I have just installed an SSL certificate on my Azure Web App. I have checked if the installation is correct by using the Symantec SSL checker tool available here.
In the results I can read that:
BEAST This server is vulnerable to a BEAST attack. Make sure you have the TLSv1.2 protocol enabled on your server. Disable the RC4, MD5, and DES algorithms. Contact your web server vendor for assistance.
How can I do that in the Azure portal?
UPDATE: I have also checked this by using this website. It also confirms that the vulnerability is not mitigated server side.
BEAST is a client-side vulnerability. Yes, TLS 1.0 is old and badly ageing, but in a multi-tenant service it makes sense to still have it in. You want to break the least amount of people out there and yes, people still handshake TLS 1.0 like you wouldn't believe.
That being said, if you're ready to kill TLS 1.0 for your deployment(s), just host in App Service Environment.
Disable TLS 1.0
A recurring question from customers, especially customers who are dealing with PCI compliance audits, is how to explicitly disable TLS 1.0 for their apps.
TLS 1.0 can be disabled through the following clusterSettings entry:
"clusterSettings": [
    {
        "name": "DisableTls1.0",
        "value": "1"
    }
],
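As an added example (not part of the answer above or of Azure's documentation), a Python check that every App Service Environment resource in an ARM template carries the clusterSettings entry quoted above, useful before a PCI audit. The sample template, its resource names and the function names are constructed for illustration, and the check assumes that only the value "1" disables TLS 1.0.

```python
import json

ASE_TYPE = "Microsoft.Web/hostingEnvironments"  # ARM type of an App Service Environment
SETTING = "DisableTls1.0"                       # clusterSettings name quoted in the answer

def tls10_disabled(resource):
    """True if the resource's clusterSettings contain DisableTls1.0 = "1"."""
    settings = (resource.get("properties") or {}).get("clusterSettings") or []
    return any(
        isinstance(s, dict)
        and s.get("name") == SETTING
        and str(s.get("value")) == "1"   # assumption: only "1" turns TLS 1.0 off
        for s in settings
    )

def audit_template(template_text):
    """Return the names of ASE resources in the template that still allow TLS 1.0."""
    template = json.loads(template_text)
    findings = []
    for res in template.get("resources", []):
        is_ase = res.get("type", "").lower() == ASE_TYPE.lower()
        if is_ase and not tls10_disabled(res):
            findings.append(res.get("name", "<unnamed>"))
    return findings

# Constructed sample: one compliant ASE, one with no clusterSettings,
# one with the setting present but not enabled, and one non-ASE resource.
SAMPLE = json.dumps({
    "resources": [
        {"type": ASE_TYPE, "name": "ase-pci",
         "properties": {"clusterSettings": [{"name": SETTING, "value": "1"}]}},
        {"type": ASE_TYPE, "name": "ase-legacy", "properties": {}},
        {"type": ASE_TYPE, "name": "ase-zero",
         "properties": {"clusterSettings": [{"name": SETTING, "value": "0"}]}},
        {"type": "Microsoft.Web/sites", "name": "webapp", "properties": {}},
    ]
})

if __name__ == "__main__":
    for name in audit_template(SAMPLE):
        print(f"{name}: TLS 1.0 still enabled ({SETTING} is not set to 1)")
```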