
Azure Storage – TLS 1.0 and 1.1 retirement

by info.odysseyx@gmail.com


Overview:

The retirement of TLS 1.0 and 1.1 in Azure Storage was previously announced for November 1, 2024, but has recently been pushed back by a year, to November 1, 2025.
Nonetheless, some documents still show the earlier date. We are currently updating the dates in those documents.
See: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migration-to…


What you need to change:

On November 1, 2025, Azure Blob Storage will stop supporting Transport Layer Security (TLS) versions 1.0 and 1.1, and TLS 1.2 will become the new minimum TLS version.
This change is applied internally on the Azure Storage side and does not require any action on the Azure Storage service itself.

Regardless, from that date on, any client connecting to Azure Storage must use TLS 1.2 to send and receive data; otherwise it will not be able to establish a TLS connection to the storage service.
Therefore, you should ensure that your client applications are using TLS 1.2 by that date and, if necessary, update your applications to remove any dependencies on TLS versions 1.0 and 1.1.

  • If your storage account is already configured with a minimum TLS version of 1.2, your storage clients are already connecting using TLS 1.2 or higher, and you do not need to take any action on those client applications.
  • If you have storage accounts configured with a minimum TLS version of 1.0 or 1.1, you should check which TLS version the clients of those storage accounts are using. If they use TLS 1.0 or 1.1, you may need to update your applications so that they can still connect to Storage after November 1, 2025.

Once your clients have been updated, you can manually change your Azure Storage configuration to enforce a minimum of TLS 1.2 if desired.
After November 1, 2025, at least TLS 1.2 will be enforced internally, so this manual change will no longer be required.


To determine the minimum TLS version configured for each storage account in an Azure subscription:

You can use the PowerShell script below to list the minimum TLS version configured for all storage accounts in your subscription.

Connect-AzAccount -Subscription "<your subscription id>"

# Get the minimum TLS version configured on every storage account in the current subscription
$accounts = Get-AzStorageAccount
foreach ($account in $accounts) {
    # A blank value means the property was never set on the account; it sorts below "TLS1_2" and should be reviewed
    Write-Host $account.MinimumTlsVersion "-" $account.StorageAccountName
}
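As an added example that is not part of the original post, the same check extended to every enabled subscription the signed-in identity can see, with the accounts that still need review flagged in the output. It assumes the Az.Accounts and Az.Storage modules are installed and Connect-AzAccount has already run; the function name Get-StorageTlsAudit is my own.

```powershell
# Added example (not from the original post): audit MinimumTlsVersion across all
# enabled subscriptions instead of only the current one.
# Assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount has run.

function Get-StorageTlsAudit {
    [CmdletBinding()]
    param()

    foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
        # Switch the session to this subscription before enumerating its accounts
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        foreach ($account in Get-AzStorageAccount) {
            $min = $account.MinimumTlsVersion
            # An account that never had the property set reports a blank value;
            # show it explicitly so it is not mistaken for an already-compliant account.
            if ([string]::IsNullOrEmpty($min)) { $min = '(not set)' }

            [pscustomobject]@{
                Subscription      = $sub.Name
                ResourceGroup     = $account.ResourceGroupName
                StorageAccount    = $account.StorageAccountName
                MinimumTlsVersion = $min
                # String comparison works because the values sort as TLS1_0 < TLS1_1 < TLS1_2,
                # and '(not set)' sorts below all of them.
                NeedsReview       = -not ($min -ge 'TLS1_2')
            }
        }
    }
}

# List only the accounts whose clients still have to be checked before November 1, 2025
Get-StorageTlsAudit | Where-Object NeedsReview | Format-Table -AutoSize
```

Once the clients of an account are confirmed to use TLS 1.2, the same loop can enforce the new minimum with Set-AzStorageAccount -ResourceGroupName <rg> -Name <account> -MinimumTlsVersion TLS1_2.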

If you have storage accounts configured with a minimum TLS version of 1.0 or 1.1, you should check which version of TLS is used by the client applications connecting to those storage accounts.
The only ways to check this are to look at the application code or at the Storage Diagnostic Logs: when enabled, they list every storage operation together with the TLS version used for it.


How to enable/disable Storage Diagnostic Logs on the relevant storage accounts:

The PowerShell script below scans all storage accounts in an Azure subscription and enables storage diagnostic logs on the accounts configured with a minimum TLS version lower than 1.2.
Logs are enabled for all services (blobs, tables, queues, and files) in each of those storage accounts.
First, you need a Log Analytics workspace to receive those logs. It is better to create a new workspace just for these logs, so that you can delete it later.
You must also set your Azure subscription ID in Connect-AzAccount and the resource ID of the Log Analytics workspace in the $WorkspaceId variable of the PowerShell script.
The script also contains commented-out instructions on how to re-run it to remove the added diagnostic settings when they are no longer needed.

Once Storage Diagnostic Logs are enabled on the relevant storage accounts, after a short wait (possibly a few days, to make sure every application has interacted with every storage account), you can query your Log Analytics workspace and look for requests using TLS versions lower than 1.2.
You can use the Kusto query shared below for this.

Important:
The scripts on this page are shared as a guideline; please understand that we are doing our best to provide you with helpful assistance.
Use the scripts and queries from this page at your own risk.
They are shared without any guarantee, and we assume no responsibility for any unexpected results.
We recommend that you review, test, and adjust all scripts and queries as needed.

#######################################################################################################
## Enable/Disable Storage Diagnostic Logs on all storage accounts under one subscription
#######################################################################################################

Connect-AzAccount -Subscription "<your subscription id>"

# Create a Log Analytics workspace, open its Properties blade and copy the "Resource ID":
$WorkspaceId = "/subscriptions//resourceGroups//providers/Microsoft.OperationalInsights/workspaces/"
$DiagnosticSettingName = "Logs_to_check_TLS_requests" # any name that identifies these diagnostic settings on each storage account

#######################################################################################################

# Get all storage accounts in the subscription
$accounts = Get-AzStorageAccount
foreach ($account in $accounts)
{
    # Accounts already at TLS1_2 or higher need no diagnostic logs; skip to the next account.
    # (A blank MinimumTlsVersion sorts below "TLS1_2", so accounts where it was never set are not skipped.)
    if ($account.MinimumTlsVersion -ge "TLS1_2")
    {
        Write-Host $account.MinimumTlsVersion "-" $account.StorageAccountName "- continue"
        continue
    }

    $ResourceId = $account.Id

    # Log categories to capture for every storage service (metrics are not needed for this check)
    $readlog   = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageRead -Enabled
    $writelog  = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageWrite -Enabled
    $deletelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageDelete -Enabled

    # Resource IDs of the four services in this storage account
    $Ids = @(
        $ResourceId + "/blobServices/default"
        $ResourceId + "/fileServices/default"
        $ResourceId + "/queueServices/default"
        $ResourceId + "/tableServices/default"
    )

    # Enable / disable the diagnostic setting on each service
    $Ids | ForEach-Object {
        # Enable Storage Diagnostic Logs (leave the Remove-AzDiagnosticSetting line below commented out)
        #---------------------------------------------------------
        $setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_ -WorkspaceId $WorkspaceId -Setting $readlog,$writelog,$deletelog
        Set-AzDiagnosticSetting -InputObject $setting

        # Disable Storage Diagnostic Logs (comment out the two lines above and uncomment the line below)
        # Only the setting named $DiagnosticSettingName is removed; any other existing diagnostic settings are kept
        #---------------------------------------------------------
        #Remove-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_
    }
}
#######################################################################################################



How to check the storage diagnostic logs to identify client applications connecting to storage services with TLS 1.0 or 1.1:

To query your Log Analytics workspace and find requests using TLS versions lower than 1.2, you can use the Kusto query below.
The query returns all requests using TLS versions lower than 1.2 across all services (blobs, tables, queues, and files) in every storage account that sends its diagnostic logs to the same Log Analytics workspace.
If you only want to check specific storage accounts, uncomment line 6 and enter the names of the storage accounts you want to check.

union 
    StorageBlobLogs,
    StorageFileLogs,
    StorageQueueLogs,
    StorageTableLogs
//| where AccountName in ("storageaccount1","storageaccount2")
| where TimeGenerated > ago(7d) 
| where strcmp(TlsVersion,"TLS 1.2") <0
| project TimeGenerated, TlsVersion, AccountName, ServiceType, OperationName, StatusCode, CallerIpAddress, UserAgentHeader, Uri 

In the last line, select only the fields relevant to your investigation.
CallerIpAddress and UserAgentHeader help identify the client application.
TlsVersion indicates the TLS version used by each request.
TimeGenerated, AccountName, ServiceType, OperationName, StatusCode and Uri can also help identify the service used and the request URI.
To see all fields, simply remove or comment out the last line.
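As an added example that is not part of the original post, the same Kusto query run from PowerShell and summarised per client, so that each legacy-TLS application can be tracked down by caller IP and user agent instead of reading raw request rows. It assumes the Az.OperationalInsights module is installed, Connect-AzAccount has run, and that the workspace's "Workspace ID" GUID (not the resource ID used for the diagnostic settings above) is available; the function name Get-LegacyTlsClients is my own.

```powershell
# Added example (not from the original post): run the page's Kusto query from PowerShell and
# summarise legacy-TLS traffic per client application.
# Assumes Az.OperationalInsights is installed and Connect-AzAccount has run.
# Note: Invoke-AzOperationalInsightsQuery takes the workspace customer ID (a GUID), not the
# "/subscriptions/.../workspaces/..." resource ID that the diagnostic settings script uses.

function Get-LegacyTlsClients {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceCustomerId,
        [int] $Days = 7,
        [string[]] $AccountName   # optional: restrict the search to specific storage accounts
    )

    # Optional filter, equivalent to uncommenting the "where AccountName in (...)" line of the query
    $accountFilter = ''
    if ($AccountName) {
        $quoted = ($AccountName | ForEach-Object { '"{0}"' -f $_ }) -join ','
        $accountFilter = "| where AccountName in ($quoted)"
    }

    # Same source tables and TLS filter as the page's query, followed by a per-client summary
    $query = @"
union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
$accountFilter
| where TimeGenerated > ago(${Days}d)
| where strcmp(TlsVersion, "TLS 1.2") < 0
| summarize Requests = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Operations = make_set(OperationName, 20)
    by AccountName, ServiceType, TlsVersion, CallerIpAddress, UserAgentHeader
| order by Requests desc
"@

    # Results holds one row per distinct client / account / service / TLS version combination
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceCustomerId -Query $query).Results
}

# Example call: list every legacy-TLS client seen in the last 7 days, busiest first
Get-LegacyTlsClients -WorkspaceCustomerId '<workspace id GUID>' | Format-Table -AutoSize
```

A row whose LastSeen stops advancing after an application is updated confirms that the fix reached production; a row that keeps appearing points to a client that still needs work.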


Conclusion:

The Azure Storage TLS 1.0 and 1.1 retirement date has been pushed back by one year, to November 1, 2025.
After that date, any client that connects to the Azure Storage service using a TLS version lower than 1.2 will no longer be able to connect to Azure Storage.
You do not need to take any action on the Azure Storage service itself; this change happens automatically.
You only need to ensure that, by that date, all client applications connecting to your storage accounts are using TLS 1.2 or higher.


Related documents:

Azure Storage TLS 1.0 and 1.1 deprecation: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migration-to…

Other Azure products TLS 1.0 and 1.1 deprecations and FAQs: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/support-for-legacy-tls-proto…

Enforces the minimum required version of Transport Layer Security (TLS) for requests to your storage account. https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-ve…

Audit compliance using Azure Policy. https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-ve…

Storage diagnostic logs:
Create diagnostic settings: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#cre…

destination: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#des…

Log Analytics tutorial: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial

Log Analytics workspace – Sample Kusto query: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal#sample-…

Available log formats and information: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference#resource-logs

Storage diagnostic logs may incur additional charges in some cases: for most Azure Monitor implementations, the most significant cost is typically data collection and retention in Log Analytics workspaces.
After your investigation, you can disable the storage diagnostic logs again if you no longer need them.
Log cost calculation: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs

Analytics log pricing: https://azure.microsoft.com/en-us/pricing/details/monitor/

Hope this can be useful!!!




