Azure SAS, or Shared Access Signature, is a security token that provides restricted access to specific resources in Microsoft Azure, such as Azure Storage, Azure Blob Storage, Azure Table Storage, and Azure Queues, without exposing the account keys. SAS tokens are useful for delegating limited access to resources to clients or services while maintaining control over permissions and expiration.

Here are the key components and aspects of Azure SAS tokens:

1. Resource URI: A SAS token is associated with a specific resource, identified by its URI. This URI typically includes the resource endpoint, such as a blob container or a table, and may also include additional parameters to specify the resource and its location.

2. Expiration: You can set an expiration date and time for a SAS token, after which it becomes invalid. This allows you to grant temporary access to resources.

3. Permissions: SAS tokens define the permissions granted to the holder of the token. There are several types of permissions, including:

   • Read: Allows reading or retrieving data from the resource.
   • Write: Allows creating, updating, or deleting data in the resource.
   • List: Permits listing the contents of the resource (e.g., list blobs in a container).
   • Delete: Allows deleting the resource or its data.
   • Add: Permits adding data to the resource (e.g., adding messages to a queue).
   • Process: Used for processing messages in Azure Queues.

4. Service-Specific Parameters: Depending on the Azure service and resource type, SAS tokens may include service-specific parameters, such as container or table names, file paths, or queue names, to specify the exact resource being accessed.

5. Signature: A signature is generated using the account key or a shared access key and other parameters. This signature is included in the SAS token and is used to verify the authenticity and integrity of the token.

6. Protocols and IP Ranges: You can further restrict access by specifying which IP addresses or IP ranges are allowed to use the SAS token and by choosing whether HTTP or HTTPS is required for communication.

7. Delegation: SAS tokens can be created to delegate access to resources without exposing the primary account key. This enhances security and allows third-party clients or services to access specific resources with limited privileges.