Azure Storage - TLS 1.0 and 1.1 retirement
Overview
TLS 1.0 and 1.1 retirement on Azure Storage was previously announced for Nov 1st, 2024, and it was postponed recently to 1 year later, to Nov 1st, 2025.
Despite that, we may see some documentation informing the old date - we are currently updating the date on some documentation.
See : https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migrate-to-tls2
What you need to change:
On Nov 1st, 2025, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS) and TLS 1.2 will become the new minimum TLS version.
This change on Azure Storage side will be internally and you don't need to take any action on Azure Storage service.
Despite that, at that time, all clients connecting to Azure storage needs to send and receive data by using TLS 1.2, otherwise will not be able to connect to storage using SSL connections.
So, you may need to make sure your client applications are using TLS 1.2 at that time, and update your applications, if needed, removing all dependencies on TLS version 1.0 and 1.1.
- If your storage accounts are already configured with minimum TLS version 1.2, this means that storage clients are already connecting using TLS 1.2or above, and in that case you don't need to take any action on that client applications.
- If you have some storage account configured with minimum TLS version 1.0 or 1.1, you may need to check what TLS version that storage account's clients are using; if using TLS 1.0 and 1.1, you may need to update that applications to ensure being able to connect to Storage after Nov 1st, 2025.
Once that corrected, you may manually change Azure Storage configurations to enforce minimum TLS 1.2, if you want.
That is not needed, as after Nov 1st, 2025 will be enforced to use minimum TLS 1.2, and this change is something that happening internally.
How to verify what minimum TLS version is configured on each storage accounts, under some Azure Subscription:
To help you on listing the minimum TLS version configured on all storage accounts in your subscription, you can use the below PowerShell script:
If you have some storage accounts using minimum TLS 1.0 or 1.1, you may need to check the TLS version used by the client applications connecting to that Storage account.
The only ways to check that is looking on the application code, or having Storage Diagnostic Logs enabled, to list all storage operations and check the TLS version used.
How to enable/disable Storage Diagnostic Logs on the relevant Storage accounts:
The below PowerShell Script will scan all storage accounts in some Azure subscription, and will enable Storage Diagnostic Logs on the ones configured with minimum TLS version below 1.2.
The logs will be enabled to all services (Blob, Table, Queue and Files), on each storage account.
You need first to have some Log Analytic workspace to accommodate that logs; it’s better to create a new one, just to these proposes, and you can delete it later.
You also need to define the Azure Subscription ID, and the Log Analytic workspace ID, on the $WorkspaceId variable, in the PowerShell script.
At the end of the script, there are some instructions on how to run the script again to remove all Diagnostic settings added, when not needed anymore.
Once Storage Diagnostic Logs enabled on the relevant Storage accounts, wait some time (maybe some days to make sure all your applications interact with all storages), and then you can query Log Analytics Workspace, and look for any requests using TLS version below 1.2.
For that you can use the Kusto query also shared below.
Important:
Please understand the scripts provided on this page are shared as Guidance for you, and as best effort to try be better help you.
Please use any script or query on this page as per you own risk.
We share these scripts, without any guarantee and we can’t assume any responsibility for any unexpected results.
We strongly recommend you to review, test and adjust all scripts and queries as per your needs.
At the end of the script, there are some instructions on how to run the script again to remove all Diagnostic settings added, when not needed anymore.
How to check Storage Diagnostic Logs to identify the client applications using TLS 1.0 or 1.1 to connect to Storage service:
To query Log Analytics Workspace, and look for any requests using TLS version below 1.2, you can use the Kusto query below.
The Kusto query will return all requests using TLS version below 1.2, from all services (Blob, Table, Queue and Files), on all storage accounts that have Logs from Diagnostic Logs, on the same Log Analytic workspace used.
If you want to check only some specific(s) storage account(s), uncomment the 6th line and provide the storage account names(s) you want to check.
The last line select only the relevant fields to you investigation.
