azure
54 Topics

TLS 1.0 and 1.1 support will be removed for new & existing Azure storage accounts starting Feb 2026
To meet evolving technology and regulatory needs and align with security best practices, we are removing support for Transport Layer Security (TLS) 1.0 and 1.1 for both existing and new storage accounts in all clouds. TLS 1.2 will be the minimum supported TLS version for Azure Storage starting February 2026.

Azure Storage currently supports TLS 1.0 and 1.1 (for backward compatibility) and TLS 1.2 on public HTTPS endpoints. TLS 1.2 is more secure and faster than older TLS versions. TLS 1.0 and 1.1 do not support modern cryptographic algorithms and cipher suites. Many Azure Storage customers are already using TLS 1.2, and we are sharing this guidance to expedite the transition for customers currently on TLS 1.0 and 1.1. Customers must secure their infrastructure by using TLS 1.2+ with Azure Storage by Jan 31, 2026.

The older TLS versions (1.0 and 1.1) are being deprecated and removed to meet evolving standards (FedRAMP, NIST) and to provide improved security for our customers. This change will impact both existing and new storage accounts using TLS 1.0 and 1.1. To avoid disruptions to your applications connecting to Azure Storage, you must migrate to TLS 1.2 and remove dependencies on TLS versions 1.0 and 1.1 by Jan 31, 2026. Learn more about how to migrate to TLS 1.2.

As a best practice, we also recommend using Azure Policy to enforce a minimum TLS version. Learn more here about how to enforce a minimum TLS version for all incoming requests. If you already use Azure Policy to enforce a TLS version, the minimum supported version after this change rolls out will be TLS 1.2.

Help and Support

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:
- For Issue type, select Technical.
- For Subscription, select your subscription.
- For Service, select My services.
- For Service type, select Blob Storage.
- For Resource, select the Azure resource you are creating a support request for.
- For Summary, type a description of your issue.
- For Problem type, select Connectivity.
- For Problem subtype, select Issues using TLS.

58K Views, 2 likes, 5 Comments

Introducing Virtual Machine restore points – a simpler way to protect Azure workloads
Virtual Machine restore points are now generally available. Customers and Azure partners who are looking to build business continuity and disaster recovery solutions can use VM restore points to capture app-consistent and crash-consistent backups natively on the Azure platform. These can then be used to restore disks and VMs during scenarios such as data loss, data corruption or disaster recovery.

20K Views, 5 likes, 0 Comments

Enable Secure access to Azure Storage Account across multiple subscriptions
Public read access to Azure containers and blob storage is an easy and convenient way to share data; however, it also poses a security risk. For better security, public access can be disallowed for the entire storage account, regardless of the public access setting of any individual container within that storage account. Disallowing public access at the storage account level prevents a user from enabling public access for a container in that storage account.

Ensuring secure access to storage accounts across subscriptions can become tedious as the environment grows. Here is a solution that can help you disallow public access to storage accounts at scale. You can extract the list of all storage accounts from the Azure subscription(s) and use the same .csv file as an input in the solution below to disallow access to storage account containers at scale across all your subscriptions.

Pre-Requisite:
- Az Modules must be installed
- The service principal created as part of Step 1 must have Contributor-level access to the subscriptions

Steps to follow:

Step 1: Create a service principal

Please refer to:
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-5.7.0

After creating the service principal, retrieve the values below:
- Tenant Id
- Client Secret
- Client Id

Step 2: Create a PowerShell function which will be used in generating the authorization token

```powershell
function Get-apiHeader {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $TENANTID,

        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $ClientId,

        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $PasswordClient,

        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $resource
    )

    # Request an access token for the given resource (client-credentials grant)
    $tokenresult = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{
        "grant_type"    = "client_credentials"
        "resource"      = "https://$resource/"
        "client_id"     = "$ClientId"
        "client_secret" = "$PasswordClient"
    }
    $token = $tokenresult.access_token

    # Build the headers used for subsequent calls to the resource
    $Header = @{
        'Authorization' = "Bearer $token"
        'Host'          = "$resource"
        'Content-Type'  = 'application/json'
    }
    return $Header
}
```

Step 3: Invoke the API to retrieve the authorization token using the function created in the step above

