June 25, 2025
Microsoft announced the retirement of TLS 1.0 and TLS 1.1 for Azure Services, including Azure SQL Database, Azure SQL Managed Instance, Cosmos DB, and Azure Database for MySQL by August 31, 2025. Customers are required to upgrade to a more secure minimum TLS protocol version of TLS 1.2 for client-server connections to safeguard data in transit and meet the latest security standards.
The retirement of TLS 1.0 and 1.1 for Azure databases was originally scheduled for August 2024. To support customers in completing their upgrades, the deadline was extended to August 31, 2025.
Starting August 31, 2025, we will force-upgrade servers with a minimum TLS version of 1.0 or 1.1 to TLS 1.2. Connections using TLS 1.0 or 1.1 will be disallowed, and connectivity will fail. To avoid potential service interruptions, we strongly recommend customers complete their migration to TLS 1.2 before August 31, 2025.
Why TLS 1.0 and 1.1 Are Being Deprecated
TLS (Transport Layer Security) protocols are vital in ensuring encrypted data transmission between clients and servers. However, TLS 1.0 and 1.1, introduced in 1999 and 2006 respectively, are now outdated and vulnerable to modern attack vectors. By retiring these versions, Microsoft is taking a proactive approach to enhance the security landscape for Azure services such as Azure databases.
Security Benefits of Upgrading to TLS 1.2
- Enhanced encryption algorithms: TLS 1.2 provides stronger cryptographic protocols, reducing the risk of exploitation.
- Protection against known vulnerabilities: Deprecated versions are susceptible to attacks such as BEAST, POODLE, and others that TLS 1.2 addresses.
- Compliance with industry standards: Many regulations, including GDPR, PCI DSS, and HIPAA, mandate the use of secure, modern TLS versions.
How to Verify and Update TLS Settings for Azure Database Services
For instructions on how to verify your Azure database is configured with minimum TLS 1.2 or upgrade the minimum TLS setting to 1.2, follow the respective guide below for your database service.
Azure SQL Database and Azure SQL Managed Instance
The Azure SQL Database and SQL Managed Instance minimum TLS version setting allows customers to choose which version of TLS their database uses.
Azure SQL Database
To identify clients that are connecting to your Azure SQL DB using TLS 1.0 and 1.1, SQL audit logs must be enabled. With auditing enabled you can view client connections:
Connectivity settings – Azure SQL Database and SQL database in Fabric | Microsoft Learn
To configure the minimum TLS version for your Azure SQL DB using the Azure portal, Azure PowerShell or Azure CLI:
Connectivity settings – Azure SQL Database and SQL database in Fabric | Microsoft Learn
Azure SQL Managed Instance
To identify clients that are connecting to your Azure SQL MI using TLS 1.0 and 1.1, auditing must be enabled. With auditing enabled, you can consume audit logs using Azure Storage, Event Hubs or Azure Monitor Logs to view client connections:
Configure auditing – Azure SQL Managed Instance | Microsoft Learn
To configure the minimum TLS version for your Azure SQL MI using Azure PowerShell or Azure CLI:
Configure minimal TLS version – managed instance – Azure SQL Managed Instance | Microsoft Learn
Azure Cosmos DB
The minimum service-wide accepted TLS version for Azure Cosmos DB is TLS 1.2, but this selection can be changed on a per-account basis.
To verify the minimum TLS version, check the minimalTlsVersion property on your Cosmos DB account:
Self-serve minimum tls version enforcement in Azure Cosmos DB – Azure Cosmos DB | Microsoft Learn
To configure the minimum TLS version for your Cosmos DB account using the Azure portal, Azure PowerShell, Azure CLI or an ARM template:
Self-serve minimum tls version enforcement in Azure Cosmos DB – Azure Cosmos DB | Microsoft Learn
Azure Database for MySQL
Azure Database for MySQL supports encrypted connections using TLS 1.2 by default, and all incoming connections with TLS 1.0 and TLS 1.1 are denied by default, though users are allowed to change the setting.
To verify the minimum TLS version configured in the tls_version server parameter of your Azure DB for MySQL server using the MySQL command-line interface:
Encrypted Connectivity Using TLS/SSL – Azure Database for MySQL – Flexible Server | Microsoft Learn
To configure the minimum TLS version for your Azure DB for MySQL server using the MySQL command-line interface:
If your database is currently configured with a minimum TLS setting of TLS 1.2, no action is required.
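Each service spells its setting differently, so the values read from the guides above are awkward to compare by eye across an estate. The following is an added example, not code from Microsoft's guides: it normalises the three formats and flags anything that still admits TLS 1.0 or 1.1. The value spellings (None/1.0/1.1/1.2 for Azure SQL, Tls/Tls11/Tls12 for Cosmos DB, a comma-separated TLSv1.x list for the MySQL tls_version parameter) are assumptions based on each service's documented format, and the resource names are constructed.

```python
"""Triage minimum-TLS settings from Azure SQL, Cosmos DB and MySQL (added example)."""

REQUIRED = (1, 2)

# Each service spells its setting differently; map all spellings to (major, minor).
# Spellings are assumptions based on each service's documented value format.
VERSIONS = {
    "1.0": (1, 0), "1.1": (1, 1), "1.2": (1, 2), "1.3": (1, 3),   # Azure SQL minimalTlsVersion
    "tls": (1, 0), "tls11": (1, 1), "tls12": (1, 2),              # Cosmos DB minimalTlsVersion
    "tlsv1": (1, 0), "tlsv1.1": (1, 1), "tlsv1.2": (1, 2), "tlsv1.3": (1, 3),  # MySQL tls_version
}

def lowest_accepted(raw):
    """Lowest TLS version the setting admits; None when a token is unrecognised."""
    tokens = [t.strip().lower() for t in (raw or "none").split(",") if t.strip()]
    if not tokens or tokens == ["none"]:
        return (1, 0)          # no minimum enforced, so TLS 1.0 is still accepted
    parsed = [VERSIONS.get(t) for t in tokens]
    return None if None in parsed else min(parsed)

def audit(inventory):
    """Return (name, service, action, detail) for every entry not at TLS 1.2+."""
    findings = []
    for name, service, raw in inventory:
        low = lowest_accepted(raw)
        if low is None:        # fail closed: unknown values need a human look
            findings.append((name, service, "review", f"unrecognised value {raw!r}"))
        elif low < REQUIRED:
            findings.append((name, service, "upgrade", f"accepts TLS {low[0]}.{low[1]}"))
    return findings

# Constructed sample inventory (hypothetical resource names and settings).
SAMPLE = [
    ("sql-orders", "Azure SQL Database", "1.2"),
    ("sql-legacy", "Azure SQL Database", "None"),
    ("mi-finance", "Azure SQL Managed Instance", "1.1"),
    ("cosmos-cart", "Azure Cosmos DB", "Tls12"),
    ("cosmos-old", "Azure Cosmos DB", "Tls"),
    ("mysql-web", "Azure Database for MySQL", "TLSv1.2,TLSv1.3"),
    ("mysql-batch", "Azure Database for MySQL", "TLSv1,TLSv1.1,TLSv1.2"),
    ("mysql-odd", "Azure Database for MySQL", "SSLv3"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An Azure SQL value of None and a MySQL list that still contains TLSv1 are both reported as accepting TLS 1.0, because the lowest admitted version is what decides whether a legacy client can still connect.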
Conclusion
The deprecation of TLS 1.0 and 1.1 marks a significant milestone in enhancing the security of Azure databases. By transitioning to TLS 1.2, users can ensure highly secure encrypted data transmission, compliance with industry standards, and robust protection against evolving cyber threats. Upgrade to TLS 1.2 now to prepare for this change and maintain secure, compliant database connectivity settings.
Note: If you have workloads with dependencies on TLS 1.0 or 1.1 that may impact your ability to transition, please complete and submit a request to help us better understand and support your scenario.