Unable to replicate the SasSignature SHA256 in Azure Blob diagnostic audit logs for DelegationSas tokenHash

Question

Unable to replicate the SasSignature SHA256 in Azure Blob diagnostic audit logs for DelegationSas tokenHash

Richard Hauer 1

I have a solution that dynamically creates SAS tokens for a storage container by API. The API (Azure Fn) uses a Managed Identity to access the storage account. Thus, we use the "DelegationSas" authentication to generate the SAS token and return that to the user, who then uses the token to access the storage account.

This all works fine.

We have diagnostic audit logs on the storage account, connected to Event Grid so that we can record user activity. The events that are recorded include some Json specifying the tokenHash data for the identity used to access the Storage resource.

The relevant part looks like this:

{
    ... 
    "identity": {
        ...
        "tokenHash": "user-delegation([64-hex-chars]),SasSignature([64-hex-chars])",
        ...
    },
    ...
}

Now, according to the information in MS Docs here, the SasSignature value should be an "SHA 256 hash of the SAS token", but I am unable to replicate this value given the original SasToken generated for the user. I have captured this token verbatim for experimentation purposes and have tried many permutations to try and match this audit value, including:

Convert.ToHexString( SHA256.HashData( Encoding.UTF8.GetBytes( "sasToken incl sig" ) ) )
Convert.ToHexString( SHA256.HashData( Encoding.UTF8.GetBytes( "?sasToken incl sig" ) ) )
Convert.ToHexString( SHA256.HashData( Encoding.UTF8.GetBytes( "complete uri incl sasToken" ) ) )
Convert.ToHexString( SHA256.HashData( Encoding.UTF8.GetBytes( HttpUtility.UrlDecode( "sasToken incl sig" ) ) ) )
Convert.ToHexString( SHA256.HashData( Convert.FromBase64String( HttpUtility.UrlDecode( "sasToken just the sig" ) ) ) )

None of these are a match.

Does anyone have any information on how the value in the audit log is actually generated?

Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-03-19T13:01:01.8+00:00
Hi @Richard Hauer,

I understand that the issue you are facing in reproducing the SasSignature SHA256 value within Azure Blob diagnostic audit logs for a DelegationSas token is probably due to the unique method Azure uses to compute the Hash for the Sas Signature.

The SasSignature recorded in the audit logs is an SHA256 hash derived from the complete SAS token. However, Azure might implement certain encoding or transformations prior to the hashing process. Which includes as below:

Standardizing the SAS token (for instance, arranging query parameters in a specific order).

Encoding or decoding particular segments of the token.

Using a designated character set or format for the hashing process.

Please follow the below recommended steps to replicate the SasSignature.

Make sure that the token is in its standard form and matches the exact structure used for Azure's hash computation. Example as below:

string normalizedToken = NormalizeSasToken(sasToken);

Apply the SHA256 hashing algorithm to the normalized token. Make sure to hash the entire token, including the ? prefix if it is part of the token. For example:

using System.Security.Cryptography; using System.Text; string sasToken = "<your-sas-token>"; byte[] tokenBytes = Encoding.UTF8.GetBytes(sasToken); byte[] hashBytes = SHA256.HashData(tokenBytes); string hashHex = Convert.ToHexString(hashBytes);

If the SAS token includes URL-encoded characters (such as %2F for /), hash both the encoded and decoded versions to determine which one matches. Also, please Verify the computed hash against the SasSignature value in the audit log. If they still do not match, move on to the next step.

I hope by following the above helps in resolving the issue.

Please let us know in the comments below, if the issue is resolved or still persists. We will be glad to assist you closely.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Richard Hauer 1 Reputation point

2025-03-19T19:49:27.2266667+00:00

Thanks Hari,

You must have been writing this while I was posting my update, as it seems to have come in after mine by 45 minutes?

You’ll note that I actually tried exactly what you’ve suggested and it does not work. The critical part was to hash the string version of the sig parameter (the Hmac part of the token), and not the whole SasToken.

The documentation is also wrong, or at best misleading, in this case unfortunately.
Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-03-20T11:18:47.0566667+00:00

Hi @Richard Hauer,

We are glad to know that the issue has resolved by hashing the Base64 String version of the SasToken's sig(nature) parameter.

Thanks for sharing your solution here with forum community which worked for you. This will help for other community members who are facing the similar issue.

I would also request you to contribute your support to the community by "Accepting" Answer because original posters help the community find the Answers faster by identifying the correct Answer.

Please consider accepting the answer below to help increase visibility of this question for other members of the Microsoft Q&A community. If you have any questions, please let us know in the comments. Thank you for helping to improve Microsoft Q&A!

2 answers

Your answer

Richard Hauer 1 Reputation point

2025-03-19T19:49:27.2266667+00:00

Thanks Hari,

You must have been writing this while I was posting my update, as it seems to have come in after mine by 45 minutes?

You’ll note that I actually tried exactly what you’ve suggested and it does not work. The critical part was to hash the string version of the sig parameter (the Hmac part of the token), and not the whole SasToken.

The documentation is also wrong, or at best misleading, in this case unfortunately.
Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-03-20T11:18:47.0566667+00:00

Hi @Richard Hauer,

We are glad to know that the issue has resolved by hashing the Base64 String version of the SasToken's sig(nature) parameter.

Thanks for sharing your solution here with forum community which worked for you. This will help for other community members who are facing the similar issue.

I would also request you to contribute your support to the community by "Accepting" Answer because original posters help the community find the Answers faster by identifying the correct Answer.

Please consider accepting the answer below to help increase visibility of this question for other members of the Microsoft Q&A community. If you have any questions, please let us know in the comments. Thank you for helping to improve Microsoft Q&A!

Answer 1

After MANY additional permutations, I did actually find the answer!

Convert.ToHexString( 
  SHA256.HashData( 
    Encoding.UTF8.GetBytes( 
      "[url-decoded SasToken sig parameter]"
    )
  )
)

The trick is we're hashing the Base64 String version of the SasToken's sig(nature) parameter, not turning the sig back into a byte[] and hashing that.

I thought it was odd that Azure is hashing an HMAC (which is already a hash) but that's fine, as long as I can match the SAS back to the original user for audit purposes.

Answer 2

Hi @Richard Hauer,

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: Unable to replicate the SasSignature SHA256 in Azure Blob diagnostic audit logs for DelegationSas tokenHash

Solution: As you mentioned above that the key point is that you're hashing the Base64 String version of the SasToken's sig(nature) parameter, rather than converting the signature back into a byte[] and hashing that and you found it unusual that Azure is hashing an HMAC (which is already a hash), but it's acceptable as long as you can trace the SAS back to the original user for audit purposes.

Convert.ToHexString( 
  SHA256.HashData( 
    Encoding.UTF8.GetBytes( 
      "[url-decoded SasToken sig parameter]"
    )
  )
)

If your issue remains unresolved or have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

User's image

Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-03-21T11:29:46.2133333+00:00

Hi @Richard Hauer,

Your contribution is highly appreciated. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Unable to replicate the SasSignature SHA256 in Azure Blob diagnostic audit logs for DelegationSas tokenHash

2 answers

Your answer