Azure Storage adds identity-bound SAS tokens to strengthen delegated access control and improve auditability across tenants.
Microsoft is taking a major step in tightening cloud security with the public preview of user-bound user delegation shared access signatures (SAS). This new feature is designed to ensure that a SAS token can only be used by a specifically authorized Microsoft Entra ID identity.
User delegation SAS tokens are time‑limited access tokens for Azure Storage that are created using a user delegation key tied to a specific Microsoft Entra ID identity. These tokens let a user or service delegate a subset of their own permissions to clients. It helps to ensure that access is both traceable and limited to what the delegator is allowed to perform, while offering stronger security and identity‑based control compared to traditional SAS methods.
According to Microsoft, traditional SAS tokens provide time‑limited access to storage without exposing account keys. Azure Storage previously improved this by introducing user delegation SAS (UD SAS) support, which ties token creation to an Entra‑authenticated user. This new user‑bound UD SAS adds another layer by binding the use of the token to a designated Microsoft Entra ID identity.
“User-bound UD SAS is an extension of user delegation (UD) SAS, which allows users to create a more secure SAS token by restricting the usage of the SAS token to an end user identity. The delegator specifies the Entra identity (security principal) of the end user in the SAS token and the end user needs to authenticate to Entra ID to use the token. The end user can either be in the same tenant or a different tenant as the delegator,” Microsoft explained.
The user-bound user delegation SAS reduces unintended access and improves traceability while retaining the flexibility that SAS tokens offer to organizations. These tokens can only be valid for up to 7 days and are always linked back to the delegator’s identity.
To get started with user‑bound user delegation SAS, administrators will first need to ensure that the delegator has the correct Azure role‑based access control (RBAC) assignments (such as the Storage Data Contributor and Storage Delegator roles), which are required to create a user delegation key.
If the SAS token will be used by an identity in a different tenant, administrators must enable the allowCrossTenantDelegationSas setting on the storage account. Once these prerequisites are in place, IT admins can simply follow the user delegation SAS creation workflow to generate and use the user‑bound SAS token.
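As an added example (not code from the article or from Microsoft's tooling), here is a small Python audit helper that checks a SAS URL against the constraints the article describes: it must be signed with a user delegation key (the `sk*` query parameters, which record the delegator's Entra object and tenant IDs), and its lifetime must stay within 7 days and within the delegation key's own validity. The article does not name the extra field that binds a user-bound token to its end user, so the check stops at the base user delegation fields; the URL, IDs and signature below are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Query parameters a user delegation SAS carries in addition to the common SAS
# fields (sv, sr, sp, st, se, sig). Their presence distinguishes it from an
# account-key SAS and identifies the delegator (skoid/sktid) for auditing.
UD_SAS_FIELDS = ("skoid", "sktid", "skt", "ske", "sks", "skv")
MAX_LIFETIME = timedelta(days=7)  # cap stated in the article


def _parse_time(value: str) -> datetime:
    # SAS timestamps are ISO 8601 in UTC, e.g. 2024-05-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas_url(url: str) -> dict:
    """Report whether a SAS URL is user-delegation signed, which delegator
    issued it, and whether its validity window respects the 7-day cap."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    is_ud = all(f in q for f in UD_SAS_FIELDS)
    findings = {"user_delegation": is_ud, "delegator_oid": q.get("skoid"),
                "delegator_tid": q.get("sktid"), "problems": []}
    if not is_ud:
        findings["problems"].append("not a user delegation SAS (account-key signed)")
        return findings
    # 'st' is optional on a SAS; the key start time bounds validity if it is absent.
    start = _parse_time(q.get("st", q["skt"]))
    expiry = _parse_time(q["se"])
    if expiry - start > MAX_LIFETIME:
        findings["problems"].append("SAS lifetime exceeds 7 days")
    if expiry > _parse_time(q["ske"]):
        findings["problems"].append("SAS expires after the delegation key it was signed with")
    return findings


# Constructed sample URL: account, IDs and signature are placeholders, not real values.
SAMPLE_SAS_URL = (
    "https://example.blob.core.windows.net/reports/q1.csv?sv=2022-11-02&sr=b&sp=r"
    "&st=2024-05-01T00:00:00Z&se=2024-05-03T00:00:00Z"
    "&skoid=00000000-0000-0000-0000-000000000001"
    "&sktid=00000000-0000-0000-0000-000000000002"
    "&skt=2024-05-01T00:00:00Z&ske=2024-05-08T00:00:00Z&sks=b&skv=2022-11-02"
    "&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    print(audit_sas_url(SAMPLE_SAS_URL))
```

Run it over SAS URLs harvested from configuration or logs to flag tokens that were signed with an account key or that outlive the delegation window.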
Microsoft mentioned that this new feature is available at no additional cost to commercial customers. It’s available in all public Azure regions through REST APIs, SDKs, CLI, and PowerShell, and requires a GPv2 storage account.