This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 14.000000000000002%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
According to this announcement in a few weeks TLS 1.0, 1.1 are going to be disabled for:
It also says:
Make sure that applications and PowerShell (that use Microsoft Graph) and Azure AD PowerShell scripts are hosted and run on a platform that supports TLS 1.2.
but does not specify explicitly which endpoints are affected. My guess is that the endpoints include graph.microsoft.com.
What I am not sure about is if login.microsoftonline.com is affected, too. The login endpoint is used by our customers' apps authenticating with a client ID and a secret key (using AppRegistrations). Do they have to make sure that TLS 1.2 is enabled on their machines?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
@Jędrzej Grabowski ,
Yes I believe login.microsoftonline.com is affected too . I am checking more on this and will update the thread. The TLS1.2 needs to be enabled on the client machines whoever try to contact any of the listed Azure AD services in the article.
Thank you! I am looking for a way to check which clients might be affected as described in the article. Step 6. says:
Choose each category of logs:
User interactive
User non-interactive
Managed identity
Our clients log in as Service Principals, but "Service principal Sign-ins" is not mentioned in the quoted list. How can I check service principal sign-ins for the Legacy TLS flag then?
Service principal Sign-ins would come under User non-interactive . Managed identity is also kind of a service principle but its signin logs are marked distinctly . In your case I don't think you should worry about this part . AS you have mentioned earlier.
The login endpoint is used by our customers' apps authenticating with a client ID and a secret key (using AppRegistrations). Do they have to make sure that TLS 1.2 is enabled on their machines?
Any application access over TLS protocol is done at the deeper TCP/IP stack level so as long as the client machines or devices from where the application access is initiated, have TLS 1.2 support enabled there will be no issue in accessing the apps federated with Azure AD (which will use login.microsoftonline.com) . But wherever it is not enabled properly as per the article , you might see issues on those user devices .
Unfortunately service principal sign-ins are not supported properly, I am afraid.
I made a deliberate service principal sign-in using TLS 1.1. I expected to see "legacy TLS" information either in Azure Portal or in the JSON files downloaded (ApplicationSignIns_2022-01-13_2022-01-14).
Even though I can see the sign-in information with the right timestamps - confirming that my legacy sign-in was recorded correctly, neither of them has any reference to "legacy TLS" as stated in View the JSON files.
It seems like a serious issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
When we made the switch to only TLS 1.2 login.microsoftonline.com was not impacted as it was a case-by-case basis. We had to contact MS and have them explicitly disable TLS 1.x for our tenants. I would contact them to see for your case.