
Public Preview: Restrict usage of user delegation SAS to an Entra ID identity


We’re excited to announce the addition of enhanced secure authentication in Azure Storage that combines the flexibility of user delegation shared access signature (SAS) with the user-bound access of Entra ID. User-bound user delegation SAS is now in preview for all regions.

User delegation SAS is an existing feature that allows users to create secure SAS tokens that are tied to the delegator, meaning the delegator must verify their identity with Entra to create the token. The resulting token can be traced to the delegator and is valid for at most 7 days.

The user-bound feature is an extension of user delegation (UD) SAS, which is already generally available for Azure Blobs and in public preview for Azure Files, Azure Tables, and Azure Queues. User-bound user delegation SAS allows users to create a more secure SAS token than account SAS, service SAS, or normal user delegation SAS by restricting the usage of the SAS token to an end user identity. This helps enforce that the user delegation SAS can only be used by the intended users.

There is no additional cost to use user-bound user delegation SAS. Pricing is based on the standard read/write transaction costs for your storage account type. To learn more, please see [Azure Storage Pricing](https://azure.microsoft.com/pricing/details/storage/blobs/).

This preview is available in all public regions. [Learn more](https://learn.microsoft.com/rest/api/storageservices/create-user-delegation-sas).