1. Home
  2. Policy
  3. Transport Layer Security (TLS) Deprecation Guidance

Transport Layer Security (TLS) Deprecation Guidance



Microsoft Deprecation of TLS 1.0 and 1.1 in Azure Active Directory 

Transport Layer Security (TLS) is a way of encrypting data in transit and was first released in the 1990s. Versions 1.0 and 1.1 are no longer compliant with latest security requirements and are being retired by most vendors in favour of version 1.2 and 1.3.  Microsoft are planning to deprecate their support for TLS 1.0 and TLS 1.1 in Azure AD (AAD) and Active Director Federated Services (ADFS) on the 31st January 2022 which is being applied globally.   

NHSmail Active Directory Federated Services (ADFS)

The NHSmail Active Directory Federated Services (ADFS) is used to authenticate to NHSmail when logging on and used by many applications for single sign on. 

The NHSmail team has been working with Microsoft to identify nhs.net accounts that are using clients or applications that are still using TLS 1.0 or TLS 1.1. These organisations with accounts still using these versions will be contacted by their regional security representative and Product Implementation & Relationship Manager as well as the NHSmail service team to provide additional information to assist in organisations identifying impacted areas with their local infrastructure. 

For NHSmail Active Directory Federated Services (ADFS) TLS 1.0 and TLS 1.1 it will be disabled from 30 September 2022.   

Other Instances of Azure Active Directory 

If your organisation runs its own Azure Active Directory and Active Directory Federated Services (ADFS) instance you will need to review your sign in logs to identify any users still logging in with TLS 1.0 and 1.1 and remediate by 31 January 2022 when Microsoft will start making the changes to all other tenants. 

How might this change affect your organisation? 

If you have clients or use applications that communicate with or authenticate against Azure Active Directory and Active Directory Federated Services (ADFS), then those applications might not work as expected or at all if they cannot use TLS 1.2 to communicate. 

  • Windows Vista does not work with or support TLS 1.2 
  • Windows 7 supports TLS 1.2, but it is disabled by default 
  • Windows 8.1 and later supports TLS 1.2, and it is enabled by default 

What you need to do to prepare: 

Use TLS 1.2 and modern cipher suites on client/server applications/OS, communicating with Azure Active Directory, for Azure workloads or Microsoft 365 services. 

To avoid any service impact, we strongly advise that you start transitioning to TLS 1.2 as soon as possible. 

For more information/guidance related to this retirement, please refer to:  

Enable TLS 1.2 support as Azure AD TLS 1.0/1.1 is deprecated – Active Directory | Microsoft Docs 

Microsoft Deprecation of TLS 1.0 and 1.1 in O365 and Exchange Online 

Microsoft started removing access within O365 and Exchange Online for connectivity using TLS versions 1.0 and 1.1 on 15 October 2020. This means any clients, devices, or services that connect to Office 365 through TLS 1.0 or 1.1 will have already stopped working.

Important Note

If you are using TLS 1.0 or 1.1 and do not follow this guidance, there will be an impact to NHSmail and services connecting through 0365 will stop working.

What are we asking you to do?

It is important that you carry out a review of your organisation’s use of TLS and upgrade to supported versions where appropriate. The links to external resources below will support you in your review.

Guidance and resources

Last Reviewed Date 03/10/2022
Updated on 15/04/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top