Share via

SAS authentication to Third party Azure storage container

Michael Penney 5 Reputation points
2026-02-20T18:27:31.9866667+00:00

Using Azure Virtual desktop and doing Shared Access Signature SAS authentication does not work to a 3rd party Azure storage container. IP is whitelisted. It originally was working but stopped.

Error getting from Azure storage explorer: "This request is not authorized to perform this operation." Getting the same error from AZ CLI.

Azure Storage
Azure Storage

Globally unique resources that provide access to data management services and serve as the parent namespace for the services.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Michael Penney 5 Reputation points
    2026-03-03T01:31:23.02+00:00

    We setup a Private Link this resolved the issue.   Since our VDI is in Azure reaching the blob of another subscription as still showing the private IP address, so the public IP whitelisting did not work.

    1 person found this answer helpful.
    0 comments
  2. Q&A Assist
    2026-02-20T18:27:42.2666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It seems that you are encountering an authorization issue when trying to access a third-party Azure storage container using a Shared Access Signature (SAS). The error message "This request is not authorized to perform this operation" indicates that there may be a problem with the SAS token or its permissions.

    Here are some common causes and solutions for this issue:

    1. Expired Token: Ensure that the SAS token has not expired. If it has, generate a new SAS token with a future expiration time.
    2. Missing Permissions: Check if the SAS token includes all the necessary permissions for the operation you are trying to perform. If permissions are missing, you will need to regenerate the SAS token with the correct permissions.
    3. SAS Token Format: If you are manually constructing the SAS token, verify that it is well-formed and includes all required fields. Using official Azure SDKs or tools like Azure Storage Explorer can help avoid formatting errors.
    4. Service vs Account SAS: Make sure you are using the appropriate type of SAS for your operation. For account-level operations, an Account SAS is required, while a Service SAS is needed for specific blob/container operations.
    5. IP Address Whitelisting: Although you mentioned that the IP is whitelisted, double-check that the IP address from which you are making the request matches the whitelisted IP address in the storage account settings.
    6. User Delegation SAS: If you are using a User Delegation SAS, ensure that the necessary fields and permissions are correctly set up.

    If none of these solutions resolve the issue, consider reviewing the comprehensive diagnostic checklist for troubleshooting authorization errors in Azure Blob Storage.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.