azure-storage tls1.2

How to determine incoming TLS version for Azure Storage


Microsoft recommends setting the minimum TLS version to 1.2 for all Storage Accounts; however, for existing accounts I'd like to see whether anything is currently accessing them using one of the older TLS versions, before I make a change and things start breaking.

Does anyone know if there's a way to determine which TLS version incoming requests are using and, if so, where these request(s) were initiated from?


Solution

  • Does anyone know if there's a way to determine which TLS version incoming requests are using and, if so, where these request(s) were initiated from?

    • To determine the incoming TLS version for Azure Storage, you can enable logging for your Azure Storage account and analyze the logs after an interval of time to detect which versions of TLS client applications are using. You can use this MS-Document to monitor the storage.

    Here is a sample query to determine which clients made requests with a version of TLS older than TLS 1.2 over the past seven days:

    Query:

    StorageBlobLogs
    // Limit the results to the past seven days
    | where TimeGenerated > ago(7d)
    | where AccountName == "<your-storage-account-name>" and TlsVersion != "TLS 1.2"
    | project TlsVersion, CallerIpAddress, UserAgentHeader
    


    Reference:

    Enforce a minimum required version of Transport Layer Security (TLS) for incoming requests - Azure Storage | Microsoft Learn
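
To turn the query output into a list of clients to fix before raising the minimum version, the rows can be grouped per caller. The following is an added example, not part of the original answer: it assumes the query results (with `TimeGenerated` also projected) were exported as CSV, uses constructed sample rows, and compares versions numerically rather than with `!= "TLS 1.2"`, so TLS 1.3 callers are not listed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows, shaped like a CSV export of the StorageBlobLogs query.
SAMPLE_CSV = """TimeGenerated,TlsVersion,CallerIpAddress,UserAgentHeader
2024-01-10T08:00:00Z,TLS 1.0,203.0.113.10:50122,LegacyBackupAgent/2.1
2024-01-10T08:05:00Z,TLS 1.0,203.0.113.10:50190,LegacyBackupAgent/2.1
2024-01-10T09:00:00Z,TLS 1.1,198.51.100.7:41000,OldReportTool/1.0
2024-01-10T09:30:00Z,TLS 1.2,192.0.2.44:60001,ModernClient/5.0
2024-01-10T10:00:00Z,TLS 1.3,192.0.2.45:60002,ModernClient/6.0
2024-01-11T07:00:00Z,TLS 1.1,[2001:db8::5]:44321,OldReportTool/1.0
"""

MIN_TLS = (1, 2)  # the minimum version the question plans to enforce


def tls_tuple(value):
    """Parse 'TLS 1.1' into (1, 1); return None for blank or unknown values."""
    m = re.fullmatch(r"\s*TLS\s*(\d+)\.(\d+)\s*", value or "", re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def strip_port(caller):
    """Drop the trailing :port from 'ip:port' or '[ipv6]:port'."""
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?|([^:]+)(?::\d+)?", caller)
    return (m.group(1) or m.group(2)) if m else caller


def legacy_clients(csv_text, minimum=MIN_TLS):
    """Group requests below `minimum` by (caller IP, user agent, TLS version)."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = tls_tuple(row["TlsVersion"])
        if version is None or version >= minimum:
            continue  # unparseable rows are skipped here, not counted as legacy
        key = (strip_port(row["CallerIpAddress"]), row["UserAgentHeader"], row["TlsVersion"])
        entry = seen[key]
        entry["count"] += 1
        ts = row["TimeGenerated"]  # same-format ISO 8601 strings sort chronologically
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return sorted(seen.items(), key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    for key, stats in legacy_clients(SAMPLE_CSV):
        print(key, stats)
```

Grouping on the address without its source port keeps one client from appearing as many callers, and the first/last timestamps show whether a legacy client is still active.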