This chapter covers Shared Access Signatures (SAS) and lifecycle management policies in Azure Storage, two critical security and data management features. For the AZ-204 exam, questions on SAS tokens appear in roughly 10-15% of security-related items, and lifecycle policies are tested in about 5-8% of storage-focused questions. You must understand how to generate and secure SAS tokens, the difference between account-level and service-level SAS, and how to configure lifecycle rules to automate tiering and deletion of blobs. Mastering these topics is essential for developing secure, cost-optimized Azure applications.
Jump to a section
Imagine you own a secure storage facility with many lockers. You have a master key that opens every locker and a security guard who checks IDs. You want to allow a temporary delivery person to deposit a package into Locker 42, but only between 2 PM and 3 PM, and only once. Instead of giving them your master key (which would be insecure), you create a special valet key that only works for Locker 42, only during that time window, and self-destructs after one use. You encode these restrictions into a small token that the delivery person carries. When they arrive, they present the token to the guard, who decodes it, verifies the permissions (locker number, time window, single-use flag), and allows access exactly to Locker 42. The guard also logs the token's usage to ensure it cannot be reused. If the delivery person tries to use the token at a different time or for a different locker, the guard rejects it. The token itself is cryptographically signed by the facility's secret key, so it cannot be tampered with or forged. This is exactly how Shared Access Signatures (SAS) work in Azure Storage: you create a token with specific permissions, expiry, and optional constraints, and the Azure Storage service validates the token before granting access, without ever revealing the storage account key.
What is a Shared Access Signature (SAS)?
A Shared Access Signature (SAS) is a URI that grants restricted access rights to Azure Storage resources (blobs, files, queues, tables) without exposing the storage account key. It is a token appended to the storage service URL that includes authentication information and permissions. The SAS token is signed using either the storage account key (for account-level and service-level SAS) or a user delegation key (for user delegation SAS).
SAS tokens are essential for scenarios where you need to grant temporary, scoped access to storage resources—for example, allowing a client to upload a file directly to a blob container without giving them the full account key. The exam expects you to know the three types of SAS:
Service-level SAS: Grants access to a specific resource (e.g., a single blob, container, queue, or table). It is created using the storage account key and can be scoped to a container, blob, queue, or table.
Account-level SAS: Grants access to multiple storage services (blob, file, queue, table) and can also allow operations like listing service properties or creating containers. It is also signed with the storage account key.
User delegation SAS: Applies only to Blob Storage (including ADLS Gen2) and is signed with Azure AD credentials rather than the storage account key. It provides finer-grained control and is recommended when using Azure AD authentication.
How SAS Tokens Work Internally
When you create a SAS token, you specify the following parameters:
Resource URI: The URL of the resource (e.g., https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt).
Permissions: A string of allowed operations, such as r (read), w (write), d (delete), l (list), a (add), c (create), u (update), p (process). For example, sp=r means read permission.
Start time (optional): The date/time when the SAS becomes valid. If omitted, it is valid immediately.
Expiry time: The date/time when the SAS expires. This is required for service-level SAS but optional for account-level SAS (though strongly recommended).
IP address or range (optional): Restricts access to requests originating from specific IP addresses.
Protocol (optional): Restricts the protocol used (HTTPS only or HTTP/HTTPS). The default is HTTPS only.
Signed identifier (optional): A reference to a stored access policy on the container, which centralizes management of SAS parameters.
Signature: An HMAC-SHA256 hash of the string-to-sign, which includes all the above parameters plus the storage account key (or user delegation key).
The token is appended to the resource URI as query parameters. For example:
https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2018-03-28&ss=b&srt=sco&sp=rwdlac&se=2019-05-05T14:00:00Z&st=2019-05-04T14:00:00Z&spr=https&sig=...When a request arrives with a SAS token, the Azure Storage service reconstructs the string-to-sign using the same parameters, computes the HMAC-SHA256 hash, and compares it to the provided signature. If they match and the token's constraints (time, IP, protocol) are satisfied, the request is allowed. If the signature does not match or any constraint is violated, the request is denied with a 403 (Forbidden) error.
