services / Azure / Storage account
An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains.
Storage accounts typically hold the data of a single organizational function. Their two account keys are full-control data-plane credentials, and a SAS token carries whatever permissions its signer chose, so any operation that returns a key or lets the caller mint a SAS is effectively an account-takeover primitive.
Microsoft.Storage/storageAccounts/listAccountSas/action
Returns an account-level SAS token. The caller supplies the services (blob, file, queue, table), resource types, permissions, protocol and expiry in the request body, and the service signs them with one of the account keys, so a principal holding only this action can mint a token with every permission across every service, valid until an expiry of its choosing, and use it from any client the account's network rules admit. The token is a bearer credential: possession alone is enough, Azure RBAC is not consulted when it is presented, and it cannot be revoked individually; it stays valid until it expires or the key that signed it is rotated. The control-plane call is recorded in the Activity Log under this action, and subsequent data-plane use shows up in storage resource logs with authentication type SAS.
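The following is an added example (not P0 Security's or Microsoft's code). It shows the request body a caller of listAccountSas sends, in which every scope field is the caller's choice; reproduces the signing the service performs, which is an HMAC-SHA256 over those fields under an account key in Microsoft's documented account-SAS string-to-sign layout (service version 2020-12-06 and later), so that holding a key is equivalent to holding this action; and flags an over-broad token the way a reviewer of Activity Log or resource-log output might. The account name, key, timestamps and the `assess_account_sas` thresholds are constructed for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample values: the key is a fixed byte string, not a real credential.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

ALL_SERVICES = "bfqt"          # blob, file, queue, table
ALL_RESOURCE_TYPES = "sco"     # service, container, object
ALL_PERMISSIONS = "rwdlacup"   # read, write, delete, list, add, create, update, process


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def list_account_sas_body(expiry, services=ALL_SERVICES, resource_types=ALL_RESOURCE_TYPES,
                          permissions=ALL_PERMISSIONS, protocols="https"):
    """Body for POST .../providers/Microsoft.Storage/storageAccounts/{name}/ListAccountSas.
    Nothing in the request constrains the caller: the widest grant is simply the default here."""
    return {
        "signedServices": services,
        "signedResourceTypes": resource_types,
        "signedPermission": permissions,
        "signedProtocol": protocols,
        "signedStart": iso(NOW),
        "signedExpiry": iso(expiry),
    }


def mint_account_sas(account, key_b64, body, version="2022-11-02", signed_ip=""):
    """Compute the account SAS locally, as the service does with the account key.
    Each string-to-sign field is newline-terminated; the last (encryption scope) is empty."""
    string_to_sign = "\n".join([
        account, body["signedPermission"], body["signedServices"], body["signedResourceTypes"],
        body["signedStart"], body["signedExpiry"], signed_ip, body["signedProtocol"], version, "",
    ]) + "\n"
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    params = {
        "sv": version, "ss": body["signedServices"], "srt": body["signedResourceTypes"],
        "sp": body["signedPermission"], "st": body["signedStart"], "se": body["signedExpiry"],
        "spr": body["signedProtocol"], "sig": base64.b64encode(digest).decode(),
    }
    if signed_ip:
        params["sip"] = signed_ip
    return urlencode(params)  # same shape as the accountSasToken field in the API response


def assess_account_sas(token, now=NOW, max_lifetime=timedelta(days=7)):
    """Return the reasons an account SAS query string is broader than a least-privilege grant.
    Thresholds are illustrative; tune them to the account's actual consumers."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    findings = []
    if set(ALL_SERVICES) <= set(q.get("ss", "")):
        findings.append("all_services")
    if {"c", "o"} <= set(q.get("srt", "")):
        findings.append("container_and_object_scope")
    perms = set(q.get("sp", ""))
    if {"w", "d"} & perms:
        findings.append("write_or_delete")
    if "l" in perms:
        findings.append("list")
    expiry = q.get("se")
    if expiry is None:
        findings.append("no_expiry")
    elif datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) - now > max_lifetime:
        findings.append("long_lived")
    if "sip" not in q:
        findings.append("no_ip_restriction")
    if q.get("spr", "https,http") != "https":
        findings.append("http_allowed")
    return findings


if __name__ == "__main__":
    body = list_account_sas_body(NOW + timedelta(days=365))
    token = mint_account_sas(ACCOUNT, ACCOUNT_KEY, body)
    print(token)
    print(assess_account_sas(token))
```

Because the signature depends only on the key and the caller-chosen fields, the only ways to invalidate a token minted this way are to wait for `se` or to rotate the signing key, which also invalidates every other SAS that key produced; restricting who holds this action and scanning tokens as above is cheaper than that.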
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security