Preparing for TLS 1.2 in Microsoft Azure
Updated: March 10, 2020
Microsoft Azure recommends that all customers complete their migration to solutions that support Transport Layer Security (TLS) 1.2 and make sure that TLS 1.2 is used by default.
All Azure services fully support TLS 1.2, and services where customers are using only TLS 1.2 have switched to accepting only TLS 1.2 traffic. Services that currently accept TLS 1.0/1.1 traffic will continue supporting these protocol versions until further notice to ensure compatibility with existing applications. While Microsoft’s TLS 1.0 implementation has no known security vulnerabilities, it’s important to account for potential future protocol downgrade attacks and other TLS vulnerabilities. Microsoft continues to monitor the security landscape and will reevaluate its position when necessary.
We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of TLS with Azure services.
As previously stated, Microsoft is driving a long-term shift to refuse legacy protocol and cipher suite connections. Evaluate your workloads for TLS 1.2 readiness and develop a migration plan.
Azure has completed the engineering work to remove dependency on TLS 1.0/1.1 protocols and provide full support to customers that want to have their workloads configured to accept and initiate only TLS 1.2 connections.
All customers should configure their Azure-hosted workloads and their on-premises applications that interact with Azure services to use TLS 1.2 by default. For additional information on TLS 1.2 migration, please see Solving the TLS 1.0 Problem.
Note that Azure Guest OS images have had TLS 1.0/1.1 disabled since the Family 6 release in January 2019. Read this guide to troubleshooting issues related to TLS ciphers in Guest OS images.
Please review the existing announcements related to TLS support for Azure services and continue to watch for further updates.