Use secure protocols for Storage Accounts

October 4, 2025

SYNOPSIS

Storage Accounts should not accept weak or deprecated transport protocols for client-server communication.

DESCRIPTION

The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards such as PCI DSS.

Storage Accounts let you disable outdated protocols and enforce TLS 1.2. Unless a minimum version is configured, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.

When a client attempts to connect using a TLS version below the configured minimum, the TLS handshake is rejected and the request fails.

RECOMMENDATION

Consider configuring the minimum supported TLS version to TLS 1.2 or later. Also consider enforcing this setting using Azure Policy.

EXAMPLES

Configure with Bicep

To deploy Storage Accounts that pass this rule:

  • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}

Configure with Azure template

To deploy Storage Accounts that pass this rule:

  • Set the properties.minimumTlsVersion property to TLS1_2 or newer.

For example:

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
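A template can be checked for this setting before it is deployed. The script below is an added example, not part of this page or of the PSRule project; it applies the same test the rule does (minimumTlsVersion present and TLS1_2 or newer) to every Microsoft.Storage/storageAccounts resource in an ARM template, treating an absent property as the TLS 1.0 default described above. The sample template is constructed for the example, and the TLS1_3 value is included on the assumption that newer storage API versions accept it.

```python
"""Audit ARM template resources for the Storage Account minimum TLS setting.

Added example: this is not the page's own code, nor PSRule's. The sample
template at the bottom is constructed for the example.
"""
import json

# Ordered weakest to strongest. TLS1_0, TLS1_1 and TLS1_2 are the values the
# page documents; TLS1_3 is assumed to be accepted by newer API versions so
# that "TLS1_2 or newer" still passes.
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]
REQUIRED_MIN = "TLS1_2"

# The page states that an account without a configured minimum accepts
# TLS 1.0 and above, so an absent property is evaluated as TLS1_0.
DEFAULT_WHEN_UNSET = "TLS1_0"

STORAGE_TYPE = "microsoft.storage/storageaccounts"


def tls_rank(value):
    """Return a comparable rank for a minimumTlsVersion string, or None if unknown."""
    try:
        return TLS_ORDER.index(value)
    except ValueError:
        return None


def check_storage_account(resource):
    """Return (passed, reason) for one Microsoft.Storage/storageAccounts resource."""
    props = resource.get("properties") or {}
    value = props.get("minimumTlsVersion")
    if value is None:
        return False, f"minimumTlsVersion not set; account defaults to {DEFAULT_WHEN_UNSET}"
    rank = tls_rank(value)
    if rank is None:
        # Fail closed: an unrecognised value cannot be shown to meet the bar.
        return False, f"unrecognised minimumTlsVersion {value!r}"
    if rank < tls_rank(REQUIRED_MIN):
        return False, f"minimumTlsVersion {value} is below {REQUIRED_MIN}"
    return True, f"minimumTlsVersion {value} meets {REQUIRED_MIN}"


def audit_template(template):
    """Evaluate every storage account in a parsed ARM template.

    Child resources such as storageAccounts/blobServices carry no
    minimumTlsVersion of their own and are skipped by the exact type match.
    """
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != STORAGE_TYPE:
            continue
        passed, reason = check_storage_account(res)
        findings.append({"name": res.get("name"), "passed": passed, "reason": reason})
    return findings


# Constructed sample: one account with no setting, one pinned to TLS 1.0,
# one that matches the template shown on this page.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "legacydefault",
            "properties": {"supportsHttpsTrafficOnly": True},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "weaktls",
            "properties": {"minimumTlsVersion": "TLS1_0"},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "[parameters('name')]",
            "properties": {"minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True},
        },
        {
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "apiVersion": "2023-01-01",
            "name": "[concat(parameters('name'), '/default')]",
            "properties": {},
        },
    ]
}


if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE_TEMPLATE), indent=2))
```

Run against a real template by loading it with json.load and passing the result to audit_template; any finding with passed set to false is a storage account the rule would flag. The same ordering check also explains why TLS1_3, where the API accepts it, satisfies "TLS1_2 or newer".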

Configure with Azure Policy

To address this issue at runtime, use the following policies: