The managed domain has detected usage of a deprecated TLS version, which is scheduled for retirement.

Michael Nelson 5 Reputation points
2025-05-05T13:00:59.87+00:00

We're getting "managed domain has detected usage of a deprecated TLS version, which is scheduled for retirement" alerts on two different tenants, but the alert does not tell where the old TLS is being used, and I don't know how to track it down. See attached screenshot for alert.

Microsoft Entra ID

1 answer

  1. Goutam Pratti 5,225 Reputation points Microsoft External Staff Moderator
    2025-05-05T21:28:10.8133333+00:00

    Hello @Michael Nelson ,

    I understand that you are receiving alerts in two different tenants indicating that a managed domain has detected the use of a deprecated TLS version scheduled for retirement. To identify where the old TLS version is being used, you can follow the instructions below.

    First, check which protocol is being used; to do that, follow the steps below:

    1. Press Windows+R to open the Run box.
    2. Type inetcpl.cpl and then select OK. Then, the Internet Properties window is opened.
    3. In the Internet Properties window, select the Advanced tab and scroll down to check the settings related to TLS.

    To help you identify any clients or apps that still use legacy TLS in your environment, view the Microsoft Entra sign-in logs. For clients or apps that sign in over legacy TLS, Microsoft Entra ID marks the Legacy TLS field in Additional Details with True. The Legacy TLS field only appears if the sign-in occurred over legacy TLS. If you don't see any legacy TLS in your logs, you're ready to switch to TLS 1.2.

    To find the sign-in attempts that used legacy TLS protocols, an administrator can review the logs by:

    • Exporting and querying the logs in Azure Monitor.
    • Downloading the last seven days of logs in JavaScript Object Notation (JSON) format.
    • Filtering and exporting sign-in logs using PowerShell.

    You can follow this document: Telemetry in the sign-in logs

    After you obtain the logs, you can get more details about legacy TLS-based sign-in log entries in the Microsoft Entra admin center.

    Microsoft Entra Domain Services supports TLS versions 1.0 and 1.1, but they're disabled by default. Domain Services will use the following retirement path for TLS versions 1.0 and 1.1:

    1. Domain Services will remove the ability to disable the TLS 1.2 only mode. Customers who disable TLS 1.2 only mode can enable it.
    2. After Domain Services removes the ability to disable the TLS 1.2 only mode, customers can't enable or disable TLS 1.2 only mode.
    3. The Domain Services team will work with customers who need TLS versions 1.0 and 1.1.

    You can follow the document to migrate TLS 1.2 only mode in Domain Services: Domain Services TLS Enforcement

    For detailed information, follow these documents: Enable support for TLS 1.2 in your environment for Microsoft Entra TLS 1.1 and 1.0 deprecation, Transport Layer Security (TLS) 1.2 enforcement for Microsoft Entra Domain Services

    By following these steps, you can track down where the old TLS version is being used in your environment and take the necessary actions to update to a secure TLS version. If you need further assistance or have any specific questions, feel free to ask.
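As an added example (not part of the answer above, and not Microsoft's own tooling): a small Python script that takes the downloaded JSON export of sign-in logs and summarises, by application, client IP, user agent and user, the entries whose Additional Details carry a Legacy TLS flag set to True. The JSON key names (additionalDetails, appDisplayName, ipAddress, userAgent, userPrincipalName) and the sample entries are assumptions; adjust them to match the export you actually download.

```python
import json
from collections import Counter

# Constructed sample of an exported sign-in log (not real data). The key names
# below are an assumption; the admin center shows the flag as "Legacy TLS" under
# "Additional Details", and the field is present only for legacy-TLS sign-ins.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Legacy Sync Agent",
     "ipAddress": "203.0.113.10", "userAgent": "SyncAgent/1.4",
     "additionalDetails": {"Legacy TLS (TLS 1.0, 1.1, or 3DES)": "True"}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Legacy Sync Agent",
     "ipAddress": "203.0.113.10", "userAgent": "SyncAgent/1.4",
     "additionalDetails": {"Legacy TLS (TLS 1.0, 1.1, or 3DES)": True}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "userAgent": "Outlook/16.0",
     "additionalDetails": {}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Old Mail Client",
     "ipAddress": "192.0.2.44", "userAgent": "MailApp/2.0",
     "additionalDetails": [{"key": "Legacy TLS", "value": "True"}]},
])

def _details_as_dict(details) -> dict:
    """Normalise 'additionalDetails' whether it is a dict or a list of key/value pairs."""
    if isinstance(details, dict):
        return details
    if isinstance(details, list):
        return {d.get("key", ""): d.get("value") for d in details if isinstance(d, dict)}
    return {}

def is_legacy_tls(entry: dict) -> bool:
    """True if the entry carries a 'Legacy TLS' detail set to true (bool or string)."""
    for key, value in _details_as_dict(entry.get("additionalDetails")).items():
        if key.strip().lower().startswith("legacy tls"):
            return str(value).strip().lower() == "true"
    return False  # field absent: the sign-in did not use legacy TLS

def find_legacy_tls_sources(raw_json: str) -> dict:
    """Summarise legacy-TLS sign-ins by application, client IP, user agent and user."""
    by_app, by_ip, by_agent = Counter(), Counter(), Counter()
    users = set()
    for entry in json.loads(raw_json):
        if not is_legacy_tls(entry):
            continue
        by_app[entry.get("appDisplayName", "<unknown app>")] += 1
        by_ip[entry.get("ipAddress", "<unknown ip>")] += 1
        by_agent[entry.get("userAgent", "<unknown agent>")] += 1
        users.add(entry.get("userPrincipalName", "<unknown user>"))
    return {"total": sum(by_app.values()), "by_app": dict(by_app),
            "by_ip": dict(by_ip), "by_user_agent": dict(by_agent), "users": sorted(users)}
```

Run `find_legacy_tls_sources(open("signins.json").read())` on a real export; the app, IP and user-agent counts point at the clients still negotiating TLS 1.0/1.1.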

