Remove storage blob connection string and access using user delegation SAS or managed identity

Amit Thore 41 Reputation points
2025-02-21T05:31:31.61+00:00

Hi,
I want to remove the dependency on the storage account connection string key and need to use managed identity or user delegation SAS in my web app, which has .NET Core in the backend and React in the front end.
I want to access all blobs and queues from the storage account.

Please suggest the best example to maintain security.


1 answer

  1. Siva Nair 395 Reputation points Microsoft Vendor
    2025-02-21T12:13:50.0666667+00:00

    Hi Amit Thore,

    Let's follow the points below to securely access Azure Storage blobs and queues without using a connection string.

    1. To use Managed Identity, your backend must be hosted on an Azure service that supports it. Start by enabling System Assigned Managed Identity in the Azure Portal under your resource's Identity settings. Then, assign the necessary roles to this Managed Identity on your Storage Account: "Storage Blob Data Contributor" for accessing blobs and "Storage Queue Data Contributor" for working with queues.

    In your .NET Core application, use 'DefaultAzureCredential' from the Azure Identity SDK, which automatically uses Managed Identity when running in Azure. This lets you access blobs and queues securely without needing connection strings. Locally, it uses your Azure CLI login for authentication, making development seamless. 

    2. For frontend access, User Delegation SAS is recommended as it provides temporary, limited access to storage resources. This approach avoids exposing sensitive keys in frontend code.

    In the backend, generate the SAS token using .NET Core by obtaining a User Delegation Key from Azure Storage. This key is specific to the authenticated user and respects their Azure AD permissions. After generating the SAS URL, return it to the React frontend via a secured API endpoint.

    In React, use the SAS URL to access blobs, ensuring secure access with temporary and least-privileged permissions. This allows users to download or view blobs without revealing storage account keys. 

    3. To maintain strong security: Generate SAS tokens only in the backend to protect against exposure in the frontend. Limit SAS token permissions (e.g., read-only) and set short expiration times for added security. Secure your backend API using Azure AD authentication to ensure only authorized users can request SAS tokens. Always use HTTPS to protect SAS tokens from interception.

    For reference, please refer to:

    https://learn.microsoft.com/en-us/entra/identity-platform/multi-service-web-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp

    https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas

    https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

    If you need any further assistance, do let me know.

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face a similar issue may benefit from it.

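The backend flow the answer describes (DefaultAzureCredential, user delegation key, short-lived read-only SAS handed to the React client, queue access over the same identity), as an added C# example that is not from the original answer. It assumes the Azure.Identity, Azure.Storage.Blobs and Azure.Storage.Queues packages are referenced; the account name, container, blob and queue names are placeholders.

```csharp
using System;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Queues;
using Azure.Storage.Sas;

public static class StorageAccess
{
    // Placeholder account name; no account key or connection string exists in the app.
    const string AccountName = "<storage-account>";
    static readonly Uri BlobEndpoint = new Uri($"https://{AccountName}.blob.core.windows.net");
    static readonly Uri QueueEndpoint = new Uri($"https://{AccountName}.queue.core.windows.net");
    // In Azure this resolves to the App Service managed identity; locally, to the
    // developer's Azure CLI login, so the same code runs unchanged in both places.
    static readonly DefaultAzureCredential Credential = new DefaultAzureCredential();

    // Backend only: mint a read-only SAS for one blob and return the full URL for the
    // React client. Needs a Storage Blob Data role on the identity; a user delegation
    // key, and so any SAS signed with it, can live at most 7 days.
    public static Uri CreateReadOnlyBlobSasUrl(string container, string blobName, TimeSpan lifetime)
    {
        if (lifetime <= TimeSpan.Zero || lifetime > TimeSpan.FromDays(7))
            throw new ArgumentOutOfRangeException(nameof(lifetime));
        var service = new BlobServiceClient(BlobEndpoint, Credential);
        DateTimeOffset startsOn = DateTimeOffset.UtcNow.AddMinutes(-5); // tolerate clock skew
        DateTimeOffset expiresOn = DateTimeOffset.UtcNow.Add(lifetime);
        // Key is issued against the Azure AD identity, not derived from the account key.
        UserDelegationKey key = service.GetUserDelegationKey(startsOn, expiresOn).Value;
        var sas = new BlobSasBuilder
        {
            BlobContainerName = container,
            BlobName = blobName,
            Resource = "b",               // scoped to this single blob, not the container
            StartsOn = startsOn,
            ExpiresOn = expiresOn,
            Protocol = SasProtocol.Https, // token is rejected over plain HTTP
        };
        sas.SetPermissions(BlobSasPermissions.Read);
        var uri = new BlobUriBuilder(BlobEndpoint)
        {
            BlobContainerName = container,
            BlobName = blobName,
            Sas = sas.ToSasQueryParameters(key, AccountName),
        };
        return uri.ToUri();
    }

    // Queues stay backend-only over the same credential (Storage Queue Data Contributor).
    public static void Enqueue(string queueName, string message) =>
        new QueueClient(new Uri(QueueEndpoint, queueName), Credential).SendMessage(message);
}
```

Expose CreateReadOnlyBlobSasUrl only behind an Azure AD-authenticated API endpoint, so the client receives a URL it can fetch directly while the account key never leaves Azure.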
