Overview
Azure Function Apps should reject legacy TLS protocols for inbound connections. TLS 1.0 and TLS 1.1 are legacy protocols with known weaknesses, and Microsoft recommends requiring TLS 1.2 or later for Azure App Service platform resources, including Azure Functions.
This control helps ensure clients connect to the Function App and its SCM/Kudu management endpoint using modern transport security.
Remediation guidance
Remediation
Set the Function App minimum inbound TLS version to TLS 1.2 or later. Also update the SCM/Kudu minimum TLS version because deployment, log streaming, and advanced tooling use that endpoint separately.
Azure CLI
Check the current site and SCM minimum TLS settings:
az functionapp show \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--query 'siteConfig.{siteTls:minTlsVersion,scmTls:scmMinTlsVersion}' \
--output table
Set the main Function App endpoint to TLS 1.2 or later:
az functionapp config set \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--min-tls-version 1.2
Set the SCM/Kudu endpoint to TLS 1.2 or later:
az resource update \
--ids "{{asset.idFromProvider}}/config/web" \
--set properties.scmMinTlsVersion=1.2
Rollout guidance
- Check recent traffic for TLS 1.0/1.1 clients before enforcing the change on critical public APIs.
- Coordinate client upgrades for legacy agents, embedded devices, older Java/.NET clients, and third-party webhook senders.
- Update deployment slots separately; each slot has independent TLS settings.
- Enforce the setting with Azure Policy after compatibility is confirmed.
References
- https://learn.microsoft.com/en-us/azure/app-service/tls-minimum-version
- https://learn.microsoft.com/en-us/azure/app-service/overview-tls
Query logic
These are the stored checks tied to this control.
Azure Function Apps allowing old TLS
Connectors
Covered asset types
Expected check result: eq [] (the query must return no assets; any Function App it returns is a finding)
{
functionApps(
where: { configs_SOME: { NOT: { minTlsVersion_IN: ["1.2", "1.3"] } } }
) {
...AssetFragment
}
}
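The stored check above only inspects the site endpoint, while the remediation section also requires the SCM/Kudu endpoint to be fixed. The following script, added here as an illustration and not part of this control's own tooling, evaluates both endpoints offline over a constructed sample shaped like `az functionapp list` output and renders the remediation commands from the section above. The accepted-version set mirrors the query's `minTlsVersion_IN: ["1.2", "1.3"]`; treating a missing value as non-compliant (fail closed) and the `<SUBSCRIPTION_ID>` placeholder in the rendered resource id are assumptions of this example.

```python
"""Evaluate Azure Function App inbound TLS settings for this control.

Input shape mirrors what this (real) CLI query produces:
  az functionapp list --query "[].{name:name, rg:resourceGroup,
      siteTls:siteConfig.minTlsVersion, scmTls:siteConfig.scmMinTlsVersion}"
The sample data below is constructed for illustration.
"""
import json

# Versions the stored check accepts: matches minTlsVersion_IN ["1.2", "1.3"].
ACCEPTED_TLS = frozenset({"1.2", "1.3"})

# Constructed sample; "new-func" has no SCM value to exercise the missing-value path.
SAMPLE_APPS_JSON = """
[
  {"name": "billing-func", "rg": "rg-prod", "siteTls": "1.2", "scmTls": "1.2"},
  {"name": "legacy-func",  "rg": "rg-prod", "siteTls": "1.0", "scmTls": "1.0"},
  {"name": "webhook-func", "rg": "rg-dev",  "siteTls": "1.2", "scmTls": "1.1"},
  {"name": "new-func",     "rg": "rg-dev",  "siteTls": "1.3", "scmTls": null}
]
"""


def load_sample():
    """Parse the constructed sample into the list-of-dicts shape used below."""
    return json.loads(SAMPLE_APPS_JSON)


def is_legacy(version):
    """True when the value is not an accepted TLS version.

    A missing value (None) is reported as non-compliant so the check fails
    closed; that is an assumption of this example, not a platform statement.
    """
    return version not in ACCEPTED_TLS


def evaluate(apps):
    """Return one finding per app listing the endpoints that still allow legacy TLS.

    The stored check covers only the site endpoint; the SCM/Kudu endpoint is
    included here because the remediation guidance requires both to be set.
    """
    findings = []
    for app in apps:
        legacy = []
        if is_legacy(app.get("siteTls")):
            legacy.append(("site", app.get("siteTls")))
        if is_legacy(app.get("scmTls")):
            legacy.append(("scm", app.get("scmTls")))
        if legacy:
            findings.append({"name": app["name"], "rg": app["rg"], "legacy": legacy})
    return findings


def remediation_commands(findings, subscription_id="<SUBSCRIPTION_ID>"):
    """Render the az commands from the remediation section for each finding.

    subscription_id defaults to a placeholder; the ARM id pattern for a
    Function App's web config is the standard Microsoft.Web/sites/.../config/web path.
    """
    cmds = []
    for f in findings:
        endpoints = {endpoint for endpoint, _ in f["legacy"]}
        if "site" in endpoints:
            cmds.append(
                f"az functionapp config set --resource-group {f['rg']} "
                f"--name {f['name']} --min-tls-version 1.2"
            )
        if "scm" in endpoints:
            site_id = (
                f"/subscriptions/{subscription_id}/resourceGroups/{f['rg']}"
                f"/providers/Microsoft.Web/sites/{f['name']}"
            )
            cmds.append(
                f'az resource update --ids "{site_id}/config/web" '
                f"--set properties.scmMinTlsVersion=1.2"
            )
    return cmds


if __name__ == "__main__":
    results = evaluate(load_sample())
    for finding in results:
        detail = ", ".join(f"{ep}={ver}" for ep, ver in finding["legacy"])
        print(f"{finding['rg']}/{finding['name']}: legacy TLS on {detail}")
    for cmd in remediation_commands(results):
        print(cmd)
```

Run it against real data by replacing `load_sample()` with the parsed output of the `az functionapp list` query shown in the docstring; deployment slots are not included in that listing and must be checked separately, as the rollout guidance notes.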
Microsoft Azure