Preparing for TLS 1.2 in Microsoft Azure
Updated: 10 March, 2020
Microsoft Azure recommends that all customers complete migration towards solutions that support transport layer security (TLS) 1.2 and to make sure that TLS 1.2 is used by default.
All Azure services fully support TLS 1.2, and services where customers are only using TLS 1.2 have made a switch to only accept TLS 1.2 traffic. Services that currently accept TLS 1.0/1.1 traffic will continue supporting these protocol versions until further notice to ensure compatibility with existing applications. Whilst Microsoft’s TLS 1.0 implementation has no known security vulnerabilities, it’s important to account for potential future protocol downgrade attacks and other TLS vulnerabilities. Microsoft continues to monitor the security landscape and will re-evaluate its position when necessary.
We understand that the security of your data is important, and we’re committed to transparency about changes that may affect your use of TLS with Azure services.
As previously stated, Microsoft is driving a long-term shift to refuse legacy protocol and cipher suite connections. Evaluate your workloads for TLS 1.2 readiness and develop a migration plan.
Azure has completed the engineering work to remove dependency on TLS 1.0/1.1 protocols and provide full support to customers who want to have their workloads configured to only accept and initiate TLS 1.2 connections.
All customers should configure their Azure-hosted workloads and on-premises applications interacting with Azure services to use TLS 1.2 by default. For additional information on TLS 1.2 migration, please see Solving the TLS 1.0 Problem.
Please note that Azure Guest OS images have had TLS 1.0/1.1 disabled since the Family 6 release in January 2019. Read this guide to troubleshooting issues related to TLS ciphers in Guest OS image.
Please review the existing announcements related to TLS support for Azure services, and continue to watch for further updates.