Event Grid Topic accepts insecure TLS versions

July 7, 2025 ยท View on GitHub

SYNOPSIS

Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.

DESCRIPTION

The minimum version of TLS that Event Grid Topics accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

When clients connect using an older version of TLS that is disabled, the connection will fail.

RECOMMENDATION

Configure the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.

EXAMPLES

Configure with Bicep

To deploy topics that pass this rule:

  • Set the properties.minimumTlsVersionAllowed property to 1.2.

For example:

resource topic 'Microsoft.EventGrid/topics@2025-02-15' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: true
    publicNetworkAccess: 'Disabled'
    minimumTlsVersionAllowed: '1.2'
    inputSchema: 'CloudEventSchemaV1_0'
  }
}

Configure with Azure template

To deploy topics that pass this rule:

  • Set the properties.minimumTlsVersionAllowed property to 1.2.

For example:

{
  "type": "Microsoft.EventGrid/topics",
  "apiVersion": "2025-02-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "disableLocalAuth": true,
    "publicNetworkAccess": "Disabled",
    "minimumTlsVersionAllowed": "1.2",
    "inputSchema": "CloudEventSchemaV1_0"
  }
}