First 10 Minutes: Security

Use this checklist when the main symptom is 403, authorization mismatch, SAS rejection, or identity-policy confusion.

```mermaid
flowchart TD
    A[Security or auth failure] --> B{Using SAS?}
    B -->|Yes| C[Check token fields and clock]
    B -->|No| D{Using Azure AD/RBAC?}
    D -->|Yes| E[Check data-plane role and scope]
    D -->|No| F[Check shared key policy and auth mode]
```

Checklist

  1. Capture the exact error code, auth method, target resource, and timestamp.
  2. Determine whether the request uses Azure AD, SAS, or shared key.
  3. If using Azure AD, verify data-plane role, scope, tenant, and token freshness.
  4. If using SAS, inspect st, se, sp, spr, sip, and resource scope.
  5. Confirm account policy: shared key allowed or disabled, public access settings, and any network rules that can masquerade as auth failures.
  6. Re-test after only one change at a time.
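
Step 4 can be done offline against the failing URL. The following is an added example, not part of the original checklist: it parses the SAS query string and reports which of `st`, `se`, `sp`, `spr`, `sip` and `sr` would explain a rejection. The function name `inspect_sas`, its parameters, and the sample URL (account, path, signature) are constructed for illustration; the signature itself is not verified.

```python
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

def _ts(value):
    # SAS times are UTC ISO 8601; try second, minute, then date-only precision.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAS time: {value!r}")

def inspect_sas(url, now, perm, client_ip, scheme="https", sr=None):
    """Return findings that explain why the service may reject this SAS."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    out = []
    if "st" in q and now < _ts(q["st"]):
        out.append(f"st={q['st']} is in the future: not yet valid, check client clock")
    if "se" in q and now >= _ts(q["se"]):
        out.append(f"se={q['se']} has passed: token expired")
    if "se" not in q and "si" not in q:
        out.append("se missing and no stored access policy (si) referenced")
    if perm not in q.get("sp", ""):
        out.append(f"sp={q.get('sp', '')!r} does not grant {perm!r}")
    if "spr" in q and scheme not in q["spr"].split(","):
        out.append(f"spr={q['spr']} does not allow {scheme}")
    if "sip" in q:
        # sip is a single address or an inclusive "low-high" range.
        lo, _, hi = q["sip"].partition("-")
        if not ip_address(lo) <= ip_address(client_ip) <= ip_address(hi or lo):
            out.append(f"sip={q['sip']} excludes caller {client_ip}")
    if sr and q.get("sr") != sr:
        out.append(f"sr={q.get('sr')!r} does not match expected scope {sr!r}")
    return out

# Constructed sample URL (placeholder account, path and signature).
SAMPLE = ("https://exampleacct.blob.core.windows.net/logs/app.log"
          "?sv=2022-11-02&st=2024-05-01T10%3A00%3A00Z&se=2024-05-01T11%3A00%3A00Z"
          "&sr=b&sp=r&spr=https&sip=203.0.113.10-203.0.113.20&sig=PLACEHOLDER")

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 11, 5, tzinfo=timezone.utc)
    for finding in inspect_sas(SAMPLE, now, "w", "198.51.100.7", sr="c"):
        print(finding)
```

Pass the timestamp captured in step 1 as `now` rather than the current time, so the validity window is judged as it was when the request failed.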
