Azure · blueww · Nov 27, 2025 · Jan 6, 2026 · Jan 7, 2026 · Jan 7, 2026
diff --git a/src/Storage/Storage.Management.Test/Storage.Management.Test.csproj b/src/Storage/Storage.Management.Test/Storage.Management.Test.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <PsModuleName>Management.Storage</PsModuleName>
@@ -11,10 +11,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Storage.Blobs" Version="12.25.0" />
-    <PackageReference Include="Azure.Storage.Files.DataLake" Version="12.23.0" />
-    <PackageReference Include="Azure.Storage.Files.Shares" Version="12.23.0" />
-    <PackageReference Include="Azure.Storage.Queues" Version="12.23.0" />
+    <PackageReference Include="Azure.Storage.Blobs" Version="12.27.0-beta.1" />
+    <PackageReference Include="Azure.Storage.Files.DataLake" Version="12.25.0-beta.1" />
+    <PackageReference Include="Azure.Storage.Files.Shares" Version="12.25.0-beta.1" />
+    <PackageReference Include="Azure.Storage.Queues" Version="12.25.0-beta.1" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Storage/Storage.Management/ChangeLog.md b/src/Storage/Storage.Management/ChangeLog.md
@@ -18,6 +18,14 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported user delegation SAS + bearer token authentication in Blob, DatalakeGen2, File, Queue service.
+    - `New-AzStorageContext`
+    - `New-AzStorageBlobSASToken`
+    - `New-AzStorageContainerSASToken`
+    - `New-AzDataLakeGen2SASToken`
+    - `New-AzStorageFileSASToken`
+    - `New-AzStorageQueueSASToken`
+    - `New-AzStorageShareSASToken`  
 * Upgraded management plane SDK and auto generated cmdlets to base on API spec generated by TSP
 * Updated Azure.Core from 1.47.3 to 1.50.0
 

diff --git a/src/Storage/Storage.Management/help/New-AzDataLakeGen2SasToken.md b/src/Storage/Storage.Management/help/New-AzDataLakeGen2SasToken.md
@@ -15,17 +15,17 @@ Generates a SAS token for Azure DatalakeGen2 item.
 ### ReceiveManual (Default)
 ```
 New-AzDataLakeGen2SasToken [-FileSystem] <String> [-Path <String>] [-Permission <String>]
- [-Protocol <SasProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTimeOffset>]
- [-ExpiryTime <DateTimeOffset>] [-EncryptionScope <String>] [-FullUri] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-DelegatedUserObjectId <String>] [-Protocol <SasProtocol>] [-IPAddressOrRange <String>]
+ [-StartTime <DateTimeOffset>] [-ExpiryTime <DateTimeOffset>] [-EncryptionScope <String>] [-FullUri]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ### ItemPipeline
 ```
 New-AzDataLakeGen2SasToken -InputObject <AzureDataLakeGen2Item> [-Permission <String>]
- [-Protocol <SasProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTimeOffset>]
- [-ExpiryTime <DateTimeOffset>] [-EncryptionScope <String>] [-FullUri] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-DelegatedUserObjectId <String>] [-Protocol <SasProtocol>] [-IPAddressOrRange <String>]
+ [-StartTime <DateTimeOffset>] [-ExpiryTime <DateTimeOffset>] [-EncryptionScope <String>] [-FullUri]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -79,6 +79,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -DelegatedUserObjectId
+This value specifies the Entra ID of the user who is authorized to use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued to the user specified in this value. This parameter can only be specified when input Storage Context is OAuth based.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EncryptionScope
 Encryption scope to use when sending requests authorized with this SAS URI.
 

diff --git a/src/Storage/Storage.Management/help/New-AzStorageBlobSASToken.md b/src/Storage/Storage.Management/help/New-AzStorageBlobSASToken.md
@@ -16,36 +16,36 @@ Generates a SAS token for an Azure storage blob.
 ### BlobNameWithPermission (Default)
 ```
 New-AzStorageBlobSASToken [-Container] <String> [-Blob] <String> [-Permission <String>]
- [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
- [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-DelegatedUserObjectId <String>] [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>]
+ [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### BlobPipelineWithPolicy
 ```
 New-AzStorageBlobSASToken -CloudBlob <CloudBlob> [-BlobBaseClient <BlobBaseClient>] -Policy <String>
- [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
- [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-DelegatedUserObjectId <String>] [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>]
+ [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### BlobPipelineWithPermission
 ```
 New-AzStorageBlobSASToken -CloudBlob <CloudBlob> [-BlobBaseClient <BlobBaseClient>] [-Permission <String>]
- [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
- [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-DelegatedUserObjectId <String>] [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>]
+ [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### BlobNameWithPolicy
 ```
 New-AzStorageBlobSASToken [-Container] <String> [-Blob] <String> -Policy <String>
- [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
- [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-DelegatedUserObjectId <String>] [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>]
+ [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
@@ -174,6 +174,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -DelegatedUserObjectId
+This value specifies the Entra ID of the user who is authorized to use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued to the user specified in this value. This parameter can only be specified when input Storage Context is OAuth based.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EncryptionScope
 Encryption scope to use when sending requests authorized with this SAS URI.
 

diff --git a/src/Storage/Storage.Management/help/New-AzStorageContainerSASToken.md b/src/Storage/Storage.Management/help/New-AzStorageContainerSASToken.md
@@ -15,18 +15,18 @@ Generates an SAS token for an Azure storage container.
 
