in 1 hour, only HTTPS, and outputting the full URI.

Tests PowerShell syntax for SAS. The 'r,d' string uses comma-separated permissions. The -FullUri parameter is good for direct use. Exam may ask about timezone handling with Get-Date.

Shared access signature appears directly in 13exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

Shared access signatures appear in multiple certification exams, each with a different emphasis. In the Microsoft Azure AZ-104 exam, SAS is a core topic under 'Manage Azure storage.' You are expected to know the types of SAS (service, account, user delegation), how to configure them in the portal, and how to regenerate them using PowerShell or CLI. Exam questions often present a scenario where an organization needs to grant temporary access to a blob container for a partner. You must choose the correct SAS type and configure the appropriate permissions and expiration. They also ask about stored access policies as a way to centrally manage and revoke SAS tokens. Expect multiple-choice questions and case studies.

The SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam covers SAS at a conceptual level. You should understand that SAS is a way to provide secure delegated access to storage resources and that it differs from Azure AD authentication. Questions may ask which authentication method to use for external partners who do not have Azure AD credentials. The correct answer is often SAS. You might also see a question about the security advantage of SAS over sharing the storage account key.

In the CompTIA Security+ (SY0-601) exam, SAS falls under the domain of 'Technologies and Tools' related to cloud security and access control. You should know that a SAS token is a type of bearer token that grants time-limited access. Questions may compare SAS to other access control mechanisms like access keys or OAuth tokens. The exam expects you to recognize the risks of improperly configured SAS tokens, such as overly broad permissions or long expiration windows, and to know that SAS should always be transmitted over HTTPS.

The CISSP exam (ISC2) covers SAS under the 'Identity and Access Management' and 'Security Assessment and Testing' domains. The exam focuses on the principles behind SAS: least privilege, need-to-know, and separation of duties. You might be asked about the risks of delegating access using SAS and how to audit SAS token usage. The exam does not test specific Azure portal steps but rather the conceptual understanding of how SAS tokens work, how they are signed, and how they can be revoked.

The AWS SAA exam does not use the term 'shared access signature' because it is an Azure-specific feature. However, AWS has an equivalent called pre-signed URLs for S3. Some cross-platform questions might compare the two, but generally, SAS is an Azure-only concept. If you are taking AWS exams, focus on pre-signed URLs instead. For Azure-specific exams, SAS is a must-know.

In the MD-102 (Microsoft 365 Endpoint Administrator) and MS-102 (Microsoft 365 Administrator) exams, SAS appears in the context of mobile device management and file sharing. You might need to generate a SAS URL for an endpoint to upload diagnostics or configuration files to Azure Storage. Understanding the permissions and expiration settings is important for these scenarios.

Overall, exam questions on SAS test your ability to apply the concept in practical scenarios. They rarely ask for the exact syntax of a SAS token. Instead, they present a business need and ask you to select the correct approach. You should know the difference between service and account SAS, when to use a user delegation SAS, how stored access policies affect revocation, and the security best practices. Memorize the key parameters: permissions, expiration, allowed IPs, and protocol. Practice generating SAS tokens in the Azure portal to solidify your understanding.

Simple Meaning

Imagine you own a large apartment building with hundreds of storage lockers in the basement. The master key for the building can open every locker, and you never want to give that key to anyone because it would be too dangerous. But sometimes a friend needs to drop off a package in your locker, or a delivery person needs to leave a box in the building's common area. You can’t give them the master key, but you also don’t want to be there in person every time.

A shared access signature (SAS) is like giving someone a special key card that works only for one specific locker and only during certain hours. They can use that key card to open that locker, put something inside, or take something out. After the time runs out, the key card stops working. You don’t have to change the locks or worry about them copying the master key because the SAS token is self-contained and has strict permissions built right into it.

In the cloud storage world, your storage account has a master key that gives full control over everything in that account. When you create a SAS, you generate a token that includes the specific permissions you want to grant, the resource you are granting access to, and an expiration time. The person who receives the SAS URL can use it to access that resource until the token expires. The SAS is cryptographically signed with your account key, so it cannot be tampered with. If someone tries to change the expiration date or the permissions, the signature becomes invalid and the cloud service rejects the request.

There are different types of SAS depending on what you need to share. A service SAS lets someone access a specific blob, file, queue, or table. An account SAS gives broader permissions, like listing all containers or creating new ones, but still within a time limit. A user delegation SAS uses Azure Active Directory instead of the storage account key for signing, which is more secure. There is also a stored access policy, which is like a template for SAS tokens that you can manage centrally.

SAS tokens are very common in real-world applications. For example, a photo sharing app might generate a SAS URL for each photo so that only the intended recipients can view it. A backup service might use a SAS to let a server write backup files to a storage container without needing the full account key. A web application might let users upload profile pictures by giving them a SAS URL that allows writing to a specific folder.

The security of a SAS depends on how carefully you set the permissions and expiration. If you give too many permissions or set a very long expiration, you increase the risk. A best practice is to use the shortest expiration time that makes sense for your scenario and to grant only the minimum permissions needed. Also, always use HTTPS to protect the SAS token in transit. If a SAS token is leaked, it can be used by anyone until it expires, so you should have a way to revoke it by changing the storage account key or by using a stored access policy.

Full Technical Definition

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. It is a token appended to the query string of a storage service URL, consisting of a series of parameters that specify the permissions, time constraints, and cryptographic signature. The SAS is signed using either the storage account key or a user delegation key derived from Azure Active Directory credentials. This signing process ensures that any modification to the SAS parameters invalidates the token, as the signature is computed over them.

The most common form is the service SAS, which delegates access to a specific resource within a storage account, such as a single blob, file share, queue message, or table entity. An account SAS, introduced with Azure Storage REST API version 2015-04-05, extends this to the account level, allowing operations like listing containers, creating containers, and setting service properties. A user delegation SAS is signed with Azure AD credentials and can only be used to access blob storage. It provides an additional layer of security by decoupling access from the storage account key.

