SAS Token for Azure

The Azure IoT connection requires a SAS token to be generated. I understand how that is done using the tools provided by Azure. So in a production environment does one select a TTL of like 10 years?
I have also seen some use a web service to create a short-lived SAS (https://kevinsaye.wordpress.com/2017/01/05/using-azure-functions-to-generate-an-iot-sas-token/). In that particular example, he used straight HTTP, which wouldn’t be advisable. The device would need to store the access key to the token service.

Microsoft’s documentation does refer to a “Token Service” that would generate the SAS token.
(https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#custom-device-and-module-authentication)

Has anyone deployed a decent quantity of devices for commercial use using Azure IoT? How did you handle the SAS token?

Edit: This would be a similar implementation but slightly updated. http://blogs.recneps.net/post/Generating-your-IoT-Hub-Shared-Access-Signature-for-your-ESP-8266-using-Azure-Functions

That is a good question. We will look into this on our end.
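
The short-lived token a token service like the one discussed in the question would issue, as an added example that is not code from this thread or the linked posts. It follows the IoT Hub SAS token layout (`sr`, `sig`, `se`); the function names, hub name, device ID and key are constructed for illustration, and `verify_sas_token` is a local stand-in for the check a holder of the same key performs.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

def _sign(encoded_uri, expiry, key_b64):
    # HMAC-SHA256 over "<url-encoded resource URI>\n<expiry>", keyed with the decoded key.
    msg = f"{encoded_uri}\n{expiry}".encode()
    mac = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def generate_sas_token(resource_uri, key_b64, ttl_seconds, now=None):
    """Token service side: issue a token valid for ttl_seconds."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    sr = quote(resource_uri, safe="")
    sig = quote(_sign(sr, expiry, key_b64), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"

def parse_sas_token(token):
    scheme, _, fields = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SAS token")
    return {k: v[0] for k, v in parse_qs(fields, strict_parsing=True).items()}

def seconds_remaining(token, now=None):
    """Device side: how long until the token must be refreshed."""
    return int(parse_sas_token(token)["se"]) - int(time.time() if now is None else now)

def verify_sas_token(token, key_b64, now=None):
    """Recompute the signature; the expiry is signed, so editing it fails."""
    f = parse_sas_token(token)
    expected = _sign(quote(f["sr"], safe=""), f["se"], key_b64)
    unexpired = int(f["se"]) > (time.time() if now is None else now)
    return hmac.compare_digest(expected, f["sig"]) and unexpired

# Constructed sample values (not a real hub, device or key).
DEMO_URI = "example-hub.azure-devices.net/devices/device-001"
DEMO_KEY = base64.b64encode(b"constructed-demo-device-key-0001").decode()

if __name__ == "__main__":
    tok = generate_sas_token(DEMO_URI, DEMO_KEY, ttl_seconds=3600)
    print(tok, seconds_remaining(tok), verify_sas_token(tok, DEMO_KEY))
```

Because the expiry is part of the signed string, a device holding only the token cannot extend its lifetime; it has to go back to whoever holds the key.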