Cyscale
Back to controls

Ensure 'Minimum TLS version' for storage accounts is set to 'Version 1.2'

In some cases, Azure Storage sets the minimum TLS version to be 1.0 by default. TLS 1.0 is a legacy version with known vulnerabilities. However, this minimum TLS version can be configured to be later protocols, such as TLS 1.2.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

In some cases, Azure Storage sets the minimum TLS version to be 1.0 by default. TLS 1.0 is a legacy version with known vulnerabilities. However, this minimum TLS version can be configured to be later protocols, such as TLS 1.2.

Rationale

TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit.

Impact

When set to TLS 1.2, all requests must use this version of the protocol. Applications using legacy versions of the protocol will fail.

Default Value

If a storage account is created through the portal, its MinimumTlsVersion property will be set to TLS 1.2.

If a storage account is created through PowerShell or CLI, the MinimumTlsVersion property for that storage account will not be set and will default to TLS 1.0.

Remediation guidance

Azure Remediation

Service-wide fix (recommended): enforce TLS 1.2 as the minimum on all storage accounts and remove any remaining client dependency on TLS 1.0 or 1.1.

Azure portal

  1. Open the storage account.
  2. Go to Configuration.
  3. Set Minimum TLS version to Version 1.2.
  4. Save the change and test affected clients.

Azure CLI

az storage account update   --name <storage-account-name>   --resource-group <resource-group>   --min-tls-version TLS1_2

Validate the setting:

az storage account show   --name <storage-account-name>   --resource-group <resource-group>   --query minimumTlsVersion

PowerShell

Set-AzStorageAccount -AccountName <storage-account-name> -ResourceGroupName <resource-group> -MinimumTlsVersion TLS1_2

Operational notes

  • Azure Storage currently recommends TLS 1.2 as the minimum enforceable version. TLS 1.3 can be negotiated by clients, but it cannot yet be enforced as the minimum at the storage-account level.
  • Blob Storage support for TLS 1.0 and 1.1 is ending on February 3, 2026. If you still have clients using those versions, treat that as an application remediation task now, not later.

References

  • https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version
  • https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-migrate-to-tls2

Query logic

These are the stored checks tied to this control.

Azure Storage Accounts Without Minimum TLS 1.2

Connectors

Microsoft Azure

Covered asset types

StorageAccount

Expected check: eq []

{
  storageAccounts(where: { minimumTlsVersion_IN: ["TLS1_0", "TLS1_1"] }) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon