I can't change Storage account from 1.0 to 1.2--"disallowed by policy"

Charlie Lamm (Admin) 0 Reputation points
2024-06-05T00:00:05.0933333+00:00

To make Azure VEEAM appliance work, VEEAM says the existing SA must be elevated to TLS1.2. It is 1.0. When I try to change it to TLS1.2 it throws a cryptic message "disallowed by policy", apparently the default policy. Where is this set? I can't find what policy would disallow this.

Azure Storage Accounts

2 answers

  1. TP 82,241 Reputation points
    2024-06-05T04:08:26.34+00:00

    Hi,

    Please navigate to your Azure Policy Assignments in the portal using link below:

    https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Assignments

    Once there, check for "Storage accounts should have the specified minimum TLS version". If you have this you could delete the assignment -or- click on the assignment, click edit assignment and on Parameters tab uncheck "Only show parameters that need input or review" and then change effect to Audit (or change minimum to TLS1_2) and save.

    Wait a minute or two after deleting/modifying your assignment. You should be able to change your storage account to TLS 1.2 minimum after making above change.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


  2. Anand Prakash Yadav 7,465 Reputation points Microsoft Vendor
    2024-06-05T06:51:54.8266667+00:00

    Hello Charlie Lamm (Admin),

    Thank you for posting your query here!

    The error message “disallowed by policy” indicates that there’s an Azure Policy in place that prevents changing the minimum TLS version of the storage account. Let’s address this step by step:

    You’ll need to find the specific policy that’s blocking the action. The error message should list the relevant policies. You may temporarily disable the policy that requires a minimum TLS version of 1.2 or edit it and disable public access.

    Further details: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migrate-to-tls2#enforce-tls-12-as-the-minimum-allowed-version

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to “Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

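Both answers come down to finding which assignment produced the denial. The following is an added example, not part of either answer: it pulls the assignment name, id, scope and effect out of a "disallowed by policy" error body. The response shape and every id and value in the sample are assumptions, constructed for illustration.

```python
import json
import re

# Constructed sample of an ARM "disallowed by policy" response. Field names
# follow the usual RequestDisallowedByPolicy shape (an assumption); every id,
# name and value below is a placeholder.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "RequestDisallowedByPolicy",
    "message": "Resource 'examplesa' was disallowed by policy.",
    "additionalInfo": [{"type": "PolicyViolation", "info": {
        "policyAssignmentDisplayName":
            "Storage accounts should have the specified minimum TLS version",
        "policyAssignmentId": "/subscriptions/<sub-id>/providers/"
            "Microsoft.Authorization/policyAssignments/<assignment-name>",
        "policyAssignmentScope": "/subscriptions/<sub-id>",
        "policyDefinitionEffect": "deny",
        "policyAssignmentParameters": {"effect": {"value": "Deny"}},
    }}],
}})


def blocking_policies(error_body: str) -> list[dict]:
    """Return the assignments named in a policy-denial error body."""
    err = json.loads(error_body).get("error", {})
    if err.get("code") != "RequestDisallowedByPolicy":
        return []  # some other failure (RBAC, resource lock, validation)
    found = []
    for item in err.get("additionalInfo", []):
        info = item.get("info", {})
        if item.get("type") == "PolicyViolation":
            found.append({
                "assignment": info.get("policyAssignmentDisplayName")
                or info.get("policyAssignmentName"),
                "assignment_id": info.get("policyAssignmentId"),
                "scope": info.get("policyAssignmentScope"),
                "effect": info.get("policyDefinitionEffect"),
                "parameters": info.get("policyAssignmentParameters", {}),
            })
    if not found:  # fallback: ids embedded in the message text (assumed format)
        m = re.search(r"Policy identifiers: '(\[.*\])'", err.get("message", ""), re.S)
        for p in json.loads(m.group(1)) if m else []:
            pa = p.get("policyAssignment", {})
            found.append({"assignment": pa.get("name"), "assignment_id": pa.get("id"),
                          "scope": None, "effect": None, "parameters": {}})
    return found


if __name__ == "__main__":
    for hit in blocking_policies(SAMPLE_ERROR):
        print(f"{hit['assignment']} ({hit['effect']}) at {hit['scope']}")
```

The `scope` value shows where the assignment lives, which is the place to look for it on the Assignments page.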