Stored Access Policies
A stored access policy is a JSON object stored on a container (blob), queue, table, or share that defines the start time, expiry time, and permissions for a SAS. By referencing a stored access policy via the signedidentifier parameter in the SAS token, you can revoke or modify the SAS without recreating the token—simply change the policy on the server side. This is a key security feature: if a SAS token is compromised, you can revoke it by deleting or modifying the stored access policy. Without a stored access policy, the only way to revoke a SAS is to regenerate the storage account key, which invalidates all SAS tokens signed with that key.
The stored access policy has an identifier (a unique string up to 64 characters) and the following fields:
start: Start time (optional)
expiry: Expiry time (optional)
permission: Permission string (e.g., rwdl)
Example of a stored access policy via REST API:
{
"Id": "policy1",
"Policy": {
"Start": "2025-01-01T00:00:00Z",
"Expiry": "2025-12-31T23:59:59Z",
"Permission": "rw"
}
}SAS Token Generation (Code Examples)
In .NET, using the Azure.Storage.Blobs library:
BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient("mycontainer");
BlobClient blobClient = containerClient.GetBlobClient("myblob.txt");
// Generate service-level SAS for a blob
BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
BlobContainerName = "mycontainer",
BlobName = "myblob.txt",
Resource = "b", // b for blob, c for container
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
sasBuilder.SetPermissions(BlobSasPermissions.Read);
Uri sasUri = blobClient.GenerateSasUri(sasBuilder);
Console.WriteLine($"SAS URI: {sasUri}");In Python, using the Azure Storage Blob SDK:
from datetime import datetime, timedelta
from azure.storage.blob import BlobServiceClient, generate_blob_sas, BlobSasPermissions
connection_string = "..."
blob_service_client = BlobServiceClient.from_connection_string(connection_string)
container_client = blob_service_client.get_container_client("mycontainer")
blob_client = container_client.get_blob_client("myblob.txt")
sas_token = generate_blob_sas(
account_name=blob_client.account_name,
container_name=blob_client.container_name,
blob_name=blob_client.blob_name,
account_key=blob_service_client.credential.account_key,
permission=BlobSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1)
)
sas_url = f"{blob_client.url}?{sas_token}"
print(f"SAS URL: {sas_url}")Lifecycle Management Policies
Azure Storage lifecycle management allows you to define rules that automatically move blobs to cooler storage tiers (hot, cool, cold, archive) or delete them based on age or last modification time. This reduces storage costs and automates data retention policies. Lifecycle policies apply to blobs in Blob Storage and Azure Data Lake Storage Gen2 (hierarchical namespace enabled).
A lifecycle policy is a JSON document that contains one or more rules. Each rule has:
name: A unique name for the rule.
enabled: Boolean to enable or disable the rule.
type: Must be Lifecycle.
definition: Contains a filters object and an actions object.
Filters: Define which blobs the rule applies to. You can filter by:
- blobTypes: An array of blob types (e.g., ["blockBlob"]).
- prefixMatch: An array of path prefixes (e.g., ["logs/", "backup/"]).
- blobIndexMatch (optional): An array of key-value pairs for blob index tags.
Actions: Define what to do. Actions include:
- baseBlob: Actions for the base blob (not snapshots or versions). Possible sub-actions:
- tierToCool: Move to cool tier after a number of days.
- tierToCold: Move to cold tier (preview).
- tierToArchive: Move to archive tier.
- delete: Delete the blob.
- snapshot: Actions for snapshots (similar sub-actions).
- version: Actions for previous versions (similar sub-actions).
Each action has a daysAfterModificationGreaterThan property (for base blobs) or daysAfterCreationGreaterThan (for snapshots/versions) that specifies the number of days after the blob was last modified or created.
