Would someone have, or have seen, a script that changes the Azure Storage Account TLS version in bulk? We have several hundred storage accounts that still have TLS 1.0 or 1.1 enabled and we want to change them to 1.2. Because there are so many of them, clicking through them manually is really not an option.
I have now googled and tried to script it myself, but I am banging my head against the wall.
I have managed to loop through all my subscriptions and storage accounts and save the storage account name, resource group and TLS version to a CSV, but now I need help with the next step: how could I then change the TLS version to 1.2 if it is 1.0 or 1.1, using that data?
The line that changes the TLS version is (https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=powershell#configure-the-minimum-tls-version-for-a-storage-account):
Set-AzStorageAccount -ResourceGroupName $rgName `
-Name $accountName `
-MinimumTlsVersion TLS1_2
My current script:
$Subscriptions = Get-AzSubscription
$data = foreach ($sub in $Subscriptions) {
    Write-Host "Working with Subscription $($sub.Name)"
    # switch context; assign to $null so Set-AzContext's output is not collected in $data
    $null = Get-AzSubscription -SubscriptionName $sub.Name | Set-AzContext
    # let Select-Object output the objects that will be collected in variable $data
    Get-AzStorageAccount | Select-Object StorageAccountName, ResourceGroupName,
        @{Name = 'TLSVersion'; Expression = {$_.MinimumTlsVersion}}
}
# write a CSV file containing this data
$data | Export-Csv -Path C:\temp\data.csv -NoTypeInformation
Tips?
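The remediation step the question asks for, written out as an added example (this is editor-supplied code, not part of the original post or of the Microsoft docs). It walks every subscription the signed-in identity can see, raises MinimumTlsVersion to TLS1_2 only on accounts that are below it, treats an unset value as needing the change (the service still accepts TLS 1.0 when the property was never set), supports -WhatIf for a dry run, and writes a before/after report. The script name, the report path and the Az module prerequisites are assumptions.

```powershell
# Added example (not from the original post or Microsoft docs): raise the minimum
# TLS version to TLS1_2 on every storage account that is still below it, across
# all subscriptions the signed-in identity can read. Dry run with -WhatIf.
# Assumes the Az.Accounts and Az.Storage modules are installed and that
# Connect-AzAccount has already been run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Where to write the before/after report (assumed path; adjust as needed).
    [string] $ReportPath = 'C:\temp\tls-remediation.csv'
)

$Target = 'TLS1_2'

$results = foreach ($sub in Get-AzSubscription) {
    Write-Host "Working with subscription $($sub.Name)"
    $null = Set-AzContext -SubscriptionId $sub.Id

    foreach ($sa in Get-AzStorageAccount) {
        $before = $sa.MinimumTlsVersion

        # A null/empty value means the property was never set; the service then
        # still accepts TLS 1.0, so such accounts need the change as much as the
        # ones explicitly set to TLS1_0 or TLS1_1.
        $row = [pscustomobject]@{
            Subscription   = $sub.Name
            ResourceGroup  = $sa.ResourceGroupName
            StorageAccount = $sa.StorageAccountName
            Before         = if ([string]::IsNullOrEmpty($before)) { '(not set)' } else { $before }
            After          = $before
            Status         = 'AlreadyCompliant'
        }

        # $null -ne 'TLS1_2' evaluates to $true, so unset accounts are included here.
        if ($before -ne $Target) {
            $action = "Set MinimumTlsVersion from '$($row.Before)' to $Target"
            if ($PSCmdlet.ShouldProcess($sa.StorageAccountName, $action)) {
                try {
                    $updated = Set-AzStorageAccount -ResourceGroupName $sa.ResourceGroupName `
                        -Name $sa.StorageAccountName `
                        -MinimumTlsVersion $Target -ErrorAction Stop
                    $row.After  = $updated.MinimumTlsVersion
                    $row.Status = 'Updated'
                } catch {
                    # Typical causes: no write permission, a resource lock, or a policy deny.
                    $row.Status = "Failed: $($_.Exception.Message)"
                }
            } else {
                $row.Status = 'WouldUpdate'   # -WhatIf path: nothing was changed
            }
        }
        $row
    }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Run it once as `.\Set-StorageMinTls.ps1 -WhatIf` and read the report before running it for real: raising the minimum to TLS 1.2 will break any client that still negotiates TLS 1.0 or 1.1, and the storage account's resource logs record the TLS version each request used, which is the place to look for such clients first.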
CodePudding user response:
• I would like to appreciate the script you prepared for changing the TLS version of multiple storage accounts across various subscriptions. I also tried to test the specific cmdlets for changing the TLS version of multiple storage accounts in my subscription, since I don't have multiple subscriptions, and it worked great. Also, if you don't have access to resources over multiple subscriptions, it is not possible to execute this script.
The minimum required Azure Resource Manager role for this script to execute successfully is 'Contributor' for all subscriptions, and you need to sign in with a user ID in the subscription that is higher in the management group hierarchy than the others, so that it has the authority to execute and access resources in those subscriptions accordingly.
• Thus, the actual script that can successfully change the TLS version of the storage accounts in any subscription a user ID has access to is as follows. It also exports a CSV file containing the list of all the storage accounts accessed by this script:
$Subscriptions = Get-AzSubscription
$data = foreach ($sub in $Subscriptions) {
    Write-Host "Working with Subscription $($sub.Name)"
    $null = Get-AzSubscription -SubscriptionName $sub.Name | Set-AzContext
    # Set-AzStorageAccount binds -ResourceGroupName and -Name from the piped account
    # object and returns the updated account, so the new version can be recorded in $data
    Get-AzStorageAccount |
        Set-AzStorageAccount -MinimumTlsVersion TLS1_2 |
        Select-Object StorageAccountName, ResourceGroupName,
            @{Name = 'TLSVersion'; Expression = {$_.MinimumTlsVersion}}
}
$data | Export-Csv -Path C:\data.csv -NoTypeInformation
You can also configure an Azure Policy to enforce TLS 1.2 on storage accounts from now on, by entering the JSON code below as a policy in an Azure Policy assignment.
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "not": {
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "equals": "TLS1_2"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
For more details regarding this, please refer to the documentation link below:
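The policy from the answer, deployed from PowerShell rather than the portal, as an added example (editor-supplied code, not part of the original answer). The rule is the same as the answer's JSON; the only change is that the effect is a parameter, so the policy can be assigned as Audit first and switched to Deny once the audit shows no stragglers. The definition and assignment names, the default scope (the current subscription) and the module prerequisites are assumptions.

```powershell
# Added example (not from the original answer): create and assign the TLS policy
# from PowerShell. The effect is parameterised so the same definition can be
# rolled out as Audit first and flipped to Deny later.
# Assumes the Az.Resources and Az.PolicyInsights modules are installed,
# Connect-AzAccount has been run, and the caller may write policy at $Scope.
param(
    # Assumed scope: the current subscription. A management group scope works too.
    [string] $Scope  = "/subscriptions/$((Get-AzContext).Subscription.Id)",
    [ValidateSet('Audit', 'Deny')]
    [string] $Effect = 'Audit'
)

# Same rule as the answer's JSON. "not equals TLS1_2" also matches accounts on
# which minimumTlsVersion was never set: the field is absent, so the equality
# is false, and those accounts are flagged as well.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "not": {
          "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
          "equals": "TLS1_2"
        }
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'storage-min-tls-1-2' `
    -DisplayName 'Storage accounts must require TLS 1.2' `
    -Description 'Flags or blocks storage accounts whose minimumTlsVersion is not TLS1_2.' `
    -Policy $rule -Parameter $parameters -Mode Indexed

$assignment = New-AzPolicyAssignment -Name 'storage-min-tls-1-2' -Scope $Scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = $Effect }

# Compliance evaluation is not instant; trigger a scan (this call blocks until
# the scan finishes), then list the accounts that are still below TLS 1.2.
Start-AzPolicyComplianceScan
Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceGroup, ResourceId, ComplianceState
```

Two caveats worth keeping in mind: Deny only rejects create and update requests that would leave an account below TLS 1.2, so existing accounts are merely reported as non-compliant and still have to be fixed with Set-AzStorageAccount; and before switching from Audit to Deny, confirm from the storage resource logs that no client is still connecting with TLS 1.0 or 1.1, since the policy will not prevent those clients from breaking once the accounts are raised.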