Enforce TLS 1.2 on Azure Storage Accounts
Ensure minimum TLS version is set to 1.2 on Azure Storage Accounts to meet encryption-in-transit compliance requirements.
This check ensures that all Azure Storage Accounts enforce a minimum TLS version of 1.2. Older TLS versions (1.0 and 1.1) are considered insecure and deprecated by most security frameworks.
Enforcing TLS 1.2 protects data in transit from downgrade attacks and eavesdropping, and is required by standards like SOC 2, ISO 27001, and HIPAA.
When is this check triggered?
Sprinto triggers this check if:
The Minimum TLS version on a storage account is set to TLS 1.0 or 1.1
No evidence is available confirming the use of TLS 1.2 or higher
How to resolve
To update the TLS version setting in Azure:
Log in to the Azure Portal.
Go to Storage Accounts and select the relevant account.
In the left panel, select Configuration.
Locate the field Minimum TLS version.
Set the value to TLS 1.2.
Click Save.
Repeat for all storage accounts that are in scope for your audit.
Provide evidence
Submit one of the following through Sprinto:
A screenshot of the Storage Account’s Configuration tab showing TLS 1.2
Azure CLI output:
az storage account show --name <account-name> --query minimumTlsVersion
JSON from Azure Resource Graph, Bicep, or ARM template that specifies:
"minimumTlsVersion": "TLS1_2"
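The audit, remediation and evidence steps above, combined into one shell script as an added example (not Sprinto's or Azure's own tooling). It assumes the Azure CLI (az) with the --min-tls-version and --https-only flags of az storage account update; the account and resource-group names are constructed. It goes one step beyond the page by also turning on Secure transfer required (--https-only) for each non-compliant account, as the Best practices section recommends. Nothing is changed in Azure unless AZ_APPLY=1 is set, and the live listing is only queried when AZ_LIVE=1.

```shell
#!/bin/sh
# Added example (not Sprinto's or Azure's own tooling). Audits storage accounts
# for the minimum TLS version and prints the remediation command for each
# non-compliant account. Assumes the Azure CLI ("az") and the documented
# --min-tls-version / --https-only flags of "az storage account update".
# All account and resource-group names are constructed for the example.

# Constructed sample in the shape produced by the live query used in main():
#   az storage account list --query "[].[name,resourceGroup,minimumTlsVersion]" -o tsv
# An empty third column models an account where the property was never set.
SAMPLE_TSV=$(printf '%s\t%s\t%s\n' \
    stprodlogs      rg-prod   TLS1_2 \
    stlegacyarchive rg-legacy TLS1_0 \
    stbackup01      rg-prod   TLS1_1 \
    stunknown       rg-dev    '')

# Print "name<TAB>resourceGroup<TAB>version" for every account that does not
# enforce TLS1_2: TLS1_0, TLS1_1, or no value at all (no evidence of 1.2).
# Returns 0 when every account is compliant, 1 otherwise.
tls_noncompliant() {
    printf '%s\n' "$1" | awk '
        BEGIN { FS = "\t"; bad = 0 }
        NF == 0 { next }
        $3 != "TLS1_2" { print $1 "\t" $2 "\t" ($3 == "" ? "unset" : $3); bad = 1 }
        END { if (bad) exit 1 }'
}

# Number of non-compliant accounts, for a one-line summary in the audit record.
tls_noncompliant_count() {
    tls_noncompliant "$1" | wc -l | tr -d ' '
}

# Remediation for one account: the CLI equivalent of Configuration -> Minimum
# TLS version -> TLS 1.2 -> Save. Also turns on "Secure transfer required"
# (--https-only), the page's best-practice recommendation to drop plain HTTP.
# Dry run by default; set AZ_APPLY=1 to execute the command instead of printing it.
remediate_account() {
    cmd="az storage account update --name $1 --resource-group $2 --min-tls-version TLS1_2 --https-only true"
    if [ "${AZ_APPLY:-0}" = "1" ]; then
        $cmd
    else
        printf '%s\n' "$cmd"
    fi
}

# Evidence query for one account, in the same form as the page's CLI evidence.
evidence_command() {
    printf 'az storage account show --name %s --query minimumTlsVersion -o tsv\n' "$1"
}

# Driver: live data when AZ_LIVE=1, otherwise the constructed sample above.
main() {
    if [ "${AZ_LIVE:-0}" = "1" ]; then
        data=$(az storage account list --query "[].[name,resourceGroup,minimumTlsVersion]" -o tsv)
    else
        data=$SAMPLE_TSV
    fi
    report=$(tls_noncompliant "$data") && { echo "All storage accounts enforce TLS1_2"; return 0; }
    printf '%s\n' "$report" | while IFS="$(printf '\t')" read -r name rg ver; do
        printf '%s (%s): minimumTlsVersion=%s\n' "$name" "$rg" "$ver"
        remediate_account "$name" "$rg"
        evidence_command "$name"
    done
    return 1
}

main || printf 'Non-compliant accounts found; review the commands above.\n'
```

Run it as-is to see the dry-run report for the constructed sample; with AZ_LIVE=1 it lists your real accounts, and AZ_APPLY=1 additionally runs the update commands. The "unset" case is flagged deliberately: an account with no minimumTlsVersion value gives Sprinto no evidence of TLS 1.2, which is the second trigger condition on this page.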
Best practices
Always use TLS 1.2 or higher; TLS 1.0 and 1.1 are deprecated by major browsers and platforms.
Review this setting for all new storage accounts as part of provisioning.
Consider enabling Secure transfer required on the storage account, which disables HTTP access entirely so that only encrypted traffic is accepted.