Ensure 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

Overview

In some cases, Azure Storage sets the minimum TLS version to be 1.0 by default. TLS 1.0 is a legacy version with known vulnerabilities. However, this minimum TLS version can be configured to be later protocols, such as TLS 1.2.

Rationale

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Impact

When set to TLS 1.2, all requests must use this version of the protocol. Applications using legacy versions of the protocol will fail.

Default Value

If a storage account is created through the portal, its MinimumTlsVersion property will be set to TLS 1.2.

If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set and will default to TLS 1.0.

Remediation guidance

From Azure Console

Open the storage account in the Azure Portal using the Open in Azure button
Under the Setting section, Click on Configuration.
Set the minimum TLS version to be Version 1.2.

From Azure CLI

az storage account update --name <storage_account> --resource-group <resource_group> --min-tls-version TLS1_2

From Azure Powershell

To set the minimum TLS version, run the following command:

Set-AzStorageAccount -AccountName  -ResourceGroupName  -MinimumTlsVersion TLS1_2

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Storage Accounts Without Minimum TLS 1.2

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(where: { minimumTlsVersion_IN: ["TLS1_0", "TLS1_1"] }) {
    ...AssetFragment
  }
}