 ### SasPolicy
 ```
-New-AzStorageContainerSASToken [-Name] <String> -Policy <String> [-Protocol <SharedAccessProtocol>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-EncryptionScope <String>] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+New-AzStorageContainerSASToken [-Name] <String> -Policy <String> [-DelegatedUserObjectId <String>]
+ [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
+ [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>] [-Context <IStorageContext>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### SasPermission
 ```
-New-AzStorageContainerSASToken [-Name] <String> [-Permission <String>] [-Protocol <SharedAccessProtocol>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-EncryptionScope <String>] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+New-AzStorageContainerSASToken [-Name] <String> [-Permission <String>] [-DelegatedUserObjectId <String>]
+ [-Protocol <SharedAccessProtocol>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
+ [-ExpiryTime <DateTime>] [-FullUri] [-EncryptionScope <String>] [-Context <IStorageContext>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -99,6 +99,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -DelegatedUserObjectId
+This value specifies the Entra ID of the user who is authorized to use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued to the user specified in this value. This parameter can only be specified when input Storage Context is OAuth based.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EncryptionScope
 Encryption scope to use when sending requests authorized with this SAS URI.
 

diff --git a/src/Storage/Storage.Management/help/New-AzStorageContext.md b/src/Storage/Storage.Management/help/New-AzStorageContext.md
@@ -16,8 +16,7 @@ Creates an Azure Storage context.
 ### OAuthAccount (Default)
 ```
 New-AzStorageContext [-StorageAccountName] <String> [-UseConnectedAccount] [-Protocol <String>]
- [-Endpoint <String>] [-EnableFileBackupRequestIntent]
- [<CommonParameters>]
+ [-Endpoint <String>] [-EnableFileBackupRequestIntent] [<CommonParameters>]
 ```
 
 ### AccountNameAndKey
@@ -46,28 +45,26 @@ New-AzStorageContext [-StorageAccountName] <String> [-Anonymous] [-Protocol <Str
 
 ### SasToken
 ```
-New-AzStorageContext [-StorageAccountName] <String> -SasToken <String> [-Protocol <String>]
- [-Endpoint <String>] [<CommonParameters>]
+New-AzStorageContext [-StorageAccountName] <String> -SasToken <String> [-UseConnectedAccount]
+ [-Protocol <String>] [-Endpoint <String>] [-EnableFileBackupRequestIntent] [<CommonParameters>]
 ```
 
 ### SasTokenWithAzureEnvironment
 ```
-New-AzStorageContext [-StorageAccountName] <String> -SasToken <String> -Environment <String>
- [<CommonParameters>]
+New-AzStorageContext [-StorageAccountName] <String> -SasToken <String> [-UseConnectedAccount]
+ -Environment <String> [-EnableFileBackupRequestIntent] [<CommonParameters>]
 ```
 
 ### OAuthAccountEnvironment
 ```
 New-AzStorageContext [-StorageAccountName] <String> [-UseConnectedAccount] [-Protocol <String>]
- -Environment <String> [-EnableFileBackupRequestIntent]
- [<CommonParameters>]
+ -Environment <String> [-EnableFileBackupRequestIntent] [<CommonParameters>]
 ```
 
 ### AccountNameAndKeyServiceEndpoint
 ```
 New-AzStorageContext [-StorageAccountName] <String> [-StorageAccountKey] <String> -BlobEndpoint <String>
- [-FileEndpoint <String>] [-QueueEndpoint <String>] [-TableEndpoint <String>]
- [<CommonParameters>]
+ [-FileEndpoint <String>] [-QueueEndpoint <String>] [-TableEndpoint <String>] [<CommonParameters>]
 ```
 
 ### OAuthAccountServiceEndpoint
@@ -79,8 +76,9 @@ New-AzStorageContext [[-StorageAccountName] <String>] [-UseConnectedAccount] [-B
 
 ### SasTokenServiceEndpoint
 ```
-New-AzStorageContext -SasToken <String> [-BlobEndpoint <String>] [-FileEndpoint <String>]
- [-QueueEndpoint <String>] [-TableEndpoint <String>] [<CommonParameters>]
+New-AzStorageContext -SasToken <String> [-UseConnectedAccount] [-BlobEndpoint <String>]
+ [-FileEndpoint <String>] [-QueueEndpoint <String>] [-TableEndpoint <String>] [-EnableFileBackupRequestIntent]
+ [<CommonParameters>]
 ```
 
