How to upgrade TLS 1.2 in azure keyvault from portal?

Dutta, Sreya 31 Reputation points
2023-04-13T15:09:45.89+00:00

How to upgrade to TLS 1.2 in Azure Key Vault from the portal? Or is it a required action from the application end?


2 answers

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-04-13T17:54:23.96+00:00

    @Anonymous

    Thank you for your post!

    When it comes to upgrading to TLS 1.2 for the Azure Key Vault, this will need to be enabled on the Application or client and server operating system (OS) end. Because the Key Vault front end is a multi-tenant server, meaning key vaults from different customers can share the same public IP address - it isn't possible for the Key Vault service team to disable old versions of TLS (1.x) for individual key vaults at the transport level.

    For more info - TLS and HTTPS:

    • The Key Vault front end (data plane) is a multi-tenant server. This means that key vaults from different customers can share the same public IP address. In order to achieve isolation, each HTTP request is authenticated and authorized independently of other requests.
    • You may identify older versions of TLS to report vulnerabilities, but because the public IP address is shared, it is not possible for the Key Vault service team to disable old versions of TLS for individual key vaults at the transport level.
    • The HTTPS protocol allows the client to participate in TLS negotiation. Clients can enforce the most recent version of TLS, and whenever a client does so, the entire connection will use the corresponding level of protection. Applications that are communicating with or authenticating against Azure Active Directory might not work as expected if they are NOT able to use TLS 1.2 or a more recent version to communicate.
    • Despite known vulnerabilities in TLS protocol, there is no known attack that would allow a malicious agent to extract any information from your key vault when the attacker initiates a connection with a TLS version that has vulnerabilities. The attacker would still need to authenticate and authorize itself, and as long as legitimate clients always connect with recent TLS versions, there is no way that credentials could have been leaked from vulnerabilities at old TLS versions.

    For Azure Key Vault, ensure that the application accessing the Key Vault service is running on a platform that supports TLS 1.2 or a more recent version. If the application depends on the .NET Framework, it should be updated as well. You can also make the registry changes mentioned in this article to explicitly enable the use of TLS 1.2 at the OS level and for the .NET Framework. To meet compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed in 2023. You can monitor the TLS version used by clients by monitoring Key Vault logs with the sample Kusto query here.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    1 person found this answer helpful.

  2. Md Nasir Uddin 105 Reputation points
    2023-11-20T07:33:25.8166667+00:00

    I shared a solution step; may it help you.

    1. Open the command prompt.
    2. Write down: hostname
    3. Again write down: whoami (note: please open the command prompt with administrator credentials)
    4. regedit

    1. If the hex value is 1, that means TLS version 1.2 is enabled.
    2. If the hex value is 0, that means TLS version 1.2 is disabled.
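As an added example (not part of either answer above), a PowerShell script that reads the SCHANNEL registry value the second answer inspects by hand, plus the .NET Framework 4.x values the first answer alludes to, and reports whether each matches the recommended setting; with `-Apply` it writes those settings. The registry paths are the documented SCHANNEL and .NET Framework keys; the `-Apply` switch and the output format are this example's own.

```powershell
# Added example: check (and optionally set) the client-side TLS 1.2 settings
# that control whether a Windows app will offer TLS 1.2 to Key Vault.
# Run from an elevated PowerShell session; without -Apply nothing is written.
param([switch]$Apply)

# Documented locations: SCHANNEL protocol key and the .NET Framework 4.x keys
# (the Wow6432Node copy is what 32-bit processes on a 64-bit OS read).
$tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$dotNetKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegDword([string]$Path, [string]$Name) {
    # $null means the key or value is absent, so the OS default applies
    # (TLS 1.2 is on by default from Windows 8 / Server 2012 onward).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Desired state: TLS 1.2 client enabled and not disabled by default;
# .NET Framework told to use strong crypto and follow the OS TLS defaults.
$checks = @(
    @{ Path = $tls12Client; Name = 'Enabled';           Want = 1 },
    @{ Path = $tls12Client; Name = 'DisabledByDefault'; Want = 0 }
)
foreach ($k in $dotNetKeys) {
    $checks += @{ Path = $k; Name = 'SchUseStrongCrypto';       Want = 1 }
    $checks += @{ Path = $k; Name = 'SystemDefaultTlsVersions'; Want = 1 }
}

foreach ($c in $checks) {
    $have  = Get-RegDword $c.Path $c.Name
    $state = if ($have -eq $c.Want) { 'OK' }
             elseif ($null -eq $have) { 'MISSING (OS default applies)' }
             else { 'MISMATCH' }
    '{0,-12} {1,-25} have={2} want={3} {4}' -f ($c.Path -split '\\')[-1], $c.Name, $have, $c.Want, $state
    if ($Apply -and $have -ne $c.Want) { Set-RegDword $c.Path $c.Name $c.Want }
}
if ($Apply) { 'Values written; restart the application (ideally the host) so SCHANNEL and .NET pick them up.' }
```

A MISSING row is not a failure on a modern OS, since TLS 1.2 is the default there; a MISMATCH on Enabled or DisabledByDefault is what actually blocks TLS 1.2 and is what the second answer's regedit check is looking for.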
