I got tired of having to check TLS configurations manually across our Azure environment. When you’re dealing with lots of subscriptions and lots of resource groups, finding out which TLS versions are insecure can take forever. So I built a PowerShell script to automate the entire process.
You can find the complete script on GitHub: https://github.com/Timohone/azure-tls-version-checker/
What It Does
This script connects to your Azure tenant and scans through every subscription and resource group you have access to. It checks TLS configurations for 13 different Azure services and generates both CSV and HTML reports. The whole thing runs automatically once you kick it off.
The services covered include App Services, Storage Accounts, SQL Databases, Key Vaults, Application Gateways, Front Door, API Management, and several others.
The Problem It Solves
Auditing Azure security compliance is a long and complicated process. You need to check that no one is using old TLS versions like 1.0 or 1.1. If you do this manually through the portal, you have to click through lots of different resources across many different subscriptions. It takes hours, and you’re bound to miss something.
This script handles all of that in one shot. You get a complete inventory of every resource with its TLS version clearly listed. The HTML report gives you a nice visual overview, while the CSV is perfect for filtering and further analysis.
How It Works
The script uses the Az PowerShell module to iterate through your Azure environment systematically. For each subscription, it sets the context and then processes every resource group. Within each group, it queries specific service types and extracts their TLS configuration.
Here’s how the main loop processes subscriptions and resource groups:
    foreach ($sub in $subscriptions) {
        Write-Output "Processing Subscription: $($sub.Name) ($($sub.Id))"
        try {
            # Set the context to the current subscription
            Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop

            # Get all resource groups in the subscription
            $resourceGroups = Get-AzResourceGroup -ErrorAction SilentlyContinue

            foreach ($rg in $resourceGroups) {
                # Process each service type...
            }
        } catch {
            Write-Warning "Failed to process subscription $($sub.Name): $_"
            continue
        }
    }

For services like App Service and Storage Accounts, it reads the MinTlsVersion property directly. Here’s the App Service section:
    Get-AzWebApp -ResourceGroupName $rg.ResourceGroupName -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_
        # The listing call returns a summary object; fetch the app by name to get its SiteConfig
        $appConfig = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name -ErrorAction SilentlyContinue
        # Record an empty MinTlsVersion explicitly rather than leaving a blank cell in the report
        $tlsVersion = if ([string]::IsNullOrEmpty($appConfig.SiteConfig.MinTlsVersion)) {
            "Not Configured"
        } else {
            $appConfig.SiteConfig.MinTlsVersion
        }
        # $tlsReport is the script's shared result list; every service section adds rows in this shape
        $tlsReport.Add([PSCustomObject]@{
            ServiceName    = "Azure App Service"
            ResourceName   = $app.Name
            ResourceGroup  = $app.ResourceGroup
            TlsVersion     = $tlsVersion
            Location       = $app.Location
            AdditionalInfo = "DefaultHostName: $($app.DefaultHostName); Sku: $($app.Sku.Tier); State: $($app.State)"
        })
    }

For SQL servers, it checks MinimalTlsVersion. Application Gateways expose this through their SSL policy settings. The script normalizes all this data into a consistent format.
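The normalization step is where most of the value sits, because each service spells its minimum TLS version differently. The following is an added example, not code from the azure-tls-version-checker repository: it maps the spellings the Az cmdlets return (App Service and SQL "1.0"/"1.1"/"1.2", Storage "TLS1_0"/"TLS1_1"/"TLS1_2", Application Gateway "TLSv1_x" minimum protocols and the predefined AppGwSslPolicy names) onto one format, flags anything that is not provably 1.2 or newer, and writes the same CSV/HTML pair the script produces. The function names, the AppGwSslPolicy-to-version mapping and all sample rows are my own constructions.

```powershell
# Added example (not part of the azure-tls-version-checker script).
# Normalizes the TLS version spellings different Azure services return and
# flags every resource that is not provably on TLS 1.2 or newer.

function ConvertTo-NormalizedTlsVersion {
    param(
        [AllowNull()][AllowEmptyString()][string]$RawValue
    )
    if ([string]::IsNullOrWhiteSpace($RawValue)) { return 'Not Configured' }

    switch -Regex ($RawValue) {
        # App Service MinTlsVersion / SQL MinimalTlsVersion: "1.0", "1.1", "1.2", "1.3"
        '^1\.[0-3]$'                { return $RawValue }
        # Storage Account MinimumTlsVersion: "TLS1_0", "TLS1_1", "TLS1_2"
        '^TLS1_([0-3])$'            { return "1.$($Matches[1])" }
        # Application Gateway custom SSL policy MinProtocolVersion: "TLSv1_0" ... "TLSv1_3"
        '^TLSv1_([0-3])$'           { return "1.$($Matches[1])" }
        # Application Gateway predefined policies, mapped to the minimum protocol each
        # one allows (assumption: mapping maintained by hand from Microsoft's policy docs)
        '^AppGwSslPolicy20150501$'  { return '1.0' }
        '^AppGwSslPolicy20170401$'  { return '1.1' }
        '^AppGwSslPolicy20170401S$' { return '1.2' }
        '^AppGwSslPolicy20220101S?$' { return '1.2' }
        default                     { return "Unknown ($RawValue)" }
    }
}

function Test-TlsVersionInsecure {
    param([Parameter(Mandatory)][string]$NormalizedVersion)
    # Fail closed: "Not Configured" and unknown spellings count as findings so nothing slips through.
    switch ($NormalizedVersion) {
        '1.2'   { return $false }
        '1.3'   { return $false }
        default { return $true }
    }
}

# Constructed sample rows standing in for what the per-service sections collect.
$sampleRows = @(
    [PSCustomObject]@{ ServiceName = 'Azure App Service';     ResourceName = 'web-legacy';  ResourceGroup = 'rg-demo'; RawTls = '1.0' }
    [PSCustomObject]@{ ServiceName = 'Azure App Service';     ResourceName = 'web-modern';  ResourceGroup = 'rg-demo'; RawTls = '1.2' }
    [PSCustomObject]@{ ServiceName = 'Azure Storage Account'; ResourceName = 'stlegacy01';  ResourceGroup = 'rg-demo'; RawTls = 'TLS1_1' }
    [PSCustomObject]@{ ServiceName = 'Azure SQL Server';      ResourceName = 'sql-unset';   ResourceGroup = 'rg-demo'; RawTls = $null }
    [PSCustomObject]@{ ServiceName = 'Application Gateway';   ResourceName = 'agw-old';     ResourceGroup = 'rg-demo'; RawTls = 'AppGwSslPolicy20170401' }
    [PSCustomObject]@{ ServiceName = 'Application Gateway';   ResourceName = 'agw-strict';  ResourceGroup = 'rg-demo'; RawTls = 'AppGwSslPolicy20170401S' }
)

$tlsReport = [System.Collections.Generic.List[object]]::new()
foreach ($row in $sampleRows) {
    $normalized = ConvertTo-NormalizedTlsVersion -RawValue $row.RawTls
    $tlsReport.Add([PSCustomObject]@{
        ServiceName   = $row.ServiceName
        ResourceName  = $row.ResourceName
        ResourceGroup = $row.ResourceGroup
        TlsVersion    = $normalized
        Insecure      = Test-TlsVersionInsecure -NormalizedVersion $normalized
    })
}

# Findings first, so the console shows what needs fixing without opening the report.
$findings = @($tlsReport | Where-Object Insecure)
$findings | Format-Table ServiceName, ResourceName, TlsVersion -AutoSize

# Same two outputs as the script: a CSV for filtering and an HTML table for a visual overview.
$tlsReport | Export-Csv -Path '.\AzureTLSReport-sample.csv' -NoTypeInformation
$tlsReport |
    ConvertTo-Html -Title 'Azure TLS Report (sample)' `
        -PreContent "<h1>Azure TLS Report</h1><p>$($findings.Count) resource(s) below TLS 1.2</p>" |
    Set-Content -Path '.\AzureTLSReport-sample.html'
```

Treating "Not Configured" and unrecognised values as findings is deliberate: a blank cell in an audit report is easy to skip over, while a flagged row forces someone to confirm what the platform default actually is for that resource. When the real script is extended to a new service, only the switch in ConvertTo-NormalizedTlsVersion needs a new branch.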
Running It
You need the Az module installed first:

    Install-Module -Name Az -AllowClobber -Scope CurrentUser

Then just authenticate with Connect-AzAccount and run the script:

    Connect-AzAccount -ErrorAction Stop
    Get-AzureTLSReport

It will process everything it has access to and drop two files in your current directory: AzureTLSReport.csv and AzureTLSReport.html.
The HTML report is a single table with all the details: service name, resource name, resource group, TLS version, location, and some additional context such as SKU or state information.
Get Started
Clone the repo and give it a try:
    git clone https://github.com/Timohone/azure-tls-version-checker
    cd azure-tls-version-checker

Check out the README for detailed setup instructions and examples. If you run into issues or have suggestions for improvements, open an issue on GitHub.