As a security best practice, you must disable Blob public access and storage account key (shared key) access.
Disable blob public access & storage account key
Hold on. This will also invalidate existing shared access signatures (SAS) signed with the account key, so make sure everyone who depends on them is informed before you perform the disable activity.
To secure SAS, set up a stored access policy first: once you create and share an ad-hoc SAS, whatever configuration and data it grants are shared with the user for the token's entire lifetime.
Best practices for shared access tokens
So it is always advisable to set up the access policy with its permissions first, and only then issue access tokens.
Once the policy exists, select it when creating the access token, so that you retain control over the token after you share it with the user.
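The following added example (not part of the original post) shows why the two warnings above hold. A service SAS is nothing more than an HMAC-SHA256 over a few query fields, keyed with the storage account key, so disabling shared-key access or rotating the key invalidates every SAS at once; with a stored access policy, the token carries only the policy identifier (`si`) and the permissions and expiry are resolved server-side, so the policy can be revoked or shortened without touching the key. The account name, key and policy name are constructed placeholders, and the field order follows the documented string-to-sign for API version 2020-12-06.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values: not a real account, key or policy.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret!!").decode()
SAS_VERSION = "2020-12-06"


def sign_service_sas(account_key_b64, account, container, *, permissions="",
                     start="", expiry="", policy_id="", ip="", protocol="https"):
    """Return the query parameters of a blob-container service SAS.

    Ad-hoc mode embeds permissions/expiry in the token; policy mode leaves them
    empty in the string-to-sign and references a stored access policy instead.
    This helper deliberately refuses to mix the two so the policy stays the
    single place where access is defined and revoked.
    """
    if policy_id and (permissions or expiry):
        raise ValueError("keep permissions/expiry in the stored access policy")
    if not policy_id and not (permissions and expiry):
        raise ValueError("an ad-hoc SAS must carry explicit permissions and expiry")
    canonicalized_resource = f"/blob/{account}/{container}"
    fields = [permissions, start, expiry, canonicalized_resource, policy_id, ip,
              protocol, SAS_VERSION,
              "c",                 # signedResource: container
              "", "",              # signedSnapshotTime, signedEncryptionScope
              "", "", "", "", ""]  # rscc, rscd, rsce, rscl, rsct (response headers)
    string_to_sign = "\n".join(fields)
    key = base64.b64decode(account_key_b64)          # the account key is the HMAC key
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    params = {"sv": SAS_VERSION, "sr": "c", "spr": protocol}
    if policy_id:
        params["si"] = policy_id                     # permissions/expiry come from the policy
    else:
        params.update({"sp": permissions, "se": expiry})
        if start:
            params["st"] = start
    if ip:
        params["sip"] = ip
    params["sig"] = base64.b64encode(digest).decode()
    return params


def sas_url(account, container, params):
    return f"https://{account}.blob.core.windows.net/{container}?{urlencode(params)}"


if __name__ == "__main__":
    adhoc = sign_service_sas(ACCOUNT_KEY, ACCOUNT, "reports", permissions="rl",
                             expiry="2030-01-01T00:00:00Z")
    bound = sign_service_sas(ACCOUNT_KEY, ACCOUNT, "reports", policy_id="readonly-partner")
    print(sas_url(ACCOUNT, "reports", adhoc))
    print(sas_url(ACCOUNT, "reports", bound))
```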
Talking about identity-based access: user delegation SAS
A user delegation SAS is just like a normal SAS, however it is associated with an Azure AD identity, instead of being created with a storage account access key.
Below is a standard architecture where a service SAS is created with an account access key and has no link to an active user.
To improve this, we can integrate identity-centric security by issuing SAS access through Azure AD instead.
For SMB access to Azure Files shares, Azure AD identities can be used for authentication and authorization. This type of access control is for SMB access from domain-joined devices.
Select AD "onprem" or "ADDS", whichever suits your need, and it will configure identity-based SAS access.