Azure Policy and App Services TLS

Ted 191 Reputation points
2023-08-29T13:42:17.09+00:00

Hello,

I'm puzzled by an Azure Policy that restricts the TLS version on App Services.

I set a new Azure Policy to deny deployment if minTlsVersion doesn't equal 1.2. For a new deployment, it works fine. However, when I go back to the App Service's General settings and change the TLS version manually, it lets me go back to 1.1 or 1.0. Why does the deny work for new deployments but not for settings changes?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "anyOf": [
            {
              "field": "type",
              "equals": "Microsoft.Web/sites/config"
            },
            {
              "field": "type",
              "equals": "Microsoft.Web/sites/slots/config"
            }
          ]
        },
        {
          "anyOf": [
            {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/config/minTlsVersion",
                  "exists": "true"
                },
                {
                  "field": "Microsoft.Web/sites/config/minTlsVersion",
                  "notEquals": "1.2"
                }
              ]
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Web/sites/slots/config/minTlsVersion",
                  "exists": "true"
                },
                {
                  "field": "Microsoft.Web/sites/slots/config/minTlsVersion",
                  "notEquals": "1.2"
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Thank you in advance.


Accepted answer
  1. AnuragSingh-MSFT 20,671 Reputation points
    2023-09-01T06:28:09.0066667+00:00

    @Ted , thank you for posting this question.

    The policy shared in the question works to show an App Service as non-compliant after its TLS version is updated to anything < 1.2. I tested it in my subscription, and the resource is shown as non-compliant after the next policy evaluation.

    However, this policy does not deny the update of the resource, because of the difference between the ARM template in which the update request is submitted and the actual resource ARM template generated from the portal. If the developer tools in the Edge browser (F12) are used to examine the request that updates "minTlsVersion", it can be seen that the request follows the ARM template described here - Microsoft.Web sites ARM template. In this case, the minTlsVersion field is part of "siteConfig" under the resource of type "Microsoft.Web/sites".

    As the policy definition does not check for "type"="Microsoft.Web/sites" AND "field['Microsoft.Web/sites/siteConfig/minTlsVersion']"="1.2", ARM does not block the resource update.

    This is a known issue and is also documented here - Nonstandard update pattern through Azure Portal

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.


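As an added example (not the asker's policy and not code from Microsoft), the definition below extends the original rule with the missing branches from the accepted answer: the same minTlsVersion check is applied when the request arrives on the parent Microsoft.Web/sites or Microsoft.Web/sites/slots resource with the setting nested under siteConfig, which is how the portal's General settings page submits the change. The alias names Microsoft.Web/sites/siteConfig.minTlsVersion and Microsoft.Web/sites/slots/siteConfig.minTlsVersion follow the dotted form Azure Policy uses for nested properties and are an assumption here; confirm them in your tenant with `az provider show --namespace Microsoft.Web --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"` before assigning the policy.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "anyOf": [
                { "field": "type", "equals": "Microsoft.Web/sites/config" },
                { "field": "type", "equals": "Microsoft.Web/sites/slots/config" }
              ]
            },
            {
              "anyOf": [
                {
                  "allOf": [
                    { "field": "Microsoft.Web/sites/config/minTlsVersion", "exists": "true" },
                    { "field": "Microsoft.Web/sites/config/minTlsVersion", "notEquals": "1.2" }
                  ]
                },
                {
                  "allOf": [
                    { "field": "Microsoft.Web/sites/slots/config/minTlsVersion", "exists": "true" },
                    { "field": "Microsoft.Web/sites/slots/config/minTlsVersion", "notEquals": "1.2" }
                  ]
                }
              ]
            }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Web/sites" },
            { "field": "Microsoft.Web/sites/siteConfig.minTlsVersion", "exists": "true" },
            { "field": "Microsoft.Web/sites/siteConfig.minTlsVersion", "notEquals": "1.2" }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Web/sites/slots" },
            { "field": "Microsoft.Web/sites/slots/siteConfig.minTlsVersion", "exists": "true" },
            { "field": "Microsoft.Web/sites/slots/siteConfig.minTlsVersion", "notEquals": "1.2" }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```

The first anyOf branch is the original rule unchanged; the second and third are the additions. The "exists": "true" guard on the parent-resource branches matters: most PUT or PATCH requests against a site (scaling, tags, app settings) do not carry siteConfig.minTlsVersion at all, and without the guard a notEquals test on an absent field would deny those unrelated updates. To verify the fix, assign the definition, open the app's General settings in the portal and try to set the minimum TLS version to 1.0 or 1.1; the save should now fail with a policy denial instead of succeeding and showing up as non-compliant only at the next evaluation. If your App Service plan offers 1.3 as a minimum version, replace each "notEquals": "1.2" with "notIn": ["1.2", "1.3"] so the stricter setting is not denied as well.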