A SAS URL typically includes the following parameters: `sv` (storage service version), `se` (expiry time), `sr` (resource type, e.g., blob, container, file, share), `sp` (permissions, e.g., read, write, delete, list), `spr` (protocol, e.g., HTTPS only), `sig` (the HMAC signature), and possibly `sip` (allowed IP addresses or ranges). The exact set of parameters depends on the SAS type and version. The service parses these parameters, validates the signature, and enforces the specified constraints before processing the request.

The cryptographic signature is generated using HMAC-SHA256. For a service SAS, the signing key is either the storage account key (key1 or key2) or a stored access policy key. For a user delegation SAS, the signing key is obtained from Azure AD via the `Get User Delegation Key` operation, which requires the caller to have the `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` permission. The signed string includes the canonicalized resource path and all the SAS parameters in a fixed order.

Stored access policies provide an additional management layer. A stored access policy is defined on a container, file share, queue, or table. It specifies one or more permissions and a start/expiry time. A SAS can reference a stored access policy by including the `signedidentifier` parameter (`si`). If a stored access policy is modified or deleted, all SAS tokens that reference it are affected. This allows administrators to revoke access en masse without regenerating storage account keys. However, if a SAS does not reference a stored access policy, the only way to revoke it is to rotate the storage account key.

From a networking perspective, SAS tokens are transmitted over HTTPS to prevent interception. The `spr` parameter can enforce that the SAS is only usable over HTTPS. The `sip` parameter restricts the token to specific IP addresses or CIDR ranges, adding a network-level security boundary. The `sddc` parameter (SupportedAzureStorageDataPlaneContext) is used internally by Microsoft to scope the SAS to specific data plane capabilities.

In practice, SAS tokens are generated programmatically using Azure Storage SDKs, REST APIs, Azure CLI, PowerShell, or the Azure portal. For example, in a .NET application, you can use the `BlobSasBuilder` class to set permissions, expiration, and resource identifiers, then call `GenerateSasUri()` to produce the full URL. The token is typically short-lived, with expiration times measured in minutes or hours, not days. For long-lived delegation, Azure AD authentication is preferred over SAS.

SAS tokens are also used in hybrid scenarios. On-premises applications can use a SAS to upload data directly to Azure Storage without exposing the account key. Similarly, a SAS can be generated by a middleware service that then distributes it to downstream clients, enabling a secure, scalable architecture where the middleware controls access. The SAS token is essentially a bearer token: anyone who possesses it can use it within its constraints. Therefore, it must be protected as if it were a password.

Several security considerations are critical. First, always use HTTPS to prevent token interception. Second, set the shortest reasonable expiration window to limit the window of opportunity if a token is compromised. Third, grant the minimum permissions needed (principle of least privilege). Fourth, consider using a stored access policy to allow centralized revocation. Fifth, monitor SAS token usage through Azure Storage analytics logs to detect anomalous activity. Sixth, avoid embedding SAS tokens in client-side code where they can be inspected. Instead, generate them server-side and pass them to clients via secure channels.

SAS tokens are not the only way to secure Azure Storage. Azure AD authentication and managed identities are recommended for many scenarios, especially for applications running inside Azure. However, SAS remains essential for scenarios where the client cannot use Azure AD, such as external partners, mobile apps, or browser-based file uploads. Understanding when to use SAS versus other authentication methods is a key skill assessed in Microsoft Azure exams and other certification exams that cover cloud security.

Finally, SAS tokens have a size limit. A complete SAS URL can be quite long, sometimes exceeding 4 KB. This can be an issue when the token is passed in a query string that is already long, or when used with certain proxies or CDNs that have length restrictions. Some services, like Azure Functions, may have query string length limits. In such cases, using an account SAS with a stored access policy can reduce the token length because some parameters are moved into the policy.

Real-Life Example

Think of a shared access signature like a valet parking ticket. You drive your car to a restaurant and hand the keys to the valet. You trust that valet will park your car safely and return it when you are done. But you do not want the valet to be able to use your car to run personal errands, pick up other people, or drive across the country. So you give the valet a special, limited key card that starts the engine but does not open the glovebox or the trunk. You also tell the restaurant that the valet is only allowed to park between 7 PM and 10 PM. If the valet tries to use the key after 10 PM, the car will not start. If they try to open the trunk, the key card will not work.

This is exactly how a SAS token works. The storage account key is like the full set of car keys: it can do anything, and you never want to give it away. The SAS token is the limited key card. You create it with specific permissions: maybe only read access to a single file, or only write access to a specific folder. You set an expiration time. The SAS token is signed with your car's security system (the storage account key) so that the valet cannot modify the permissions or the expiration time without breaking the signature.

Now imagine you are a concert organizer. You have a shared folder (container) for backstage passes. The band manager needs to upload a guest list. The security team needs to read the list. The caterer needs to upload a menu. Instead of giving all of them your master password, you generate three different SAS URLs. One allows write-only access to the 'guestlist' blob until 5 PM. Another allows read-only access to the same blob until 8 PM. The third allows write-only access to a 'menu' blob in a different folder. Each SAS is a self-contained, time-limited key. If the security team's link is leaked on social media, it becomes useless after 8 PM. You do not need to change the master key. This is the power of SAS: granular, time-bound, revocable delegation without sharing the root credential.

In the cloud world, a service like Dropbox uses SAS-like tokens when you share a file link. The link includes a token that authenticates the request. That token has permissions (view, download) and an expiration (never, 7 days, 1 year). The difference is that Dropbox manages those tokens centrally. In Azure Storage, you generate the SAS yourself and you control every parameter. You can even generate a SAS that allows only read access over HTTPS from a specific IP address range, for a specific blob, lasting exactly one hour. That is an incredibly fine-grained security control.

Why This Term Matters

Shared access signatures are a cornerstone of secure cloud storage management because they allow you to grant external access without exposing your account keys. In any organization that uses Azure Storage, there will be scenarios where you need to share data with partners, customers, or internal services that do not have direct Azure AD integration. SAS provides that bridge securely.

