The control-plane blob service of a storage account, holding service-level configuration such as CORS rules, soft-delete, versioning, change feed, restore policy, and retention settings.
Control-plane configuration of a single storage account's blob service; reads here do not return blob data or secret material.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Returns a user delegation key: cryptographic key material that can sign user delegation SAS tokens granting direct data-plane access to blobs. A holder of the key can mint such tokens at will, enabling data exfiltration and any other action the delegated access permits on the underlying data. The key is time-limited, and SAS tokens signed with it become invalid once the storage account's user delegation keys are revoked, so key revocation is the containment step if this action is misused.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security