SAS Token for Azure

The Azure IoT connection requires a SAS token to be generated. I understand how that is done using the tools provided by Azure. So in a production environment does one select a TTL of like 10 years?
I have also seen some use a web service to create a short-lived SAS. In that particular example, he used straight HTTP, which wouldn’t be advisable. The device would need to store the access key to the token service.

Microsoft’s documentation does refer to a “Token Service” that would generate the SAS token.

Has anyone deployed a decent quantity of devices for commercial use using Azure IoT? How did you handle the SAS token?

Edit: This would be a similar implementation but slightly updated.

That is a good question. We will look into this on our end.
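As an added illustration of the short-lived token approach raised in the question (not code from this thread or from Microsoft), the sketch below issues an IoT Hub SAS token with a one-hour TTL, lets a device decide when to request a new one, and checks signature and expiry locally. It assumes the documented `SharedAccessSignature sr=...&sig=...&se=...` token format; the hub name, device ID, key and the helper names are constructed for the example.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote, unquote

# Constructed values for illustration only; not a real hub, device or key.
RESOURCE_URI = "myhub.azure-devices.net/devices/device-001"
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()

def _sign(encoded_uri, expiry, key_b64):
    # HMAC-SHA256 over "<url-encoded resource URI>\n<expiry>" with the decoded key.
    msg = f"{encoded_uri}\n{expiry}".encode()
    mac = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def generate_sas_token(resource_uri, key_b64, ttl_seconds, now=None):
    """Token-service side: issue a token that expires ttl_seconds from now."""
    now = time.time() if now is None else now
    expiry = int(now + ttl_seconds)
    encoded_uri = quote(resource_uri, safe="")
    sig = quote(_sign(encoded_uri, expiry, key_b64), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}"

def _fields(token):
    # Split "SharedAccessSignature k=v&k=v" into a dict of still-encoded values.
    return dict(p.split("=", 1) for p in token.split(" ", 1)[1].split("&"))

def needs_renewal(token, margin_seconds=300, now=None):
    """Device side: true once the token is within margin_seconds of expiry."""
    now = time.time() if now is None else now
    return int(_fields(token)["se"]) - now <= margin_seconds

def verify_sas_token(token, key_b64, now=None):
    """Local check mirroring the scheme: reject expired or mis-signed tokens."""
    now = time.time() if now is None else now
    f = _fields(token)
    if int(f["se"]) <= now:
        return False
    expected = _sign(f["sr"], f["se"], key_b64)
    return hmac.compare_digest(unquote(f["sig"]), expected)

if __name__ == "__main__":
    t = generate_sas_token(RESOURCE_URI, DEMO_KEY, ttl_seconds=3600)
    print(t, needs_renewal(t), verify_sas_token(t, DEMO_KEY))
```

With this split, the signing key stays on the token service and a device only ever holds a token that expires within the hour.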