From an operational perspective, SAS enables scalable architectures. Instead of routing all file uploads or downloads through a central server (which becomes a bottleneck and a single point of failure), you can generate SAS tokens on the server and distribute them to clients, who then interact directly with Azure Storage. This pattern offloads bandwidth and processing from your application servers and reduces latency for users. It is the same pattern used by large-scale services like GitHub for storing user-uploaded images.

Security professionals care about SAS because it enforces the principle of least privilege. You can set permissions as narrow as 'read access to one blob for one hour from one IP range.' If that token is compromised, the blast radius is minimal and the window of exposure is small. Compare that to storing an account key in a configuration file that grants full access forever. SAS token management is a key part of Azure security best practices.

For compliance and auditing, SAS tokens generate logs in Azure Storage analytics. You can see which token accessed which resource, from which IP, at what time. If a breach occurs, you can identify which token was used and revoke it by rotating the account key or modifying the associated stored access policy. This traceability is crucial for meeting regulatory requirements like GDPR, HIPAA, or SOC 2.

Finally, understanding SAS is critical for passing cloud certification exams. Microsoft exams like AZ-104, AZ-305, and SC-900 directly test your ability to choose between SAS, Azure AD authentication, and account keys. Security exams like CompTIA Security+ and CISSP cover SAS as a method of access control in cloud environments. You need to know when to use a service SAS versus an account SAS, how to generate one programmatically, and how to secure it properly.

How It Appears in Exam Questions

In certification exams, questions about shared access signatures typically fall into three categories: scenario-based, configuration-based, and troubleshooting.

Scenario-based questions present a business need. For example: 'A company has a storage account with sensitive financial data in blob containers. They need to allow an external auditor to view specific blobs for 48 hours. The auditor does not have an Azure AD account. Which solution should they use?' The correct answer involves generating a service SAS with read-only permissions and a 48-hour expiration. Distractors might include sharing the account key (too permissive), creating a new Azure AD user (overkill), or generating a SAS without an expiration (insecure).

Configuration questions ask about specific steps or parameters. For example: 'You need to generate a SAS token that allows a user to upload files to a container but not download or list existing files. Which permissions should you set?' The correct answer is 'Write' alone (no Read, List, or Delete). Another example: 'You want to ensure that a SAS token can only be used from your corporate network's IP range 10.0.0.0/8. Which parameter do you set?' The answer is the 'Allowed IP addresses' field (sip).

Troubleshooting questions present a failed scenario. For instance: 'A user reports that a SAS URL they received yesterday is not working today. The URL was generated with a 7-day expiration. What is the likely cause?' Possible answers could be 'The storage account key was rotated,' 'The stored access policy was modified,' or 'The SAS token was revoked by the administrator.' Each option tests your understanding of how SAS revocation works. Another troubleshooting scenario: 'A customer uploads files using a SAS URL, but the files are empty. What is the issue?' The answer might be that the SAS only has Read permissions, not Write, or that the expiration time passed before the upload completed.

Some questions compare SAS to other authentication methods. For example: 'When should you use a user delegation SAS instead of a service SAS?' The correct answer is when you want to delegate access using Azure AD credentials for improved security and auditability. Another question: 'Which of the following is a disadvantage of using a SAS without a stored access policy?' The answer is that revocation requires regenerating the storage account key, which disrupts other services.

Finally, expect questions on SAS limitations. For instance: 'A developer notices that a SAS URL is over 8 KB long and is causing HTTP 400 errors. What is the most likely reason?' The answer is that the URL is too long for some clients or proxies. The resolution is to use a stored access policy to shorten the token or use a different SAS type.

To prepare, practice generating SAS tokens in the Azure portal and via PowerShell. Understand each parameter in the SAS URI. Review the difference between service and account SAS, especially the scope of permissions allowed. Also study stored access policies and how they affect revocation. Use Azure documentation for exact syntax but focus on the concepts for exams.

Practise Shared access signature Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are an IT administrator at a company called Contoso. The marketing team needs to regularly share large video files with an external video production company. The files are stored in an Azure Blob Storage container named 'raw-footage'. Historically, the team shared the storage account key, which gave the production company full control over all the storage accounts. This is a security risk.

You decide to implement a shared access signature solution. First, you identify the specific blobs that need to be shared for a particular project. You create a new container called 'project-alpha' and upload the relevant video files. Then you generate a service SAS for this container with the following settings: permissions set to Read and List, expiration set to 14 days from now, allowed protocol set to HTTPS only, and allowed IP addresses set to the production company's public IP range.

You test the SAS URL by opening it in a private browser window. You are able to see the list of blobs and download individual files. You then share the SAS URL via a secure email to the production company contact. The contact can now download the files directly from Azure Storage without needing any other credentials.

After two weeks, the project is complete. You confirm that the SAS URL has expired and is no longer valid. The production company cannot access the files anymore. You have maintained full control over the access without ever exposing the account key. This scenario shows the real-world value of SAS: granular, time-limited, secure delegation.

Common Mistakes

Setting the SAS expiration date too far in the future, or never expiring.

A long-lived SAS token increases the window of opportunity if it is leaked. If the token is compromised, an attacker can access your storage resource for weeks, months, or indefinitely. This violates the security best practice of minimizing exposure.

Always set the shortest practical expiration time for your use case. For example, if a partner only needs access for 24 hours, set the expiration to 24 hours from now. Use stored access policies if you need a way to revoke tokens before they expire.

Granting more permissions than necessary (e.g., giving Read, Write, and Delete when Read only is needed).

Overly permissive tokens violate the principle of least privilege. If the token is exposed, the attacker can do more damage than intended. It also increases the risk of accidental deletion or modification by the authorized user.

Before generating the SAS, identify exactly which operations the recipient needs to perform. Use the minimum set of permissions required. For a download-only scenario, grant only Read permission and not Write or Delete.

Using an account SAS when a service SAS would suffice.

