Security | High | Occasional | AZF-0033

Minimum TLS version quietly lowered from 1.2 to 1.0 on Storage, SQL, or App Service

A minimum-TLS setting drops from TLS 1.2 to TLS 1.0 on a storage account, SQL server, or web app, and weak, deprecated transport encryption is allowed again.

Footgun ID: AZF-0033 (Azure Footgun No. 33)
Azure service: Azure Storage / SQL / App Service
Resource type: Microsoft.Storage/storageAccounts
Updated: July 1, 2026

What it is

The minimum TLS version enforced on a resource's endpoint gets lowered, typically from TLS 1.2 back to TLS 1.0 or 1.1. The setting exists on multiple services and each has its own property: Azure Storage (properties.minimumTlsVersion), Azure SQL (properties.minimalTlsVersion), and App Service (properties.siteConfig.minTlsVersion). Once lowered, clients can negotiate deprecated, weaker cipher suites again.

Impact (security)
Deprecated TLS 1.0/1.1 handshakes accepted on data-plane endpoints
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Someone integrates a legacy client, a runtime, or an appliance that can't negotiate TLS 1.2, and the fastest way to make the connection succeed is to lower the floor rather than fix the client. The change is a one-line property edit and it works immediately, so it ships and stays.

Because the endpoint still serves modern clients over TLS 1.2 exactly as before, nothing looks broken. The weakening is invisible unless someone is comparing the setting against its prior, stronger value. Each service spells the property differently, which makes it easy to miss in a review that only knows one of them.

What it costs / blast radius

This is a transport-security regression, not a cost. TLS 1.0 and 1.1 are deprecated and carry known weaknesses; accepting them means a network attacker able to influence the handshake can push a client onto weaker encryption, and it typically breaks compliance baselines (PCI DSS, and Azure's own hardening guidance) that require TLS 1.2 or higher. The blast radius is every client that connects to that endpoint. (Azure behavior; the setting is off the happy path only when someone downgrades it.)

See it

Footgun: minimum TLS lowered to 1.0 (shown on Storage; SQL and App Service have the same trap)
param location string = resourceGroup().location   // declared so the snippet deploys on its own
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_0'   // was TLS1_2 — now accepts deprecated TLS 1.0/1.1 handshakes
  }
}
Fix: pin the floor to TLS 1.2 (minimalTlsVersion on SQL, siteConfig.minTlsVersion on App Service)
param location string = resourceGroup().location   // declared so the snippet deploys on its own
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'   // fix the legacy client instead of lowering the floor
  }
}

How StratoLens helps

StratoLens knows the minimum-TLS property under all three names and flags the moment any of them drops below its prior value, across every subscription, with the before and after version and when it changed. A TLS 1.2-to-1.0 downgrade surfaces as a weakening event instead of hiding as a routine config edit on whichever service happened to change.
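The same check in script form, as an added example (not StratoLens code and not part of the footgun database): it reads the property under all three names, normalises each service's own value format, lists every resource whose floor sits below 1.2, and compares two configuration snapshots so a TLS 1.2-to-1.0 drop surfaces as a downgrade event. The resource dicts mirror the shape of ARM resource JSON, and every id and value in them is constructed.

```python
"""Flag Azure resources whose minimum-TLS floor is below 1.2 and spot downgrades
between snapshots. Added example, not StratoLens code; all ids are constructed."""
# Where each service keeps the setting, as a key path under "properties".
TLS_PROPERTY = {
    "Microsoft.Storage/storageAccounts": ("minimumTlsVersion",),
    "Microsoft.Sql/servers": ("minimalTlsVersion",),
    "Microsoft.Web/sites": ("siteConfig", "minTlsVersion"),
}

def min_tls(resource):
    """Floor as a float (0.0 = no floor), or None if the type is unknown, the
    property is absent (service default applies) or the value is unrecognised."""
    path = TLS_PROPERTY.get(resource.get("type"))
    if path is None: return None
    node = resource.get("properties") or {}
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    if str(node).lower() == "none":  # SQL accepts "None": no floor at all
        return 0.0
    try:  # Storage writes TLS1_0/TLS1_2; SQL and App Service write "1.0"/"1.2"
        return float(str(node).upper().replace("TLS", "").replace("_", "."))
    except ValueError:
        return None

def weak_floors(resources, required=1.2):
    # (id, floor) for every resource whose floor is set below `required`
    return [(r["id"], f) for r in resources
            if (f := min_tls(r)) is not None and f < required]

def downgrades(before, after):
    """(id, old, new) where the floor fell between snapshots: the endpoint still
    serves TLS 1.2 clients, so only this comparison exposes the footgun."""
    prev = {r["id"]: min_tls(r) for r in before}
    return [(r["id"], prev[r["id"]], new) for r in after
            if prev.get(r["id"]) is not None
            and (new := min_tls(r)) is not None and new < prev[r["id"]]]

# Constructed snapshots: storage drops TLS1_2 -> TLS1_0 (the footgun); SQL stays
# at 1.2; the web app was already at 1.0 (weak, but not a change).
BEFORE = [
    {"id": "/rg/corpdata", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"id": "/rg/sqlsrv", "type": "Microsoft.Sql/servers",
     "properties": {"minimalTlsVersion": "1.2"}},
    {"id": "/rg/webapp", "type": "Microsoft.Web/sites",
     "properties": {"siteConfig": {"minTlsVersion": "1.0"}}},
]
AFTER = [dict(r, properties={"minimumTlsVersion": "TLS1_0"})
         if r["id"] == "/rg/corpdata" else r for r in BEFORE]
```

Run `weak_floors(AFTER)` for the point-in-time view and `downgrades(BEFORE, AFTER)` for the weakening event; the web app shows up in the first but not the second, which is exactly the distinction a review that only looks at current values misses.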

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.