Microsoft Deprecation of TLS 1.0 and 1.1 in Azure Active Directory
Transport Layer Security (TLS) is the protocol used to encrypt data in transit; TLS 1.0 was published in 1999 as the successor to SSL. Versions 1.0 and 1.1 no longer meet current security requirements (the IETF formally deprecated both in RFC 8996) and are being retired by most vendors in favour of TLS 1.2 and 1.3. Microsoft is deprecating support for TLS 1.0 and TLS 1.1 in Azure Active Directory (Azure AD) and Active Directory Federation Services (ADFS) on 31 January 2022, and the change applies globally.
NHSmail Active Directory Federation Services (ADFS)
The NHSmail Active Directory Federation Services (ADFS) instance authenticates users when they log on to NHSmail and is used by many applications for single sign-on.
The NHSmail team has been working with Microsoft to identify nhs.net accounts that are still signing in from clients or applications that use TLS 1.0 or TLS 1.1. Organisations with such accounts will be contacted by their regional security representative, their Product Implementation & Relationship Manager and the NHSmail service team, who will provide further information to help them identify the affected parts of their local infrastructure.
TLS 1.0 and TLS 1.1 will be disabled on the NHSmail ADFS on 30 June 2022.
Other Instances of Azure Active Directory
If your organisation runs its own Azure Active Directory tenant or Active Directory Federation Services (ADFS) instance, you will need to review your sign-in logs to identify any users still signing in over TLS 1.0 or 1.1 and remediate them before 31 January 2022, when Microsoft will start applying the change to all other tenants.
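One way to carry out that sign-in log review when Azure AD sign-in logs are exported to a Log Analytics workspace. This is an added example, not code from the NHSmail page or from Microsoft; it assumes the Az.OperationalInsights module, an authenticated Az session (Connect-AzAccount), and that diagnostic export of SigninLogs is enabled. The workspace ID is a placeholder, and the "Legacy TLS" key in AuthenticationProcessingDetails is taken from Microsoft's sign-in log schema, so check it against a sample event in your own tenant before relying on the filter.

```powershell
# Added example: find Azure AD sign-ins that were flagged as using legacy TLS.
# Assumes Az.OperationalInsights is installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # placeholder: your Log Analytics workspace (customer) ID
    [int] $LookbackDays = 30
)

# Azure AD records legacy TLS use as an entry in the sign-in's
# AuthenticationProcessingDetails array whose key starts with "Legacy TLS"
# (assumed key name per Microsoft's sign-in log documentation; verify in your tenant).
$kql = @"
SigninLogs
| where TimeGenerated > ago(${LookbackDays}d)
| extend Details = parse_json(AuthenticationProcessingDetails)
| mv-apply Details on (
    where tostring(Details.key) startswith "Legacy TLS"
    | project LegacyTls = tostring(Details.value)
  )
| where LegacyTls =~ "true"
| summarize SignIns = count(), LastSeen = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress,
       OS = tostring(DeviceDetail.operatingSystem)
| order by SignIns desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($result.Results)

if ($rows.Count -eq 0) {
    Write-Host "No legacy-TLS sign-ins found in the last $LookbackDays days."
    return
}

# One row per user/app/client/IP/OS combination, so each line can be handed to
# the team that owns that client or application for remediation.
$rows | Format-Table UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, OS, SignIns, LastSeen -AutoSize

# Keep a copy for follow-up with application owners.
$rows | Export-Csv -Path '.\legacy-tls-signins.csv' -NoTypeInformation
```

If the logs are not exported, the same "Legacy TLS" field is visible per sign-in under Additional Details in the Azure AD sign-in log blade, but the query above is what scales to a whole tenant.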
How might this change affect your organisation?
If you have clients or applications that communicate with or authenticate against Azure Active Directory or Active Directory Federation Services (ADFS), they may stop working, or not work as expected, if they cannot negotiate TLS 1.2.
- Windows Vista does not support TLS 1.2
- Windows 7 supports TLS 1.2, but it is disabled by default and must be enabled in the registry or via group policy
- Windows 8.1 and later support TLS 1.2, and it is enabled by default
What you need to do to prepare:
Use TLS 1.2 and modern cipher suites on every client, server, application and operating system that communicates with Azure Active Directory, Azure workloads or Microsoft 365 services.
To avoid any service impact, we strongly advise that you start transitioning to TLS 1.2 as soon as possible.
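The registry settings behind "enable TLS 1.2 on clients" and "disable TLS 1.0/1.1 for a test group" are the Schannel protocol keys plus the .NET Framework strong-crypto values. The script below is an added example (not from the NHSmail page or from Microsoft) that audits those values and, with -Enforce, writes them; with -DisableLegacy it also turns TLS 1.0 and 1.1 off on the client side, which is the pilot-group test described later on this page. Run it elevated; Schannel changes take effect after a reboot. The registry paths are the standard Windows ones, and nothing else is assumed.

```powershell
# Added example: audit or enforce the Windows registry values that control
# which TLS versions a client offers. Reports only unless -Enforce is given.
[CmdletBinding()]
param(
    [switch] $Enforce,        # write the desired values instead of only reporting
    [switch] $DisableLegacy   # also switch off TLS 1.0/1.1 on the client (pilot machines first)
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: registry key -> value name -> DWORD.
# Enabled=1 / DisabledByDefault=0 turns a protocol on; Enabled=0 / DisabledByDefault=1 turns it off.
$desired = [ordered]@{
    "$schannel\TLS 1.2\Client" = @{ Enabled = 1; DisabledByDefault = 0 }
    "$schannel\TLS 1.2\Server" = @{ Enabled = 1; DisabledByDefault = 0 }
    # .NET Framework 4.x: defer to the OS protocol list (so TLS 1.2 is used) and use strong crypto.
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'             = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
}
if ($DisableLegacy) {
    foreach ($version in 'TLS 1.0', 'TLS 1.1') {
        $desired["$schannel\$version\Client"] = @{ Enabled = 0; DisabledByDefault = 1 }
    }
}

$report = foreach ($key in $desired.Keys) {
    foreach ($name in $desired[$key].Keys) {
        $want = $desired[$key][$name]
        $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $state = if ($null -eq $have) { 'missing' } elseif ($have -eq $want) { 'ok' } else { 'wrong' }

        if ($Enforce -and $state -ne 'ok') {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
            $state = 'fixed'
        }
        [pscustomobject]@{ Key = $key; Value = $name; Have = $have; Want = $want; State = $state }
    }
}

$report | Format-Table -AutoSize
if ($Enforce) { Write-Warning 'Registry updated; reboot for Schannel changes to take effect.' }
```

Run it once without switches to get a drift report, then with -Enforce on a pilot group before rolling the same values out via group policy preferences.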
For more information/guidance related to this retirement, please refer to:
Microsoft Deprecation of TLS 1.0 and 1.1 in O365 and Exchange Online
Microsoft started removing access to Office 365 and Exchange Online for connections using TLS 1.0 and 1.1 on 15 October 2020, so any clients, devices or services that connect to Office 365 over TLS 1.0 or 1.1 will already have stopped working.
What are we asking you to do?
It is important that you carry out a review of your organisation’s use of TLS and upgrade to supported versions where appropriate. The links to external resources below will support you in your review.
Guidance and resources
- Microsoft guidance on TLS deprecation. An overview of TLS 1.0 and 1.1 deprecation.
- Microsoft whitepaper on solving the TLS 1.0 problem. This provides guidance on identifying and removing TLS 1.0 dependencies in software built on top of Microsoft operating systems.
- Guidance on how to check and enforce what version of TLS your browser is using:
- How to enable TLS 1.2 on clients – A Microsoft guide to enabling TLS 1.2 on Windows operating systems.
- Microsoft guidance on group policy configuration. TLS versions can be set via group policy, so TLS 1.0 and 1.1 can be disabled for a subset of users to test the outcome on their applications, workflows, functions and tasks. Note: only traffic to Office 365, Azure AD/ADFS and NHSmail needs to be assessed, as those are the services for which Microsoft is withdrawing TLS 1.0/1.1 support.
- Handshake simulation at Qualys SSL Labs. This determines which version of TLS will be requested by various clients when connecting to your online services. The simulation covers client OS/browser combinations across manufacturers.
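To check what a given endpoint and your own client stack will actually negotiate, rather than relying only on a browser check or the SSL Labs simulation, you can open a handshake pinned to each protocol version in turn. The script below is an added example (not from the NHSmail page, Microsoft or Qualys) using the .NET SslStream class; the target host is a placeholder and should be replaced with the service you depend on, for example your own ADFS farm's FQDN. It accepts any certificate because it is testing protocol support, not trust, so do not reuse the callback elsewhere.

```powershell
# Added example: probe which TLS versions a server accepts from this client.
param(
    [string] $TargetHost = 'adfs.example.org',   # placeholder, not a real NHS endpoint
    [int]    $Port = 443
)

function Test-TlsVersion {
    param(
        [string] $HostName,
        [int] $Port,
        [System.Security.Authentication.SslProtocols] $Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is bypassed on purpose: we only care whether the
        # handshake completes at the requested protocol version.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Requested  = $Protocol
            Supported  = $true
            Negotiated = $ssl.SslProtocol
            Detail     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)-bit"
        }
    } catch {
        # A failure here means either the server refused this version or the local
        # Schannel stack is not offering it; both are the desired end state for 1.0/1.1.
        [pscustomobject]@{
            Requested  = $Protocol
            Supported  = $false
            Negotiated = $null
            Detail     = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Tls13 is only available on .NET Framework 4.8 / newer OS builds, so probe 1.0-1.2 here.
$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName $TargetHost -Port $Port -Protocol $p
}
$results | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.Requested -eq 'Tls12' -and $_.Supported })) {
    Write-Warning "TLS 1.2 handshake to ${TargetHost}:$Port failed; fix the client or server before the cut-off."
}
```

Run it from a representative client: a True row for Tls12 confirms the path will survive the cut-off, while True rows for Tls or Tls11 show legacy versions are still offered and accepted and should be disabled on the side you control.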