Why is Azure DevTest Labs deploying a storage account with TLS 1.0? It is not configurable

Koen van Eijk 20 Reputation points
2024-04-29T15:34:44.85+00:00

DevTest Labs provisions a number of resources on deployment, including a storage account. Aside from not being able to set mandatory tags on any of these resources, the ultimate roadblock is that the storage account is configured with TLS 1.0 by default. I believe this version is even leaving support sometime this year, and there is no way of configuring the TLS version as part of the deployment (neither the Terraform provider nor the ARM template show parameters for this).

I could probably change TLS to 1.2 after the resource is created, were it not that a storage account with TLS 1.0 is not allowed to be deployed (which is a reasonable security concern).

  • When is upgrading the TLS version planned, considering 1.0 is leaving support soon?
  • Is it configurable in some way that I've missed?

Accepted answer
  1. Anand Prakash Yadav 6,390 Reputation points Microsoft Vendor
    2024-04-30T08:23:23.9433333+00:00

    Hello Koen van Eijk,

    Thank you for posting your query here!

    Adding on to the previous response, yes, Microsoft has announced that support for TLS 1.0 and 1.1 will be removed for both existing and new storage accounts in all clouds starting from Nov 1, 2024. https://techcommunity.microsoft.com/t5/azure-storage-blog/tls-1-0-and-1-1-support-will-be-removed-for-new-amp-existing/ba-p/4026181

    https://azure.microsoft.com/en-us/updates/azuretls12/

    Azure DevTest Labs automatically creates an Azure Storage account for every lab it creates. However, it seems that the minimum TLS version is set to 1.0 by default.

    There’s a similar discussion on Stack Overflow which reports that while TLS 1.0 and 1.1 appear to be enabled when tested with certain tools, Azure actually blocks these versions at the application layer if the minimum TLS version for the storage account is set to 1.2.

    As noted, while Azure DevTest Labs does not currently allow for the direct configuration of TLS settings during the deployment of a storage account, you can indeed update the TLS version after the storage account has been created.

    · Navigate to the Azure Portal.

    · Go to your storage account created by DevTest Labs.

    · Under the Settings section, find Configuration.

    · In the Minimum TLS version field, select TLS 1.2 or higher and save the changes.

    By following these steps, you'll make sure that even if you can't set TLS settings during the initial setup in DevTest Labs, your environment will still meet secure TLS standards after everything is up and running.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
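
The portal steps in the accepted answer can also be scripted with the Azure CLI. This is an added example, not part of either answer; the account and resource-group names are constructed, and treating an unset minimum TLS version as non-compliant is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: list storage accounts whose minimum TLS version is below 1.2
# and print the Azure CLI command that raises it. Nothing is modified until
# the printed commands are reviewed and run.

# plan_tls_fix reads "name<TAB>resourceGroup<TAB>minimumTlsVersion" on stdin,
# the shape produced by:
#   az storage account list -g <lab-resource-group> \
#     --query "[].[name,resourceGroup,minimumTlsVersion]" -o tsv
plan_tls_fix() {
  _tab=$(printf '\t')
  while IFS="$_tab" read -r _name _rg _tls; do
    [ -n "$_name" ] || continue          # skip blank lines
    case "$_tls" in
      TLS1_2|TLS1_3)
        ;;                               # already at 1.2 or higher
      *)
        # TLS1_0, TLS1_1, empty, or "None" (property never set).
        # Assumption: an unset value is treated as non-compliant.
        printf 'az storage account update --name %s --resource-group %s --min-tls-version TLS1_2\n' \
          "$_name" "$_rg"
        ;;
    esac
  done
}

# Constructed sample input (hypothetical names), standing in for the tsv
# output of "az storage account list" on a lab's resource group.
sample_accounts() {
  printf 'labstorage0001\trg-devtestlab-example\tTLS1_0\n'
  printf 'labstorage0002\trg-devtestlab-example\tNone\n'
  printf 'labstorage0003\trg-devtestlab-example\tTLS1_2\n'
}

# Usage against a real subscription (requires a prior "az login"):
#   az storage account list -g <lab-resource-group> \
#     --query "[].[name,resourceGroup,minimumTlsVersion]" -o tsv | plan_tls_fix
```
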


1 additional answer

  1. Andriy Bilous 10,996 Reputation points MVP
    2024-04-29T20:47:35.8166667+00:00

    Hello Koen van Eijk

    Unfortunately, Azure DevTest Labs does not provide direct TLS configuration options during deployment to set the minimum TLS version for the storage account, but you can update the TLS version after deployment.

    You're correct that TLS 1.0 and 1.1 will no longer be supported for Azure Blob Storage as of November 1, 2024.
    TLS 1.2 will become the new minimum TLS version for all existing and new blob storage accounts.

    TLS 1.0 and 1.1 support will be removed for new & existing Azure storage accounts starting Nov 2024
    https://techcommunity.microsoft.com/t5/azure-storage-blog/tls-1-0-and-1-1-support-will-be-removed-for-new-amp-existing/ba-p/4026181
