Digital by Design
BlogAbout

Troy Hite

Cloud & AI Infrastructure Solution Engineer sharing insights on cloud technologies and software engineering.

Quick Links

HomeBlogAboutRSS Feed

Connect

© 2026 Troy Hite. All rights reserved.

Built with Next.js, TypeScript & Tailwind CSS

Home→Blog→Azure Storage TLS 1.0/1.1 Deprecation: What You Need to Know Today
← Back to all posts
February 3, 202610 min read

Azure Storage TLS 1.0/1.1 Deprecation: What You Need to Know Today

AzureSecurityAzure StorageTLSComplianceDevOps

Today marks a significant shift in how we secure data in Azure Storage. As of February 3, 2026, Azure Blob Storage and all other Azure Storage services have officially deprecated Transport Layer Security (TLS) versions 1.0 and 1.1. If you're reading this and wondering whether your applications are affected, this post will walk you through what happened, why Microsoft made this change, and most importantly, how to ensure your applications remain secure and operational moving forward.

Transport Layer Security (TLS) encryption

What Just Happened?

Starting today, Azure Storage no longer accepts connections using TLS 1.0 or TLS 1.1. This means that any client application attempting to connect to Azure Blob Storage, Azure Files, Queue Storage, or Table Storage using these older protocols will be rejected. The minimum supported version is now TLS 1.2.

This change applies to all storage accounts across all Azure clouds: public, government, and sovereign regions. Whether you created your storage account yesterday or years ago, the enforcement is universal.

If you're already using TLS 1.2 or TLS 1.3, you won't notice any change. But if you have legacy applications, older frameworks, or systems that haven't been updated in a while, you might be experiencing connection failures right now.

Why Did Microsoft Deprecate TLS 1.0 and 1.1?

The short answer: security and compliance.

TLS 1.0 was released in 1999, and TLS 1.1 followed in 2006. While revolutionary at the time, these protocols have significant security vulnerabilities that modern attackers can exploit. They don't support contemporary cryptographic algorithms and cipher suites that are now considered baseline requirements for secure communication.

The Security Perspective

TLS exists to encrypt data sent over the internet, protecting sensitive information from malicious actors. When your application connects to Azure Storage over HTTPS, TLS handles the encryption. During the TLS handshake, the client and server negotiate which protocol version to use. If both parties support TLS 1.2 or higher, great. But if your client requests TLS 1.0 or 1.1, that handshake now fails.

TLS 1.2 offers:

  • Stronger cryptographic algorithms that resist modern attack vectors
  • Better performance due to optimized cipher suites
  • Support for modern security features like AEAD (Authenticated Encryption with Associated Data)

The Compliance Perspective

Regulatory frameworks like FedRAMP (Federal Risk and Authorization Management Program) and NIST (National Institute of Standards and Technology) have mandated the retirement of TLS 1.0 and 1.1. Organizations that handle government data, healthcare information, or financial transactions are legally required to use TLS 1.2 or higher.

Microsoft's decision aligns with these evolving standards and ensures that Azure Storage meets the security requirements of highly regulated industries.

How to Know If Your Applications Are Affected

Before you can fix a problem, you need to know if you have one. Here's how to detect whether your applications are using outdated TLS versions.

Enable Storage Analytics Logging

Azure Storage provides logging capabilities that capture details about every request, including the TLS version used. Enable logging on your storage accounts and analyze the logs after a reasonable interval (a few days to a week, depending on traffic patterns).

Look for entries where the TLS version is 1.0 or 1.1. These represent connections that are now being rejected.

To enable logging and detect TLS versions, follow Microsoft's guidance on detecting TLS versions used by client applications.

Check Your Code

Search your codebase for hardcoded references to TLS 1.0 or TLS 1.1. In .NET applications, for example, you might find code like this:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

This explicitly sets the protocol to TLS 1.0, which will now fail. Similarly, check for:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;

Both of these need to be updated or removed entirely.