Example lifecycle policy that moves blobs in the "logs/" prefix to cool tier after 30 days and deletes them after 90 days:
{
"rules": [
{
"name": "logRetention",
"enabled": true,
"type": "Lifecycle",
"definition": {
"filters": {
"blobTypes": ["blockBlob"],
"prefixMatch": ["logs/"]
},
"actions": {
"baseBlob": {
"tierToCool": {
"daysAfterModificationGreaterThan": 30
},
"delete": {
"daysAfterModificationGreaterThan": 90
}
}
}
}
}
]
}How Lifecycle Policies Work Internally
Azure Storage runs the lifecycle policy evaluation once per day. It scans all blobs in the storage account that match the rule filters and checks the last modification time (or creation time for snapshots/versions). If the condition is met, it performs the action. For tiering actions, the blob is moved to the target tier; for delete actions, the blob is permanently deleted. There is no charge for the policy evaluation itself, but you pay for the storage operations (change tier, delete) at standard rates.
Important considerations:
Blob type: Only block blobs and append blobs are supported. Page blobs are not supported.
Tier transitions: You can move from hot to cool to cold to archive, but not backwards (except by manually copying). You cannot move from archive directly to hot/cool without rehydration (which can take hours).
Replication: Lifecycle policies work with all replication types (LRS, GRS, RA-GRS, etc.).
Minimum retention: For blobs to be moved to cool tier, they must have been in hot tier for at least 7 days. For archive, they must have been in cool or cold for at least 30 days (or hot for 30 days). These are enforced by the service.
Hierarchical namespace: When using ADLS Gen2, lifecycle policies work with directory paths as prefixes.
Interaction with SAS and Lifecycle Policies
SAS tokens can be used to grant access to blobs that are subject to lifecycle policies. For example, you can generate a SAS token that allows read access to a container, and lifecycle policies will still automatically tier or delete blobs in that container. The SAS token does not affect lifecycle operations. However, if a blob is deleted by a lifecycle policy, any existing SAS tokens for that blob become invalid (the blob no longer exists).
Security Best Practices for SAS
Use stored access policies whenever possible to allow revocation.
Use short expiry times (minutes to hours) for temporary access.
Use HTTPS only (spr=https).
Restrict IP addresses if possible.
Use user delegation SAS when using Azure AD authentication.
Do not hardcode SAS tokens in client code; generate them on the server side and distribute securely.
Regenerate storage account keys periodically to invalidate old SAS tokens.
Exam-Relevant Defaults and Limits
SAS token maximum expiry: 1 year from creation (if no stored access policy). With a stored access policy, the policy's expiry is used.
Stored access policy maximum: 5 policies per container/queue/table/share.
Lifecycle policy maximum: 100 rules per storage account.
Lifecycle policy evaluation frequency: Once per day.
Minimum days for cool tier: 7 days after creation/modification.
Minimum days for archive from cool/cold: 30 days.
SAS signature algorithm: HMAC-SHA256.
SAS string-to-sign format: documented in Azure documentation, includes version, resource, permissions, start, expiry, etc.
Identify Storage Resource and Permissions
First, determine the target resource (container, blob, queue, table, or file share) and the required permissions (read, write, delete, list, etc.). For example, you want to allow a client to upload a file to a specific container but not delete or list. This step involves understanding the application's security requirements. You must also decide whether to use a service-level SAS (scoped to one resource) or an account-level SAS (scoped to multiple services). The choice impacts the token's scope and the stored access policy options. Service-level SAS is more granular and recommended for most scenarios.
Choose SAS Type and Signing Method
Select the SAS type: service-level, account-level, or user delegation. For user delegation SAS, you must have Azure AD credentials and the storage account must support Azure AD authentication. For service-level and account-level SAS, you need the storage account key. The signing method determines how the token is generated and what key is used. User delegation SAS is more secure because it does not expose the account key. On the exam, you may be asked to choose the appropriate SAS type for a given scenario, such as providing temporary access to a blob without using the account key.
Define Token Parameters and Constraints
Set the start time (optional), expiry time (required for service-level), permissions, allowed IP addresses, allowed protocol (HTTPS by default), and optionally a signed identifier referencing a stored access policy. The expiry time is critical: if too long, the token is a security risk; if too short, the client may need to request a new token frequently. Best practice is to use short-lived tokens (e.g., 1 hour) and regenerate them as needed. The IP restriction narrows the token's use to trusted networks. The protocol restriction should always be HTTPS to prevent interception.
