Description
Describe the bug
Azure MCP’s Storage Account Create API does not expose any parameter for configuring minimumTlsVersion.
However, our Azure subscription enforces a mandatory policy:
Storage Accounts Minimum TLS 1.2
CONA_Root_Prevent-and-Block-Policies → Storage accounts should have the specified minimum TLS version
When Azure MCP sends the ARM create request without the minimumTlsVersion field, Azure rejects the request with:
RequestDisallowedByPolicy
Storage Accounts Minimum TLS 1.2
This makes it impossible to create a storage account using Azure MCP in any environment where TLS1_2 is required — even though creation works via Portal, CLI, ARM, and Bicep (all of which support TLS configuration).
This is a functional limitation in Azure MCP.
Expected behavior
Azure MCP should allow Storage Account creation to succeed in a policy-restricted subscription by:
Exposing a parameter such as minimumTlsVersion
Passing the correct default automatically (TLS1_2)
OR
Auto-detecting required policy and including the proper TLS property in the create request
At minimum, Azure MCP should not send an incomplete request that violates subscription policies.
Actual behavior
Azure MCP attempts to create the Storage Account with this payload:
resource-group: rg_sandsub_s_aga_westus2
account: datastore2025
location: westus2
sku: Standard_LRS
kind: StorageV2
But MCP does not set minimumTlsVersion, because the parameter is not supported by the API.
Azure rejects the request with:
ErrorCode: RequestDisallowedByPolicy
Resource 'datastore2025' was disallowed by policy:
Policy_CONA_SEC - Storage Accounts Minimum TLS 1.2
Retrying with extra MCP parameters (even undocumented ones) does not work, because MCP ignores them.
Reproduction Steps
Repro Steps
Run in Azure MCP:
Create a storage account named 'datastore2025' in resource group 'rg_sandsub_s_aga_westus2' in location 'westus2' with Standard_LRS.
MCP sends storage_account_create without minimumTlsVersion
Azure returns policy error
MCP has no mechanism to satisfy the policy
Storage account cannot be created through MCP
Repro Environment Requirements
Any subscription with a policy enforcing that Storage Accounts must have Minimum TLS 1.2
This includes all corporate environments such as CONA Services.
Environment
Azure MCP (Server Mode)
Azure Subscription: a96e49c9-c03d-4ead-adc8-069ffcbc3b29
Region: westus2
Client OS: Windows 10
IDE: VS Code
MCP SDK / Azure Mode: Latest (2025.01)
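The failure described in this report can be modelled offline. The following is an added example, not part of the original issue and not Azure MCP code: it builds the ARM create body from the values in the report and checks it against a simplified minimum-TLS deny rule. The function names and the rule "deny when `properties.minimumTlsVersion` is absent or below the required version" are assumptions made for illustration.

```python
# Added example: simplified model of a "minimum TLS version" deny policy
# evaluated against an ARM storage-account create body.
# Function names and the policy logic are assumptions, not Azure MCP code.

# Ordering of the minimumTlsVersion values used for comparison.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def build_create_body(location, sku, kind, minimum_tls_version=None):
    """Build a create body for Microsoft.Storage/storageAccounts."""
    body = {"location": location, "sku": {"name": sku},
            "kind": kind, "properties": {}}
    if minimum_tls_version is not None:
        if minimum_tls_version not in TLS_ORDER:
            raise ValueError(f"unknown TLS version: {minimum_tls_version!r}")
        body["properties"]["minimumTlsVersion"] = minimum_tls_version
    return body


def violates_min_tls_policy(body, required="TLS1_2"):
    """Return the reason the body would be denied, or None if allowed.

    Assumption: the policy denies when the property is missing,
    unrecognised, or lower than the required version.
    """
    value = body.get("properties", {}).get("minimumTlsVersion")
    if value is None:
        return "minimumTlsVersion is not set"
    if value not in TLS_ORDER:
        return f"minimumTlsVersion {value} is not recognised"
    if TLS_ORDER[value] < TLS_ORDER[required]:
        return f"minimumTlsVersion {value} is below {required}"
    return None


# Constructed from the payload values quoted in the report.
ISSUE_BODY = build_create_body("westus2", "Standard_LRS", "StorageV2")
# The same request with the property the report asks MCP to expose.
FIXED_BODY = build_create_body("westus2", "Standard_LRS", "StorageV2", "TLS1_2")

if __name__ == "__main__":
    for name, body in (("as sent", ISSUE_BODY), ("with TLS1_2", FIXED_BODY)):
        print(name, "->", violates_min_tls_policy(body) or "allowed")
```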