Require secure transfer in Azure Storage

The "Secure transfer required" option enhances the security of your storage account by only allowing requests to the account from secure connections. For example, when you're calling REST APIs to access your storage account, you must connect by using HTTPS. "Secure transfer required" rejects requests that use HTTP.

When you use the Azure Files service, any connection without encryption fails when "Secure transfer required" is enabled. This includes scenarios that use SMB 2.1, SMB 3.0 without encryption, and some versions of the Linux SMB client.

By default, the "Secure transfer required" option is disabled.

Note

Because Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when you're using a custom domain name. Classic storage accounts are also not supported.

Enable "Secure transfer required" in the Azure portal

You can turn on the "Secure transfer required" setting when you create a storage account in the Azure portal. You can also enable it for existing storage accounts.

Require secure transfer for a new storage account

  1. Open the Create storage account pane in the Azure portal.
  2. Under Secure transfer required, select Enabled.

Require secure transfer for an existing storage account

  1. Select an existing storage account in the Azure portal.
  2. In the storage account menu pane, under SETTINGS, select Configuration.
  3. Under Secure transfer required, select Enabled.

Enable "Secure transfer required" programmatically

To require secure transfer programmatically, set the supportsHttpsTrafficOnly property in the storage account properties by using the REST API, tools, or libraries.

Enable "Secure transfer required" setting with PowerShell

This sample requires the Azure PowerShell module version 4.1 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to install or upgrade, see Install Azure PowerShell module.

Run Connect-AzureRmAccount to create a connection with Azure.

Use the following command line to check the setting:

> Get-AzureRmStorageAccount -Name "{StorageAccountName}" -ResourceGroupName "{ResourceGroupName}"
StorageAccountName     : {StorageAccountName}
Kind                   : Storage
EnableHttpsTrafficOnly : False
...

Use the following command line to enable the setting:

> Set-AzureRmStorageAccount -Name "{StorageAccountName}" -ResourceGroupName "{ResourceGroupName}" -EnableHttpsTrafficOnly $True
StorageAccountName     : {StorageAccountName}
Kind                   : Storage
EnableHttpsTrafficOnly : True
...

Enable "Secure transfer required" setting with CLI

To run this sample, make sure you have installed the latest Azure CLI 2.0. To start, run az login to create a connection with Azure.

This sample works in a Bash shell. For options on running Azure CLI scripts on a Windows client, see Install the Azure CLI on Windows.

If you don't have an Azure subscription, create a free account before you begin.

Use the following command line to check the setting:

> az storage account show -g {ResourceGroupName} -n {StorageAccountName}
{
  "name": "{StorageAccountName}",
  "enableHttpsTrafficOnly": false,
  "type": "Microsoft.Storage/storageAccounts"
  ...
}

Use the following command line to enable the setting:

> az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only true
{
  "name": "{StorageAccountName}",
  "enableHttpsTrafficOnly": true,
  "type": "Microsoft.Storage/storageAccounts"
  ...
}
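To check the setting across many accounts rather than one at a time, the following added example (not part of the original article) audits JSON in the shape returned by az storage account list and builds the update command shown above for each account that still accepts HTTP. The account names, the embedded sample, the classic resource type string in it, and the status labels are constructed for illustration.

```python
import json
import shlex

ARM_TYPE = "Microsoft.Storage/storageAccounts"

# Constructed sample shaped like `az storage account list` output; not real accounts.
SAMPLE = """
[
  {"name": "stlogs01", "resourceGroup": "rg-ops", "type": "Microsoft.Storage/storageAccounts",
   "enableHttpsTrafficOnly": true, "customDomain": null},
  {"name": "stweb02", "resourceGroup": "rg-web", "type": "Microsoft.Storage/storageAccounts",
   "enableHttpsTrafficOnly": false, "customDomain": {"name": "static.example.com"}},
  {"name": "stold03", "resourceGroup": "rg-legacy", "type": "Microsoft.Storage/storageAccounts"},
  {"name": "stclassic04", "resourceGroup": "rg-legacy",
   "type": "Microsoft.ClassicStorage/storageAccounts"}
]
"""


def audit(accounts):
    """Classify each account and build the fix command for non-compliant ones."""
    findings = []
    for acct in accounts:
        name = acct.get("name", "")
        group = acct.get("resourceGroup", "")
        fix = None
        if acct.get("type") != ARM_TYPE:
            # The setting is not supported on classic storage accounts.
            status = "unsupported"
        elif acct.get("enableHttpsTrafficOnly") is True:
            status = "https-only"
        else:
            # false or absent: the option is disabled by default.
            status = "http-allowed"
            fix = "az storage account update -g {} -n {} --https-only true".format(
                shlex.quote(group), shlex.quote(name))
        # The option is not applied to requests made through a custom domain name.
        custom = (acct.get("customDomain") or {}).get("name")
        findings.append({"name": name, "status": status,
                         "custom_domain": custom, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE)):
        print("{name:12} {status:13} custom_domain={custom_domain} fix={fix}".format(**f))
```

An account reported with a custom_domain value needs separate review, because the option is not applied to requests that use the custom domain name.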

Next steps

Azure Storage provides a comprehensive set of security capabilities, which together enable developers to build secure applications. For more details, go to the Storage Security Guide.