How to disable on the TLS1.0 on the Azure Frontend blob storage server

Question

How to disable on the TLS1.0 on the Azure Frontend blob storage server

Samuel Roby Varghese 0

We can see the server is also accepting TLS1.0 and TLS1.1, Can we disable this from server. We have configured in storage account settings to use “Minimum TLS” as TLS1.2. But can we get this blocked from server level as well.

Vedprakash Rote 180 Reputation points Microsoft External Staff Moderator

2025-06-18T10:40:55.35+00:00

Hello Samuel Roby Varghese,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator

2025-06-19T03:16:27.91+00:00

Hi @Samuel Roby Varghese
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Bathini Harshitha 5 Reputation points Microsoft External Staff Moderator

2025-06-20T06:00:32.4133333+00:00

Hi @Samuel Roby Varghese ,

Could you please check the private message and confirm
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2025-06-24T08:30:14.2466667+00:00

@Samuel Roby Varghese ,

May I know if you got a chance to review my latest comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

1 answer

Your answer

Vedprakash Rote 180 Reputation points Microsoft External Staff Moderator

2025-06-18T10:40:55.35+00:00

Hello Samuel Roby Varghese,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator

2025-06-19T03:16:27.91+00:00

Hi @Samuel Roby Varghese
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Bathini Harshitha 5 Reputation points Microsoft External Staff Moderator

2025-06-20T06:00:32.4133333+00:00

Hi @Samuel Roby Varghese ,

Could you please check the private message and confirm
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2025-06-24T08:30:14.2466667+00:00

@Samuel Roby Varghese ,

May I know if you got a chance to review my latest comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

Answer 1

Vedprakash Rote 180 Microsoft External Staff Moderator

Hi @Samuel Roby Varghese

To assist you better, could you kindly clarify what you mean by the "frontend server" in this context? Are you referring to the Azure Blob Storage service itself, or is there an additional component (such as a proxy or application gateway) in front of it?

Your clarification will help us provide more accurate guidance.

Based on your clarification,

Setting the Minimum TLS version to 1.2 in the Azure portal ensures that clients cannot negotiate connections using TLS 1.0 or 1.1.

SSL scanning tools may still show TLS 1.0/1.1 as "available" because the Azure frontend infrastructure (like CDN or public IP endpoints) still technically supports them for backward compatibility.

Disabling TLS 1.0/1.1 at the Endpoint Level: Currently, Azure does not allow disabling TLS 1.0/1.1 at the public endpoint or CDN level for Blob Storage.

TLS 1.0 and 1.1 support will be removed for new & existing Azure storage accounts starting Nov 2025 | Microsoft Community Hub

Azure’s global frontend infrastructure may still respond to TLS 1.0/1.1 handshakes for compatibility, even if the storage account enforces TLS 1.2, This behavior is not configurable by customers at the IP or CDN level.

Samuel Roby Varghese 0 Reputation points

2025-06-18T10:47:44.9033333+00:00

Hi Ved,

Yes I'am mentioning Azure Blob Storage services itself, the CDN or the Public IP which is associated with the storage account shows legacy TLS protocols as opened. Ofcourse we have the option to select the minimum TLS version in Azure GUI, on GRC perspective i would like to know if we can disable the legacy protocols from the endpoint level.
Vedprakash Rote 180 Reputation points Microsoft External Staff Moderator

2025-06-18T13:54:36.6266667+00:00

Hi @Samuel Roby Varghese

Setting the Minimum TLS version to 1.2 in the Azure portal ensures that clients cannot negotiate connections using TLS 1.0 or 1.1.

SSL scanning tools may still show TLS 1.0/1.1 as "available" because the Azure frontend infrastructure (like CDN or public IP endpoints) still technically supports them for backward compatibility.

Disabling TLS 1.0/1.1 at the Endpoint Level: Currently, Azure does not allow disabling TLS 1.0/1.1 at the public endpoint or CDN level for Blob Storage.

TLS 1.0 and 1.1 support will be removed for new & existing Azure storage accounts starting Nov 2025 | Microsoft Community Hub

Azure’s global frontend infrastructure may still respond to TLS 1.0/1.1 handshakes for compatibility, even if the storage account enforces TLS 1.2, This behavior is not configurable by customers at the IP or CDN level.

I hope this information helps. Please do let us know if you have any further queries.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2025-06-23T09:28:47.5933333+00:00
Hi @Samuel Roby Varghese,

Greetings.

I would like to add to what Vedprakash Rote has said. SSL Scanning tools are not a good option to validate the minimum TLS version accepted by Storage account.

I suggest you use this query : Query logged requests by TLS version

If you have enabled minimum TLS Version as mentioned in this document and still see a connectivity happening with a TLS Version lesser than the one configured, you can let us know

We shall check and assist you further on why it's happening.

If you use a TLS version that does not meet the minimum TLS version configured for the account, Azure Storage returns error code 400 error (Bad Request) and a message indicating that the TLS version that was used is not permitted for making requests against this storage account.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Share via

How to disable on the TLS1.0 on the Azure Frontend blob storage server

1 answer

Your answer