An account SAS grants permissions at the account level, potentially allowing the recipient to list all containers or create new ones. This is broader than needed and increases risk. A service SAS limits access to a specific resource (blob, container, queue, table, file share) and is more secure.

Use a service SAS when the recipient only needs access to a specific resource, such as a single container or blob. Reserve account SAS for scenarios where you need to allow account-level operations, like creating containers programmatically.

Sharing the SAS token over an insecure channel like plain HTTP or email without encryption.

If a SAS token is transmitted over clear text, it can be intercepted by a man-in-the-middle attack. The attacker can then use the token to access your storage resource. Email is not inherently encrypted, so the token could be read by anyone who gains access to the email account.

Always use HTTPS when generating or using a SAS URL. Share the token via a secure channel, such as an encrypted message service or a secure file transfer. When generating the SAS, set the allowed protocol to HTTPS only (spr=https).

Not using a stored access policy, making revocation difficult.

Without a stored access policy, the only way to revoke a SAS before its expiration is to regenerate the storage account key. This invalidates all SAS tokens signed with that key and can disrupt other services that rely on the same key. It is a heavy-handed approach.

Define a stored access policy on the container or resource. Generate the SAS token with a reference to that policy. If you need to revoke access, you can modify or delete the policy, which immediately invalidates all SAS tokens that use it. This gives you fine-grained revocation control.

Hardcoding a SAS token inside application code or exposing it in client-side scripts.

If a SAS token is hardcoded in source code, it can be extracted from version control history or compromised if the code repository is breached. If it is exposed in client-side JavaScript, anyone can view it. This defeats the purpose of security.

Generate SAS tokens server-side (on the backend) and deliver them to the client through a secure API call. Never embed them in static code. Use short-lived tokens that are generated on-demand.

Exam Trap — Don't Get Fooled

{"trap":"A learner sees a question asking for a way to allow an external partner to upload files to Azure Blob Storage for one week. They immediately choose 'Generate a SAS token with full permissions and a 1-week expiration' because that seems correct.","why_learners_choose_it":"Learners assume that since the partner needs to upload, they need 'Write' permission, and the duration is one week.

They may not consider that the partner might also need 'List' to see the uploaded files, or they might over-permission by including 'Read' and 'Delete' as well. They also might forget to set the expiration correctly or forget to use a stored access policy.","how_to_avoid_it":"Always read the question carefully to identify the exact permissions required.

If the partner only needs to upload, only grant 'Write' and optionally 'List' to see existing files, but not 'Read' or 'Delete'. Set the expiration to exactly one week from the moment of generation, not from the exam's hypothetical date. Consider if a stored access policy is needed for central management.

Also, ensure the protocol is set to HTTPS. In the exam, look for the answer that provides the most secure yet functional configuration."

Commonly Confused With

Shared access signaturevsStorage account key

The storage account key is a secret that grants full administrative access to all resources in a storage account. A shared access signature (SAS) is a token that grants limited, time-bound access to specific resources. You should never share the account key with external parties; instead, generate a SAS for them. The account key is like a master key, while SAS is like a hotel key card limited to one room.

If you need to let a developer read a log file, you generate a SAS token with read permission and share that URL. Sharing the account key would give that developer the ability to delete or modify all your storage account's content.

Shared access signaturevsAzure AD authentication

Azure AD authentication uses Azure Active Directory to grant access to storage resources based on user or application identities. SAS tokens are bearer tokens that do not require the user to be authenticated in Azure AD. Azure AD is more secure and manageable for internal users, while SAS is better for external parties who do not have Azure AD accounts. You can also use a user delegation SAS that is signed with Azure AD instead of the account key.

An employee logging into the Azure portal accesses blobs via Azure AD RBAC roles. An external partner uploading files to a container receives a SAS URL that does not require any login.

Shared access signaturevsPre-signed URL (AWS S3)

A pre-signed URL in AWS S3 is very similar to a SAS token. Both provide time-limited, permission-restricted access to a specific resource. The main difference is that SAS is an Azure feature while pre-signed URLs are AWS-specific. The underlying concept is identical: sign the URL with a secret key to delegate access. Exam questions will be specific to the cloud platform being tested.

In Azure, you generate a SAS for a blob. In AWS, you generate a pre-signed URL for an S3 object. The user clicks the link and performs the allowed operation without needing AWS credentials.

Shared access signaturevsAccess key (Azure Cognitive Search or Cosmos DB)

Access keys in other Azure services (like Cosmos DB or Cognitive Search) are similar to storage account keys: they grant full access to the service. SAS is specific to Azure Storage (blobs, files, queues, tables). Other Azure services use different authentication mechanisms like managed identities or Azure AD tokens. Do not confuse SAS with service-specific keys.

To connect to a Cosmos DB account, you use a primary or secondary key. To access a blob, you use a SAS token or the storage account key. They are different authentication models for different services.

Step-by-Step Breakdown

1

Identify the resource and permissions needed

First, determine which Azure Storage resource you want to delegate access to: a blob, a container, a file share, a queue, or a table. Then decide exactly what operations the recipient needs: Read, Write, Delete, List, Add, Create, Update, Process (for queues). This step is critical because it defines the scope of the SAS token and limits potential damage if the token is compromised.

2

Choose the SAS type

Based on the scope, choose between a service SAS (grants access to a specific resource) or an account SAS (grants access to account-level operations). If you want to use Azure AD for signing, choose a user delegation SAS (blob storage only). Each type has different capabilities and security implications. For most scenarios, a service SAS is the correct choice.

3

Set the expiration time and start time (optional)

Specify an expiry date and time for the SAS token. Always use the shortest practical expiration window (e.g., hours or days, not months). You can also optionally set a start time to delay the validity. The expiration time is enforced by the storage service; any request after that time is rejected.

4

Configure allowed IP addresses and protocol

To further restrict the SAS, you can specify a list of allowed IP addresses or CIDR ranges. This ensures the token can only be used from certain network locations. Also, set allowed protocols to HTTPS only to prevent token interception over unencrypted connections. These optional parameters add an extra layer of security.