CallerIpAddress, UserAgentHeader should help you on identifying the client application;
TlsVersion is the relevant field showing the TLS version on each request;
TimeGenerated, AccountName, ServiceType, OperationName, StatusCode, Uri acn also help you on identifying the service and request URI used,
If you want to check all fields, just remove or comment the last line.
Conclusion:
Azure Storage TLS 1.0 and 1.1 deprecation date was postponed 1 year, to Nov 1st, 2025.
After that date, all clients connecting to Azure Storage services using TLS version below 1.2, will not be able to connect to Azure Storage anymore.
You don't need to take any action on your Azure Storage services; this change will be automatic.
You just need to ensure that all client applications connecting to your Storage accounts are using TLS 1.2 or above, after that date.
Related documentation:
Azure Storage TLS 1.0 and 1.1 deprecation: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migrate-to-tls2
Other Azure products TLS 1.0 and 1.1 deprecation and FAQ's: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/support-for-legacy-tls-protocols-and-cipher-suites-in-azure/ba-p/3952099
Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
Use Azure Policy to audit for compliance: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-audit-for-compliance
Storage Diagnostic Logs:
Create diagnostic settings: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#create-diagnostic-settings
Destinations: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#destinations
Log Analytics tutorial: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial
Log Analytic workspace - Sample Kusto queries: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal#sample-kusto-queries
Log Format and information available: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference#resource-logs
Storage Diagnostic Logs may incur in some additional charges - the most significant charges for most Azure Monitor implementations will typically be ingestion and retention of data in your Log Analytics workspaces;
you can disable Storage Diagnostic Logs again after our investigation, if you don’t need that.
Logs cost calculation: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs
Analytic logs pricing: https://azure.microsoft.com/en-us/pricing/details/monitor/
I hope this can be useful!!!
Published on:
Learn moreRelated posts
Creating an Agent with Actions in Azure AI Foundry
Azure AI Foundry is an Azure service where you can create agents using various LLMs (including your own). In this post we will look at how to ...
New Test Run Hub in Azure Test Plans
Delivering high-quality software is a necessity and that’s why Azure Test Plans has introduced the all-new Test Run Hub, an enabler for teams ...
Microsoft Teams: New SlimCore-based optimization for Microsoft Teams in VDI – support for MacOS on Citrix and Azure Virtual Desktops/Windows 365
This feature allows MAC endpoints to optimize Microsoft Teams in VDI environments with the new SlimCore-based media engine, providing an expan...
Microsoft Whiteboard: Azure to OneDrive migration progress update
Microsoft Whiteboard storage is migrating from Azure to OneDrive, starting February 2024 and completing by August 2025, with full deprecation ...
Copilot Studio: Azure AI Search Complete Setup Guide
Copilot Studio can use an Azure AI Search index as knowledge to answer Users questions ... The post Copilot Studio: Azure AI Search Complete S...
Microsoft Azure Fundamentals #1: Creating External Tenants in Entra ID: A Step-by-Step Guide
It is important to configure external tenants for different scenarios. In this post we can see how to create a tenant step by step so that it ...
Azure Information Protection: Enable multifactor authentication for your Azure tenant by October 1, 2025
Microsoft will enforce multifactor authentication (MFA) for all Azure resource management actions starting October 1, 2025, with a postponemen...
Azure Automation Custom Runtime Environments
A custom runtime environment is a way of defining a specific job execution environment for Azure Automation runbooks, including Microsoft Grap...
Dynamics 365 Customer Insights – Data – Export your data to Azure Data Lake Storage
We are announcing the general availability of the export to Azure Data Lake Storage (ADLS) feature in Dynamics 365 Customer Insights – Data on...
Dynamics 365 Business Central: Quickly find the Tenant ID, Azure AD Instance, and Tenant Scope from the domain (tenant) name without signing in
Hi, Readers.Today I would like to share another mini tip, how to quickly find the Tenant ID, Azure AD Instance, and Tenant Scope from the doma...