Azure SQL Managed Instance Tls Version Check

Padmanaban, Poobalan 20 Reputation points
2025-05-28T18:34:29.0933333+00:00

As per the Azure portal, all managed instances are configured to use TLS 1.2. However, we received an email stating, "Microsoft has identified the following resources that have active TLS 1.0/1.1 traffic to Azure SQL Managed Instance." To investigate, we executed queries in Azure CLI and Azure Monitor, but were unable to identify any resources using TLS 1.0 or 1.1. Please advise on how to accurately check which resources are using TLS 1.2 or lower.

az sql mi show --name <ManagedInstanceName> --resource-group <ResourceGroupName> --query minimalTlsVersion -- Received output as Tls1.2

AzureDiagnostics
| where ResourceType == "MANAGEDINSTANCES"
| where isnotempty(tlsVersion_s)
| where tlsVersion_s == "TLS1_0" or tlsVersion_s == "TLS1_1"
| project TimeGenerated, client_ip_s, tlsVersion_s, database_name_s, application_name_s
| sort by TimeGenerated desc -- No Result

Azure SQL Database
  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2025-05-28T22:37:59.99+00:00

    Hello Padmanaban, Poobalan,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    You need to investigate further by taking the steps below:

    1. Use SQL extended events to detect TLS versions at handshake:
         -- Extended Events predicates do not support LIKE, so the session
         -- captures every connectivity record; the text filter is applied
         -- when the ring buffer is read back below.
         CREATE EVENT SESSION [TrackTLS] ON SERVER
         ADD EVENT sqlserver.connectivity_ring_buffer_recorded
         ADD TARGET package0.ring_buffer;
         ALTER EVENT SESSION [TrackTLS] ON SERVER STATE = START;
      
      Retrieve session logs:
         -- Join the target to its session so only TrackTLS's buffer is read,
         -- and shred the RingBufferTarget XML into one row per captured event.
         SELECT
             ev.value('@name', 'varchar(50)') AS event_name,
             ev.value('@timestamp', 'datetime2') AS event_time,
             ev.query('.') AS record
         FROM sys.dm_xe_sessions AS s
         JOIN sys.dm_xe_session_targets AS t
             ON t.event_session_address = s.address
         CROSS APPLY (SELECT CAST(t.target_data AS XML) AS xml_data) AS x
         CROSS APPLY x.xml_data.nodes('RingBufferTarget/event') AS n(ev)
         WHERE s.name = 'TrackTLS'
           AND t.target_name = 'ring_buffer'
           AND CAST(ev.query('.') AS nvarchar(max)) LIKE '%TLS%';
      
      For more reading on SQL Server Extended Events - https://learn.microsoft.com/en-us/sql/relational-databases/extended-events/extended-events?view=sql-server-ver16
    2. Use Defender for Cloud to identify legacy connections. If enabled, Microsoft Defender for Cloud can reveal use of legacy protocols; filter for SQL-specific recommendations. Details can be found at https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-sql-introduction
    3. Perform an audit by taking inventory of the client systems connecting to the Managed Instance:
      • Use SQL audit logs to get application names (application_name_s)
      • Match against TLS compatibility:
      • .NET Framework < 4.6 – TLS 1.2 not default
      • JDBC < 6.4 – no enforced TLS 1.2
      • ODBC, PHP, etc., might default to TLS 1.0 if not configured
      Read more here - https://learn.microsoft.com/en-us/sql/connect/sql-connection-libraries?view=sql-server-ver15
    4. Check NSG flow logs or Azure Firewall logs for TLS connection attempts and their IP sources. More details are in the following links: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview and https://learn.microsoft.com/en-us/azure/firewall/premium-features#tls-inspection
    5. Finally, if you are unable to trace TLS 1.0/1.1 with the above methods, open a Microsoft Support Ticket via your Portal or Priority Customer Support - https://learn.microsoft.com/en-us/azure/azure-portal/supportability/priority-community-support requesting the source of the telemetry used to flag the non-compliant connections. This requires you to have a paid subscription.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close the thread here by upvoting and accepting it as an answer if it is helpful.

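The client inventory that step 3 of the answer asks for, as an added example that is not part of the question or the answer: a Python script that groups exported AzureDiagnostics rows (the columns from the question's KQL) by client IP and application, lists the TLS versions each negotiated, and counts rows whose tlsVersion_s is empty, which the question's isnotempty filter silently drops. The JSON export format and the sample rows are constructed assumptions.

```python
"""Inventory TLS versions per client from exported Azure SQL MI diagnostics rows.

Added example, not code from the question or the answer. Assumes rows were
exported from the AzureDiagnostics table as a JSON array carrying the columns
the question projects: TimeGenerated, client_ip_s, tlsVersion_s,
database_name_s, application_name_s.
"""
import json
from collections import defaultdict

LEGACY = {"TLS1_0", "TLS1_1"}  # the values the question's KQL filters on

# Constructed sample export (not real telemetry); note the row with an empty tlsVersion_s.
SAMPLE_EXPORT = json.dumps([
    {"TimeGenerated": "2025-05-27T09:12:00Z", "client_ip_s": "10.1.0.4",
     "tlsVersion_s": "TLS1_2", "database_name_s": "Sales", "application_name_s": "ReportSvc"},
    {"TimeGenerated": "2025-05-27T09:13:00Z", "client_ip_s": "10.1.0.9",
     "tlsVersion_s": "TLS1_0", "database_name_s": "Sales", "application_name_s": "LegacyETL"},
    {"TimeGenerated": "2025-05-27T09:14:00Z", "client_ip_s": "10.1.0.9",
     "tlsVersion_s": "TLS1_2", "database_name_s": "Sales", "application_name_s": "LegacyETL"},
    {"TimeGenerated": "2025-05-27T09:15:00Z", "client_ip_s": "10.1.0.12",
     "tlsVersion_s": "", "database_name_s": "HR", "application_name_s": "Payroll"},
])


def inventory(export_json):
    """Return ({(client_ip, application): {"versions": set, "rows": int}}, unrecorded).

    Rows with an empty tlsVersion_s are counted in `unrecorded` so that
    'no legacy rows' can be told apart from 'no TLS version recorded at all'.
    """
    clients = defaultdict(lambda: {"versions": set(), "rows": 0})
    unrecorded = 0
    for row in json.loads(export_json):
        version = row.get("tlsVersion_s") or ""
        if not version:
            unrecorded += 1
            continue
        key = (row["client_ip_s"], row["application_name_s"])
        clients[key]["versions"].add(version)
        clients[key]["rows"] += 1
    return dict(clients), unrecorded


def legacy_clients(export_json):
    """Clients that negotiated TLS 1.0 or 1.1 at least once, sorted for reporting."""
    clients, _ = inventory(export_json)
    return sorted(key for key, info in clients.items() if info["versions"] & LEGACY)


if __name__ == "__main__":
    clients, unrecorded = inventory(SAMPLE_EXPORT)
    for (ip, app), info in sorted(clients.items()):
        print(f"{ip:<12} {app:<10} {sorted(info['versions'])} rows={info['rows']}")
    print(f"rows without tlsVersion_s: {unrecorded}")
    print("legacy clients:", legacy_clients(SAMPLE_EXPORT))
```

A client that appears with both TLS1_0 and TLS1_2, as LegacyETL does here, is typically one host running a mix of driver versions, so the per-client version set is more useful than the raw row list.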
