Tuesday, May 4, 2021

MS deprecates TLS 1.0 and TLS 1.1 in AzureAD

Microsoft announced that it will deprecate TLS 1.0 and TLS 1.1 for connections to Azure AD endpoints. The same was already done for Office 365 with less impact; this time the impact will be much bigger!

The reason is security: TLS 1.0 and TLS 1.1 have known protocol weaknesses, exploited by attacks such as BEAST and POODLE, and RFC 8996 formally deprecates both versions. (Heartbleed, often listed alongside them, was a bug in OpenSSL's implementation rather than a weakness of these protocol versions themselves.) Other major vendors are dropping TLS 1.0 and TLS 1.1 as well.

The Microsoft cloud app catalog already reports more than 2,700 of its roughly 17,000 apps as not supporting TLS 1.2. If Azure AD is used for authentication with one of the affected apps, sign-in may fail after June 30th, 2021!

On-premises components that talk to Azure AD will also break, including but not limited to:

  • Outdated operating systems (Windows 7 / Windows 8 without "extension", servers older than Windows Server 2012 R2)
  • Outdated browsers (kept for app-compat reasons)
  • New Azure AD device registrations from older OSes
  • Older versions of Azure AD Connect, Pass-through Authentication agents or Application Proxy connectors
  • The Azure MFA adapter on AD FS servers running older OSes
  • The NPS extension for Azure MFA on older OSes
  • Azure AD integrated applications and PowerShell scripts built on older .NET Framework versions that are not configured to use TLS 1.2
  • Software as a Service (SaaS) or other line-of-business applications hosted on platforms without TLS 1.2 support
  • Web proxies doing TLS inspection that do not support TLS 1.2

This list is not complete, but it shows the scale of the impact!
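The .NET Framework and "older OS" items above usually come down to a handful of registry values: .NET 4.x only follows the OS protocol defaults when SystemDefaultTlsVersions and SchUseStrongCrypto are set, and Schannel only offers TLS 1.2 when the protocol is enabled and not marked DisabledByDefault. The following script is an added example (not from the original post or from Microsoft) that audits those values and, with -Fix, sets them. It assumes an elevated PowerShell session on a Windows machine; the key paths and value names are the documented ones for .NET Framework 4.x and Schannel.

```powershell
# Added example: audit (and with -Fix, correct) the registry settings that make
# .NET Framework 4.x and Schannel use TLS 1.2. Run elevated; Schannel changes
# take effect after a reboot.
param([switch]$Fix)

# .NET Framework 4.x: follow the OS protocol defaults and prefer strong crypto.
# Both hives matter: a 32-bit script host reads the WOW6432Node copy.
$dotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$dotNetValues = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

# Schannel: TLS 1.2 must be enabled and not "disabled by default" for both
# the client role (outbound to Azure AD) and the server role (inbound).
$schannelKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
)
$schannelValues = @{ Enabled = 1; DisabledByDefault = 0 }

function Test-RegValues {
    param([string[]]$Keys, [hashtable]$Expected, [switch]$Fix)
    foreach ($key in $Keys) {
        foreach ($name in $Expected.Keys) {
            $want = $Expected[$name]
            $have = $null
            if (Test-Path $key) {
                # A missing value reads as $null, which never equals $want.
                $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            $ok = ($have -eq $want)
            [pscustomobject]@{ Key = $key; Name = $name; Current = $have; Expected = $want; OK = $ok }
            if (-not $ok -and $Fix) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

Test-RegValues -Keys $dotNetKeys -Expected $dotNetValues -Fix:$Fix | Format-Table -AutoSize
Test-RegValues -Keys $schannelKeys -Expected $schannelValues -Fix:$Fix | Format-Table -AutoSize

# A script that cannot wait for the machine-wide change can force TLS 1.2 for
# its own process before it calls any Azure AD endpoint:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

Run it once without -Fix to see which values are wrong, then with -Fix. The ServicePointManager line at the end is the per-script workaround for the ".NET scripts not configured for TLS 1.2" case; it only affects the process it runs in, so the registry values are still the proper fix for anything else on the box. On Windows 7 / Server 2008 R2 the OS additionally needs the update that adds TLS 1.2 support before these values have any effect.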

More information on how to solve this in the various scenarios can be found here:

You can also test your endpoints here:
(Keep in mind that more than one URL may be involved in an authentication flow, so test all of them!)
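If you would rather test from your own network (for example through a TLS-inspecting proxy) than from an external site, the following added example (not from the original post) attempts a handshake with each protocol version against every host of a flow and reports which versions are accepted. The host list is an assumption for illustration: login.microsoftonline.com is the Azure AD sign-in endpoint, and app.example.com is a placeholder for your own application.

```powershell
# Added example: probe each host with TLS 1.0, 1.1 and 1.2 and report which
# handshakes succeed. Hosts below are assumptions; replace app.example.com
# with the endpoints of your own sign-in flow.
$probeHosts = @('login.microsoftonline.com', 'app.example.com')
$versions = @('Tls', 'Tls11', 'Tls12')   # System.Security.Authentication.SslProtocols names

function Test-TlsVersion {
    param([string]$HostName, [int]$Port = 443, [string]$Version)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Certificate validation is skipped on purpose: we only want to know
        # whether this protocol version is accepted, not who the peer is.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $proto = [System.Security.Authentication.SslProtocols]$Version
        $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
        [pscustomobject]@{ Host = $HostName; Requested = $Version; Negotiated = $ssl.SslProtocol; Accepted = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Requested = $Version; Negotiated = $null; Accepted = $false; Error = $_.Exception.GetBaseException().Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

$results = foreach ($h in $probeHosts) {
    foreach ($v in $versions) { Test-TlsVersion -HostName $h -Version $v }
}
$results | Format-Table -AutoSize

# A host that never completes a TLS 1.2 handshake will break after the deprecation.
$results | Group-Object Host | ForEach-Object {
    $ok12 = ($_.Group | Where-Object { $_.Requested -eq 'Tls12' -and $_.Accepted }).Count -gt 0
    if (-not $ok12) { Write-Warning "$($_.Name): no TLS 1.2 handshake succeeded" }
}
```

Read the result per host: a host that accepts only Tls or Tls11 is the problem case, while a host that rejects Tls and Tls11 but accepts Tls12 is already where it needs to be. If the machine running the probe has TLS 1.0/1.1 disabled in Schannel itself, the Tls and Tls11 rows will fail locally for every host, so run the probe from a client that still has all three versions enabled.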

If you have Microsoft Cloud App Security, this advanced filter lists all the affected apps:

And last but not least, there is a report showing all authentications against your tenant that still use an outdated TLS version. How reliable this report is you have to judge for yourself in your environment; we still found some strange entries in it.

TLS deprecation report (a new one is generated every two days, and only the last three are kept!)