 ### ConnectionString
@@ -293,7 +291,7 @@ Required parameter to use with OAuth (Microsoft Entra ID) Authentication for Fil
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
-Parameter Sets: OAuthAccount, OAuthAccountEnvironment, OAuthAccountServiceEndpoint
+Parameter Sets: OAuthAccount, SasToken, SasTokenWithAzureEnvironment, OAuthAccountEnvironment, OAuthAccountServiceEndpoint, SasTokenServiceEndpoint
 Aliases:
 
 Required: False
@@ -488,7 +486,7 @@ The cmdlet will use OAuth Authentication by default, when other authentication n
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
-Parameter Sets: OAuthAccount, OAuthAccountEnvironment, OAuthAccountServiceEndpoint
+Parameter Sets: OAuthAccount, SasToken, SasTokenWithAzureEnvironment, OAuthAccountEnvironment, OAuthAccountServiceEndpoint, SasTokenServiceEndpoint
 Aliases:
 
 Required: False

diff --git a/src/Storage/Storage.Management/help/New-AzStorageFileSASToken.md b/src/Storage/Storage.Management/help/New-AzStorageFileSASToken.md
@@ -15,34 +15,33 @@ Generates a shared access signature token for a Storage file.
 
 ### NameSasPermission
 ```
-New-AzStorageFileSASToken [-ShareName] <String> [-Path] <String> [-Permission <String>] [-Protocol <String>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
+New-AzStorageFileSASToken [-ShareName] <String> [-Path] <String> [-DelegatedUserObjectId <String>]
+ [-Permission <String>] [-Protocol <String>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
+ [-ExpiryTime <DateTime>] [-FullUri] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
  [<CommonParameters>]
 ```
 
 ### NameSasPolicy
 ```
-New-AzStorageFileSASToken [-ShareName] <String> [-Path] <String> -Policy <String> [-Protocol <String>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
+New-AzStorageFileSASToken [-ShareName] <String> [-Path] <String> -Policy <String>
+ [-DelegatedUserObjectId <String>] [-Protocol <String>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
+ [-ExpiryTime <DateTime>] [-FullUri] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
  [<CommonParameters>]
 ```
 
 ### FileSasPermission
 ```
-New-AzStorageFileSASToken -ShareFileClient <ShareFileClient> [-Permission <String>] [-Protocol <String>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
+New-AzStorageFileSASToken -ShareFileClient <ShareFileClient> [-DelegatedUserObjectId <String>]
+ [-Permission <String>] [-Protocol <String>] [-IPAddressOrRange <String>] [-StartTime <DateTime>]
+ [-ExpiryTime <DateTime>] [-FullUri] [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
  [<CommonParameters>]
 ```
 
 ### FileSasPolicy
 ```
-New-AzStorageFileSASToken -ShareFileClient <ShareFileClient> -Policy <String> [-Protocol <String>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+New-AzStorageFileSASToken -ShareFileClient <ShareFileClient> -Policy <String> [-DelegatedUserObjectId <String>]
+ [-Protocol <String>] [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -105,6 +104,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -DelegatedUserObjectId
+This value specifies the Entra ID of the user who is authorized to use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued to the user specified in this value. This parameter can only be specified when input Storage Context is OAuth based.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ExpiryTime
 Specifies the time at which the shared access signature becomes invalid.
 

diff --git a/src/Storage/Storage.Management/help/New-AzStorageQueueSASToken.md b/src/Storage/Storage.Management/help/New-AzStorageQueueSASToken.md
@@ -15,17 +15,16 @@ Generates a shared access signature token for an Azure storage queue.
 
 ### SasPolicy
 ```
-New-AzStorageQueueSASToken [-Name] <String> -Policy <String> [-Protocol <String>] [-IPAddressOrRange <String>]
- [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri] [-Context <IStorageContext>]
- [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+New-AzStorageQueueSASToken [-Name] <String> -Policy <String> [-DelegatedUserObjectId <String>]
+ [-Protocol <String>] [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ### SasPermission
 ```
-New-AzStorageQueueSASToken [-Name] <String> [-Permission <String>] [-Protocol <String>]
- [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
- [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+New-AzStorageQueueSASToken [-Name] <String> [-Permission <String>] [-DelegatedUserObjectId <String>]
+ [-Protocol <String>] [-IPAddressOrRange <String>] [-StartTime <DateTime>] [-ExpiryTime <DateTime>] [-FullUri]
+ [-Context <IStorageContext>] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -73,6 +72,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -DelegatedUserObjectId
+This value specifies the Entra ID of the user who is authorized to use the resulting SAS URL. The resulting SAS URL must be used in conjunction with an Entra ID token that has been issued to the user specified in this value. This parameter can only be specified when input Storage Context is OAuth based.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ExpiryTime
 Specifies when the shared access signature is no longer valid.