5

Define or reference a stored access policy (recommended)

A stored access policy is a reusable policy defined on the resource (container, file share, queue, or table). It contains permissions and start/expiry times. When you create a SAS, you can reference this policy using the `signedidentifier` parameter. The advantage is that you can revoke or modify policies centrally, which invalidates all related SAS tokens.

6

Generate the SAS token

Using the Azure portal, Azure CLI, PowerShell, REST API, or SDK, generate the SAS token. The system cryptographically signs the token with the storage account key or the user delegation key. The output is a full URI that includes the resource URL and the token parameters appended as query strings.

7

Test the SAS URL

Before distributing the SAS URL, test it in a browser or tool that supports the intended operation. For example, if it is a read-only SAS for a blob, paste the URL into a browser and verify you can download the blob. If it is a write SAS, use a tool like AzCopy or a small script to attempt an upload. Testing catches misconfigured permissions or expiration times before production use.

8

Distribute the SAS URL securely

Share the SAS URL with the intended recipient through a secure channel, such as an encrypted email, a secure web portal, or an API response. Advise the recipient to treat the URL as sensitive data because anyone with the URL can use it within the token's constraints. Never post a SAS URL publicly.

9

Monitor and revoke if necessary

Enable Azure Storage analytics logging to track SAS token usage. If you suspect the token is compromised or is no longer needed, revoke it immediately. If the SAS references a stored access policy, modify or delete the policy. If it does not, rotate the storage account key (which invalidates all tokens signed with that key). Monitor for unexpected access patterns.

Practical Mini-Lesson

Let's walk through a real-world scenario to solidify your understanding of shared access signatures.

Imagine you are a developer for a company that runs a large e-commerce platform. The platform allows customers to upload product images. These images are stored in Azure Blob Storage. The website runs on Azure App Service. The architecture should be secure, scalable, and efficient.

Step one: Design the storage layout. You create a storage account with a container called 'product-images'. Inside that container, each customer gets a subfolder named by their unique customer ID. For example, blobs might be named '12345/image1.jpg', '12345/image2.jpg'. This helps organize data and later let you scope SAS tokens to a specific folder.

Step two: The user upload flow. When a customer logs in and wants to upload an image, the web app calls a server-side API endpoint. The server verifies the customer's identity (perhaps using Azure AD or session tokens). Once authenticated, the server then generates a service SAS token specifically for the folder corresponding to that customer. The SAS token has Write permission (and optionally List to show other images) and expires in one hour. The SAS URL is returned to the web app.

Step three: The client uploads directly to Azure Storage. The web app uses JavaScript to upload the file directly to the SAS URL. This bypasses the web server entirely. The upload goes directly from the customer's browser to Azure Storage, which is much more efficient and reduces load on your application servers. Azure Storage returns a success message to the browser.

Step four: The user views images. When a customer wants to view their images, the web app again calls a server-side API. The server generates a separate SAS token for each image with Read permission and a short expiration (maybe 10 minutes). The browser receives a list of SAS URLs and displays the images. If someone intercepts those URLs, they can only view the images for ten minutes, and only for that specific customer's folder.

Step five: Security considerations. You set the SAS token's allowed protocol to HTTPS only. You also set allowed IP addresses to the Azure App Service's outbound IP range to prevent token reuse from arbitrary locations, though for the upload case, you might need to allow any IP because customers connect from anywhere. In that case, you rely on the short expiration and minimal permissions.

Step six: Revocation and management. You also create stored access policies on the 'product-images' container. The SAS tokens reference this policy. If a customer's account is terminated, you can modify the stored access policy to deny all access from their folder, immediately revoking all outstanding tokens. This is much cleaner than rotating the storage account key.

What can go wrong? One common issue is clock skew. The SAS token's expiration time is based on UTC. If the server's clock is off by a few minutes, the token might be considered expired immediately. Always synchronize clocks using NTP. Another issue is the SAS URL being too long. Some proxies or CDNs have query string length limits. If your SAS URL exceeds that, the request will fail. Using a stored access policy can reduce the URL length. Also, if a customer uploads a file that is larger than the SAS allows? No, the SAS does not limit file size; that is managed by the storage account settings. But the SAS token's permissions (Write) do not include delete, so the user cannot delete files. That's by design.

Finally, consider performance. When millions of users upload images, you generate millions of SAS tokens per day. This is fine because token generation is a simple server-side operation; it does not call Azure except when you sign the token. The signing uses the account key locally. So the server can generate thousands of tokens per second. The actual storage I/O is handled directly between the client and Azure Storage, so your server is not a bottleneck.

In a professional environment, you might also use a user delegation SAS when the server runs under a managed identity. This eliminates the need to store the account key on the server at all. The server obtains a user delegation key from Azure AD and uses that to sign SAS tokens. This adds an extra layer of security and is considered a best practice for applications running in Azure.

Security Models and Scope of Shared Access Signatures

Shared Access Signatures (SAS) are a critical security construct in Azure Storage, enabling delegated access to storage resources without exposing the storage account key. There are three primary types of SAS tokens: service SAS, account SAS, and user delegation SAS. A service SAS delegates access to a specific resource, such as a blob container, table, queue, or file share.

It operates at the resource level and allows fine-grained permissions like read, write, delete, list, add, create, update, and process. An account SAS, in contrast, delegates access to one or more storage services and allows operations that a service SAS cannot, such as get or set service properties, get service stats, and perform operations on multiple resources simultaneously. The user delegation SAS is secured with Azure AD credentials and is the most secure option because it avoids storing the account key in the application.

When creating a SAS, you must define a start time, expiry time, allowed IP addresses, allowed protocols (HTTPS only or HTTPS and HTTP), and the signed permissions string. The permissions string is constructed using single-character codes (r=read, w=write, d=delete, l=list, a=add, c=create, u=update, p=process). For example, a SAS granting read and list permissions on a container would have the permission string 'rl'.

