Preparing for TLS 1.2 in Office 365 and Office 365 GCC
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Summary
To provide the best-in-class encryption to our customers, Microsoft has deprecated Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365 and Office 365 GCC. We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of the TLS service.
The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we discontinued support for TLS 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC.
For information about how to remove TLS 1.0 and 1.1 dependencies, see the following white paper: Solving the TLS 1.0 problem.
After you upgrade to TLS 1.2, make sure that the cipher suites you're using are supported by Azure Front Door. Microsoft 365 and Azure Front Door have slight differences in cipher suite support. For details, see What are the current cipher suites supported by Azure Front Door?.
More information
We began deprecation of TLS 1.0 and 1.1 as of January 2020. Any clients, devices, or services that connect to Office 365 through TLS 1.0 or 1.1 in our DoD or GCC High instances are unsupported. For our commercial customers of Office 365, deprecation of TLS 1.0 and 1.1 began October 15, 2020 and rollout continued over the following weeks and months.
We recommend that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services. You might have to update certain client-server and browser-server combinations.
Note
For SMTP Inbound mail flow, after deprecation of TLS 1.0 and 1.1, we will accept only TLS 1.2 connection. However, we will continue accepting SMTP Connection which is unencrypted without any TLS. We do not recommend email transmission without any encryption.
You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see How to enable Transport Layer Security (TLS) 1.2 on clients.
The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service.
- Android 4.3 and earlier versions
- Firefox version 5.0 and earlier versions
- Internet Explorer 8-10 on Windows 7 and earlier versions
- Internet Explorer 10 on Windows Phone 8
- Safari 6.0.4/OS X10.8.4 and earlier versions
TLS 1.2 for Microsoft Teams Rooms and Surface Hub
Microsoft Teams Rooms (previously known as Skype Room System V2 SRS V2) have supported TLS 1.2 since December 2018. We recommend that Rooms devices have Microsoft Teams Rooms app version 4.0.64.0 or later installed. For more information, see the Release notes. The changes are backward and forward compatible.
Surface Hub released TLS 1.2 support in May 2019.
TLS 1.2 support for Microsoft Teams Rooms and Surface Hub products also requires the following server-side code changes:
Skype for Business Online server changes were made live in April 2019. Now, Skype for Business Online supports connecting Microsoft Teams Rooms and Surface Hub devices by using TLS 1.2.
Skype for Business Server customers must install a cumulative update (CU) to use TLS 1.2 for Teams Rooms Systems and Surface Hub.
- For Skype for Business Server 2015, CU9 is already released in May 2019.
- For Skype for Business Server 2019, CU1 was previously planned for April 2019 but is delayed to June 2019.
Note
Skype for Business on-premises customers should not disable TLS 1.0/1.1 before installing specific CUs for Skype for Business Server.
If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.
References
The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1.
- For Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information see KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows.
- TLS cipher suites supported by Office 365
- To start addressing weak TLS use by removing TLS 1.0 and 1.1 dependencies, see TLS 1.2 support at Microsoft.
- New IIS functionality makes it easier to find clients on Windows Server 2012 R2 and Windows Server 2016 that connect to the service by using weak security protocols.
- Get more information about how to solve the TLS 1.0 problem.
- For general information about our approach to security, go to the Office 365 Trust Center.
- To identify the TLS version that is used by SMTP clients, see SMTP Auth clients report in the EAC.
- Preparing for TLS 1.0/1.1 Deprecation - Office 365 Skype for Business
- Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
- Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
- Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
- Enable TLS 1.1 and TLS 1.2 support in Office Online Server
- Enable TLS and SSL support in SharePoint 2013
- Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2016
- Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2019