Note: Replace $TenantId, $ClientId and $ClientSecret with the values captured in Step 1.

```powershell
$AzureApiheaders = Get-apiHeader -TENANTID $TenantId -ClientId $ClientId -PasswordClient $ClientSecret -resource "management.azure.com"
```

Step 4: Extract the list of storage accounts across accessible subscriptions

```powershell
$subscriptionList = Get-AzSubscription
$subscriptionIdList = $subscriptionList.Id

# Collect storage account resource IDs from every subscription
# (accumulate, so earlier subscriptions are not overwritten by later ones)
$TableData = @()
foreach ($subscriptionId in $subscriptionIdList) {
    $resourceURL = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Storage/storageAccounts?api-version=2021-01-01"
    $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
    $TableData += $resourcedetails.value.ID
}
```

Step 5: Enable secure access to the storage accounts

```powershell
foreach ($Data in $TableData) {
    # Read the current settings of this storage account
    $resourceid = $Data
    $resourceURL = "https://management.azure.com$($resourceid)?api-version=2021-02-01"
    $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
    $resourcelocation = $resourcedetails.location
    $permissions = $resourcedetails.properties.allowBlobPublicAccess

    if ($permissions -eq $false) {
        Write-Output "Public access to Storage Account: $($resourcedetails.name) is already disabled"
    }
    Else {
        Write-Output "Changing ACL for Storage Account: $($resourcedetails.name)"
        # The closing "@ of a here-string must start its own line
        $body = @"
{
    "location": "$($resourcelocation)",
    "properties": {
        "allowBlobPublicAccess": false
    }
}
"@
        Invoke-RestMethod -Uri $resourceURL -Method Put -Headers $AzureApiheaders -Body $body
    }
}
```

Overall Script:

```powershell
function Get-apiHeader {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $TENANTID,

        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $ClientId,

        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $PasswordClient,

        [Parameter(Mandatory=$true)]
        [System.String]
        [ValidateNotNullOrEmpty()]
        $resource
    )

    # Request an access token for the given resource (client-credentials grant)
    $tokenresult = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{
        "grant_type"    = "client_credentials"
        "resource"      = "https://$resource/"
        "client_id"     = "$ClientId"
        "client_secret" = "$PasswordClient"
    }
    $token = $tokenresult.access_token

    # Build the headers used for subsequent calls to the resource
    $Header = @{
        'Authorization' = "Bearer $token"
        'Host'          = "$resource"
        'Content-Type'  = 'application/json'
    }
    return $Header
}

# Replace $TenantId, $ClientId and $ClientSecret with the values captured in Step 1
$AzureApiheaders = Get-apiHeader -TENANTID $TenantId -ClientId $ClientId -PasswordClient $ClientSecret -resource "management.azure.com"

$subscriptionList = Get-AzSubscription
$subscriptionIdList = $subscriptionList.Id

foreach ($subscriptionId in $subscriptionIdList) {
    # List the storage accounts in the current subscription
    $resourceURL = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Storage/storageAccounts?api-version=2021-01-01"
    $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
    $TableData = $resourcedetails.value.ID

    foreach ($Data in $TableData) {
        # Read the current settings of this storage account
        $resourceid = $Data
        $resourceURL = "https://management.azure.com$($resourceid)?api-version=2021-02-01"
        $resourcedetails = (Invoke-RestMethod -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
        $resourcelocation = $resourcedetails.location
        $permissions = $resourcedetails.properties.allowBlobPublicAccess

        if ($permissions -eq $false) {
            Write-Output "Public access to Storage Account: $($resourcedetails.name) is already disabled"
        }
        Else {
            Write-Output "Changing ACL for Storage Account: $($resourcedetails.name)"
            # The closing "@ of a here-string must start its own line
            $body = @"
{
    "location": "$($resourcelocation)",
    "properties": {
        "allowBlobPublicAccess": false
    }
}
"@
            Invoke-RestMethod -Uri $resourceURL -Method Put -Headers $AzureApiheaders -Body $body
        }
    }
}
```

References:
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=powershell

14K Views, 3 likes, 2 Comments

How to Save 70% on File Data Costs
In the final entry in our series on lowering file storage costs, DarrenKomprise shares how Komprise can help lower on-premises and Azure-based file storage costs. Komprise and Azure offer you a means to optimize unstructured data costs now and in the future!

14K Views, 1 like, 1 Comment