Issue with SAS URL Format for Output Container in Azure Document Redaction API

Question

Issue with SAS URL Format for Output Container in Azure Document Redaction API

Swapnil Singh 0

I'm encountering a 403 AuthorizationFailure error when using Azure's Document Redaction API, specifically when trying to save the redacted output to a Blob Storage container using a SAS URL. While the SAS URL for the source blob works as expected, the output container SAS URL results in an authorization error, even though it was generated at the container level with write and list (sp=wl) permissions. I also attempted to add restype=container to the URL but still faced the same issue. I’m unsure if the problem is due to incorrect SAS token permissions, an improperly structured URL, or a missing parameter. I need clarification on the correct SAS URL format and permissions required to enable successful writing of redacted documents to a container.

I am trying to use the Azure Language Service API to perform PII redaction on a document stored in Azure Blob Storage. Below is the request payload I’m using:

{
  "displayName": "Document PII Redaction example",
  "analysisInput": {
    "documents": [
      {
        "language": "en-US",
        "id": "Output-1",
        "source": {
          "location": "<source-blob-SAS-URL>"
        },
        "target": {
          "location": "<output-container-SAS-URL>"
        }
      }
    ]
  },
  "tasks": [
    {
      "kind": "PiiEntityRecognition",
      "taskName": "Redact PII Task 1",
      "parameters": {
        "redactionPolicy": {
          "policyKind": "entityMask"
        },
        "piiCategories": ["Person", "Organization"],
        "excludeExtractionData": false
      }
    }
  ]
}

I’m calling this endpoint: POST https://<your-language-resource>.cognitiveservices.azure.com/language/analyze-documents/jobs?api-version=2024-11-15-preview

Issue:

The source blob SAS URL works correctly when tested in a browser.

However, the redaction job fails due to a 403 error when writing to the output container.

Here's the error message I receive in the job status response:
"Unauthorized to access the blob. This request is not authorized to perform this operation." Status: 403 (AuthorizationFailure) ErrorCode: AuthorizationFailure Example Output SAS URL : https://<your-storage-account>.blob.core.windows.net/targetcontainer?sp=wl&st=2025-07-31T07:05:37Z&se=2025-08-02T15:20:37Z&sip=0.0.0.0-255.255.255.255&sv=2024-11-04&sr=c&sig=<signature>

Nandamuri Pranay Teja 4,445 Reputation points Microsoft External Staff Moderator

2025-07-31T18:11:36.02+00:00
Hello Swapnil Singh

Thank you for your question!

To investigate further could you please confirm on the below questions.

Can you confirm the exact permissions set on the SAS token for the output container? Is there any specific IP address restriction in your SAS token?

Have you tested the SAS URL directly in a different environment (like a browser or curl) to see if it works outside of the API?

Awaiting for your response!
Swapnil Singh 0 Reputation points

2025-08-01T07:16:23.8266667+00:00

Hello @Nandamuri Pranay Teja ,

Thank you for your response.

To answer your queries:

The SAS token I used has the permissions sp=wl, which provides write and list access. I have also tried with extended permissions sp=racwdli, but unfortunately, the issue still persists.

For IP restrictions, I have specified sip=0.0.0.0-255.255.255.255 to allow access from all IP ranges.

I also tested the SAS URL in other environments like a browser and using curl, but it did not work in either case for the container.

Please let me know if you need any more details to assist further.
Swapnil Singh 0 Reputation points

2025-08-01T07:20:16.9+00:00

1 answer

Your answer

Nandamuri Pranay Teja 4,445 Reputation points Microsoft External Staff Moderator

2025-07-31T18:11:36.02+00:00

Hello Swapnil Singh

Thank you for your question!

To investigate further could you please confirm on the below questions.

Can you confirm the exact permissions set on the SAS token for the output container? Is there any specific IP address restriction in your SAS token?

Have you tested the SAS URL directly in a different environment (like a browser or curl) to see if it works outside of the API?

Awaiting for your response!
Swapnil Singh 0 Reputation points

2025-08-01T07:16:23.8266667+00:00

Hello @Nandamuri Pranay Teja ,

Thank you for your response.

To answer your queries:

The SAS token I used has the permissions sp=wl, which provides write and list access. I have also tried with extended permissions sp=racwdli, but unfortunately, the issue still persists.

For IP restrictions, I have specified sip=0.0.0.0-255.255.255.255 to allow access from all IP ranges.

I also tested the SAS URL in other environments like a browser and using curl, but it did not work in either case for the container.

Please let me know if you need any more details to assist further.
Swapnil Singh 0 Reputation points

2025-08-01T07:20:16.9+00:00

Answer 1

Hello Swapnil Singh

Thank you for the response!

Please confirm How are you generating the SAS token? (Portal, CLI, PowerShell, SDK) What exact error message do you get with curl? (include the full response) Can you share the complete SAS URL structure? (with sensitive parts redacted like: https://account.blob.core.windows.net/container?sp=...&sig=REDACTED) Are you using a standard storage account or premium/special configuration?

However, in the meantime Let's test your SAS token step by step:

List container contents

curl -X GET "https://<account>.blob.core.windows.nt/<container>?restype=container&comp=list&<your-sas-token>"

Upload a test blob

curl -X PUT "https://<account>.blob.core.windows.net/<container>/test.txt?<your-sas-token>" \
  -H "x-ms-blob-type: BlockBlob" \
  -H "Content-Type: text/plain" \
  -d "test content"

Check for these common problems:

Clock Skew Issues Ensure your system time is accurate. Add buffer time

# Start time 15 minutes ago, expiry well in future
--start-time "2025-08-05T06:00:00Z" \
--expiry "2025-08-10T00:00:00Z"

Make sure you're using the correct storage account key:

# Get the correct key
az storage account keys list --account-name <account> --resource-group <rg>

Your SAS URL should look like this:

https://<account>.blob.core.windows.net/<container>?sp=racwdli&st=2025-08-05T06%3A00%3A00Z&se=2025-08-10T00%3A00%3A00Z&sv=2024-11-04&sr=c&sig=<signature>

Do let me know if you have any questions!

Nandamuri Pranay Teja 4,445 Reputation points Microsoft External Staff Moderator

2025-08-06T09:27:51.19+00:00

Hello Swapnil Singh

Just checking in to see if the provided answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.
Nandamuri Pranay Teja 4,445 Reputation points Microsoft External Staff Moderator

2025-08-07T03:59:18.3+00:00

Hello Swapnil Singh

I wanted to follow-up to see if the provided answer helped. And, if you have any further queries do let us know.

Share via

Issue with SAS URL Format for Output Container in Azure Document Redaction API

1 answer

Your answer