[Azure] SAS tokens returning 403 AuthorizationFailure even though token generates successfully, storage account has public access disabled.

Stack: FastAPI backend, React frontend, Azure Data Lake Storage Gen2, deployed on Azure Container Apps
The setup: Building a RAG-based document chat app. When users click citation links, the backend generates a SAS token and returns a blob URL so Microsoft Office Online Viewer can render DOCX/XLSX/PPTX files in an iframe. PDF files are rendered natively in the browser using the <object> tag.
The problem: SAS tokens generate successfully (200 OK from backend) but when the browser or Microsoft's viewer servers try to fetch the blob URL, they get:
```
<Error>
<Code>AuthorizationFailure</Code>
<Message>This request is not authorized to perform this operation.</Message>
</Error>
```
What we tried:
• Account key SAS — generates fine, still 403 on fetch
• User delegation SAS — same result
• URL encoding spaces in blob path — fixed signature mismatch
• Checked SAS token format — looks correct (sv, se, sp=r, sig)
Root cause we found: The storage account has Public network access: Disabled with private endpoints only. Everything only accessible within the VNet.
Interesting behavior:
• PDF works inside corporate VPN/PAM tool, browser is inside VNet, <object data={sasUrl}> fetches directly ✅
• PDF fails outside VPN — browser on public internet, same 403 ❌
• DOCX/XLSX/PPTX fail everywhere — Microsoft's viewer servers (view.officeapps.live.com) are always on public internet, always blocked ❌
The question: With a fully private storage account (private endpoints only, public access disabled), is there any way to make SAS tokens work for third-party viewers like Microsoft Office Online? Or is the only correct architecture to stream everything through the backend?
Current workaround: Routing all file fetches through our JWT-protected backend download endpoint, which is inside the VNet and can reach storage. Works for PDF and DOCX (client-side rendering). PPTX has no good client-side renderer so showing a download button instead.
Considering:
• LibreOffice backend conversion (PPTX → PDF, stream PDF)
• Asking infra team to enable public access from selected networks
• Google Docs Viewer as alternative to Microsoft Viewer (same problem — needs public URL)
Anyone dealt with this pattern before? Is LibreOffice conversion the standard approach for private storage + document preview?
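
A triage helper for the failure described in the post, as an added example that is not part of the original post: it separates problems visible in the SAS URL itself (missing fields, expiry, unencoded spaces) from a rejection at the storage network layer, using the `<Code>` in the error body. The function names, the layer labels, the sample account/container and the placeholder signature are assumptions; `AuthenticationFailed` and `AuthorizationPermissionMismatch` are Azure Storage error codes for signature and permission failures that do not appear in the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Error code -> layer that rejected the request (labels are this example's own).
# AuthorizationFailure is the case from the post: public network access disabled.
LAYER = {
    "AuthorizationFailure": "network-rule",
    "AuthenticationFailed": "sas-signature",
    "AuthorizationPermissionMismatch": "sas-permission",
}

def check_sas(url, now):
    """Problems visible in the URL itself, before any request is sent."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    problems = [f"missing {k}" for k in ("sv", "se", "sp", "sig") if k not in q]
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"][0].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiry: treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("expired")
    if "sp" in q and "r" not in q["sp"][0]:
        problems.append("no read permission")
    if " " in parts.path:
        problems.append("unencoded space in blob path")
    return problems

def triage(url, status, body, now=None):
    """Return (layer, details) for a failed blob fetch."""
    now = now or datetime.now(timezone.utc)
    local = check_sas(url, now)
    if local:
        return "sas-local", local
    if status != 403:
        return "other", [f"status {status}"]
    code = ET.fromstring(body.lstrip("\ufeff")).findtext("Code")
    return LAYER.get(code, "unknown"), [code]

# Constructed sample: placeholder account, container and signature.
SAMPLE_URL = ("https://exampleacct.blob.core.windows.net/docs/report%20q1.docx"
              "?sv=2022-11-02&se=2030-01-01T00%3A00%3A00Z&sp=r&sig=PLACEHOLDER")
SAMPLE_BODY = ("<Error><Code>AuthorizationFailure</Code><Message>This request is "
               "not authorized to perform this operation.</Message></Error>")

if __name__ == "__main__":
    print(triage(SAMPLE_URL, 403, SAMPLE_BODY))
```

A `network-rule` result on a URL with no local problems means regenerating the token will not help; the caller has to reach storage from an allowed network, which is what the backend download endpoint in the post does.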