Generate SAS Token on the Server Side
Use the Azure Storage SDK (e.g., .NET, Python, Node.js) to generate the SAS token. The SDK constructs the string-to-sign, computes the HMAC-SHA256 signature using the account key or user delegation key, and appends the token as query parameters to the resource URI. For example, in C# you use the BlobSasBuilder class. The generated SAS URI is then returned to the client application securely (e.g., via a REST API response). Never generate SAS tokens on the client side because that would expose the account key or signing credentials.
Distribute SAS URI to Client and Monitor Usage
The client application receives the SAS URI and uses it to access the storage resource directly. The client can perform allowed operations (e.g., upload a blob) using the URI. The Azure Storage service validates the token on each request. You should monitor SAS usage via Azure Monitor or storage analytics logs to detect any anomalous access patterns. If a token is compromised, you can revoke it by regenerating the storage account key (for account/service-level SAS) or by deleting/modifying the stored access policy (if used). Regularly audit SAS tokens and rotate account keys.
Enterprise Scenario 1: Secure File Uploads for a Web Application
A SaaS company allows customers to upload profile pictures and documents. Instead of sending files through the web server (which would consume bandwidth and CPU), the web app generates a service-level SAS token with write-only permissions to a specific container, expiring in 5 minutes. The client uploads directly to Azure Blob Storage using the SAS URI. This offloads traffic from the web server, reduces latency, and avoids exposing the storage account key. The company uses stored access policies on the container to centrally manage permissions and quickly revoke access if needed. They also restrict the SAS to HTTPS and to the client's IP range (if known). Misconfiguration: If the SAS token has too broad permissions (e.g., delete) or a long expiry, a malicious user could delete other blobs. They learned this the hard way when a customer's token was leaked and an attacker deleted files. Now they use short-lived tokens and stored access policies.
Enterprise Scenario 2: Automated Data Tiering for Logs
A financial services firm generates gigabytes of log files daily. They store logs in hot tier for the first 30 days (for active analysis), then move to cool tier for 60 days (for compliance), then to archive tier for 7 years (for regulatory retention), and finally delete. They implement a lifecycle policy with three rules: (1) after 30 days, tier to cool; (2) after 90 days (30+60), tier to archive; (3) after 7 years, delete. The policy uses prefix filters like logs/app1/ and logs/app2/. This automation saves 70% on storage costs compared to keeping everything in hot tier. Performance consideration: When logs are in archive tier, retrieval takes hours (rehydration). The firm ensures that any automated processes that need to access archived logs are designed to handle this delay. Misconfiguration: Initially, they set the archive transition too early (e.g., 30 days), causing frequent rehydration costs and user complaints. They adjusted the rules based on access patterns.
Enterprise Scenario 3: Shared Access for Collaborative Data Science
A research team uses Azure Data Lake Storage Gen2 for large datasets. They need to grant temporary access to external collaborators for specific folders. They generate user delegation SAS tokens (signed with Azure AD) for read-only access to a directory prefix, expiring in 24 hours. The tokens are distributed via a secure portal. User delegation SAS is preferred because it does not require sharing the storage account key and integrates with Azure AD RBAC. The team also uses stored access policies on the container to quickly revoke access if a collaborator's credentials are compromised. Scaling: With thousands of collaborators, they automate SAS generation via Azure Functions triggered by an approval workflow. Misconfiguration: They once forgot to set an expiry, creating a token that lasted indefinitely until they noticed excessive read requests. Now they enforce a maximum 24-hour expiry and use Azure Policy to audit SAS tokens.
Common Pitfalls and Lessons Learned
Overly permissive SAS: Including delete or list permissions when only read/write is needed. Always use the principle of least privilege.
No stored access policy: Without it, the only way to revoke a SAS is to regenerate the account key, which breaks all applications using that key.
Lifecycle policy applied to the wrong blobs: Using broad prefixes (e.g., "") can unintentionally delete critical data. Always test with a small set first.
Ignoring the 7-day minimum for cool tier: Attempting to move a blob to cool tier after 1 day fails silently; the blob remains in hot tier. The policy does not generate an error, so monitoring is essential.
What AZ-204 Tests on SAS and Lifecycle Policies (Objective 3.2)
The exam objective "Develop solutions that use Azure Storage security" includes implementing shared access signatures and lifecycle policies. Specifically, you should be able to:
Create a SAS token with appropriate permissions, expiry, and constraints.
