How to identify Azure resources that need to update to TLS 1.2 or later version?

SafiyullahSA 105 Reputation points
2024-03-26T23:16:02.1666667+00:00

I received a notification from Microsoft that interactions with Azure services must be secured using Transport Layer Security (TLS) 1.2 or later by October 31, 2024. I want to know which resources or services are affected and need to be updated to TLS 1.2. Can someone provide guidance or a tool to help identify these resources?


Accepted answer
  1. Dillon Silzer 57,456 Reputation points
    2024-03-27T00:47:11.96+00:00

    Hello,

    I'd recommend going through the list of possible resources that could be using TLS 1.0 and 1.1:

    How to tell if my resource uses anything below TLS 1.2

    https://jamescook.dev/azure-tls-end-of-support-2024#heading-how-to-tell-if-my-resource-uses-anything-below-tls-12

    Then you will need to know what apps are connecting to these services and check the protocols being used.

    If this is helpful please accept answer.

    1 person found this answer helpful.

1 additional answer

  1. KarishmaTiwari-MSFT 20,217 Reputation points Microsoft Employee
    2024-03-27T01:11:04.71+00:00

    @Safiyullah S A Thanks for posting your query on Microsoft Q&A.

    In addition to the answer provided by Dillon on how to check for the TLS version for your Azure services (by checking 'Configuration'), you can go through these documents on

    We recommend the following steps as you prepare to migrate your clients to TLS 1.2:

    - Update your operating system to the latest version.
    - Update your development libraries and frameworks to their latest versions. For example, Python 3.8 supports TLS 1.2.
    - Fix hardcoded instances of security protocols older than TLS 1.2.
    - Notify your customers and partners of your product or service's migration to TLS 1.2.
    - For more detailed guidance, see the checklist to deprecate older TLS versions in your environment.

    Q: If I didn't do the update by the end of Oct 31st, what will be the worst-case scenario?

    On Nov 1, 2024, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS). TLS 1.2 will become the new minimum TLS version. This change impacts all existing and new blob storage accounts, using TLS 1.0 and 1.1 in all clouds. Storage accounts already using TLS 1.2 aren't impacted by this change.

    To avoid disruptions to applications that connect to your storage account, you must ensure that your account requires clients to send and receive data by using TLS 1.2 and remove dependencies on TLS version 1.0 and 1.1. We're recommending that customers secure their infrastructure by using TLS 1.2 with Azure Storage. The older TLS versions (1.0 and 1.1) are being deprecated and removed to meet evolving technology and regulatory standards (FedRAMP, NIST), and provide improved security for our customers.

    TLS 1.2 is more secure and faster than TLS 1.0 and 1.1, which don't support modern cryptographic algorithms and cipher suites.

    Q: How can I identify which TLS version my end client is using when connecting to my storage account? Is there a Kusto query, or can I use Resource Graph Explorer?

    You can enforce a minimum required version of Transport Layer Security (TLS) for requests to your storage account.

    Navigate to your storage account in the Azure portal.

    Here is a sample query to determine which clients made requests with a version of TLS older than TLS 1.2 over the past seven days:

    https://stackoverflow.com/questions/78069466/how-to-determine-incoming-tls-version-for-azure-storage

    You can modify it as per your use case.


    Hope that helps.

    If you have questions, please let me know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.
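
The check described in the answer above (which clients made requests with a TLS version older than 1.2 over the past seven days), as an added example that is not part of the original posts or of the linked query: it applies the same filter offline to exported storage log records. The records are constructed, and the field names are assumed to match the `StorageBlobLogs` columns of a log export.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real traffic), one JSON object per line.
# Assumption: field names match the StorageBlobLogs columns TimeGenerated,
# AccountName, TlsVersion, CallerIpAddress and UserAgentHeader.
SAMPLE_LOG = """\
{"TimeGenerated":"2024-03-25T10:00:00Z","AccountName":"examplestore","TlsVersion":"TLS 1.0","CallerIpAddress":"203.0.113.10:50111","UserAgentHeader":"legacy-backup/1.4"}
{"TimeGenerated":"2024-03-25T11:00:00Z","AccountName":"examplestore","TlsVersion":"TLS 1.0","CallerIpAddress":"203.0.113.10:50112","UserAgentHeader":"legacy-backup/1.4"}
{"TimeGenerated":"2024-03-26T09:30:00Z","AccountName":"examplestore","TlsVersion":"TLS 1.2","CallerIpAddress":"198.51.100.7:44321","UserAgentHeader":"modern-client/2.0"}
{"TimeGenerated":"2024-03-24T08:15:00Z","AccountName":"examplestore","TlsVersion":"TLS 1.1","CallerIpAddress":"198.51.100.23:40000","UserAgentHeader":"report-job/0.9"}
{"TimeGenerated":"2024-03-10T12:00:00Z","AccountName":"examplestore","TlsVersion":"TLS 1.0","CallerIpAddress":"203.0.113.99:1234","UserAgentHeader":"old-scanner/1.0"}
{"TimeGenerated":"2024-03-26T14:00:00Z","AccountName":"examplestore","TlsVersion":"TLS 1.3","CallerIpAddress":"198.51.100.7:44400","UserAgentHeader":"modern-client/2.0"}
"""
SAMPLE_NOW = datetime(2024, 3, 27, tzinfo=timezone.utc)  # constructed "current time"

def parse_version(value):
    """Turn 'TLS 1.1' into (1, 1); return None for a missing or malformed field."""
    try:
        major, minor = value.split()[-1].split(".")
        return int(major), int(minor)
    except (AttributeError, ValueError, IndexError):
        return None

def legacy_tls_clients(lines, now, days=7, minimum=(1, 2)):
    """Count requests per (account, caller IP, user agent, TLS version) below `minimum`."""
    cutoff = now - timedelta(days=days)
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        version = parse_version(rec.get("TlsVersion"))
        # Skip records outside the window, without a TLS version, or already at the minimum.
        if when < cutoff or version is None or version >= minimum:
            continue
        ip = rec.get("CallerIpAddress", "").rsplit(":", 1)[0]  # drop port (IPv4 "ip:port" assumed)
        hits[(rec["AccountName"], ip, rec.get("UserAgentHeader", ""), rec["TlsVersion"])] += 1
    return hits

if __name__ == "__main__":
    for (account, ip, agent, tls), n in legacy_tls_clients(SAMPLE_LOG.splitlines(), SAMPLE_NOW).most_common():
        print(f"{account}  {ip}  {agent}  {tls}  requests={n}")
```

Grouping by caller IP and user agent gives the list of client applications that still need a library or configuration update before the storage account's minimum TLS version is raised.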

