diff --git a/doc/030_preparing_a_new_repo.rst b/doc/030_preparing_a_new_repo.rst
index 0ae1d4815..df6afcec0 100644
--- a/doc/030_preparing_a_new_repo.rst
+++ b/doc/030_preparing_a_new_repo.rst
@@ -506,10 +506,6 @@ or
     $ export AZURE_ACCOUNT_NAME=<ACCOUNT_NAME>
     $ export AZURE_ACCOUNT_SAS=<SAS_TOKEN>
 
-With the later form, ensure your ``SAS_TOKEN`` does not start with a leading
-``?``. If the generated token starts with a leading ``?`` it is safe to just
-delete the first character (the ``?``) before use.
-
 Afterwards you can initialize a repository in a container called ``foo`` in the
 root path like this:
 
diff --git a/internal/backend/azure/azure.go b/internal/backend/azure/azure.go
index 9f2f0b163..7f3539f07 100644
--- a/internal/backend/azure/azure.go
+++ b/internal/backend/azure/azure.go
@@ -57,7 +57,12 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
 		// we (as per the SDK ) assume the default Azure portal.
 		url := fmt.Sprintf("https://%s.blob.core.windows.net/", cfg.AccountName)
 		debug.Log(" - using sas token")
-		client, err = storage.NewAccountSASClientFromEndpointToken(url, cfg.AccountSAS.Unwrap())
+		sas := cfg.AccountSAS.Unwrap()
+		// strip query sign prefix
+		if sas[0] == '?' {
+			sas = sas[1:]
+		}
+		client, err = storage.NewAccountSASClientFromEndpointToken(url, sas)
 		if err != nil {
 			return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
 		}