What it is
The setting that forces encrypted transport gets disabled. On Azure Storage it is Secure transfer required (properties.supportsHttpsTrafficOnly); on App Service it is HTTPS Only (properties.httpsOnly). With it off, the endpoint no longer rejects or redirects plain http:// requests, so cleartext traffic is accepted.
Why it happens
The two settings default differently. On Storage, supportsHttpsTrafficOnly is on by default on new accounts, so the risk is someone turning it off. On App Service, httpsOnly defaults to false on new web apps, so the risk is that it is never turned on in the first place. Either way the setting ends up off for a short-term reason: an old SDK or device that speaks only HTTP, a health-check probe that isn't configured for TLS, or a quick test that never gets reverted. Flipping (or never flipping) the property makes the immediate error go away.
Because HTTPS still works, the app and its dashboards look completely normal. Nothing signals that the endpoint has quietly started answering unencrypted requests too, so the setting stays off long after the reason for changing it is gone.
What it costs / blast radius
This is a transport-security regression, not a cost line. Allowing HTTP means credentials, access keys, SAS tokens, and payloads can traverse the network in cleartext, exposing them to interception and to man-in-the-middle downgrade. It also breaks common compliance requirements that mandate encryption in transit. The blast radius is any client that connects over the unencrypted path, whether by mistake or because an attacker steered it there. (Azure behavior: on Storage, secure transfer is the default and is only off when someone disables it; on App Service, HTTPS Only has to be turned on.)
See it
Before: the property is flipped off and the account starts answering plaintext (Bicep; the location parameter is declared so the snippet deploys on its own).

param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: false // now accepts plaintext http:// requests
  }
}

After: the property is restored and plain HTTP is rejected again.

param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true // reject HTTP; fix the client to speak TLS
  }
}

How StratoLens helps
StratoLens tracks the secure-transfer and HTTPS-only settings on storage accounts and web apps across every subscription, and flags the moment either flips from enabled to disabled, with the before/after values and when it happened. An endpoint that started accepting cleartext HTTP surfaces as a weakening event, not as a config edit nobody circles back to.
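The two checks described above, as an added example that is not StratoLens' own code: it lists which resources in an inventory snapshot currently accept cleartext HTTP, resolving a missing property to the service default (so a web app that never had httpsOnly set is reported, while a storage account with the property absent is not), and it diffs two snapshots to report only enabled-to-disabled flips with their before/after values. The input shape, the resource IDs and the placeholder subscription are constructed assumptions modelled on `az resource list` output.

```python
# Added example, not StratoLens code: flag Azure endpoints that accept cleartext
# HTTP and report enabled->disabled flips between two inventory snapshots.
from typing import Dict, List, Tuple

# type -> (property that forces TLS, value Azure applies when it is absent)
TLS_FLAG = {
    "Microsoft.Storage/storageAccounts": ("supportsHttpsTrafficOnly", True),
    "Microsoft.Web/sites": ("httpsOnly", False),
}

def requires_tls(resource: Dict) -> bool:
    """Effective setting; a missing property resolves to the service default, so
    a web app that never had httpsOnly set still counts as accepting cleartext."""
    flag, default = TLS_FLAG[resource["type"]]
    return bool(resource.get("properties", {}).get(flag, default))

def cleartext_endpoints(resources: List[Dict]) -> List[str]:
    """IDs of tracked resources that currently answer plain http:// requests."""
    return [r["id"] for r in resources if r["type"] in TLS_FLAG and not requires_tls(r)]

def weakening_events(previous: List[Dict], current: List[Dict]) -> List[Tuple[str, str, bool, bool]]:
    """(id, property, before, after) for each enabled->disabled flip between snapshots.
    Resources already off at T0, or fixed at T1, are not weakening events."""
    before = {r["id"]: r for r in previous if r["type"] in TLS_FLAG}
    events = []
    for r in current:
        old = before.get(r["id"])
        if old is None or r["type"] not in TLS_FLAG:
            continue
        was, now = requires_tls(old), requires_tls(r)
        if was and not now:
            events.append((r["id"], TLS_FLAG[r["type"]][0], was, now))
    return events

# Constructed snapshots (placeholder subscription): the storage account is flipped
# off between scans; the web app was never turned on (httpsOnly absent -> false).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
STORAGE_ID = RG + "/Microsoft.Storage/storageAccounts/corpdata"
WEBAPP_ID = RG + "/Microsoft.Web/sites/portal"
SNAPSHOT_T0 = [
    {"id": STORAGE_ID, "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"id": WEBAPP_ID, "type": "Microsoft.Web/sites", "properties": {}},
]
SNAPSHOT_T1 = [
    {"id": STORAGE_ID, "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"id": WEBAPP_ID, "type": "Microsoft.Web/sites", "properties": {}},
]
```

Running `weakening_events(SNAPSHOT_T0, SNAPSHOT_T1)` yields the single storage-account flip; the web app shows up only in `cleartext_endpoints`, since it was never on to begin with.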