LuisFilipe
Overview
The retirement of TLS 1.0 and 1.1 on Azure Storage was previously announced for Nov 1st, 2024, and was recently postponed by one year, to Nov 1st, 2025.
Despite that, you may still see some documentation showing the old date; we are currently updating the date in that documentation.
See: Migrate to Transport Layer Security (TLS) 1.2 for Azure Blob Storage - Azure Storage
What you need to change:
On Nov 1st, 2025, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS), and TLS 1.2 will become the new minimum TLS version.
This change is made internally on the Azure Storage side, and you don't need to take any action on the Azure Storage service itself.
However, from that date on, all clients connecting to Azure Storage need to send and receive data using TLS 1.2; otherwise they will not be able to connect to storage over TLS/SSL.
So you may need to make sure your client applications are using TLS 1.2 by then, and update your applications if needed, removing all dependencies on TLS versions 1.0 and 1.1.
- If your storage accounts are already configured with minimum TLS version 1.2, storage clients are already connecting using TLS 1.2 or above, and in that case you don't need to take any action on those client applications.
- If you have some storage account configured with minimum TLS version 1.0 or 1.1, you may need to check which TLS version that storage account's clients are using; if they use TLS 1.0 or 1.1, you may need to update those applications to make sure they can still connect to Storage after Nov 1st, 2025.
Once that is corrected, you may manually change the Azure Storage configuration to enforce minimum TLS 1.2, if you want.
That is not required, as after Nov 1st, 2025 a minimum of TLS 1.2 will be enforced anyway, and this change happens internally.
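One practical way to confirm that a given client machine can reach a storage endpoint using TLS 1.2 only, before the deadline, is to open a TLS session from that machine with TLS 1.2 as the sole enabled protocol and check what was negotiated. The snippet below is an added example (not from the original post): it uses the .NET `SslStream` class available in PowerShell, and the storage account host name is a placeholder you must replace.

```powershell
# Added example: check that this client can negotiate TLS 1.2 (and only TLS 1.2)
# with an Azure Storage endpoint. Not part of the original post; the host name
# below is a placeholder (assumption) and must be replaced with your own account.
function Test-StorageTls12 {
    param(
        [Parameter(Mandatory)] [string] $HostName   # e.g. "<yourstorageaccount>.blob.core.windows.net"
    )

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        # SslStream over the TCP connection; server certificate validation stays on.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try {
            # Offer only TLS 1.2. If the OS/.NET stack on this client cannot do TLS 1.2,
            # or something on the path blocks it, this call throws instead of falling
            # back to TLS 1.0/1.1, which is exactly the failure you want to see now
            # rather than on Nov 1st, 2025.
            $ssl.AuthenticateAsClient(
                $HostName,
                $null,                                                  # no client certificate
                [System.Security.Authentication.SslProtocols]::Tls12,  # enabled protocols
                $false)                                                 # skip revocation check

            [pscustomobject]@{
                HostName    = $HostName
                Negotiated  = $ssl.SslProtocol      # expected: Tls12
                CipherSuite = $ssl.CipherAlgorithm
                Succeeded   = $true
            }
        }
        finally { $ssl.Dispose() }
    }
    catch {
        [pscustomobject]@{
            HostName   = $HostName
            Negotiated = $null
            Succeeded  = $false
            Error      = $_.Exception.Message
        }
    }
    finally { $tcp.Dispose() }
}

# Usage (placeholder host name):
Test-StorageTls12 -HostName "<yourstorageaccount>.blob.core.windows.net" | Format-List
```

Run it on each machine that hosts a client application, under the same OS and .NET configuration the application uses. A result with `Succeeded = True` and `Negotiated = Tls12` shows that the platform can do TLS 1.2; an exception usually points at an old OS, a registry-level SCHANNEL setting, or application code that pins `SecurityProtocolType` to an older version. Note that this checks the platform, not the application: code that explicitly requests TLS 1.0 or 1.1 still has to be found and changed.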
How to verify which minimum TLS version is configured on each storage account under an Azure subscription:
To help you list the minimum TLS version configured on all storage accounts in your subscription, you can use the PowerShell script below:
Code:
```powershell
Connect-AzAccount -Subscription "<your subscription id>"
# Get the minimum TLS version configured on all storage accounts in the subscription
$accounts = Get-AzStorageAccount
foreach ($account in $accounts) {
    Write-Host $account.MinimumTlsVersion "-" $account.Context.Name
}
```
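The listing above only reports. Once you have confirmed that the clients of an account are ready, the same loop can be used to raise the account's minimum TLS version, as the post suggests further up. The following is an added example, not part of the original post: it lists the accounts that are still below TLS 1.2 and, only when the `-Enforce` switch (an assumption of this example) is given, sets them to `TLS1_2` with `Set-AzStorageAccount`.

```powershell
# Added example (not from the original post): report storage accounts whose minimum
# TLS version is below 1.2 and optionally raise them to TLS1_2.
# Assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount was already run.
param(
    [switch] $Enforce   # assumption of this example: change accounts only when given
)

$accounts = Get-AzStorageAccount

# MinimumTlsVersion is TLS1_0, TLS1_1 or TLS1_2 (TLS1_3 where available); the string
# order matches the protocol order, which is why -lt works here as -ge does in the post.
# An account that returns no value at all is treated as below the minimum.
$belowMinimum = $accounts | Where-Object {
    -not $_.MinimumTlsVersion -or $_.MinimumTlsVersion -lt "TLS1_2"
}

if (-not $belowMinimum) {
    Write-Host "All storage accounts already require TLS 1.2 or above."
    return
}

foreach ($account in $belowMinimum) {
    Write-Host ("{0,-8} {1,-30} {2}" -f $account.MinimumTlsVersion,
                                         $account.StorageAccountName,
                                         $account.ResourceGroupName)

    if ($Enforce) {
        # Raise the minimum. Clients still on TLS 1.0/1.1 will be rejected immediately,
        # so run this only after the Diagnostic Logs check described in the post is clean.
        Set-AzStorageAccount -ResourceGroupName $account.ResourceGroupName `
                             -Name $account.StorageAccountName `
                             -MinimumTlsVersion TLS1_2
        Write-Host "  -> minimum TLS version set to TLS1_2"
    }
}
```

Save it as a `.ps1` file and run it once without `-Enforce` to get the report; add `-WhatIf` to the `Set-AzStorageAccount` line if you want a dry run of the change before applying it for real.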
If you have some storage accounts using minimum TLS 1.0 or 1.1, you may need to check the TLS version used by the client applications connecting to those storage accounts.
The only ways to check that are looking at the application code, or enabling Storage Diagnostic Logs to list all storage operations and check the TLS version used on each request.
How to enable/disable Storage Diagnostic Logs on the relevant Storage accounts:
The PowerShell script below will scan all storage accounts in an Azure subscription and enable Storage Diagnostic Logs on the ones configured with a minimum TLS version below 1.2.
The logs will be enabled for all services (Blob, Table, Queue and Files) on each storage account.
You first need a Log Analytics workspace to receive those logs; it is better to create a new one just for this purpose, so you can delete it later.
You also need to set the Azure Subscription ID, and the Log Analytics workspace resource ID in the $WorkspaceId variable, in the PowerShell script.
At the end of the script, there are some instructions on how to run the script again to remove all Diagnostic settings it added, when they are no longer needed.
Once Storage Diagnostic Logs are enabled on the relevant storage accounts, wait some time (possibly some days, to make sure all your applications have interacted with all storage accounts), and then query the Log Analytics workspace for any requests using a TLS version below 1.2.
For that you can use the Kusto query also shared below.
Important:
Please understand that the scripts provided on this page are shared as guidance for you, on a best-effort basis, to better help you.
Please use any script or query on this page at your own risk.
We share these scripts without any guarantee, and we can’t assume any responsibility for any unexpected results.
We strongly recommend that you review, test and adjust all scripts and queries as per your needs.
Code:
```powershell
#######################################################################################################
## Enable/Disable Storage Diagnostic Logs on all storage accounts under a subscription
#######################################################################################################
Connect-AzAccount -Subscription "<your subscription id>"

# Create a Log Analytics workspace, go to Properties and copy its "Resource ID":
$WorkspaceId = "/subscriptions/<yourAzureSubscriptionId>/resourceGroups/<LogAnalyticsWorkspace_ResourceGroupName>/providers/Microsoft.OperationalInsights/workspaces/<LogAnalyticsWorkspaceName>"
$DiagnosticSettingName = "Logs_to_check_TLS_requests" # any name to identify the Diagnostic Logs on each storage account
#######################################################################################################

# Get all storage accounts in the subscription
$accounts = Get-AzStorageAccount
foreach ($account in $accounts)
{
    # If MinimumTlsVersion is already "TLS1_2" or above, Diagnostic Logs are not needed; skip to the next account
    if ($account.MinimumTlsVersion -ge "TLS1_2")
    {
        Write-Host $account.MinimumTlsVersion "-" $account.Context.Name "- continue"
        continue
    }

    $ResourceId = $account.Id

    # Metrics are not required for this investigation; uncomment to collect them as well
    #$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled

    # Log categories to collect: read, write and delete operations
    $readlog   = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageRead   -Enabled
    $writelog  = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageWrite  -Enabled
    $deletelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageDelete -Enabled

    # Resource IDs of the four services in the storage account
    $Ids = @(
        $ResourceId + "/blobServices/default"
        $ResourceId + "/fileServices/default"
        $ResourceId + "/queueServices/default"
        $ResourceId + "/tableServices/default"
    )

    # Enable / Disable Diagnostic Settings on each service
    $Ids | ForEach-Object {
        # Enable Storage Diagnostic Logs (to disable instead, comment the two lines below and uncomment Remove-AzDiagnosticSetting)
        #---------------------------------------------------------
        $setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_ -WorkspaceId $WorkspaceId -Setting $readlog, $writelog, $deletelog
        Set-AzDiagnosticSetting -InputObject $setting

        # Disable Storage Diagnostic Logs (comment the two lines above and uncomment the line below)
        # This removes only the setting named $DiagnosticSettingName and keeps any other existing Diagnostic settings
        #---------------------------------------------------------
        #Remove-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_
    }
}
#######################################################################################################
```
How to check Storage Diagnostic Logs to identify the client applications using TLS 1.0 or 1.1 to connect to the Storage service:
To query the Log Analytics workspace for any requests using a TLS version below 1.2, you can use the Kusto query below.
The query returns all requests using a TLS version below 1.2, from all services (Blob, Table, Queue and Files), on all storage accounts that send Diagnostic Logs to the same Log Analytics workspace.
If you want to check only some specific storage account(s), uncomment the 6th line and provide the storage account name(s) you want to check.
Code:
```kusto
union
    StorageBlobLogs,
    StorageFileLogs,
    StorageQueueLogs,
    StorageTableLogs
//| where AccountName in ("storageaccount1","storageaccount2")
| where TimeGenerated > ago(7d)
| where strcmp(TlsVersion, "TLS 1.2") < 0
| project TimeGenerated, TlsVersion, AccountName, ServiceType, OperationName, StatusCode, CallerIpAddress, UserAgentHeader, Uri
```
The last line selects only the fields relevant to your investigation:
CallerIpAddress and UserAgentHeader should help you identify the client application;
TlsVersion is the relevant field, showing the TLS version used on each request;
TimeGenerated, AccountName, ServiceType, OperationName, StatusCode and Uri can also help you identify the service and the request URI used.
If you want to see all fields, just remove or comment out the last line.
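Reading the raw request list row by row becomes tedious once the logs contain thousands of requests. The script below is an added example, not part of the original post: it runs the same filter through `Invoke-AzOperationalInsightsQuery` (Az.OperationalInsights module), but aggregates the rows per account, service, TLS version, caller IP and user agent, so each distinct legacy client shows up once with its request count and last-seen time. Note the assumption in the comments: this cmdlet takes the workspace's *customer ID* (the GUID shown as "Workspace ID" on the workspace overview page), not the ARM resource ID used for the diagnostic settings above.

```powershell
# Added example (not from the original post): summarize legacy-TLS clients per storage
# account from the Diagnostic Logs collected in Log Analytics.
# Assumptions: Az.Accounts and Az.OperationalInsights are installed, Connect-AzAccount
# was run, and the value below is the workspace ID (GUID), not its ARM resource ID.
$WorkspaceCustomerId = "<your Log Analytics workspace ID (GUID)>"
$LookBack = "7d"   # same window as the post's query; widen it if clients run rarely

# Same union/filter as the post's query, followed by an aggregation.
$query = @"
union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
| where TimeGenerated > ago($LookBack)
| where strcmp(TlsVersion, "TLS 1.2") < 0
| summarize Requests = count(), LastSeen = max(TimeGenerated)
    by AccountName, ServiceType, TlsVersion, CallerIpAddress, UserAgentHeader
| order by AccountName asc, Requests desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceCustomerId -Query $query

if (-not $result.Results) {
    Write-Host "No requests with a TLS version below 1.2 were found in the last $LookBack."
    return
}

# One row per distinct legacy client: this is the list of applications to update.
$result.Results |
    Format-Table AccountName, ServiceType, TlsVersion, CallerIpAddress, UserAgentHeader, Requests, LastSeen -AutoSize

# Keep a copy to hand to the application owners.
$result.Results | Export-Csv -Path ".\legacy-tls-clients.csv" -NoTypeInformation
```

An empty result after a few days of collection, with logs enabled on every account below TLS 1.2, is the signal that the accounts can be set to minimum TLS 1.2 ahead of the deadline; a non-empty result gives you the caller address and user agent of each application that still has to be fixed.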
Conclusion:
The Azure Storage TLS 1.0 and 1.1 deprecation date was postponed by one year, to Nov 1st, 2025.
After that date, clients connecting to Azure Storage services with a TLS version below 1.2 will no longer be able to connect to Azure Storage.
You don't need to take any action on your Azure Storage services; this change will be automatic.
You just need to ensure that all client applications connecting to your storage accounts are using TLS 1.2 or above after that date.
Related documentation:
Azure Storage TLS 1.0 and 1.1 deprecation: Migrate to Transport Layer Security (TLS) 1.2 for Azure Blob Storage - Azure Storage
Other Azure products TLS 1.0 and 1.1 deprecation and FAQ's: Support for legacy TLS protocols and cipher suites in Azure Offerings
Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account: Enforce a minimum required version of Transport Layer Security (TLS) for incoming requests - Azure Storage
Use Azure Policy to audit for compliance: Enforce a minimum required version of Transport Layer Security (TLS) for incoming requests - Azure Storage
Storage Diagnostic Logs:
Create diagnostic settings: Diagnostic settings in Azure Monitor - Azure Monitor
Destinations: Diagnostic settings in Azure Monitor - Azure Monitor
Log Analytics tutorial: Log Analytics tutorial - Azure Monitor
Log Analytic workspace - Sample Kusto queries: Monitor Azure Blob Storage
Log Format and information available: Monitoring data reference for Azure Blob Storage
Storage Diagnostic Logs may incur some additional charges; the most significant charges for most Azure Monitor implementations are typically the ingestion and retention of data in your Log Analytics workspaces.
You can disable Storage Diagnostic Logs again after your investigation, if you don’t need them.
Logs cost calculation: Azure Monitor Logs cost calculations and options - Azure Monitor
Analytic logs pricing: Pricing - Azure Monitor | Microsoft Azure
I hope this can be useful!!!