Check for Minimum TLS Version

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Cosmos DB accounts are using the latest supported version of the TLS protocol (i.e., TLS 1.2) for client connections in order to enhance security by providing stronger encryption, protecting data integrity, reducing vulnerabilities to cyber attacks, and maintaining compatibility with modern browsers.

Security

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Using weak and deprecated TLS protocols can increase opportunities for malicious activities such as hacking, Man-in-the-Middle (MITM), and downgrade attacks. Therefore, it is strongly recommended to use the latest TLS version supported by Azure Cosmos DB.

Audit

To determine the TLS version configured for your Microsoft Azure Cosmos DB accounts, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.

07 Select the Connectivity tab and check the Minimum Transport Layer Security Protocol setting to determine the TLS version configured for the selected resource. If Minimum Transport Layer Security Protocol is not set to TLS 1.2, the selected Microsoft Azure Cosmos DB account does not use the latest supported version of the TLS protocol (i.e., TLS 1.2).

08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription:

az cosmosdb list
	--query '[*].id'

05 The command output should return the requested Azure Cosmos DB account IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account"
]

06 Run cosmosdb show command (Windows/macOS/Linux) with the name of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to describe the Transport Layer Security (TLS) protocol version configured for the selected Cosmos DB account:

az cosmosdb show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--query 'minimalTlsVersion'

07 The command output should return the TLS version configured for the selected resource:

"Tls11"

If the TLS version returned by the cosmosdb show command output is different than "Tls12", as shown in the output example above, the selected Microsoft Azure Cosmos DB account does not use the latest supported version of the TLS protocol (i.e., TLS 1.2).

08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure Cosmos DB accounts are using the latest supported version of the TLS protocol, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

05 Click on the name (link) of the Azure Cosmos DB account that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.

07 Select the Connectivity tab and set the Minimum Transport Layer Security Protocol setting to TLS 1.2 to enforce TLS 1.2 for all client connections to the selected Microsoft Azure Cosmos DB account. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb update command (Windows/macOS/Linux) to update the TLS protocol version for the selected Microsoft Azure Cosmos DB account to TLS 1.2:

az cosmosdb update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--minimal-tls-version Tls12

05 The command output should return the configuration information available for the modified Cosmos DB account:

{
	"analyticalStorageConfiguration": {
		"schemaType": "WellDefined"
	},
	"connectorOffer": null,
	"consistencyPolicy": {
		"defaultConsistencyLevel": "Session",
		"maxIntervalInSeconds": 5,
		"maxStalenessPrefix": 100
	},

	...

	"minimalTlsVersion": "Tls12",
	"name": "cc-project5-cosmos-database",
	"networkAclBypass": "None",
	"networkAclBypassResourceIds": [],
	"privateEndpointConnections": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Enabled",
	"resourceGroup": "cloud-shell-storage-westeurope",
}

06 Repeat steps no. 4 and 5 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created within your Microsoft Azure cloud account.

References

Azure Official Documentation
Secure your Azure Cosmos DB for NoSQL account
Self-serve minimum TLS version enforcement in Azure Cosmos DB

Azure Command Line Interface (CLI) Documentation
az account list
az account set
az cosmosdb list
az cosmosdb show
az cosmosdb update

Publication date May 28, 2025

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related CosmosDB rules