Use Testing Tools

Third-party tools can help identify the TLS versions your applications negotiate:

  • Qualys SSL Labs: Test your application's TLS capabilities from the server side
  • Fiddler: Capture HTTPS traffic and inspect the TLS version in the handshake

These tools provide visibility into what's happening at the protocol level, which can be invaluable for debugging connection issues.

How to Migrate Your Applications to TLS 1.2

Once you've identified where TLS 1.0 or 1.1 is being used, it's time to update your client applications. The migration process varies depending on your technology stack, but the principles remain the same.

Step 1: Update Your Operating System

Modern operating systems have TLS 1.2 enabled by default:

  • Windows 8 and later support TLS 1.2 by default
  • Windows Server 2016 and later support TLS 1.2 by default
  • Linux distributions from the past several years include TLS 1.2 support in OpenSSL

If you're running older OS versions, you'll need to upgrade or apply patches that enable TLS 1.2 support.

Step 2: Update Frameworks and Libraries

The frameworks and libraries your applications depend on must also support TLS 1.2.

For .NET applications:

  • Upgrade to .NET Framework 4.7 or later (ideally .NET 6 or later)
  • Avoid .NET Framework 4.5 or earlier, which have limited TLS 1.2 support
  • Use at least Visual Studio 2017 or later for development

For Python applications:

  • Use Python 3.5 or later, which supports TLS 1.2
  • Ensure your requests or urllib3 libraries are up to date

For Node.js applications:

  • Use Node.js 10.x or later
  • Update your HTTP client libraries to recent versions

For Java applications:

  • Use Java 8 or later with recent security updates
  • Ensure your HTTP client libraries support TLS 1.2

Step 3: Remove Hardcoded Protocol Versions

This is critical. Search your codebase for any explicit references to TLS versions and remove them. Instead, configure your applications to defer to the operating system's default TLS version.

In .NET, enable the SystemDefaultTLSVersions flag in your application config:

<configuration>
  <runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false" />
  </runtime>
</configuration>

Or in code:

// Don't hardcode this:
// ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

// Instead, let the OS decide (or explicitly support TLS 1.2+):
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;

By deferring to the OS default, your application will automatically support future TLS versions (like TLS 1.3) without code changes.

Step 4: Configure Client Applications

For specific guidance on configuring clients to use TLS 1.2, Microsoft provides detailed instructions in their client application configuration guide.

This includes platform-specific steps for:

  • PowerShell scripts
  • Azure CLI
  • REST API clients
  • Storage SDK clients (.NET, Java, Python, Node.js, etc.)

Step 5: Test Thoroughly

Before deploying changes to production, test your applications in a staging environment. Verify that:

  • Connections to Azure Storage succeed
  • Data operations (read, write, delete) work as expected
  • Performance hasn't degraded
  • Logs show TLS 1.2 or higher being negotiated

Enforcing TLS 1.2 at the Storage Account Level

Beyond updating client applications, you should also configure your Azure Storage accounts to enforce TLS 1.2 as the minimum version. This provides defense in depth; even if a misconfigured client attempts to use an older protocol, the storage account will reject it.

How to Enforce Minimum TLS Version

You can configure the minimum TLS version through:

Azure Portal:

  1. Navigate to your storage account
  2. Under Settings, select Configuration
  3. Set Minimum TLS version to 1.2

Azure CLI:

az storage account update \
  --name <storage-account-name> \
  --resource-group <resource-group-name> \
  --min-tls-version TLS1_2

PowerShell:

Set-AzStorageAccount `
  -ResourceGroupName <resource-group-name> `
  -Name <storage-account-name> `
  -MinimumTlsVersion TLS1_2

ARM Template / Bicep:

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
  }
}

Use Azure Policy for Governance

For organizations with many storage accounts, manually configuring each one isn't scalable. Instead, use Azure Policy to enforce minimum TLS versions across your subscriptions.

