detected critical or warning alerts on your Microsoft Entra Domain Services managed domain, caux.ch

Peter Osazuwa 41 Reputation points
2025-05-07T11:56:51.5233333+00:00

We are receiving this email alert "You have alerts on your managed domain

We detected critical or warning alerts on your Microsoft Entra Domain Services managed domain, caux.ch, on May 7, 2025 10:24 UTC. These issues may negatively affect your service—please resolve them as soon as possible.

To see your alerts and check the health of your managed domain, visit the Health page on the [Azure portal](https://portal.azure.com/), or click the button below."

Here are further details in the portal: "The managed domain has detected usage of a deprecated TLS version, which is scheduled for retirement."

Severity: Critical

ID: AADDS600

When we run "To assist with issue, run the Microsoft Entra Domain Services Network diagnostics", we can't find any issues. The result comes back as "Diagnostics completed successfully... Validation OK". Can you help please?

Microsoft Security | Microsoft Entra | Microsoft Entra Internet Access

Accepted answer
  1. Harshitha Eligeti 4,380 Reputation points Microsoft External Staff Moderator
    2025-05-08T00:03:00.51+00:00

    Hello @Peter Osazuwa
    I understand that you received an email regarding critical or warning alerts on your Microsoft Entra Domain Services (MEDS) managed domain, [caux.ch], on May 7, 2025, at 10:24 UTC.

    The health of your managed domain is continuously monitored by the Azure platform, and any critical issues are reported via email notifications. These alerts indicate urgent concerns that may impact the service and require immediate attention.

    Please follow the steps below to check and resolve alerts:

    1. Check the Health Status

    Navigate to the Microsoft Entra admin center → Domain Services → Select your managed domain, such as abc.com → Health page to view active alerts. Review any warnings or critical issues that may require action.

    2. Resolve Configuration Issues

    If the alerts indicate a configuration problem, apply the suggested fixes. Wait up to six hours after making changes and check if the alert is cleared.

    If no alerts appear in the Domain Services Health page, the issue may have been automatically resolved by Azure or addressed by another administrator who also received the notification.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/domain-services/notifications

    Regarding the alert "The managed domain has detected usage of a deprecated TLS version, which is scheduled for retirement": to identify where the old TLS version is being used, you can follow the instructions below. Primarily, check which protocol call is being used; for that, follow the steps below:

    Press Windows+R to open the Run box.

    Type inetcpl.cpl and then select OK. Then, the Internet Properties window is opened. In the Internet Properties window, select the Advanced tab and scroll down to check the settings related to TLS.

    To help you identify any clients or apps that still use legacy TLS in your environment, view the Microsoft Entra sign-in logs. For clients or apps that sign in over legacy TLS, Microsoft Entra ID marks the Legacy TLS field in Additional Details with True. The Legacy TLS field only appears if the sign-in occurred over legacy TLS. If you don't see any legacy TLS in your logs, you're ready to switch to TLS 1.2.

    To find the sign-in attempts that used legacy TLS protocols, an administrator can review the logs by:

    - Exporting and querying the logs in Azure Monitor.
    - Downloading the last seven days of logs in JavaScript Object Notation (JSON) format.
    - Filtering and exporting sign-in logs using PowerShell.

    You can follow this document: Telemetry in the sign-in logs

    After you obtain the logs, you can get more details about legacy TLS-based sign-in log entries in the Microsoft Entra admin center.

    Microsoft Entra Domain Services supports TLS versions 1.0 and 1.1, but they're disabled by default. Domain Services will use the following retirement path for TLS versions 1.0 and 1.1:

    - Domain Services will remove the ability to disable the TLS 1.2 only mode.
    - Customers who disable TLS 1.2 only mode can enable it.
    - After Domain Services removes the ability to disable the TLS 1.2 only mode, customers can't enable or disable TLS 1.2 only mode.
    - The Domain Services team will work with customers who need TLS versions 1.0 and 1.1.

    You can follow the document to migrate to TLS 1.2 only mode in Domain Services: Domain Services TLS Enforcement

    For detailed information, follow these documents: "Enable support for TLS 1.2 in your environment for Microsoft Entra TLS 1.1 and 1.0 deprecation" and "Transport Layer Security (TLS) 1.2 enforcement for Microsoft Entra Domain Services".

    By following these steps, you can track down where the old TLS version is being used in your environment and take the necessary actions to update to a secure TLS version. If you need further assistance or have any specific questions, feel free to ask.

    1 person found this answer helpful.
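
The sign-in log review described in the accepted answer, as an added example that is not part of the original answer or Microsoft's own tooling: a Python filter over a sign-in log JSON export that keeps entries whose Legacy TLS detail is True and groups them by application and source IP. The field names (`authenticationProcessingDetails` with `key`/`value` pairs, `appDisplayName`, `ipAddress`) are assumed to follow the Microsoft Graph sign-in schema and may differ in a portal download; the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of a sign-in log export; not real tenant data.
LEGACY = [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "True"}]
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2025-05-06T08:12:44Z", "appDisplayName": "Legacy Scanner",
     "ipAddress": "192.0.2.10", "authenticationProcessingDetails": LEGACY},
    {"createdDateTime": "2025-05-06T09:40:02Z", "appDisplayName": "Legacy Scanner",
     "ipAddress": "192.0.2.10", "authenticationProcessingDetails": LEGACY},
    {"createdDateTime": "2025-05-06T10:01:17Z", "appDisplayName": "Old Mail Client",
     "ipAddress": "198.51.100.7", "authenticationProcessingDetails": LEGACY},
    # Modern TLS: the Legacy TLS detail is simply absent from the entry.
    {"createdDateTime": "2025-05-06T10:05:00Z", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.5",
     "authenticationProcessingDetails": [{"key": "Root Key Type", "value": "Unknown"}]},
    {"createdDateTime": "2025-05-06T10:06:00Z", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.5", "authenticationProcessingDetails": None},
])


def is_legacy_tls(entry):
    """True when the entry carries a Legacy TLS detail whose value is True."""
    for detail in entry.get("authenticationProcessingDetails") or []:
        key = str(detail.get("key", ""))
        value = str(detail.get("value", ""))
        if "legacy tls" in key.lower() and value.strip().lower() == "true":
            return True
    return False


def legacy_tls_sign_ins(export_text):
    """Parse an export (a bare list or a {"value": [...]} wrapper) and keep legacy TLS entries."""
    entries = json.loads(export_text)
    if isinstance(entries, dict):
        entries = entries.get("value", [])
    return [e for e in entries if is_legacy_tls(e)]


def summarize(hits):
    """Count legacy TLS sign-ins per (app, source IP) so the owners can be tracked down."""
    return Counter((h.get("appDisplayName"), h.get("ipAddress")) for h in hits)


if __name__ == "__main__":
    for (app, ip), n in summarize(legacy_tls_sign_ins(SAMPLE_EXPORT)).most_common():
        print(f"{n:3d}  {app}  {ip}")
```

An empty result matches the answer's condition for being ready to switch to TLS 1.2 only mode; any rows identify the clients to upgrade first.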
