Use secure protocols for Storage Accounts
October 4, 2025 ยท View on GitHub
SYNOPSIS
Storage Accounts should not accept weak or deprecated transport protocols for client-server communication.
DESCRIPTION
The minimum version of TLS that Azure Storage Accounts accept for blob storage is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Storage Accounts lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
When clients connect using an older version of TLS that is disabled, the connection will fail.
RECOMMENDATION
Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
EXAMPLES
Configure with Bicep
To deploy Storage Accounts that pass this rule:
- Set the
properties.minimumTlsVersionproperty toTLS1_2or newer.
For example:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: name
location: location
sku: {
name: 'Standard_GRS'
}
kind: 'StorageV2'
properties: {
allowBlobPublicAccess: false
supportsHttpsTrafficOnly: true
minimumTlsVersion: 'TLS1_2'
accessTier: 'Hot'
allowSharedKeyAccess: false
networkAcls: {
defaultAction: 'Deny'
}
}
}
Configure with Azure template
To deploy Storage Accounts that pass this rule:
- Set the
properties.minimumTlsVersionproperty toTLS1_2or newer.
For example:
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_GRS"
},
"kind": "StorageV2",
"properties": {
"allowBlobPublicAccess": false,
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "TLS1_2",
"accessTier": "Hot",
"allowSharedKeyAccess": false,
"networkAcls": {
"defaultAction": "Deny"
}
}
}
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Storage accounts should have the specified minimum TLS version
/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0
LINKS
- SE:07 Encryption
- Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account
- DP-3: Encrypt sensitive data in transit
- TLS encryption in Azure
- Preparing for TLS 1.2 in Microsoft Azure
- Use Azure Policy to enforce the minimum TLS version
- Azure deployment reference