Microsoft provides built-in policy definitions like:

  • Storage accounts should use minimum TLS version of 1.2 or higher

Apply this policy to your subscriptions or management groups to ensure compliance organization-wide.

Communicating with Stakeholders

If you're managing a service or platform that uses Azure Storage, today's deprecation likely affects your customers and partners too. You need to communicate the change and help them prepare.

Notify Your Customers

Microsoft recommends notifying customers and partners about your migration to TLS 1.2 so they can make necessary changes to their applications. This is especially important if you expose APIs or services that connect to Azure Storage on behalf of users.

Your communication should:

  • Explain what changed and when
  • Describe the potential impact (connection failures if using TLS 1.0/1.1)
  • Provide clear migration guidance
  • Offer a support channel for questions

Monitor for Issues

After today's deprecation, monitor your applications and support channels for connection failures. Common symptoms include:

  • SecureChannelFailure exceptions in .NET applications
  • SSL handshake errors in logs
  • HTTP 400 or 403 errors when attempting to connect to storage

If you see a spike in these errors, it's likely due to clients still using TLS 1.0 or 1.1.

Best Practices Moving Forward

The TLS 1.0/1.1 deprecation is a reminder that security standards evolve. Here are best practices to future-proof your applications:

1. Avoid Hardcoding Protocol Versions

Never hardcode specific TLS versions unless absolutely necessary. Instead, configure applications to use the operating system's default, which allows them to take advantage of newer protocols (like TLS 1.3) as they become available.

2. Keep Dependencies Updated

Regularly update your operating systems, frameworks, and libraries. Security patches often include updates to supported TLS versions and cryptographic algorithms.

3. Use Modern Development Tools

If you're still using Visual Studio 2013 or .NET Framework 4.5, it's time to upgrade. These older tools don't support TLS 1.2 well, making it harder to write secure code.

4. Test in Production-Like Environments

Staging environments should mirror production as closely as possible, including OS versions, framework versions, and network configurations. This ensures that TLS issues are caught before they reach production.

5. Enable Logging and Monitoring

Don't wait for users to report problems. Enable detailed logging for your applications and storage accounts, and set up alerts for unusual patterns (like sudden spikes in connection failures).

6. Implement Azure Policy

Use Azure Policy to enforce minimum TLS versions, storage account encryption, and other security baselines across your organization. Policy prevents misconfigurations before they become problems.

What About TLS 1.3?

While TLS 1.2 is now the minimum, TLS 1.3 is the current standard and offers even better performance and security. Azure Storage supports TLS 1.3, and if your clients support it, they'll negotiate TLS 1.3 automatically.

TLS 1.3 benefits include:

  • Faster handshakes due to fewer round trips
  • Improved privacy by encrypting more of the handshake
  • Removal of obsolete cryptographic algorithms

If you're already updating your applications, consider configuring them to prefer TLS 1.3 while maintaining TLS 1.2 compatibility:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;

The Bottom Line

Today's TLS 1.0/1.1 deprecation is a necessary step toward a more secure cloud ecosystem. While it may cause short-term disruption for applications that haven't been updated, the long-term benefits (stronger encryption, regulatory compliance, and protection against modern threats) far outweigh the migration effort.

If your applications are already using TLS 1.2 or higher, you're in great shape. If not, the steps outlined in this post will guide you through the migration process. The key is to act methodically: detect where older protocols are being used, update client applications and their dependencies, enforce minimum TLS versions at the storage account level, and monitor for issues.

The age of TLS 1.0 and 1.1 is over. Welcome to the era of modern, secure cloud storage.

Resources:

  • Migrate to TLS 1.2 for Azure Blob Storage
  • Configure Transport Layer Security (TLS) for a client application
  • Enforce a minimum required version of TLS
  • Solving the TLS 1.0 Problem, 2nd Edition
  • Transport Layer Security (TLS) best practices with .NET Framework

Share this article

Share on RedditShare on LinkedInShare on X