The signed resource type for a service SAS must be specified as 'b' for blob, 'c' for container, 'q' for queue, 't' for table, 's' for file share, or 'f' for file. The signed version (sv) parameter indicates the storage service version used to authorize the request. The most recent versions offer enhanced security features such as encryption scope support and IP ACLs.

In AWS S3, the equivalent is a presigned URL, but the SAS model is more granular because it allows account-wide delegation. Storage Access Policies (SAP) can be attached to a container or file share to centralize policy management. When a SAS is created with a stored access policy, you can revoke all SAS tokens linked to that policy by updating or deleting the policy.

This is a key difference from a SAS without a policy, which can only be invalidated by regenerating the storage account key. Understanding the distinction between ad-hoc SAS and SAS with stored access policies is essential for the AZ-104 and SC-900 exams. The user delegation SAS is important for the security-plus and cissp exams because it aligns with the principle of least privilege and avoids long-lived account keys.

The lifetime of a SAS should be as short as possible. By default, the maximum lifetime for a service SAS is 1 hour, but this can be extended when using a stored access policy. For account SAS, the maximum lifetime is 7 days unless a policy is used.

The csaf-1 (Customer Storage Account Firewall) and network ACLs also affect SAS usability because the SAS must originate from an allowed IP range. The time validation is performed by the storage service based on the signed start and expiry fields, and any clock skew between the client and server can cause authentication failures. The SAS token is appended to the URL as a query string parameter, including the signature, which is an HMAC-SHA256 hash of the string-to-sign.

This string-to-sign includes the resource URI, permissions, start/expiry times, and other constraints. If any part of the string-to-sign is modified, the signature validation fails, and the request is denied. This makes SAS tokens tamper-proof.

For the cysa-plus exam, understanding how SAS tokens can be intercepted in transit is important. If the token is sent over HTTP instead of HTTPS, an attacker could capture the token and reuse it until expiry. Therefore, always require HTTPS for SAS tokens.

The security-plus exam tests this concept as part of secure communication protocols. Finally, the MD-102 and MS-102 exams for Microsoft Endpoint Manager may test how managed applications use SAS to deploy scripts or access storage from Intune. The security model of SAS is layered: account key, access policy, SAS type, permissions, time limits, IP restrictions, and protocol restrictions.

Cost and Quota Implications of Using Shared Access Signatures

Shared Access Signatures can influence storage costs in several ways, primarily through transaction costs and data egress. When a client uses a SAS token to access storage, each API call incurs a transaction cost. This includes read, write, delete, list, and metadata operations.

Even if the SAS token allows only read access, each GET request from the client is billable. The number of transactions can accumulate rapidly if the SAS is widely distributed, for example, when a SAS URL is embedded in a public web page or mobile app. For the AZ-104 exam, you should be aware that using a SAS with a large number of short-lived clients can increase the transaction count unexpectedly.

The cost of transactions varies by storage account kind (BlobStorage, StorageV2, FileStorage) and by redundancy tier (LRS, GRS, RA-GRS, ZRS). For instance, read operations on RA-GRS are more expensive than on LRS because they involve reading from the secondary region. Therefore, a SAS token that points to a RA-GRS account will incur higher per-operation costs.

Data egress charges apply when data is accessed from outside the Azure region. If a SAS URL is shared with users in different geographic regions, egress costs can become significant. The cissp exam tests risk management and financial controls, including how to avoid cost overruns by limiting SAS permissions and expiry.

A common scenario is an admin creating a SAS with full control (rwd) on a container and then emailing it to a large team. Each team member downloading the same large blob results in multiple egress charges. The cost can be mitigated by using Azure CDN or by caching the blob at the edge.

Another cost consideration is the storage account capacity. SAS tokens themselves are cheap (a few bytes), but the storage consumption of the blobs they access is billable. For example, if a SAS grants write access to a container, users could upload large files, increasing capacity costs.

Therefore, it is important to set quotas on the container or use lifecycle management policies. The md-102 and ms-102 exams for Microsoft Intune and endpoint management may test how mobile device management policies can use SAS to limit the size of uploaded files to Azure File shares. The storage analytics logs (including capacity metrics) can be used to monitor the volume of data accessed via SAS.

For the sc-900 exam, the focus is on governance and compliance. Using a SAS without an expiry date (or with a very long expiry) violates the principle of least privilege and could lead to uncontrolled cost growth. The solution is to enforce SAS expiry policies at the Azure Policy level, such as requiring that all SAS tokens have an expiry less than 24 hours.

This is a typical exam scenario for AZ-500 or security-plus. The cysa-plus exam might include questions about detecting unusual transaction volume from a SAS token. For instance, a sudden spike in list and read operations from a single IP could indicate a data scraping attack.

Monitoring tools like Azure Monitor and Storage Insights can track these patterns. The cost also includes the potential for unwanted API calls from malicious actors who have intercepted the SAS URL. Even if the SAS has only limited permissions, an attacker could repeatedly call the API, creating many transactions and driving up costs.

This is called a "SAS abuse" scenario. Protection mechanisms include IP ACLs and requiring HTTPS, but these do not prevent repeated calls from the same authenticated source. The only way to stop such an attack is to invalidate the SAS by changing the storage account key or deleting the stored access policy.

For the exam, remember that revoking a SAS without a stored access policy requires regenerating the storage account key, which invalidates all resources using that account. This is disruptive, so always attach a stored access policy to important SAS tokens. The mini-quiz questions will test your ability to match cost scenarios with the appropriate mitigation strategy.

SAS cost management is about controlling access scope, duration, and geographic distribution, and monitoring for anomalies.

SAS Token Expiry, Revocation, and States

A Shared Access Signature token has a defined lifecycle that includes creation, active use, and expiration or revocation. The precise understanding of these states is essential for the AZ-104, SC-900, and security-plus exams. The primary states are: valid, expired, revoked, and invalid.

