Preparing for TLS 1.2 in Office 365
To provide best-in-class encryption to our customers, we plan to discontinue the support for Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365.
We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of the TLS service.
The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for TLS 1.0 and 1.1 in Microsoft Office 365.
For information about how to remove TLS 1.0 and 1.1 dependencies, see the whitepaper Solving the TLS 1.0 problem.
As of October 31, 2018, Office 365 will no longer support TLS 1.0 and 1.1. This means that Microsoft will not fix new issues that are found in clients, devices, or services that connect to Office 365 by using TLS 1.0 and 1.1.
This doesn't mean Office 365 will block TLS 1.0 and 1.1 connections. There is no official date for disabling or removing TLS 1.0 and 1.1 in the TLS service for customer connections. The eventual deprecation date will be determined by customer telemetry and is not yet known. After a decision is made, there will be an announcement six months in advance unless we become aware of a known compromise, in which case we may have to act in less than six months to protect customers who use the services.
You should make sure that all client-server and browser-server combinations use TLS 1.2 (or a later version) to maintain connection to Office 365 services. You may have to update certain client-server and browser-server combinations.
The following clients are known to be unable to use TLS 1.2. Update your clients to ensure uninterrupted access to the service.
- Android 4.3 and earlier versions
- Firefox version 5.0 and earlier versions
- Internet Explorer 8-10 on Windows 7 and earlier versions
- Internet Explorer 10 on Win Phone 8.0
- Safari 6.0.4/OS X 10.8.4 and earlier versions
Microsoft Surface Hub and Skype Room Systems Version 2 (SRS v2) currently use TLS 1.0 or 1.1, and they will continue to work after October 31, 2018. Microsoft will update Surface Hub, Skype Room Systems V2, Skype for Business Online, and server products to support TLS 1.2 before TLS 1.0 and 1.1 are deprecated for Office 365. These products are expected to support TLS 1.2 by the first half of 2019. Skype for Business Online and on-premises customers should not disable TLS 1.0 and 1.1 until that time if they are using these meeting and calling devices.
If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.
We have identified protocol mismatch issues that are generated by on-premises servers that are running Windows Server 2008 and 2008 R2. You have to enable TLS 1.1 and 1.2 to let them continue to function after October 31, 2018. For more information, see the following articles:
- Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
- Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009
**Note** If you use TLS 1.2 in Office 365, this doesn't mean that you must disable TLS 1.0 and 1.1 in your environment by October 31, 2018. If parts of your environment require TLS 1.0 and 1.1 on or after October 31, 2018, you can leave the older protocol versions enabled.
The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1.
- If you have Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information, see KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.
- To start addressing weak TLS use by removing TLS 1.0 and 1.1 dependencies, see TLS 1.2 support at Microsoft.
- New IIS functionality makes it easier to find clients on Windows Server 2012 R2 and Windows Server 2016 that connect to the service by using weak security protocols.
- Get more information about how to solve the TLS 1.0 problem.
- For general information about our approach to security, go to the Office 365 Trust Center.
- Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2016
- Enable TLS and SSL support in SharePoint 2013
- Enable TLS 1.1 and TLS 1.2 support in SharePoint Server 2010
- O365 Skype for Business – Prepare for TLS 1.0/1.1 Deprecation
- Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
- Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
- Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
- Enable TLS 1.1 and TLS 1.2 support in Office Online Server
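One way to audit the WinHTTP default named in the Windows 7 item above, as an added example that is not part of the original article. The registry path, the `DefaultSecureProtocols` value name and the bit flags are taken from KB 3140245 rather than from this page, and the function name `Get-WinHttpDefaultProtocols` is hypothetical.

```powershell
# Added example: report which protocols WinHTTP enables by default on this host.
# Path, value name and flags are assumptions drawn from KB 3140245, not this page.
# Written to run on PowerShell 2.0 (the version shipped with Windows 7).

$names = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$flags = @{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}

# Native view plus the 32-bit view used by 32-bit applications on x64 Windows.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-WinHttpDefaultProtocols {
    param([string[]]$Path = $paths)

    foreach ($p in $Path) {
        $item = Get-ItemProperty -Path $p -Name DefaultSecureProtocols -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            # Value (or key) absent: WinHTTP falls back to the operating system default.
            New-Object PSObject -Property @{
                Path = $p; Value = 'not set'; Enabled = 'OS default applies'; Tls12 = $null
            }
            continue
        }

        $value   = [int]$item.DefaultSecureProtocols
        $enabled = $names | Where-Object { $value -band $flags[$_] }

        New-Object PSObject -Property @{
            Path    = $p
            Value   = '0x{0:X8}' -f $value
            Enabled = ($enabled -join ', ')
            Tls12   = [bool]($value -band $flags['TLS 1.2'])
        }
    }
}

Get-WinHttpDefaultProtocols | Format-List Path, Value, Enabled, Tls12
```

A row with `Tls12 = False`, or with the value not set on an operating system whose WinHTTP default predates TLS 1.2, marks a host that still needs the update and registry change described in the KB article.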
We will provide specific guidance about how to remove TLS 1.0 and 1.1 dependencies soon. Check back here for more information.