Differentiate between service-level, account-level, and user delegation SAS.
Use stored access policies to manage SAS tokens.
Configure lifecycle management rules to tier and delete blobs.
Understand the interaction between SAS and lifecycle policies.
Common Wrong Answers and Why Candidates Choose Them
"A SAS token can be revoked at any time by deleting the token itself." Wrong. A SAS token is a client-held token; deleting it from the server does nothing because the server does not store it. You must either regenerate the storage account key or update/delete the stored access policy. Candidates confuse stored access policies with the token.
"Lifecycle policies can move blobs from archive to cool tier automatically." Wrong. Lifecycle policies only move blobs to cooler tiers (hot->cool->cold->archive). Moving from archive to any other tier requires manual rehydration (Set Blob Tier or Copy Blob). Candidates forget that archive is a one-way street.
"Account-level SAS can be scoped to a single blob." Wrong. Account-level SAS applies to one or more services (blob, queue, table, file) and can include service-level operations (list containers, create containers), but it cannot be scoped to a single blob. That is the domain of service-level SAS. Candidates often mix up the scopes.
"User delegation SAS requires the storage account key." Wrong. User delegation SAS is signed with Azure AD credentials, not the account key. This is a common misconception because other SAS types use the account key.
Specific Numbers, Values, and Terms That Appear on the Exam
Maximum SAS expiry without stored access policy: 1 year.
Maximum stored access policies per container: 5.
Lifecycle policy rules per storage account: 100.
Lifecycle evaluation frequency: Once per day.
Minimum days in hot tier before moving to cool: 7.
Minimum days in cool/cold before moving to archive: 30.
SAS signature algorithm: HMAC-SHA256.
Permissions string format: sp=rwdlacup (read, write, delete, list, add, create, update, process).
Resource types in account-level SAS: srt=sco (service, container, object).
Protocol parameter: spr=https (HTTPS only) or spr=https,http.
Edge Cases and Exceptions the Exam Loves to Test
SAS and firewall rules: If the storage account has a firewall that blocks public access, a SAS token will not work unless the request comes from an allowed IP or VNet. The SAS token's IP restriction is independent of the firewall; both must allow the request.
SAS with hierarchical namespace: When using ADLS Gen2, service-level SAS can be created for directories and files. The permissions map to POSIX ACLs.
Lifecycle policy and blob snapshots: You can configure separate actions for snapshots (e.g., delete snapshots older than 30 days). This is tested as a scenario where you need to manage versions.
SAS and Azure AD integration: User delegation SAS can be used alongside RBAC. The exam may ask which SAS type to use when you want to avoid using account keys.
How to Eliminate Wrong Answers
If the question mentions revoking a SAS without regenerating the key, look for "stored access policy" in the answer.
If the question involves moving blobs from archive to hot, the answer cannot involve a lifecycle policy; it must involve rehydration.
If the question says "temporary access for a client to upload a file," the correct SAS type is service-level SAS (not account-level) because it scopes to a specific container.
If the question mentions "Azure AD authentication," the answer is user delegation SAS.
Trap: "SAS token with start time in the future"
The exam may present a scenario where a SAS token has a start time that is 10 minutes in the future. The token is valid, but requests before the start time will be denied. Candidates may think the token is invalid entirely, but it is just not yet active.
SAS tokens are client-held credentials that grant restricted access to Azure Storage resources without exposing the account key.
Three SAS types: service-level (scoped to a resource), account-level (scoped to services), user delegation (signed with Azure AD).
Always use stored access policies to enable revocation without regenerating the account key; max 5 policies per container.
Lifecycle policies automate blob tiering (hot->cool->cold->archive) and deletion based on age; evaluation runs once per day.
Lifecycle rules have a minimum 7-day wait before moving to cool, and 30-day wait before moving to archive from cool/cold.
SAS token maximum expiry without stored access policy is 1 year; always set a short expiry (minutes to hours) for temporary access.
Lifecycle policies support up to 100 rules per storage account; filters use blob type, prefix, and blob index tags.
