Commit 9882a3e

Merge pull request #222647 from jimmart-dev/jammart-storage-tls-cipher-3des
storage account TLS cipher suite control
2 parents bc00b28 + d9854f0 commit 9882a3e

2 files changed, +8 -5 lines changed


articles/storage/common/transport-layer-security-configure-client-version.md

Lines changed: 3 additions & 3 deletions
@@ -7,17 +7,17 @@ author: jimmart-dev
77

88
ms.service: storage
99
ms.topic: how-to
10-
ms.date: 07/08/2020
10+
ms.date: 12/29/2022
1111
ms.author: jammart
1212
ms.reviewer: fryu
1313
ms.subservice: common
1414
ms.devlang: csharp
15-
ms.custom: devx-track-csharp, devx-track-azurepowershell
15+
ms.custom: devx-track-csharp, devx-track-azurepowershell, engagement-fy23
1616
---
1717

1818
# Configure Transport Layer Security (TLS) for a client application
1919

20-
For security purposes, an Azure Storage account may require that clients use a minimum version of Transport Layer Security (TLS) to send requests. Calls to Azure Storage will fail if the client is using a version of TLS that is lower than the minimum required version. For example, if a storage account requires TLS 1.2, then a a request sent by a client who is using TLS 1.1 will fail.
20+
For security purposes, an Azure Storage account may require that clients use a minimum version of Transport Layer Security (TLS) to send requests. Calls to Azure Storage will fail if the client is using a version of TLS that is lower than the minimum required version. For example, if a storage account requires TLS 1.2, then a request sent by a client who is using TLS 1.1 will fail.
2121

2222
This article describes how to configure a client application to use a particular version of TLS. For information about how to configure a minimum required version of TLS for an Azure Storage account, see [Configure minimum required version of Transport Layer Security (TLS) for a storage account](transport-layer-security-configure-minimum-version.md).
2323
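Review bot: The rewritten sentence at new line 20 still says "a client who is using TLS 1.1", which treats a client application as a person. Since the line is already being changed for the "a a" fix, suggest "a request sent by a client that is using TLS 1.1 will fail".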

articles/storage/common/transport-layer-security-configure-minimum-version.md

Lines changed: 5 additions & 2 deletions
@@ -7,11 +7,11 @@ author: jimmart-dev
77

88
ms.service: storage
99
ms.topic: how-to
10-
ms.date: 07/07/2021
10+
ms.date: 12/30/2022
1111
ms.author: jammart
1212
ms.reviewer: fryu
1313
ms.subservice: common
14-
ms.custom: devx-track-azurepowershell, devx-track-azurecli
14+
ms.custom: devx-track-azurepowershell, devx-track-azurecli, engagement-fy23
1515
ms.devlang: azurecli
1616
---
1717

@@ -27,6 +27,9 @@ This article describes how to use a DRAG (Detection-Remediation-Audit-Governance
2727

2828
For information about how to specify a particular version of TLS when sending a request from a client application, see [Configure Transport Layer Security (TLS) for a client application](transport-layer-security-configure-client-version.md).
2929

30+
> [!NOTE]
31+
> The cipher suite used when clients send data to and receive data from a storage account is dependent on the TLS version used. It is not possible to configure a storage account to block the use of specific ciphers, other than by requiring a minimum TLS version. If you require the ability to allow only specific cipher suites when connecting to your storage account, consider using Azure Application Gateway. For more information about using Application Gateway for this purpose, see [Configure TLS policy versions and cipher suites on Azure Application Gateway](../../application-gateway/application-gateway-configure-ssl-policy-powershell.md).
32+
3033
## Detect the TLS version used by client applications
3134

3235
When you enforce a minimum TLS version for your storage account, you risk rejecting requests from clients that are sending data with an older version of TLS. To understand how configuring the minimum TLS version may affect client applications, Microsoft recommends that you enable logging for your Azure Storage account and analyze the logs after an interval of time to detect what versions of TLS client applications are using.
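Review bot: The note added at new lines 30-31 recommends Azure Application Gateway for allowing only specific cipher suites, but it omits that a gateway TLS policy governs only connections that terminate at the gateway. The same note states that the storage account itself cannot block specific ciphers, so a client that connects to the storage endpoint directly still negotiates whatever suites the TLS version permits. Suggest adding a sentence telling readers to restrict direct access to the storage account when they rely on this approach. Two smaller points: the link text is generic while the target is the PowerShell-specific article (`application-gateway-configure-ssl-policy-powershell.md`), and "is dependent on" reads better as "depends on".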