A SAS token is valid when the current time is between the signed start time (st) and signed expiry time (se), all permission constraints are met, and the signature is correct. An expired SAS is one where the current time is after the se parameter. Once expired, the token cannot be used for any request, even if the resource itself is still accessible via other means.

The storage service will return a 403 (Forbidden) error with the message 'Signature not valid in the specified time frame'. The exam often tests the scenario where the clock skew between client and server causes premature expiration. Azure allows up to 15 minutes of clock skew for the start time, but the expiry time is strictly enforced at the server's time.

Therefore, using "now" as the start time (without a small buffer) can cause failures if the client's clock is ahead. This is a common troubleshooting scenario in the md-102 and ms-102 exams for managed devices. The second state is revocation.

A SAS token can be revoked in two ways: by deleting or modifying the stored access policy (if one is attached), or by regenerating the storage account key (if no policy is used). When a stored access policy is modified, the SAS token linked to that policy becomes invalid for future requests because the policy's permissions or expiry have changed. The token's signature is tied to the policy identifier, not the policy content.

Therefore, even if the old token is still within its original expiry window, the server will reject it because the policy it references no longer matches. This is a powerful revocation mechanism. Without a stored access policy, the only way to revoke a SAS is to regenerate the primary or secondary key of the storage account.

This invalidates all SAS tokens that were signed with that key, including those that are still within their expiry window. This is a disruptive operation because it also invalidates any other applications using the account key. For the cissp exam, this is a classic example of the trade-off between security and availability.

The third state is actual invalidity, which can occur if the SAS token URL is tampered with. Since the signature is an HMAC, any change to the URI, permissions, or timing parameters will cause the server to compute a different signature and reject the request. This is a fundamental security property.

The exam may present a scenario where a user accidentally modifies a SAS URL (e.g., changes a letter in the blob name) and gets a 403 error; the correct answer is that the signature became invalid.

Another state is the partial revocation scenario. For example, if a stored access policy is updated to reduce permissions from 'read, write' to 'read', tokens that were issued before the change will still work for read operations but will fail for write operations. This is because the SAS request includes the permissions string (signed with the original policy key), but the server checks both the signed permissions and the policy's current permissions and applies the intersection of both.

This concept, called "permission intersection," is a common exam pitfall. The az-104 exam often includes questions about the precedence: the permissions in the SAS token must be a subset of the permissions in the stored access policy. If the token has 'rw' and the policy has 'r', the effective permission is 'r' (more restrictive).

The cysa-plus exam might test forensic analysis of SAS token logs. When a token is used after its start time but before expiry, and then the account key is regenerated, the token immediately stops working. However, any in-flight requests that were already in progress (e.

g., an upload that started before regeneration) will still complete because the request had already been authenticated. This is a nuance for data consistency. The mini-quiz will include questions about the timing of revocation and the effect on ongoing operations.

For the sc-900 exam, the compliance aspect is highlighted: SAS tokens must be stored securely and rotated regularly. A SAS token stored in a configuration file or in the source code is a security risk because it can be discovered. The state of being "exposed" but not yet used is a vulnerability that attacks can exploit.

The different states of a SAS token-valid, expired, revoked (by policy or key), and invalid (by tampering)-are crucial for exam scenarios.

Performance Impact of SAS on Azure Storage Operations

Using Shared Access Signatures can affect the performance of Azure Storage operations in several ways, particularly regarding latency, throughput, and resource utilization. When a client makes a request using a SAS token, the Azure Storage front-end must validate the token's signature. This involves parsing the query string parameters (sv, se, sr, sp, sig, etc.

) and recomputing the HMAC-SHA256 hash using the storage account key. This additional validation step adds a small amount of latency compared to using the account key directly (via Authorization header). In most scenarios, this overhead is negligible (on the order of a few milliseconds).

However, for very high-throughput scenarios (tens of thousands of requests per second), the cumulative CPU time on the storage front-end nodes can become noticeable. The az-104 exam may ask about choosing between account key authentication and SAS for performance-critical applications. The correct answer is that SAS is slightly slower due to the signature verification, but the difference is usually acceptable.

A more significant performance impact comes from the network round trip. Since SAS tokens are usually sent as query parameters, the full URL including the token is sent with each request. For large tokens (e.

g., with many permissions or a long signature), the URL may exceed the maximum URL length (typically around 2048 characters for most browsers and 8 KB for some Azure APIs). If the URL is too long, the request may be truncated or fail.

This is a common issue when the SAS token is appended to a blob name that is already long. In the md-102 and ms-102 exams, this scenario is tested for Intune deployments where scripts or packages are accessed via SAS. A typical troubleshooting step is to shorten the blob name or use a stored access policy to reduce the token size.

Another performance factor is the use of SAS with Azure CDN or Azure Front Door. If you generate a SAS URL for a blob and then distribute it through CDN, the CDN edge nodes will cache the content. After the initial origin fetch (which validates the SAS), subsequent requests from the same edge server will serve the cached content without contacting Azure Storage.

This greatly improves performance for repeated access. However, the SAS token must have a long enough expiry to cover the entire period of distribution. For the cissp exam, performance and security are balanced: long-lived SAS tokens are less secure but more performant for caching scenarios.

The sc-900 exam may test the concept of SAS token reauthentication for ongoing operations. When a client is downloading a large blob (e.g., a 100 GB file), the SAS token is validated once at the start of the download.

If the token expires during the download, the operation will fail with a 403 error. To avoid this, the client must use a SAS with an expiry that covers the entire expected download time, or use an account key for very large transfers. The Azure Storage SDKs handle this by providing the option to automatically refresh SAS tokens when using managed identities, but for custom-built apps, this is a design consideration.

For the cysa-plus exam, performance monitoring with Azure Monitor can detect SAS-related issues. For instance, a sudden increase in 403 errors might indicate a SAS token that has expired but is still being used by a misconfigured client. Alternatively, it could indicate a brute-force attempt to guess blob names with invalid SAS tokens.

The troubleshooting_clues section will cover these. Another performance angle is the effect of SAS on the storage account's scalability targets. Each storage account has limits on ingress, egress, and request rates.

