Submitted URL: https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
Effective URL: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal

ENFORCE A MINIMUM REQUIRED VERSION OF TRANSPORT LAYER SECURITY (TLS) FOR
REQUESTS TO A STORAGE ACCOUNT

 * Article
 * 03/22/2024
 * 16 contributors


IN THIS ARTICLE

 1. Detect the TLS version used by client applications
 2. Remediate security risks with a minimum version of TLS
 3. Use Azure Policy to audit for compliance
 4. Use Azure Policy to enforce the minimum TLS version
 5. Permissions necessary to require a minimum version of TLS
 6. Network considerations
 7. Next steps


Communication between a client application and an Azure Storage account is
encrypted using Transport Layer Security (TLS). TLS is a standard cryptographic
protocol that ensures privacy and data integrity between clients and services
over the Internet. For more information about TLS, see Transport Layer Security.

Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1,
and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and
TLS 1.1 are still supported for backward compatibility.

Tip

Azure Storage relies on the Windows implementation of SSL, which is not based on
OpenSSL and is therefore not exposed to OpenSSL-related vulnerabilities.

Azure Storage accounts permit clients to send and receive data with the oldest
version of TLS, TLS 1.0, and above. To enforce stricter security measures, you
can configure your storage account to require that clients send and receive data
with a newer version of TLS. If a storage account requires a minimum version of
TLS, then any requests made with an older version will fail.

This article describes how to use a DRAG
(Detection-Remediation-Audit-Governance) framework to continuously manage secure
TLS for your storage accounts.

For information about how to specify a particular version of TLS when sending a
request from a client application, see Configure Transport Layer Security (TLS)
for a client application.

Note

The cipher suite used when clients send data to and receive data from a storage
account is dependent on the TLS version used. It is not possible to configure a
storage account to block the use of specific ciphers, other than by requiring a
minimum TLS version. If you require the ability to allow only specific cipher
suites when connecting to your storage account, consider using Azure Application
Gateway. For more information about using Application Gateway for this purpose,
see Configure TLS policy versions and cipher suites on Azure Application
Gateway.


DETECT THE TLS VERSION USED BY CLIENT APPLICATIONS

When you enforce a minimum TLS version for your storage account, you risk
rejecting requests from clients that are sending data with an older version of
TLS. To understand how configuring the minimum TLS version may affect client
applications, Microsoft recommends that you enable logging for your Azure
Storage account and analyze the logs after an interval of time to detect what
versions of TLS client applications are using.

To log requests to your Azure Storage account and determine the TLS version used
by the client, you can use Azure Storage logging in Azure Monitor. For more
information, see Monitor Azure Storage.

Azure Storage logging in Azure Monitor supports using log queries to analyze log
data. To query logs, you can use an Azure Log Analytics workspace. To learn more
about log queries, see Tutorial: Get started with Log Analytics queries.

To log Azure Storage data with Azure Monitor and analyze it with Azure Log
Analytics, you must first create a diagnostic setting that indicates what types
of requests and for which storage services you want to log data. To create a
diagnostic setting in the Azure portal, follow these steps:

 1. Create a new Log Analytics workspace in the subscription that contains your
    Azure Storage account. After you configure logging for your storage account,
    the logs will be available in the Log Analytics workspace. For more
    information, see Create a Log Analytics workspace in the Azure portal.

 2. Navigate to your storage account in the Azure portal.

 3. In the Monitoring section, select Diagnostic settings.

 4. Select the Azure Storage service for which you want to log requests. For
    example, choose Blob to log requests to Blob storage.

 5. Select Add diagnostic setting.

 6. Provide a name for the diagnostic setting.

 7. Under Category details, in the log section, choose which types of requests
    to log. You can log read, write, and delete requests. For example, choosing
    StorageRead and StorageWrite will log read and write requests to the
    selected service.

 8. Under Destination details, select Send to Log Analytics. Select your
    subscription and the Log Analytics workspace you created earlier, as shown
    in the following image.
    
    

After you create the diagnostic setting, requests to the storage account are
subsequently logged according to that setting. For more information, see Create
diagnostic setting to collect resource logs and metrics in Azure.

For a reference of fields available in Azure Storage logs in Azure Monitor, see
Resource logs.


QUERY LOGGED REQUESTS BY TLS VERSION

Azure Storage logs in Azure Monitor include the TLS version used to send a
request to a storage account. Use the TlsVersion property to check the TLS
version of a logged request.

To determine how many requests were made against Blob storage with different
versions of TLS over the past seven days, open your Log Analytics workspace.
Next, paste the following query into a new log query and run it. Remember to
replace the placeholder values in brackets with your own values:

Kusto:

StorageBlobLogs
| where TimeGenerated > ago(7d) and AccountName == "<account-name>"
| summarize count() by TlsVersion


The results show the number of requests made with each version of TLS:




QUERY LOGGED REQUESTS BY CALLER IP ADDRESS AND USER AGENT HEADER

Azure Storage logs in Azure Monitor also include the caller IP address and user
agent header to help you to evaluate which client applications accessed the
storage account. You can analyze these values to decide whether client
applications must be updated to use a newer version of TLS, or whether it's
acceptable to fail a client's request if it is not sent with the minimum TLS
version.

To determine which clients made requests with a version of TLS older than TLS
1.2 over the past seven days, paste the following query into a new log query and
run it. Remember to replace the placeholder values in brackets with your own
values:

Kusto:

StorageBlobLogs
| where TimeGenerated > ago(7d) and AccountName == "<account-name>" and TlsVersion != "TLS 1.2"
| project TlsVersion, CallerIpAddress, UserAgentHeader
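As an added example (not from the original article), the following Python reproduces the two log queries above over constructed StorageBlobLogs-style rows and goes one step further: given a candidate MinimumTlsVersion value (TLS1_0, TLS1_1, TLS1_2, or unset), it lists the clients whose requests would be rejected once that minimum is enforced. The account name, IP addresses and user-agent strings are constructed; the field names are those of the Azure Storage logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# MinimumTlsVersion property values (as used by PowerShell, the CLI and ARM
# templates) mapped onto comparable (major, minor) tuples.
PROPERTY_VALUES = {"TLS1_0": (1, 0), "TLS1_1": (1, 1), "TLS1_2": (1, 2)}


def parse_log_tls_version(value):
    """Turn a TlsVersion log value such as 'TLS 1.1' into the tuple (1, 1)."""
    major, minor = value.replace("TLS", "", 1).strip().split(".")
    return int(major), int(minor)


def parse_minimum_tls_version(value):
    """Turn a MinimumTlsVersion property value into a tuple.

    An unset property (null or an empty string) means the account still
    accepts TLS 1.0 and later, so it is treated as TLS1_0.
    """
    if not value:
        return (1, 0)
    return PROPERTY_VALUES[value]


def client_key(record):
    """Group by client host and user agent.

    CallerIpAddress in these logs carries the client port ("ip:port"); the
    sample data is IPv4 only, so the last colon separates the port.
    """
    host = record["CallerIpAddress"].rpartition(":")[0]
    return host, record["UserAgentHeader"]


def recent_records(records, account_name, now, days=7):
    """The query's 'where' clause: one account, the last N days."""
    cutoff = now - timedelta(days=days)
    return [r for r in records
            if r["AccountName"] == account_name and r["TimeGenerated"] > cutoff]


def count_by_tls_version(records, account_name, now):
    """Equivalent of '| summarize count() by TlsVersion'."""
    return dict(Counter(r["TlsVersion"]
                        for r in recent_records(records, account_name, now)))


def clients_below_minimum(records, account_name, now, minimum_tls_version):
    """Clients whose requests would start failing at the given minimum.

    Returns {(host, UserAgentHeader): {TlsVersion, ...}} so each client can
    be triaged: update it, or accept that its requests will be rejected.
    """
    required = parse_minimum_tls_version(minimum_tls_version)
    offenders = defaultdict(set)
    for r in recent_records(records, account_name, now):
        if parse_log_tls_version(r["TlsVersion"]) < required:
            offenders[client_key(r)].add(r["TlsVersion"])
    return dict(offenders)


# Constructed sample data standing in for rows of StorageBlobLogs.
NOW = datetime(2024, 3, 22, 12, 0, tzinfo=timezone.utc)
LEGACY_UA = "WA-Storage/6.2.0 (.NET CLR 4.0.30319.42000; Win32NT 6.1.7601)"
MODERN_UA = "azsdk-python-storage-blob/12.19.0 Python/3.11.4 (Linux-5.15)"


def make_row(hours_ago, account, tls, ip, ua):
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "AccountName": account,
            "TlsVersion": tls, "CallerIpAddress": ip, "UserAgentHeader": ua}


SAMPLE_LOGS = [
    make_row(1, "contosostorage", "TLS 1.2", "203.0.113.10:51234", MODERN_UA),
    make_row(2, "contosostorage", "TLS 1.0", "198.51.100.7:40021", LEGACY_UA),
    make_row(3, "contosostorage", "TLS 1.1", "198.51.100.7:40022", LEGACY_UA),
    make_row(24, "contosostorage", "TLS 1.2", "203.0.113.11:60010", MODERN_UA),
    make_row(24 * 10, "contosostorage", "TLS 1.0", "192.0.2.5:33000", LEGACY_UA),  # outside the 7-day window
    make_row(1, "otherstorage", "TLS 1.0", "192.0.2.9:44000", LEGACY_UA),           # a different account
]

if __name__ == "__main__":
    print(count_by_tls_version(SAMPLE_LOGS, "contosostorage", NOW))
    for (host, ua), versions in clients_below_minimum(SAMPLE_LOGS, "contosostorage", NOW, "TLS1_2").items():
        print(f"{host} {ua!r} uses {sorted(versions)}; its requests fail once TLS1_2 is enforced")
```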



REMEDIATE SECURITY RISKS WITH A MINIMUM VERSION OF TLS

When you are confident that traffic from clients using older versions of TLS is
minimal, or that it's acceptable to fail requests made with an older version of
TLS, then you can begin enforcement of a minimum TLS version on your storage
account. Requiring that clients use a minimum version of TLS to make requests
against a storage account is part of a strategy to minimize security risks to
your data.

Important

If you are using a service that connects to Azure Storage, make sure that
service is using the appropriate version of TLS to send requests to Azure
Storage before you set the required minimum version for a storage account.


CONFIGURE THE MINIMUM TLS VERSION FOR A STORAGE ACCOUNT

To configure the minimum TLS version for a storage account, set the
MinimumTlsVersion property for the account. This property is available for all
storage accounts that are created with the Azure Resource Manager deployment
model. For more information about the Azure Resource Manager deployment model,
see Storage account overview.

The default value of the MinimumTlsVersion property is different depending on
how you set it. When you create a storage account with the Azure portal, the
minimum TLS version is set to 1.2 by default. When you create a storage account
with PowerShell, Azure CLI, or an Azure Resource Manager template, the
MinimumTlsVersion property is not set by default and does not return a value
until you explicitly set it.

When the MinimumTlsVersion property is not set, its value may be displayed as
either null or an empty string, depending on the context. The storage account
will permit requests sent with TLS version 1.0 or greater if the property is not
set.

 * Portal
 * PowerShell
 * Azure CLI
 * Template

When you create a storage account with the Azure portal, the minimum TLS version
is set to 1.2 by default.

To configure the minimum TLS version for an existing storage account with the
Azure portal, follow these steps:

 1. Navigate to your storage account in the Azure portal.

 2. Under Settings, select Configuration.

 3. Under Minimum TLS version, use the drop-down to select the minimum version
    of TLS required to access data in this storage account.
    
    

To configure the minimum TLS version for a storage account with PowerShell,
install Azure PowerShell version 4.4.0 or later. Next, configure the
MinimumTlsVersion property for a new or existing storage account. Valid values
for MinimumTlsVersion are TLS1_0, TLS1_1, and TLS1_2.

The following example creates a storage account and sets MinimumTlsVersion to
TLS 1.1, then updates the account and sets MinimumTlsVersion to TLS 1.2. The
example also retrieves the property value in each case. Remember to replace the
placeholder values in brackets with your own values:

PowerShell:

$rgName = "<resource-group>"
$accountName = "<storage-account>"
$location = "<location>"

# Create a storage account with MinimumTlsVersion set to TLS 1.1.
New-AzStorageAccount -ResourceGroupName $rgName `
    -Name $accountName `
    -Location $location `
    -SkuName Standard_GRS `
    -AllowBlobPublicAccess $false `
    -MinimumTlsVersion TLS1_1

# Read the MinimumTlsVersion property.
(Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).MinimumTlsVersion

# Update the MinimumTlsVersion property of the storage account to TLS 1.2.
Set-AzStorageAccount -ResourceGroupName $rgName `
    -Name $accountName `
    -MinimumTlsVersion TLS1_2

# Read the MinimumTlsVersion property again.
(Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).MinimumTlsVersion


To configure the minimum TLS version for a storage account with Azure CLI,
install Azure CLI version 2.9.0 or later. For more information, see Install the
Azure CLI. Next, configure the minimumTlsVersion property for a new or existing
storage account. Valid values for minimumTlsVersion are TLS1_0, TLS1_1, and
TLS1_2.

The following example creates a storage account and sets minimumTlsVersion to
TLS 1.1. It then updates the account and sets the minimumTlsVersion property to
TLS 1.2. The example also retrieves the property value in each case. Remember to
replace the placeholder values in brackets with your own values:

Azure CLI:

az storage account create \
    --name <storage-account> \
    --resource-group <resource-group> \
    --kind StorageV2 \
    --location <location> \
    --allow-blob-public-access false \
    --min-tls-version TLS1_1

az storage account show \
    --name <storage-account> \
    --resource-group <resource-group> \
    --query minimumTlsVersion \
    --output tsv

az storage account update \
    --name <storage-account> \
    --resource-group <resource-group> \
    --min-tls-version TLS1_2

az storage account show \
    --name <storage-account> \
    --resource-group <resource-group> \
    --query minimumTlsVersion \
    --output tsv


To configure the minimum TLS version for a storage account with a template,
create a template with the minimumTlsVersion property set to TLS1_0, TLS1_1, or
TLS1_2. The following steps describe how to create a template in the Azure
portal.

 1. In the Azure portal, choose Create a resource.

 2. In Search the Marketplace, type template deployment, and then press ENTER.

 3. Choose Template deployment (deploy using custom templates), choose Create,
    and then choose Build your own template in the editor.

 4. In the template editor, paste in the following JSON to create a new account
    and set the minimum TLS version to TLS 1.2. Remember to replace the
    placeholders in angle brackets with your own values.
    
    JSON:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "variables": {
            "storageAccountName": "[concat(uniqueString(subscription().subscriptionId), 'tls')]"
        },
        "resources": [
            {
                "name": "[variables('storageAccountName')]",
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2019-06-01",
                "location": "<location>",
                "properties": {
                    "minimumTlsVersion": "TLS1_2"
                },
                "dependsOn": [],
                "sku": {
                    "name": "Standard_GRS"
                },
                "kind": "StorageV2",
                "tags": {}
            }
        ]
    }
    

 5. Save the template.

 6. Specify the resource group parameter, then choose the Review + create button
    to deploy the template and create a storage account with the
    minimumTlsVersion property configured.

Note

After you update the minimum TLS version for the storage account, it may take up
to 30 seconds before the change is fully propagated.

Configuring the minimum TLS version requires version 2019-04-01 or later of the
Azure Storage resource provider. For more information, see Azure Storage
Resource Provider REST API.


CHECK THE MINIMUM REQUIRED TLS VERSION FOR MULTIPLE ACCOUNTS

To check the minimum required TLS version across a set of storage accounts with
optimal performance, you can use the Azure Resource Graph Explorer in the Azure
portal. To learn more about using the Resource Graph Explorer, see Quickstart:
Run your first Resource Graph query using Azure Resource Graph Explorer.

Running the following query in the Resource Graph Explorer returns a list of
storage accounts and displays the minimum TLS version for each account:

Kusto:

resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend minimumTlsVersion = parse_json(properties).minimumTlsVersion
| project subscriptionId, resourceGroup, name, minimumTlsVersion



TEST THE MINIMUM TLS VERSION FROM A CLIENT

To test that the minimum required TLS version for a storage account forbids
calls made with an older version, you can configure a client to use an older
version of TLS. For more information about configuring a client to use a
specific version of TLS, see Configure Transport Layer Security (TLS) for a
client application.

When a client accesses a storage account using a TLS version that does not meet
the minimum TLS version configured for the account, Azure Storage returns HTTP
status code 400 (Bad Request) with a message indicating that the TLS version
used is not permitted for making requests against this storage account.

Note

When you configure a minimum TLS version for a storage account, that minimum
version is enforced at the application layer. Tools that attempt to determine
TLS support at the protocol layer may return TLS versions in addition to the
minimum required version when run directly against the storage account endpoint.


USE AZURE POLICY TO AUDIT FOR COMPLIANCE

If you have a large number of storage accounts, you may want to perform an audit
to make sure that all accounts are configured for the minimum version of TLS
that your organization requires. To audit a set of storage accounts for their
compliance, use Azure Policy. Azure Policy is a service that you can use to
create, assign, and manage policies that apply rules to Azure resources. Azure
Policy helps you to keep those resources compliant with your corporate standards
and service level agreements. For more information, see Overview of Azure
Policy.


CREATE A POLICY WITH AN AUDIT EFFECT

Azure Policy supports effects that determine what happens when a policy rule is
evaluated against a resource. The Audit effect creates a warning when a resource
is not in compliance, but does not stop the request. For more information about
effects, see Understand Azure Policy effects.

To create a policy with an Audit effect for the minimum TLS version with the
Azure portal, follow these steps:

 1. In the Azure portal, navigate to the Azure Policy service.

 2. Under the Authoring section, select Definitions.

 3. Select Add policy definition to create a new policy definition.

 4. For the Definition location field, select the More button to specify where
    the audit policy resource is located.

 5. Specify a name for the policy. You can optionally specify a description and
    category.

 6. Under Policy rule, add the following policy definition to the policyRule
    section.
    
    JSON:

    {
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                  "notEquals": "TLS1_2"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                  "exists": "false"
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "audit"
        }
      }
    }
    

 7. Save the policy.
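To see what this rule flags, here is an added Python example (not part of the article, and not Azure Policy's own engine) that evaluates the policyRule above against constructed storage-account documents. It implements only the allOf/anyOf/equals/notEquals/exists subset the rule uses, treats string comparisons as case-insensitive as Azure Policy does, and assumes the minimumTlsVersion alias reads properties.minimumTlsVersion from the resource.

```python
# The audit policy definition from the article, kept verbatim as a Python dict.
AUDIT_POLICY = {
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"anyOf": [
                    {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                     "notEquals": "TLS1_2"},
                    {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                     "exists": "false"},
                ]},
            ]
        },
        "then": {"effect": "audit"},
    }
}


def resolve_field(resource, field):
    """Read a policy field alias from a resource document.

    Assumption: the storage alias resolves to properties.minimumTlsVersion;
    a property that was never set (CLI/PowerShell/ARM default) reads as None.
    """
    if field == "type":
        return resource.get("type")
    if field == "Microsoft.Storage/storageAccounts/minimumTlsVersion":
        return resource.get("properties", {}).get("minimumTlsVersion")
    raise ValueError(f"unsupported field alias: {field}")


def _same(a, b):
    """String comparisons in Azure Policy conditions are case-insensitive."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate_condition(resource, cond):
    """Evaluate the subset of the policy condition language this rule uses."""
    if "allOf" in cond:
        return all(evaluate_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(resource, c) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _same(value, cond["equals"])
    if "notEquals" in cond:
        return not _same(value, cond["notEquals"])
    if "exists" in cond:
        # "exists": "false" matches resources where the property is absent.
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(resource, policy):
    """Return the effect ('audit' here) when the rule matches, else None."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(resource, rule["if"]) else None


def evaluate_all(resources, policy):
    """Map each resource name to the effect the policy would apply to it."""
    return {r["name"]: evaluate_policy(r, policy) for r in resources}


# Constructed resource documents with hypothetical names.
SAMPLE_RESOURCES = [
    {"name": "compliantsa", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "legacysa", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_0"}},
    # Created without ever setting the property: still accepts TLS 1.0.
    {"name": "unsetsa", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
    # Not a storage account, so outside the rule's scope.
    {"name": "vnet1", "type": "Microsoft.Network/virtualNetworks", "properties": {}},
]

if __name__ == "__main__":
    for name, effect in evaluate_all(SAMPLE_RESOURCES, AUDIT_POLICY).items():
        print(f"{name}: {effect or 'compliant / not in scope'}")
```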


ASSIGN THE POLICY

Next, assign the policy to a resource. The scope of the policy corresponds to
that resource and any resources beneath it. For more information on policy
assignment, see Azure Policy assignment structure.

To assign the policy with the Azure portal, follow these steps:

 1. In the Azure portal, navigate to the Azure Policy service.
 2. Under the Authoring section, select Assignments.
 3. Select Assign policy to create a new policy assignment.
 4. For the Scope field, select the scope of the policy assignment.
 5. For the Policy definition field, select the More button, then select the
    policy you defined in the previous section from the list.
 6. Provide a name for the policy assignment. The description is optional.
 7. Leave Policy enforcement set to Enabled. This setting has no effect on the
    audit policy.
 8. Select Review + create to create the assignment.


VIEW COMPLIANCE REPORT

After you've assigned the policy, you can view the compliance report. The
compliance report for an audit policy provides information on which storage
accounts are not in compliance with the policy. For more information, see Get
policy compliance data.

It may take several minutes for the compliance report to become available after
the policy assignment is created.

To view the compliance report in the Azure portal, follow these steps:

 1. In the Azure portal, navigate to the Azure Policy service.

 2. Select Compliance.

 3. Filter the results for the name of the policy assignment that you created in
    the previous step. The report shows how many resources are not in compliance
    with the policy.

 4. You can drill down into the report for additional details, including a list
    of storage accounts that are not in compliance.
    
    


USE AZURE POLICY TO ENFORCE THE MINIMUM TLS VERSION

Azure Policy supports cloud governance by ensuring that Azure resources adhere
to requirements and standards. To enforce a minimum TLS version requirement for
the storage accounts in your organization, you can create a policy that prevents
the creation of a new storage account that sets the minimum TLS requirement to
an older version of TLS than that which is dictated by the policy. This policy
will also prevent all configuration changes to an existing account if the
minimum TLS version setting for that account is not compliant with the policy.

The enforcement policy uses the Deny effect to prevent a request that would
create or modify a storage account so that the minimum TLS version no longer
adheres to your organization's standards. For more information about effects,
see Understand Azure Policy effects.

To create a policy with a Deny effect for a minimum TLS version that is less
than TLS 1.2, follow the same steps described in Use Azure Policy to audit for
compliance, but provide the following JSON in the policyRule section of the
policy definition:



{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "notEquals": "TLS1_2"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                "exists": "false"
              }
            ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}


After you create the policy with the Deny effect and assign it to a scope, a
user cannot create a storage account with a minimum TLS version that is older
than 1.2. Nor can a user make any configuration changes to an existing storage
account that currently requires a minimum TLS version that is older than 1.2.
Attempting to do so results in an error. The required minimum TLS version for
the storage account must be set to 1.2 to proceed with account creation or
configuration.
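As an added example (not from the Microsoft page or any Azure SDK), the following Python models how the audit and deny rules above are evaluated against a few constructed storage account resources; the alias-to-property resolution and the treatment of absent fields are simplifying assumptions of this model, not Azure Policy's documented semantics.

```python
# Added example, not from the page or Azure SDKs: a minimal model of how the
# policyRule above is evaluated (allOf, anyOf, equals, notEquals, exists only).
TLS_FIELD = "Microsoft.Storage/storageAccounts/minimumTlsVersion"

def tls_policy_rule(effect):
    """The page's policyRule with the given effect ('audit' or 'deny')."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [{"field": TLS_FIELD, "notEquals": "TLS1_2"},
                       {"field": TLS_FIELD, "exists": "false"}]},
        ]},
        "then": {"effect": effect},
    }

def field_value(resource, field):
    """Resolve 'type' or a property alias (assumption: last segment is the property name)."""
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def evaluate(cond, resource):
    """Recursively evaluate one condition block to True or False."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:   # assumption: comparisons on an absent field are false,
        return False    # so the exists:false branch is what catches "unset"
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond!r}")

def effect_for(resource, rule):  # 'audit'/'deny' when matched, else None
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None

def noncompliant(resources, rule):  # names a compliance report would list
    return sorted(n for n, r in resources.items() if effect_for(r, rule))

SA = "Microsoft.Storage/storageAccounts"
SAMPLES = {  # constructed sample resources, not real accounts
    "tls12": {"type": SA, "properties": {"minimumTlsVersion": "TLS1_2"}},
    "tls10": {"type": SA, "properties": {"minimumTlsVersion": "TLS1_0"}},
    "unset": {"type": SA, "properties": {}},
    "vm": {"type": "Microsoft.Compute/virtualMachines", "properties": {}}}
```

With the deny rule, the same match that the audit rule merely reports is the one that Azure would reject at create or update time.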

The following image shows the error that occurs if you try to create a storage
account with the minimum TLS version set to TLS 1.0 (the default for a new
account) when a policy with a Deny effect requires that the minimum TLS version
is set to TLS 1.2.




PERMISSIONS NECESSARY TO REQUIRE A MINIMUM VERSION OF TLS

To set the MinimumTlsVersion property for the storage account, a user must have
permissions to create and manage storage accounts. Azure role-based access
control (Azure RBAC) roles that provide these permissions include the
Microsoft.Storage/storageAccounts/write or Microsoft.Storage/storageAccounts/*
action. Built-in roles with this action include:

 * The Azure Resource Manager Owner role
 * The Azure Resource Manager Contributor role
 * The Storage Account Contributor role

These roles do not provide access to data in a storage account via Microsoft
Entra ID. However, they include the
Microsoft.Storage/storageAccounts/listkeys/action, which grants access to the
account access keys. With this permission, a user can use the account access
keys to access all data in a storage account.

Role assignments must be scoped to the level of the storage account or higher to
permit a user to require a minimum version of TLS for the storage account. For
more information about role scope, see Understand scope for Azure RBAC.

Be careful to restrict assignment of these roles only to those who require the
ability to create a storage account or update its properties. Use the principle
of least privilege to ensure that users have the fewest permissions that they
need to accomplish their tasks. For more information about managing access with
Azure RBAC, see Best practices for Azure RBAC.

Note

The classic subscription administrator roles Service Administrator and
Co-Administrator include the equivalent of the Azure Resource Manager Owner
role. The Owner role includes all actions, so a user with one of these
administrative roles can also create and manage storage accounts. For more
information, see Azure roles, Microsoft Entra roles, and classic subscription
administrator roles.


NETWORK CONSIDERATIONS

When a client sends a request to a storage account, the client first establishes
a connection with the public endpoint of the storage account, before any request
is processed. The minimum TLS version setting is checked only after the
connection is established. If the request uses an earlier version of TLS than
the one specified by the setting, the connection still succeeds, but the request
itself fails. For more information about public endpoints for Azure Storage, see
Resource URI syntax.


NEXT STEPS

 * Configure Transport Layer Security (TLS) for a client application
 * Security recommendations for Blob storage
