Azure Storage TLS: Changes are coming! (…and why you care)

Girish Prajwal 706 Reputation points
2020-10-13T13:02:35.15+00:00

Hi Team,

Today, I received an alert mail from MS. I am not sure which service I have to make changes to with regard to the certificate. There is no information on the service which will be impacted.

https://techcommunity.microsoft.com/t5/azure-storage/azure-storage-tls-changes-are-coming-and-why-you-care/ba-p/1705518

I am unsure on this.

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

Accepted answer
  1. bharathn-msft 5,086 Reputation points Microsoft Employee
    2020-10-15T06:38:23.743+00:00

    @Girish Prajwal - Apologies for the delayed response. Below is the information I could gather for your queries, requesting you to review it.

    • I am unsure which Azure Service needs the latest Certificates updated

    Would request you to please review the “Will this change affect me” section in the documentation and see if you are running one of those specific scenarios. Most customers will not be affected, and this is more of an informational notification.

    • How did my colleague who has reader permissions on few of the subscription receive the alert and not me as I have owner access on over 25 subscriptions in our environment

    Notifications have been sent via Azure Portal notification and Email. If your colleague as a reader got the notification, most likely it might have been from a service health alert. Email notifications have been sent to the account admin or subscription admin. If your email is not email enabled for these roles, there could be a possibility that it might be bounced.

    • I cannot go through all services checking on thumbprints of the certificates

    We expect that most Azure customers will not be impacted. However, your application may be impacted only if it explicitly specifies a list of acceptable CAs. This practice is known as certificate pinning.

    Hope the above information helps, please revert back if you have any further queries. Thank you.


4 additional answers

  1. Leon Laude 85,716 Reputation points
    2020-10-13T13:13:00.11+00:00

    Hi @Girish Prajwal ,

    You'll find more information here:

    Azure TLS certificate changes
    https://video2.skills-academy.com/en-us/azure/security/fundamentals/tls-certificate-changes

    There's also a sticky thread below, if you have any questions I suggest you ask over there:
    https://video2.skills-academy.com/en-us/answers/questions/117444/reminder-azure-tls-certificate-changes.html

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon


  2. Girish Prajwal 706 Reputation points
    2020-10-13T14:42:26.767+00:00

    In the meantime, LeonLaude, can you help me with the below?

    We received similar alert today, and I verified that both our WebApps and IOT services are not using any certificates. However, we have multiple storage accounts in our subscriptions. How can I identify which storage or the Azure service will be impacted?

    Give me insights.

    Along with this, I am unsure how my friend received this alert and not me. Is it because the certificates were raised by him using our on-premise Root CA?

    How can I check "How did he receive this alert from Microsoft" if this was an alert set in Azure.


  3. Sumarigo-MSFT 44,996 Reputation points Microsoft Employee
    2020-10-13T17:43:58.873+00:00

    @Girish Prajwal

    For it to have an impact:
    • App/use-case must be referencing one of the certs listed on our website.
    • App must be using one of the Azure endpoints.

    Ex: You may check these impacted Azure services: API Management, App Services, CDN, Azure Front Door, Application Gateway and AAD Proxy.

    Revocation of non-compliant Certificate Authorities potentially impacting customer’s Azure service(s).

    To summarize, if at all there’s an impact to your customer’s app, there’s guidance available on how to check if your app might be affected.

    Specific instructions for Azure SQL: https://video2.skills-academy.com/en-us/azure/azure-sql/updates/ssl-root-certificate-expiring

    You can check whether a certificate is utilized or revoked through the DigiCert ICA Replacement and Revocation Tracker.

    There is a similar thread discussion in the SO forum; you may refer to the suggestion mentioned over there.

    Additional information: If the query is specific to the azure app services, it would not impact until applications are using *.azurewebsites.net certificate's properties in the code or properties in the upstream or downstream application.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

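The two conditions given in the answers above (the application pins a certificate or CA, and it talks to an Azure endpoint) can be checked across a code base with a scan like the one below. This is an added example, not code from the thread or from Microsoft; the endpoint suffix list, the file extensions and the sample snippet are assumptions, and the thumbprint in the sample is a constructed placeholder.

```python
import re
from pathlib import Path

HEX2 = r"[0-9A-Fa-f]{2}"
# SHA-256 (32 bytes) or SHA-1 (20 bytes) thumbprint, plain or ':'/' ' separated.
# Any hex run of that length matches (e.g. a git commit id), so hits are candidates.
THUMBPRINT = re.compile(
    rf"(?<![0-9A-Fa-f])(?:(?:{HEX2}[: ]?){{31}}{HEX2}|(?:{HEX2}[: ]?){{19}}{HEX2})(?![0-9A-Fa-f])")
# Custom server-certificate validation hooks (.NET, OkHttp, Java TrustManager).
PIN_API = re.compile(r"\b(ServerCertificateValidationCallback|"
                     r"ServerCertificateCustomValidationCallback|"
                     r"RemoteCertificateValidationCallback|CertificatePinner|"
                     r"checkServerTrusted)\b")
# Assumed, non-exhaustive list of Azure endpoint suffixes.
AZURE_HOST = re.compile(r"[\w.-]+\.(?:core\.windows\.net|azurewebsites\.net|"
                        r"database\.windows\.net|azure-api\.net|azurefd\.net|azureedge\.net)")

def scan_text(text):
    """Return pinning evidence and Azure endpoints found in one file's text."""
    prints = sorted({re.sub(r"[: ]", "", m).upper() for m in THUMBPRINT.findall(text)})
    apis = sorted(set(PIN_API.findall(text)))
    hosts = sorted({h.lower() for h in AZURE_HOST.findall(text)})
    if (prints or apis) and hosts:
        verdict = "review-first"     # pin evidence in the same file as an Azure endpoint
    elif prints or apis:
        verdict = "review"           # pin evidence; the endpoint may be configured elsewhere
    else:
        verdict = "no-pin-evidence"
    return {"thumbprints": prints, "apis": apis, "hosts": hosts, "verdict": verdict}

def scan_tree(root, suffixes=(".cs", ".java", ".py", ".json", ".config", ".xml", ".yml")):
    """Scan source and config files under root; return only files with pin evidence."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = scan_text(path.read_text(errors="ignore"))
            if result["verdict"] != "no-pin-evidence":
                found[str(path)] = result
    return found

# Constructed sample (not from a real application): a .NET handler that compares the
# server certificate's hash with a hard-coded placeholder thumbprint.
SAMPLE = '''
var account = "contosodata.blob.core.windows.net";
handler.ServerCertificateCustomValidationCallback = (req, cert, chain, errs) =>
    cert.GetCertHashString() == "00112233445566778899AABBCCDDEEFF00112233";
'''

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Thumbprints the scan reports still have to be compared by hand with the certificates listed in the Azure TLS certificate changes documentation linked in this thread.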

  4. Girish Prajwal 706 Reputation points
    2020-10-14T05:45:21.717+00:00

    Hi Team,

    I still didn't get the right answer on the above question.

    • I am unsure which Azure Service needs the latest Certificates updated
    • How did my colleague who has reader permissions on few of the subscription receive the alert and not me as I have owner access on over 25 subscriptions in our environment
    • I cannot go through all services checking on thumbprints of the certificates
    • I would continue here and need a suggestion on how do I find the answers for the 1st two questions
    • I am unhappy with the other Sticky Thread which is ongoing currently as my question is not answered so far by either Bharath or anyone from MS.

    Regards,
    Girish Prajwal