Azure AD TLS deprecation – Are you aware?

Working with customers, one common area that is overlooked is the legacy authentication protocols that users, devices, and systems use to communicate with different cloud services. Even for myself, awareness of this is key – one thing that I ‘knew was happening’, but didn’t realise was coming up so soon, was the deprecation of TLS 1.1 and 1.0 for Azure AD. This has the potential to impact many organisations we work with that haven’t looked at Azure AD Connect or other apps and services that communicate with Azure AD, and could cause issues with business continuity and service access if not addressed:

Enable support for TLS 1.2 in your environment for upcoming Azure AD TLS 1.0/1.1 deprecation – Active Directory | Microsoft Docs

WHAT IS OCCURRING?

To improve the security posture of customer tenants and to remain in compliance with industry standards, Microsoft will soon stop supporting the following Transport Layer Security (TLS) protocols and ciphers with Azure Active Directory (Azure AD):

  • TLS 1.1
  • TLS 1.0
  • 3DES cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA)

HOW MIGHT THIS CHANGE AFFECT YOUR ORGANISATION?

Whilst TLS 1.2 has been enforced for Office 365 connections since October 2020, as per Preparing for TLS 1.2 in Office 365 and Office 365 GCC – Microsoft 365 Compliance | Microsoft Docs, there are still areas of tenant communication that can be impacted.

Applications that are communicating with or authenticating against Azure Active Directory might not work as expected if they are NOT able to use TLS 1.2 to communicate. This situation includes Azure AD Connect, Azure AD PowerShell, Azure AD Application Proxy connectors, PTA agents, legacy browsers, and applications that are integrated with Azure AD.
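To see where a Windows host such as an Azure AD Connect, PTA agent or Application Proxy connector server stands before the cut-over, the following audit script is an added example (not from the original post or from Microsoft); it reads the SCHANNEL TLS 1.2 protocol keys and the .NET Framework 4.x strong-crypto keys that control whether these .NET-based agents can negotiate TLS 1.2, and with -Fix writes the expected values. It assumes a 64-bit Windows host with .NET Framework 4.x, an elevated session, and that a reboot follows any change.

```powershell
# Added example: audit (and optionally set) the registry settings that let
# Windows and .NET Framework 4.x clients use TLS 1.2 with Azure AD.
# Assumptions: 64-bit Windows, .NET Framework 4.x, elevated PowerShell.
[CmdletBinding()]
param([switch]$Fix)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Expected state: TLS 1.2 enabled and not disabled-by-default on both the
# client and server side; .NET uses the OS default TLS versions and strong crypto.
$checks = @()
foreach ($side in 'Client', 'Server') {
    $checks += [pscustomobject]@{ Path = "$schannel\$side"; Name = 'Enabled';           Expected = 1 }
    $checks += [pscustomobject]@{ Path = "$schannel\$side"; Name = 'DisabledByDefault'; Expected = 0 }
}
foreach ($p in $dotnet) {
    $checks += [pscustomobject]@{ Path = $p; Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    $checks += [pscustomobject]@{ Path = $p; Name = 'SchUseStrongCrypto';       Expected = 1 }
}

$results = foreach ($c in $checks) {
    # A missing key or value reads as $null, which counts as "not OK".
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = ($actual -eq $c.Expected)
    if (-not $ok -and $Fix) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -PropertyType DWord -Force | Out-Null
        $ok = $true
    }
    [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Expected = $c.Expected; Actual = $actual; OK = $ok }
}

$results | Format-Table -AutoSize
if ($results.OK -contains $false) {
    Write-Warning 'TLS 1.2 is not fully enabled on this host; rerun with -Fix and reboot before the Azure AD cut-over.'
}
```

Run it read-only first on each server that talks to Azure AD; the agents only pick up the .NET changes after a restart of the service or host.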
