How to Use Shared Access Signatures (SAS) to Limit Azure Storage Account Access

In a hospital setting, sensitive medical images and documents must be shared with patients in a way that is both secure and convenient. Azure Shared Access Signatures (SAS) make this possible by granting time‑limited, permission‑controlled access to files stored in a Blob container, without exposing the hospital’s storage account keys.

In this workflow, the hospital uploads patient scans into a dedicated container, generates a SAS token with restricted read permissions, and appends it to a secure link. That link is then converted into a QR code, printed, and handed directly to the patient. By scanning the QR code, the patient can safely view their medical images within the defined access window, ensuring compliance with privacy requirements while keeping the process simple and patient friendly. This tutorial is a simplified demo of how SAS works.
In real hospital apps, these steps are automated. The steps below illustrate how SAS works behind the scenes, purely for educational purposes.

1. The first step is to create the storage account that will hold the Blob containers.

Azure portal screenshot of the Storage center for Blob accounts, highlighting the '+ Create' button for starting the process of creating a new storage account.

2. In the pop-up window, fill in the requested information, such as Resource group, Storage account name and Region, and click Review + Create.

Azure portal create storage account page displaying project details and instance details sections.

3. Once the storage account is created, the next step is to create the Blob container where the patient’s data will be stored. To do this, click Storage browser – Blob containers – Add container and name the container as shown in the screenshot below.

Azure portal screenshot showing the steps to create a new Blob container: navigating to 'Storage browser', selecting 'Blob containers', clicking 'Add container', and entering the container name.

Once created, the container appears immediately under Blob containers.

4. Now go back to the container list, click the container you just created (hannah-schreiber) and upload the files. In this scenario they are the patient’s scans.

Azure portal upload dialog showing the steps to add files to a Blob container: clicking 'Upload', selecting files, and confirming upload.

5. The next step is to create the HTML file that will display the images we just uploaded. Because this page only shows images, we can write simple HTML in Notepad, with some CSS included just for positioning the text and images.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Hannah Schreiber - Medical Images</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 20px;
            background-color: #f5f5f5;
            color: #333;
        }
        .container {
            max-width: 800px;
            margin: 0 auto;
            background-color: white;
            padding: 30px;
            border-radius: 8px;
            box-shadow: 0 2px 10px rgba(0,0,0,0.1);
        }
        h1 {
            color: #0078d4;
            text-align: center;
            margin-bottom: 10px;
        }
        .subtitle {
            text-align: center;
            color: #666;
            margin-bottom: 30px;
        }
        .image-container {
            margin: 30px 0;
            text-align: center;
        }
        img {
            max-width: 100%;
            height: auto;
            border: 2px solid #e0e0e0;
            border-radius: 4px;
            box-shadow: 0 2px 8px rgba(0,0,0,0.1);
        }
        .image-label {
            font-weight: bold;
            margin-bottom: 15px;
            color: #0078d4;
            font-size: 18px;
        }
        .footer {
            margin-top: 40px;
            padding: 20px;
            background-color: #f8f9fa;
            border-radius: 4px;
            font-size: 14px;
            color: #666;
        }
        .footer strong {
            color: #333;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1>Hannah Schreiber</h1>
        <p class="subtitle">X-Ray Imaging Results</p>
       
        <div class="image-container">
            <div class="image-label">X-Ray 1</div>
            <img src="xray_1.jpg?sp=rl&st=2025-10-06T18:11:31Z&se=2025-10-07T02:26:31Z&spr=https&sv=2024-11-04&sr=c&sig=Oxh3cptSB8fgfEfNCzr%2FN5BQX%2BwXWk8T3TRW7j1qOU4%3D" alt="X-Ray Image 1">
        </div>
       
        <div class="image-container">
            <div class="image-label">X-Ray 2</div>
            <img src="xray_2.png?sp=rl&st=2025-10-06T18:11:31Z&se=2025-10-07T02:26:31Z&spr=https&sv=2024-11-04&sr=c&sig=Oxh3cptSB8fgfEfNCzr%2FN5BQX%2BwXWk8T3TRW7j1qOU4%3D" alt="X-Ray Image 2">
        </div>
       
        <div class="footer">
            <strong>Important Information:</strong><br>
            • These images are confidential medical records<br>
            • Do not share this link with anyone<br>
            • This link will expire on October 7, 2025 at 02:26 UTC<br>
            • If you have questions, please contact your healthcare provider
        </div>
    </div>
</body>
</html>
  

6. Once the HTML file is written, upload it into the patient container the same way we did with the images in step 4.

7. Next, generate the Shared Access Signature (SAS) from the container itself by clicking on the three dots at the end of the row.

Azure portal screenshot showing the Storage browser for the 'clementinest' storage account. The selected 'hannah-schreiber' blob container has its options menu open, with the 'Generate SAS' action highlighted, indicating how to start creating a Shared Access Signature for secure access control.

8. In the new window, configure properties such as the permissions and the time frame during which access will be allowed. For this case, we’ll select only the Read and List permissions and copy the Blob SAS URL, which we’ll need later to access the files we uploaded.

Azure portal screenshot showing the 'Generate SAS' dialog for a storage container. The image highlights the selection of 'Read' and 'List' permissions in the dropdown, the blue button to generate SAS token and URL, and the output fields displaying the Blob SAS token and Blob SAS URL for securing blob access.

9. The generated SAS needs to be converted into a patient link. This is done by copying the container SAS URL, for example https://clementinest.blob.core.windows.net/hannah-schreiber followed by the SAS query string:

SAS Query String

?sp=rl
&st=2025-10-06T18:11:31Z
&se=2025-10-07T02:26:31Z
&spr=https
&sv=2024-11-04
&sr=c
&sig=Oxh3cptSB8fgfEfNCzr%2FN5BQX%2BwXWk8T3TRW7j1qOU4%3D

10. Append /index.html and the same SAS query string to point to the HTML page:

SAS URL

https://clementinest.blob.core.windows.net/hannah-schreiber/index.html?
sp=rl
&st=2025-10-06T18:11:31Z
&se=2025-10-07T02:26:31Z
&spr=https
&sv=2024-11-04
&sr=c
&sig=Oxh3cptSB8fgfEfNCzr%2FN5BQX%2BwXWk8T3TRW7j1qOU4%3D

This full URL is our patient access link.

11. The last step is to create a PowerShell script that generates a QR code from the URL for convenient access.
Open PowerShell and install the QRCodeGenerator module:

PowerShell Command

Install-Module QRCodeGenerator -Scope CurrentUser -Force

Then create the QR code image (replace the URL with your actual HTML SAS URL):

PowerShell QR Code Command

$qrUrl = "https://clementinest.blob.core.windows.net/hannah-schreiber/index.html?sp=rl&st=2025-10-06T18:11:31Z&se=2025-10-07T02:26:31Z&spr=https&sv=2024-11-04&sr=c&sig=Oxh3cptSB8fgfEfNCzr%2FN5BQX%2BwXWk8T3TRW7j1qOU4%3D"
$pngPath = "$env:USERPROFILE\Desktop\Scans\hannah-schreiber_QR.png"
New-PSOneQRCodeText -Text $qrUrl -OutPath $pngPath -Width 400

12. Open the output folder to confirm that the QR code image has been created. This QR code can then be inserted into a template for printing and handed to the patient as a physical copy.

Windows File Explorer window open to the 'Scans' folder, displaying a single QR code image file named 'hannah-schreiber_QR' with a QR code thumbnail.
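Before a link like the one built in steps 9 and 10 is printed, it is worth checking what the token actually grants. The following is an added example, not part of the original tutorial: it decodes the SAS fields of that URL (sp, st, se, spr, sr) and lists what a reviewer would flag. The function name audit_sas and the one-hour lifetime limit are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Patient link from step 10 of this page.
PATIENT_URL = (
    "https://clementinest.blob.core.windows.net/hannah-schreiber/index.html"
    "?sp=rl&st=2025-10-06T18:11:31Z&se=2025-10-07T02:26:31Z&spr=https"
    "&sv=2024-11-04&sr=c&sig=Oxh3cptSB8fgfEfNCzr%2FN5BQX%2BwXWk8T3TRW7j1qOU4%3D"
)
PERMS = {"r": "read", "l": "list", "w": "write", "d": "delete", "a": "add", "c": "create"}
SCOPES = {"c": "container", "b": "blob"}

def _utc(value):
    # Assumes the full timestamp form used on this page (YYYY-MM-DDThh:mm:ssZ).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url, now, max_lifetime=timedelta(hours=1)):
    """Return (summary, findings) for a SAS URL. max_lifetime is an assumed policy."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    expiry = _utc(q["se"])
    # st is optional in a SAS; without it the token is valid from issue time.
    start = _utc(q["st"]) if "st" in q else now
    summary = {  # the sig value is deliberately left out so it is never logged
        "blob_path": parts.path,
        "permissions": [PERMS.get(p, p) for p in q["sp"]],
        "scope": SCOPES.get(q["sr"], q["sr"]),
        "lifetime": expiry - start,
        "valid_now": start <= now < expiry,
    }
    findings = []
    if q.get("spr") != "https":
        findings.append("token is not restricted to HTTPS")
    if summary["scope"] == "container":
        findings.append("container scope: token works for every blob in the container")
    if "list" in summary["permissions"]:
        findings.append("list permission: holder can enumerate the container")
    if set(q["sp"]) - {"r", "l"}:
        findings.append("grants more than read/list")
    if summary["lifetime"] > max_lifetime:
        findings.append(f"lifetime {summary['lifetime']} exceeds policy {max_lifetime}")
    return summary, findings

if __name__ == "__main__":
    summary, findings = audit_sas(PATIENT_URL, datetime(2025, 10, 6, 20, 0, tzinfo=timezone.utc))
    print(summary)
    print("\n".join(findings))
```

For the link on this page the audit reports container scope, the list permission and a lifetime of 8 hours 15 minutes, so the printed QR code is a bearer credential for every file in hannah-schreiber until the token expires.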

This walkthrough is a simplified showcase of how Shared Access Signatures (SAS) can be used to protect patient data in Azure. In practice, hospitals do not manually generate SAS tokens per patient. Instead, backend systems automatically create short‑lived SAS tokens when a patient logs into a secure portal or app. This tutorial demonstrates the concept so you can understand what happens behind the scenes.