I got tired of manually checking TLS configurations across our Azure environment. When you’re managing multiple subscriptions with dozens of resource groups, hunting down insecure TLS versions becomes a real time sink. So I built a PowerShell script to automate the entire process.

You can find the complete script on GitHub: https://github.com/Timohone/azure-tls-version-checker/

What It Does

This script connects to your Azure tenant and scans through every subscription and resource group you have access to. It checks TLS configurations for 13 different Azure services and generates both CSV and HTML reports. The whole thing runs automatically once you kick it off.

The services covered include App Services, Storage Accounts, SQL Databases, Key Vaults, Application Gateways, Front Door, API Management, and several others. Pretty much everything that has a TLS configuration setting gets checked.

The Problem It Solves

Azure security compliance audits are tedious. You need to verify that nothing is using outdated TLS versions like 1.0 or 1.1. Doing this manually through the portal means clicking through hundreds of resources across different subscriptions. It takes hours and you’re bound to miss something.

This script handles all of that in one shot. You get a complete inventory of every resource with its TLS version clearly listed. The HTML report gives you a nice visual overview, while the CSV is perfect for filtering and further analysis.

How It Works

The script uses the Az PowerShell module to iterate through your Azure environment systematically. For each subscription, it sets the context and then processes every resource group. Within each group, it queries specific service types and extracts their TLS configuration.

Here’s how the main loop processes subscriptions and resource groups:

Terminal window
foreach ($sub in $subscriptions) {
    Write-Output "Processing Subscription: $($sub.Name) ($($sub.Id))"


    try {
        # Set the context to the current subscription
        Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop


        # Get all resource groups in the subscription
        $resourceGroups = Get-AzResourceGroup -ErrorAction SilentlyContinue


        foreach ($rg in $resourceGroups) {
            # Process each service type...
        }
    }
    catch {
        Write-Warning "Failed to process subscription $($sub.Name): $_"
        continue
    }
}

For services like App Service and Storage Accounts, it reads the MinTlsVersion property directly. Here’s the App Service section:

Terminal window
Get-AzWebApp -ResourceGroupName $rg.ResourceGroupName -ErrorAction SilentlyContinue | ForEach-Object {
    $app = $_
    $appConfig = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name -ErrorAction SilentlyContinue
    $tlsVersion = if ([string]::IsNullOrEmpty($appConfig.SiteConfig.MinTlsVersion)) { "Not Configured" } else { $appConfig.SiteConfig.MinTlsVersion }
    $tlsReport.Add([PSCustomObject]@{
        ServiceName = "Azure App Service"
        ResourceName = $app.Name
        ResourceGroup = $app.ResourceGroup
        TlsVersion = $tlsVersion
        Location = $app.Location
        AdditionalInfo = "DefaultHostName: $($app.DefaultHostName); Sku: $($app.Sku.Tier); State: $($app.State)"
    })
}

For SQL servers, it checks MinimalTlsVersion. Application Gateways expose this through their SSL policy settings. The script normalizes all this data into a consistent format.

One thing I made sure to include is error handling that doesn’t kill the entire run. If one subscription or resource group fails, the script logs a warning and keeps going. You still get reports for everything else.

Running It

You need the Az module installed first:

Terminal window
Install-Module -Name Az -AllowClobber -Scope CurrentUser

Then just authenticate with Connect-AzAccount and run the script:

Terminal window
Connect-AzAccount -ErrorAction Stop
Get-AzureTLSReport

It will process everything it has access to and drop two files in your current directory: AzureTLSReport.csv and AzureTLSReport.html.

The HTML report includes a simple table with all the details. Service name, resource name, resource group, TLS version, location, and some additional context like SKU or state information. Everything you need to identify problematic configurations.

The HTML generation is straightforward:

Terminal window
$htmlContent = @"
<html>
<head>
<style>
    body { font-family: Arial, sans-serif; }
    table { border-collapse: collapse; width: 100%; margin-top: 20px; }
    th, td { border: 1px solid black; padding: 8px; text-align: left; }
    th { background-color: #f2f2f2; }
</style>
</head>
<body>
    <h1>Azure TLS Version Report</h1>
    <table>
        <tr>
            <th>Service Name</th>
            <th>Resource Name</th>
            <th>Resource Group</th>
            <th>TLS Version</th>
            <th>Location</th>
            <th>Additional Info</th>
        </tr>
"@


foreach ($entry in $tlsReport) {
    $htmlContent += "<tr>"
    $htmlContent += "<td>$($entry.ServiceName)</td>"
    # ... more columns
    $htmlContent += "</tr>"
}

What I’d Add Next

The script currently covers the major services but there are more Azure resources that could be included. Things like Azure Functions, Logic Apps, and Event Hubs all have TLS settings worth checking.

Another useful addition would be a compliance check that automatically flags resources using TLS 1.0 or 1.1. Right now you get the data and have to review it yourself. Adding a status column that marks things as compliant or non-compliant would speed up remediation.

The reports could also benefit from some filtering options. Being able to generate a report for just one subscription or just the non-compliant resources would make the output more actionable for specific use cases.

Why PowerShell

I went with PowerShell because the Az module gives you direct access to resource properties that aren’t always visible through the portal or REST API. The scripting approach also makes it easy to schedule this as a recurring audit task.

You could run this weekly or monthly as part of your security review process. Stick it in Azure Automation or run it from a VM with a scheduled task. Either way, you get continuous monitoring without manual effort.

Get Started

Clone the repo and give it a try:

Terminal window
git clone https://github.com/Timohone/azure-tls-version-checker
cd azure-tls-audit

Check out the README for detailed setup instructions and examples. If you run into issues or have suggestions for improvements, open an issue on GitHub.

Bottom Line

If you’re responsible for Azure security compliance, you need automated tooling. Manual checks don’t scale and they’re error prone. This script gives you complete visibility into TLS configurations across your entire Azure environment in minutes instead of hours.

The code is straightforward and you can modify it to fit your specific needs. Add more services, change the output format, integrate it with your existing reporting systems. It’s a starting point that already does the heavy lifting.

Fork it, customize it, make it yours. The full source is available at https://github.com/Timohone/azure-tls-version-checker.