If a SAS token is shared with many clients (e.g., in a public listing), the combined traffic may exceed these limits, resulting in throttling (HTTP 503 errors). This is a common exam scenario for the az-104: choosing SAS over account key does not exempt the request from account-level limits.

The limits apply regardless of authentication method. The mini-quiz will have questions about the interplay between SAS and throttling. Finally, the use of SAS with Azure File shares can be slower because the file share protocol (SMB) does not natively support SAS tokens.

Access to Azure Files via SAS is done through the REST API, which can be slower than native SMB. Therefore, for performance-critical file share operations, the exam recommends using private endpoints or trusted cloud services. SAS performance considerations include signature validation overhead, URL length limitations, caching via CDN, download timeout management, and account-level throttling.

Troubleshooting Clues

SAS token returns 403 Forbidden (Signature mismatch)

Symptom: Client receives HTTP 403 error when using the SAS URL, with message 'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly'. The signature field in the URL appears correct.

The signature computed by the server does not match the one in the URL. This usually happens because the string-to-sign has changed. Common causes include: the blob name was modified (e.g., a trailing slash), the permissions string was reordered, the expiry time was changed without recomputing the signature, or the SAS was generated for one resource but used for another (e.g., container SAS used for a blob).

Exam clue: Exams often give a URL with a modified resource name, and ask why a 403 error occurs. The correct answer is 'signature validation failure due to resource mismatch'.

SAS token expired but the client's clock is behind or ahead

Symptom: Client reports access failure with error 'Signature not valid in the specified time frame' even though the expiry time is correctly set. The client's system time is different from server's time.

Azure Storage uses UTC time to validate the start and expiry fields. If the client's local clock is skewed by more than 15 minutes, the start time may be considered invalid, or the expiry may be prematurely triggered. The server uses its own clock, so a client sending requests with a time stamp outside the valid window will be rejected.

Exam clue: Exam questions might ask why a SAS works on one machine but not another. The answer is clock skew. The correct mitigation is to use a start time of 'now minus 15 minutes' to accommodate skew.

SAS token grants read permission but client gets Access Denied

Symptom: Client has a SAS token with 'r' permission on a container, but when trying to list blobs, they receive a 403 error. Listing blobs should work with 'l' permission.

The permission code 'r' allows reading the content of blobs and their properties, but listing the blobs in a container requires the 'l' (list) permission. The SAS token must include both 'r' and 'l' to be able to list and read blobs. This is a common permission scope confusion.

Exam clue: Exams often test the granularity of SAS permissions: read (r) vs list (l). A scenario where a user can download a blob but cannot see the list of blobs is typical.

SAS URL too long and being truncated

Symptom: Client receives a 414 URI Too Long error, or the request is silently truncated, causing failure to access the resource. The URL includes the SAS token and a long blob path.

Azure requests have a maximum URL length (typically 8 KB for REST API, 2048 chars for browsers). A SAS token can be up to 200 characters, and when combined with a long blob name (e.g., 500 characters), the URL can exceed the limit. Using a stored access policy can reduce the URL size because the policy identifier is shorter than the full permission string.

Exam clue: Exam questions might present a scenario where a SAS URL is manually copied and pasted but gets truncated. The solution is either to shorten the blob name or use a stored access policy (SAP).

SAS with stored access policy fails after policy update

Symptom: After modifying the stored access policy (e.g., changing permissions from read/write to read-only), existing SAS tokens that were valid before the change now fail with a 403 error, even though the tokens were still within their original expiry window.

When a stored access policy is updated, the server checks the policy's current permissions during request authorization. The effective permissions are the intersection of the SAS token's permissions and the policy's permissions. If the policy reduces privileges, the token's signed permissions become over-privileged, and the server denies the request.

Exam clue: This is a classic exam topic: how revocation works. The answer is that the stored access policy change invalidates all linked SAS tokens because the server enforces the policy's current state.

SAS token works from some IP addresses but not others

Symptom: Client reports that the SAS token works from their office network but fails from a coffee shop or cloud service, with 403 error. The error message mentions IP address not allowed.

When generating the SAS token, you can specify an allowed IP range using the 'signedip' (sip) parameter. If the token has an IP restriction (e.g., from 192.168.1.0/24), requests from other IPs will be rejected even if the token is valid. This is a security feature.

Exam clue: Exams test the concept of IP ACLs on SAS tokens. A typical question: 'A SAS token works from the company VPN but not from a home network. What is the most likely cause?' The answer is the signed IP restriction.

SAS token for Azure File share fails with SMB access

Symptom: User tries to mount an Azure File share using a SAS token via SMB protocol, but receives an authentication failure. The SAS token works fine when accessing the share via REST API.

Azure File shares require either storage account key authentication or Azure AD authentication for SMB access. SAS tokens are not supported for the SMB protocol. SAS is only valid for REST API operations on file shares (like listing directories or reading/writing files via HTTP).

Exam clue: This is a common trick question. The exam might ask: 'Can you use a SAS token to mount a file share?' The answer is no, because SMB does not understand SAS.

Memory Tip

SAS = Shared Access Signature: 'Shared, Access, Signed', Shared with specific permissions, Access limited in time, Signed with your key (so it cannot be forged).

Learn This Topic Fully

This glossary page explains what Shared access signature means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.A developer creates a service SAS with permission string 'r' for a container. Which operations can the SAS token perform?

2.An administrator needs to revoke all SAS tokens that were generated for a specific container without disrupting other storage operations. What is the recommended approach?

3.A client receives a 403 error when using a SAS token, even though the token is within the expiry window. The error message says 'Signature not valid in the specified time frame'. The client's system clock is 20 minutes ahead. What is the most likely cause?

4.Which of the following parameters is REQUIRED for all SAS tokens to ensure secure transmission?

5.A SAS token is created for a blob with read and write permissions. The blob's container has a stored access policy that only allows read permissions. What is the effective permission of the SAS token?