Azure Storage – TLS 1.0 and 1.1 retirement
by info.odysseyx@gmail.com, October 30, 2024

The deprecation of TLS 1.0 and 1.1 in Azure Storage was previously announced for November 1, 2024, but was recently pushed back by a year, to November 1, 2025. Nonetheless, some documents still give the earlier date. We are currently updating the dates on those documents. See: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migration-to…

What you need to change:

On November 1, 2025, Azure Blob Storage will stop supporting Transport Layer Security (TLS) versions 1.0 and 1.1, and TLS 1.2 becomes the new minimum TLS version. This change happens internally on the Azure Storage side and does not require any action on the Azure Storage service. Regardless, from that date any client connecting to Azure Storage must use TLS 1.2 to send and receive data; otherwise it will not be able to establish an SSL/TLS connection to the storage account. Therefore, you may need to ensure that your client applications are using TLS 1.2 by then and, if necessary, update your applications to remove any dependencies on TLS versions 1.0 and 1.1.

If your storage account is already configured with a minimum TLS version of 1.2 or higher, your storage clients are already connecting using TLS 1.2 or higher, and you do not need to take any action on those client applications. If you have storage accounts configured with a minimum TLS version of 1.0 or 1.1, you may need to check which TLS version the clients of those storage accounts are using. Clients that use TLS 1.0 or 1.1 must be updated so that they can still connect to Storage after November 1, 2025.
Once that is done, you can manually change your Azure Storage configuration to enforce a minimum TLS version of 1.2 if desired. After November 1, 2025, at least TLS 1.2 will be enforced anyway, and since that change occurs internally, doing it yourself will not be required.

To determine the minimum TLS version configured for each storage account in your Azure subscriptions:

You can use the PowerShell script below to list the minimum TLS version configured for all storage accounts in one subscription.

```powershell
Connect-AzAccount -Subscription "your subscription id"

# get the Minimum TLS Version configured on all storage accounts in one subscription
$accounts = Get-AzStorageAccount
foreach ($account in $accounts) {
    Write-Host $account.MinimumTlsVersion "-" $account.Context.Name
}
```

If you have storage accounts with a minimum TLS version of 1.0 or 1.1, you may need to check which version of TLS is used by the client applications connecting to those storage accounts. The only way to check this is to look at the application code or at the Storage Diagnostic Logs: when enabled, they record every storage operation together with the TLS version used by the request.

How to enable/disable Storage Diagnostic Logs on the relevant storage accounts:

The PowerShell script below scans all storage accounts in an Azure subscription and enables storage diagnostic logs on the accounts configured with a minimum TLS version lower than 1.2. Logs are enabled for all services (blobs, tables, queues, and files) in each storage account. First, you must have a Log Analytics workspace that can receive those logs. It is better to create a new workspace just for these logs, so that you can delete it later. You must also set your Azure subscription ID and the resource ID of the Log Analytics workspace in the $WorkspaceId variable of the PowerShell script. At the end of the script there are instructions on how to re-run it to remove the added diagnostic settings when they are no longer needed.
Once Storage Diagnostic Logs are enabled on the relevant storage accounts, after a short wait (maybe a few days, to make sure every application has interacted with the storage), you can query your Log Analytics workspace and look for requests using TLS versions lower than 1.2. You can use the Kusto query shared below for this.

Important: the script provided on this page is shared as a guideline for you; please understand that we are doing our best to provide you with better assistance. Use scripts or queries from this page at your own risk. We share these scripts without any guarantees and assume no responsibility for any unexpected results. We recommend that you review, test, and adjust all scripts and queries as needed.

```powershell
#######################################################################################################
## Enable/Disable Storage Diagnostic Logs on all storage accounts, under some subscription
#######################################################################################################
Connect-AzAccount -Subscription "your subscription id"

# Create a Log Analytics Workspace, go to Properties and copy "Resource ID":
$WorkspaceId = "/subscriptions//resourceGroups//providers/Microsoft.OperationalInsights/workspaces/"
$DiagnosticSettingName = "Logs_to_check_TLS_requests"   # any name to identify the Diagnostic Logs on each storage account
#######################################################################################################

# get all accounts in the subscription
$accounts = Get-AzStorageAccount
foreach ($account in $accounts) {
    # If account.MinimumTlsVersion is greater than or equal to "TLS1_2", we don't need Diagnostic Logs
    # and we can continue to the next storage account
    if ($account.MinimumTlsVersion -ge "TLS1_2") {
        Write-Host $account.MinimumTlsVersion "-" $account.Context.Name "- continue"
        continue
    }

    $ResourceId = $account.Id

    # Metrics are not needed for this check; kept commented out in case you also want them
    #$metric  = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
    #$setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $ResourceId -WorkspaceId $WorkspaceId -Setting $metric
    #Set-AzDiagnosticSetting -InputObject $setting

    $readlog   = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageRead   -Enabled
    $writelog  = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageWrite  -Enabled
    $deletelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageDelete -Enabled

    # Create an array of resource IDs for the different services in the storage account
    $Ids = @(
        $ResourceId + "/blobServices/default"
        $ResourceId + "/fileServices/default"
        $ResourceId + "/queueServices/default"
        $ResourceId + "/tableServices/default"
    )

    # Enable / Disable Diagnostic Settings on each service
    $Ids | ForEach-Object {
        # Enable Storage Diagnostic Logs on all storage accounts (comment the Remove-AzDiagnosticSetting command below)
        #---------------------------------------------------------
        $setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_ -WorkspaceId $WorkspaceId -Setting $readlog,$writelog,$deletelog
        Set-AzDiagnosticSetting -InputObject $setting

        # Disable Storage Diagnostic Logs on all storage accounts (comment the two lines above)
        # This removes only the setting named $DiagnosticSettingName and keeps any other pre-existing Diagnostic Logs configuration
        #---------------------------------------------------------
        #Remove-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_
    }
}
#######################################################################################################
```
To check the storage diagnostic logs and identify client applications using TLS 1.0 or 1.1 to connect to storage services:

To query your Log Analytics workspace and find requests using TLS versions lower than 1.2, you can use the Kusto query below. It returns all requests using TLS versions lower than 1.2 across all services (blobs, tables, queues, and files) in every storage account that sends its diagnostic logs to that Log Analytics workspace. If you only want to check some specific storage accounts, uncomment the "where AccountName in (...)" line and enter the names of the storage accounts you want to check.

```kusto
union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
//| where AccountName in ("storageaccount1","storageaccount2")
| where TimeGenerated > ago(7d)
| where strcmp(TlsVersion, "TLS 1.2") < 0
| project TimeGenerated, TlsVersion, AccountName, ServiceType, OperationName, StatusCode, CallerIpAddress, UserAgentHeader, Uri
```

In the last line, select only the fields relevant to your investigation. CallerIpAddress and UserAgentHeader help identify the client application. TlsVersion is the field that indicates the TLS version of each request. TimeGenerated, AccountName, ServiceType, OperationName, StatusCode and Uri can also help identify the service used and the request URI. To see all fields, just remove or comment out the last line.

Conclusion:

The Azure Storage TLS 1.0 and 1.1 deprecation date has been pushed back by one year, to November 1, 2025. After that date, any client that connects to the Azure Storage service using a TLS version lower than 1.2 will no longer be able to connect to Azure Storage. You don't need to take any action on the Azure Storage service; this change happens automatically. By that date, you just need to ensure that all client applications connecting to your storage account are using TLS 1.2 or higher.
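As an added example that is not part of the original post, the PowerShell script below chains the two steps above: it inventories storage accounts whose minimum TLS version still allows 1.0 or 1.1 across every subscription you can read (the original script covers one subscription), then runs the same Kusto filter against the workspace, restricted to those accounts and aggregated per client, so each output row is one client to fix. It assumes the Az.Accounts, Az.Storage and Az.OperationalInsights modules, an existing Connect-AzAccount session, and the placeholder workspace variables at the top.

```powershell
# Added example, not from the original post. Assumptions: Az.Accounts, Az.Storage and
# Az.OperationalInsights are installed, Connect-AzAccount has been run, and the variables
# below point at the Log Analytics workspace that receives the storage diagnostic logs.
$WorkspaceSubscription  = "<subscription id that contains the Log Analytics workspace>"
$WorkspaceResourceGroup = "<resource group of the Log Analytics workspace>"
$WorkspaceName          = "<Log Analytics workspace name>"

# Step 1: accounts whose minimum TLS version is below TLS1_2, across all readable subscriptions.
$accountsToCheck = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null
    foreach ($account in Get-AzStorageAccount) {
        # Empty when the property was never set on an older account; treat that as "needs checking".
        $min = [string]$account.MinimumTlsVersion
        if ($min -eq "" -or $min -lt "TLS1_2") {
            [pscustomobject]@{
                Subscription      = $sub.Name
                StorageAccount    = $account.StorageAccountName
                MinimumTlsVersion = $min
            }
        }
    }
}
$accountsToCheck | Format-Table -AutoSize
if (-not $accountsToCheck) { Write-Host "Every storage account already enforces TLS 1.2 or higher."; return }

# Step 2: ask the workspace which clients actually sent requests below TLS 1.2 to those accounts.
# Invoke-AzOperationalInsightsQuery needs the workspace customer ID (a GUID), not the ARM
# resource ID that the diagnostic-setting script uses in $WorkspaceId.
Set-AzContext -Subscription $WorkspaceSubscription | Out-Null
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceResourceGroup -Name $WorkspaceName
$names = ($accountsToCheck.StorageAccount | ForEach-Object { '"' + $_ + '"' }) -join ","
$query = @"
union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
| where AccountName in ($names)
| where TimeGenerated > ago(7d)
| where strcmp(TlsVersion, "TLS 1.2") < 0
| summarize Requests = count(), LastSeen = max(TimeGenerated)
    by AccountName, ServiceType, TlsVersion, CallerIpAddress, UserAgentHeader
| order by Requests desc
"@
$legacyClients = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query).Results

# One row per (account, service, TLS version, caller IP, user agent): the list to hand to application owners.
$legacyClients | Format-Table AccountName, ServiceType, TlsVersion, CallerIpAddress, Requests, LastSeen, UserAgentHeader -AutoSize
$legacyClients | Export-Csv -Path ".\legacy-tls-clients.csv" -NoTypeInformation
```

Run it only after the diagnostic logs have been collecting for long enough to cover every application's normal activity, otherwise the second step will under-report.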
Related documents:

- Azure Storage TLS 1.0 and 1.1 deprecation: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migration-to…
- Other Azure products' TLS 1.0 and 1.1 deprecations and FAQs: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/support-for-legacy-tls-proto…
- Enforce a minimum required version of Transport Layer Security (TLS) for requests to your storage account: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-ve…
- Audit compliance using Azure Policy: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-ve…
- Storage diagnostic logs: create diagnostic settings: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#cre…
- Storage diagnostic logs: destinations: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#des…
- Log Analytics tutorial: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial
- Log Analytics workspace – sample Kusto query: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal#sample-…
- Available log formats and information: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference#resource-logs

Storage diagnostic logs may in some cases incur an additional charge: the most significant cost for most Azure Monitor implementations is typically data collection and retention in Log Analytics workspaces. After the investigation, you can disable storage diagnostic logs again if you no longer need them.

- Log cost calculation: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs
- Azure Monitor and Log Analytics pricing: https://azure.microsoft.com/en-us/pricing/details/monitor/

Hope this can be useful!!!