User delegation SAS is the most secure option for Blob Storage because it uses Azure AD instead of account keys.
These come up on the exam all the time. Here's how to tell them apart.
Service-level SAS
Scoped to a single resource (container, blob, queue, table, share).
Cannot perform service-level operations like list containers or create containers.
Requires expiry time; start time optional.
Signed with storage account key or user delegation key.
Supports stored access policies for revocation.
Account-level SAS
Scoped to one or more storage services (blob, queue, table, file).
Can perform service-level operations (list containers, create containers, set service properties).
Expiry optional; if omitted, token valid until key regeneration.
Signed only with storage account key (not user delegation).
Does not support stored access policies; revocation requires key regeneration.
Mistake
SAS tokens are stored on the server and can be deleted to revoke access.
Correct
SAS tokens are client-held tokens. The server does not store them. Revocation requires either regenerating the storage account key (which invalidates all SAS tokens signed with that key) or changing/deleting the stored access policy referenced by the token.
Mistake
Lifecycle policies can move blobs from archive to cool tier automatically.
Correct
Lifecycle policies only move blobs to cooler tiers (hot->cool->cold->archive). Moving from archive to any other tier requires manual rehydration using Set Blob Tier or Copy Blob, which can take hours.
Mistake
Account-level SAS can be scoped to a single blob.
Correct
Account-level SAS applies to one or more storage services (blob, queue, table, file) and can include operations like list containers or create containers, but it cannot be scoped to a single blob. Service-level SAS is used for per-blob scoping.
Mistake
User delegation SAS requires the storage account key.
Correct
User delegation SAS is signed using Azure AD credentials (user delegation key), not the storage account key. It is more secure because the account key is not exposed.
Mistake
A SAS token with no expiry set will never expire.
Correct
For service-level SAS, an expiry is required. For account-level SAS, if no expiry is set, the token is valid indefinitely (until the account key is regenerated). However, best practice is to always set an expiry. The maximum allowed expiry is 1 year from creation if no stored access policy is used.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Service-level SAS is scoped to a single resource (e.g., a specific blob or container) and cannot perform service-level operations like listing containers. Account-level SAS can be scoped to one or more services (blob, queue, table, file) and can perform operations like creating containers or setting service properties. Account-level SAS also does not support stored access policies, so revocation requires regenerating the account key. Service-level SAS is more granular and is the recommended choice for most scenarios.
Use a stored access policy. Create a stored access policy on the container (or other resource) with the desired permissions and expiry, and reference it in the SAS token via the `signedidentifier` parameter. To revoke the token, modify or delete the stored access policy. The service will then reject any SAS tokens that reference the old policy. Without a stored access policy, the only way to revoke is to regenerate the account key, which invalidates all SAS tokens signed with that key.
No. Lifecycle policies only move blobs to cooler tiers (hot -> cool -> cold -> archive). Moving from archive to any other tier requires a manual operation called rehydration, which you can perform via the Set Blob Tier API or by copying the blob. Rehydration can take up to 15 hours for archive blobs, depending on the priority set. Lifecycle policies cannot automate this reverse transition.
Each container, queue, table, or file share can have up to 5 stored access policies. This is a hard limit. If you need more granular control, consider using multiple containers or using user delegation SAS with Azure AD RBAC.
You can define separate actions for base blobs, snapshots, and versions. For example, you can delete snapshots older than 30 days while keeping the base blob. The actions use `daysAfterModificationGreaterThan` for base blobs and `daysAfterCreationGreaterThan` for snapshots/versions. This allows fine-grained lifecycle management for versioned blobs.
The SAS token is valid, but requests made before the start time will be denied with a 403 error. The token becomes active at the specified start time. This is useful for scheduling access. On the exam, you might see a scenario where a token is created with a future start time and the client tries to use it immediately—that request will fail.
Yes, but the request must also satisfy the firewall rules. The SAS token provides authentication, but the firewall controls network access. If the firewall blocks all public access, the SAS token will not work unless the request comes from an allowed IP address or VNet. The SAS token's IP restriction is independent and additional.
You've just covered Shared Access Signatures and Lifecycle Policies — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?