How can I find out what’s using deprecated TLS in my Storage Accounts?

Asked By CuriousCoder42 On

I've been receiving notifications from Microsoft about deprecated TLS versions being used in our Azure tenants. I've managed to pinpoint the issue to my Storage Accounts, where the minimum TLS version is currently set to 1.0. My main concern now is figuring out an easy way to identify what is connecting using TLS 1.0. I can't just change the setting in the Storage Account without risking disruptions to any connected clients, services, or applications. Any advice on how to go about this?

3 Answers

Answered By DataDiver99 On

Start by checking out the Diagnostic Settings and Log Analytics for your resource types. They can give you the information you're looking for, but just a heads up, it might get a bit pricey depending on how much data you analyze.

TechExplorer21 -

Is there really no simpler way to identify what's connecting to a storage account and the TLS version in use? That seems like a lot of extra steps for something that should be straightforward.

Answered By ScriptSavant76 On

You can also use Azure Resource Graph queries to check for TLS versions. Something like this:

```
// Resources whose configured minimum TLS version is 1.0 or 1.1
resources
| where properties.minimumTlsVersion contains "1.0"
    or properties.minimumTlsVersion contains "1.1"
    or properties.minimumTlsVersion contains "TLS1_0"
    or properties.minimumTlsVersion contains "TLS1_1"
| project
    ['Type'] = type,
    ['Resource name'] = name,
    ['Resource Group name'] = resourceGroup,
    ['TLS Version'] = properties.minimumTlsVersion
```
Or simply:

```
// Every resource that exposes a minimum TLS version setting
resources
| where isnotnull(properties.minimumTlsVersion)
| project
    ['Type'] = type,
    ['Resource name'] = name,
    ['Resource Group name'] = resourceGroup,
    ['TLS Version'] = properties.minimumTlsVersion
```
This will help you identify what’s allowing lower TLS versions.

InfoTechie33 -

But they're trying to pinpoint which storage clients are making the actual connections, right? It's not just about what the accounts allow.

Answered By AzureGuru87 On

You can find detailed instructions on the Microsoft Docs site about how to detect the TLS version used by your client applications. Here's a link: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#detect-the-tls-version-used-by-client-applications

NerdyNetter88 -

I'm running into issues with their instructions not matching what I see in my Azure tenant. When I try to create a diagnostic setting on a storage account, I don't have the options for read/write logs they mention.
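
The per-client lookup this thread is asking for, as an added example that is not part of any answer above: a Log Analytics query that groups requests made with TLS 1.0 or 1.1 by storage account, caller and user agent. It assumes resource logs are already flowing to a workspace; the `SampleLogs` rows, the account name and the IP addresses are constructed so the query can be tried without live data.

```kusto
// Assumption: diagnostic settings on each storage service (blob, file, queue,
// table) send the StorageRead/StorageWrite/StorageDelete categories to this
// workspace. Against live data, replace SampleLogs with:
//   union StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
//   | where TimeGenerated > ago(30d)
let SampleLogs = datatable(
    TimeGenerated: datetime, AccountName: string, TlsVersion: string,
    CallerIpAddress: string, UserAgentHeader: string,
    AuthenticationType: string, OperationName: string)
[
    // Constructed rows, not real log data
    datetime(2024-05-01 08:00:00), "examplestorage", "TLS 1.2", "203.0.113.10:50112",
        "azsdk-python-storage-blob/12.19.0", "OAuth", "GetBlob",
    datetime(2024-05-01 08:05:00), "examplestorage", "TLS 1.0", "198.51.100.7:49822",
        "legacy-backup-agent/2.1", "AccountKey", "PutBlob",
    datetime(2024-05-01 09:05:00), "examplestorage", "TLS 1.0", "198.51.100.7:49901",
        "legacy-backup-agent/2.1", "AccountKey", "PutBlob",
    datetime(2024-05-02 11:30:00), "examplestorage", "TLS 1.1", "198.51.100.23:51400",
        "report-exporter/0.9", "SAS", "GetBlob"
];
SampleLogs
// TlsVersion is logged as text such as "TLS 1.2"
| where TlsVersion in ("TLS 1.0", "TLS 1.1")
// CallerIpAddress is logged as "ip:port"; drop the ephemeral port so one
// client is not split across rows (assumes IPv4 callers)
| extend ClientIp = tostring(split(CallerIpAddress, ":")[0])
| summarize
    Requests   = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Operations = make_set(OperationName, 10)
    by AccountName, TlsVersion, ClientIp, UserAgentHeader, AuthenticationType
| order by Requests desc
```

An empty result over a window long enough to cover monthly or quarterly jobs is the evidence to look for before raising the account's minimum TLS version.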
