Azure Support for TLS 1.0 and TLS 1.1 is Ending
Update February 2025
Resources interacting with Azure Automation using TLS 1.0/1.1 protocol will be blocked from March 1, 2025
Transport Layer Security (TLS) 1.0 and 1.1 are security protocols for establishing encryption channels over computer networks. Starting March 1, 2025, your resources interacting with Azure Automation using TLS 1.0/1.1 protocols won’t be able to connect to Azure Automation. All interactions through Webhooks, Agent-based/Extension-based User Hybrid Runbook Workers, Automation DSC navigating on the outdated TLS protocols will be blocked. All jobs running or scheduled on Hybrid Workers using TLS 1.0 and 1.1 protocols will fail.
See the following article on updating your Automation Account TLS Security - Management of Azure Automation data
Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a client, like a web browser. This link ensures that all data passed between the server and the client remain private and encrypted.
To enhance security and provide best-in-class encryption for your data, Microsoft require interactions with Azure services to be secured using Transport Layer Security (TLS) 1.2 or later beginning 31 October 2024, when support for TLS 1.0 and 1.1 will end.
The Microsoft implementation of older TLS versions is not known to be vulnerable, however, TLS 1.2 and later offer improved security with features such as perfect forward secrecy and stronger cipher suites.
Recommended action
To avoid potential service disruptions, confirm that your resources that interact with Azure services are using TLS 1.2 or later. Then:
- If they’re already exclusively using TLS 1.2 or later, you don’t need to take further action.
- If they still have a dependency on TLS 1.0 or 1.1, transition them to TLS 1.2 or later by 31 October 2024.
Common Resources that use TLS
Azure App Services
Transport Layer Security (TLS) is a widely adopted security protocol designed to secure connections and communications between servers and clients. App Service allows customers to use TLS/SSL certificates to secure incoming requests to their web apps. App Service currently supports different set of TLS features for customers to secure their web apps.
While App Services support TLS versions 1.0, 1.1, 1.2, and 1.3, the minimum default is set to use TLS 1.2. So there should be nothing to worry about here unless you have customized the App Service to use 1.0 or 1.1.
Azure App Service TLS overview.
Azure Application Gateways
You can use Azure Application Gateway to centralize TLS/SSL certificate management and reduce encryption and decryption overhead from a backend server farm. This centralized TLS handling also lets you specify a central TLS policy that’s suited to your organizational security requirements. This helps you meet compliance requirements as well as security guidelines and recommended practices.
The TLS policy includes control of the TLS protocol version as well as the cipher suites and the order in which ciphers are used during a TLS handshake. Application Gateway offers two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy.
Similarly to App Serivces, AppGW’s support TLS versions 1.0, 1.1, 1.2, and 1.3 and again use 1.3 by default. Custom policies can be applied to use other versions.
Application Gateway TLS policy overview.
Azure Front Door
Azure Front Door supports four versions of the TLS protocol: TLS versions 1.0, 1.1, 1.2 and 1.3. All Azure Front Door profiles created after September 2019 use TLS 1.2 as the default minimum with TLS 1.3 enabled, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
Although Azure Front Door supports TLS 1.2, which introduced client/mutual authentication in RFC 5246, currently, Azure Front Door doesn’t support client/mutual authentication (mTLS) yet.
While AFD currently supports TLS 1.0 and 1.1, that support will end by the 1st December 2024.