Advance your Data & AI career with 50 days of live learning, dataviz contests, hands-on challenges, study groups & certifications and more!
Get registeredJoin us at FabCon Atlanta from March 16 - 20, 2026, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM. Register now.
Hi,
I am trying to implement the URL option for my geojson reference layer in Azure Maps. I need this access method to quickly switch between reference layer files which contain big volumes of data and a manual import is therefore not going to work. However, I also need high levels of access restrictions on my data since it is sensitive.
I am currently trying to get a URL with SAS token from my storage account working but it does not display the reference file, it throws an error. I'm suspecting the format of a URL with SAS token is not read by PBI. The reference file is only displayed if all anonymous access is enabled. Can anyone walk me through how you have gotten it to work with a SAS token and private access?
And do you have any recommendation for how to make the SAS token option work in a more secure way, since if the token is found, the access is open for anyone?
Solved! Go to Solution.
Hi @filippap ,
Please refer below sample valid SAS token URL structure for Azure Blob Storage that should work with Azure Maps in Power BI.
https://<storage-account>.blob.core.windows.net/<container>/<file>.geojson?
sv=2022-11-02
&st=2025-09-05T12:00:00Z
&se=2025-09-05T20:00:00Z
&sr=b
&sp=r
&sig=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890%2Fabcdefg%3D
sv --> Storage service version (e.g 2022-11-02)
st --> Start time (UTC) when the SAS becomes valid
se --> Expiry time (UTC) when the SAS expires
sr --> Resource type (b for blob, c for container)
sp --> Permissions (r for read)
sig --> HMAC-SHA256 signature generated using the storage account key
Note: Check the URL is accessed over HTTPS, and the blob is not set to public access if you are relying solely on the SAS token for security.
Please try below additional Security things.
1. Use User Delegation SAS, It is more secure than account-level SAS. Tied to Azure AD identities. Requires role assignment for Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey.
2. Use the sip parameter to restrict access to specific IP ranges.
3. Use spr=https to enforce HTTPS-only access.
Please refer below sample SAS Token URL Structure with all security parameters.
https://mysecurestorage.blob.core.windows.net/mapsdata/india.geojson?
sv=2022-11-02
&st=2025-09-05T12:00:00Z
&se=2025-09-05T14:00:00Z
&sr=b
&sp=r
&sip=203.0.113.0-203.0.113.255
&spr=https
&sig=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890%2Fabcdefg%3D
Please refer below Microsoft official documents.
Service SAS examples - Azure Storage | Microsoft Learn
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
I hope this information helps. Please do let us know if you have any further queries.
Regards,
Dinesh
Hi @v-dineshya
Thank you for the reply! I have not managed to get the SAS token to work despite that I input it on the format you propose - which is also the exact same format which I copy it from the creation of it in Azure Portal. However, since my client has installed a gateway connection between Power BI and the storage account they are okay with us accessing the reference map without a SAS token. 
However, I am still curious as to why it does not work with the token. Could you give me a sample URL with a bit more detail on the token/structure so I can confirm it matches my own?
Hi @filippap ,
Please refer below sample valid SAS token URL structure for Azure Blob Storage that should work with Azure Maps in Power BI.
https://<storage-account>.blob.core.windows.net/<container>/<file>.geojson?
sv=2022-11-02
&st=2025-09-05T12:00:00Z
&se=2025-09-05T20:00:00Z
&sr=b
&sp=r
&sig=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890%2Fabcdefg%3D
sv --> Storage service version (e.g 2022-11-02)
st --> Start time (UTC) when the SAS becomes valid
se --> Expiry time (UTC) when the SAS expires
sr --> Resource type (b for blob, c for container)
sp --> Permissions (r for read)
sig --> HMAC-SHA256 signature generated using the storage account key
Note: Check the URL is accessed over HTTPS, and the blob is not set to public access if you are relying solely on the SAS token for security.
Please try below additional Security things.
1. Use User Delegation SAS, It is more secure than account-level SAS. Tied to Azure AD identities. Requires role assignment for Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey.
2. Use the sip parameter to restrict access to specific IP ranges.
3. Use spr=https to enforce HTTPS-only access.
Please refer below sample SAS Token URL Structure with all security parameters.
https://mysecurestorage.blob.core.windows.net/mapsdata/india.geojson?
sv=2022-11-02
&st=2025-09-05T12:00:00Z
&se=2025-09-05T14:00:00Z
&sr=b
&sp=r
&sip=203.0.113.0-203.0.113.255
&spr=https
&sig=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890%2Fabcdefg%3D
Please refer below Microsoft official documents.
Service SAS examples - Azure Storage | Microsoft Learn
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
I hope this information helps. Please do let us know if you have any further queries.
Regards,
Dinesh
Hi @filippap ,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.
Regards,
Dinesh
Hi @filippap ,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.
Regards,
Dinesh
Hi @filippap ,
Thank you for reaching out to the Microsoft Community Forum.
SAS Token with Azure Maps Reference Layer in Power BI.
1. Enable URL-based Reference Layer, In Power BI, go to the Azure Maps visual. Under the Format pane, expand Reference Layer. Choose URL as the type and paste the full URL to your GeoJSON file hosted in Azure Blob Storage.
2. Please refer sample URL.
https://<storage-account>.blob.core.windows.net/<container>/<file>.geojson?<sas-token>
Note: Check the SAS token includes read-only permissions and is short-lived.
Please try below things for Securing SAS Token Access.
1. Never share SAS URLs over HTTP. Use HTTPS to prevent man-in-the-middle attacks.
2. Only grant read access. Avoid write/delete unless absolutely necessary.
3. Set the SAS token to expire in minutes or hours, not days.
4. Don’t embed SAS tokens in reports or code. Use secure vaults or dynamic generation.
5. Store SAS tokens securely in Azure Key Vault and retrieve them programmatically when needed.
6. Enable Azure Monitor or Storage Analytics logs to track SAS token usage and detect anomalies.
7. Use User Delegation SAS, these are more secure as they are tied to Azure active directory identities and don’t require storage account keys.
8. Long expiry tokens increases risk. Use stored access policies for better control.
Please refer below Microsoft articles.
Authentication best practices in Azure Maps - Microsoft Azure Maps | Microsoft Learn
How to secure an Azure Maps application with a SAS token - Azure Maps | Microsoft Learn
How do I use SAS tokens to read files from an Azure Blob Storage container? - Microsoft Q&A
I hope this information helps. Please do let us know if you have any further queries.
Regards,
Dinesh
Hi @filippap ,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. And, if you have any further query do let us know.
Regards,
Dinesh
 
					
				
				
			
		
Join the Fabric FabCon Global Hackathon—running virtually through Nov 3. Open to all skill levels. $10,000 in prizes!
Check out the October 2025 Power BI update to learn about new features.
