Managed Identities vs Shared Access Signatures
Azure gives you two ways to let code reach a resource without a password in plaintext. One rotates itself and never hands you a secret to leak. The other hands you a string and prays you don't paste it into a log. The pick isn't close.
The short answer
Managed Identities over Shared Access Signatures for most cases. A Managed Identity has no credential you can lose, leak, or forget to rotate — Azure mints and rotates the token under your service.
- Pick Managed Identities if your workload runs inside Azure (App Service, Functions, AKS, VMs, Container Apps) and the target supports Entra auth — which is nearly everything modern
- Pick Shared Access Signatures if must grant a non-Azure client, a browser upload, or a third party scoped, time-boxed access to a specific blob or container — the one job MI genuinely can't do
- Also consider: User-delegation SAS, which signs the SAS with a Managed Identity instead of the account key. It's the bridge: MI's identity model plus SAS's hand-off-a-URL ergonomics, with no account key in play.
— Nice Pick, opinionated tool recommendations
What they actually are
A Managed Identity is an Entra service principal Azure creates and babysits for your resource. Your code calls DefaultAzureCredential, gets a short-lived token, and reaches Storage, Key Vault, SQL, Service Bus — anything wired to Entra RBAC. No secret ever touches your config. A Shared Access Signature is a signed query string appended to a resource URL: a permission set, a start and expiry time, and an HMAC signature over the account key or a user-delegation key. Whoever holds the string has exactly those rights until expiry. Managed Identity answers 'who is this caller'; SAS answers 'here is a capability, go use it.' That is the whole philosophical split. One is identity-based and revocable by removing a role; the other is a bearer token you cannot un-issue without rotating the signing key. Keep that distinction and every other tradeoff falls out of it cleanly.
Where Managed Identities win
Credential management, which is the entire ballgame. There is no string to store in App Settings, no secret to rotate on a calendar reminder you'll ignore, nothing to accidentally commit to a public repo or print into Application Insights. Access is governed by RBAC role assignments you can revoke in one click, and every call is auditable to a named principal in Entra sign-in logs — not an anonymous signature you can't trace. Token lifetime is minutes and rotation is automatic, so the blast radius of a compromised host is tiny and self-healing. It works across far more than Storage: Key Vault, Azure SQL, Cosmos, Service Bus, Event Hubs all speak Entra. The cost is zero and the operational overhead after setup is also zero. For any workload that lives inside Azure, this isn't the better option — it's the only one a competent reviewer should sign off on.
Where SAS earns its keep
The handoff. Managed Identity assumes the caller is an Azure resource that can fetch a token. The moment your caller isn't — a browser doing a direct-to-blob upload, a partner's on-prem batch job, a mobile client, a CDN origin pull — Entra RBAC has nobody to assign a role to. SAS is the answer: mint a URL scoped to one container, read-only, expiring in fifteen minutes, hand it over, walk away. No client SDK, no token dance, no identity provisioning on the other end. It's also granular in ways RBAC isn't — you can scope to a single blob with a stored access policy you can revoke. But generate it with a user-delegation key signed by a Managed Identity, never the account key. An account-key SAS is a skeleton key to your whole storage account wearing a fake mustache.
The honest tradeoff
SAS's strength and its sin are the same thing: it's a bearer token. Anyone who intercepts the URL — from a log, a referrer header, a screenshot, a proxy — is you, with full granted rights, for the full lifetime, and you will not know. Revocation means rotating the signing key, which nukes every other live SAS at the same time. People paper over this with long expiries because short ones are annoying, and a one-year account-key SAS in a config file is the single most common Azure storage breach pattern in existence. Managed Identity has none of this: nothing to intercept, revocation is a role removal, tokens die in minutes. The only thing SAS does that MI can't is reach a non-Azure caller — and user-delegation SAS closes even that gap. So this isn't a balanced scorecard. SAS is a specialized tool for one job; treating it as your default auth is how audits become incidents.
Quick Comparison
| Factor | Managed Identities | Shared Access Signatures |
|---|---|---|
| Secret to store/leak | None — Azure mints short-lived tokens | A bearer string anyone holding can use |
| Revocation | Remove an RBAC role assignment, instant | Rotate signing key, kills all live SAS at once |
| Auditability | Named principal in Entra sign-in logs | Anonymous signature, hard to trace to a caller |
| Non-Azure / browser callers | No principal to assign a role to — can't | Hand over a scoped, time-boxed URL, done |
| Service coverage | Storage, Key Vault, SQL, Cosmos, Service Bus, Event Hubs | Storage (and a few service-specific variants) |
The Verdict
Use Managed Identities if: Your workload runs inside Azure (App Service, Functions, AKS, VMs, Container Apps) and the target supports Entra auth — which is nearly everything modern.
Use Shared Access Signatures if: You must grant a non-Azure client, a browser upload, or a third party scoped, time-boxed access to a specific blob or container — the one job MI genuinely can't do.
Consider: User-delegation SAS, which signs the SAS with a Managed Identity instead of the account key. It's the bridge: MI's identity model plus SAS's hand-off-a-URL ergonomics, with no account key in play.
A Managed Identity has no credential you can lose, leak, or forget to rotate — Azure mints and rotates the token under your service. A SAS is a bearer string: anyone holding it is you, until it expires or the key it was signed with rotates. That single architectural difference decides everything downstream.
Related Comparisons
Disagree? nice@nicepick.dev