Technical reference details about encryption

Refer to this article to learn about certificates, technologies, and TLS cipher suites used for encryption in Office 365. This article also provides details about planned deprecations.

Microsoft Office 365 certificate ownership and management

You don't need to purchase or maintain certificates for Office 365. Instead, Office 365 uses its own certificates.

Current encryption standards and planned deprecations

To provide best-in-class encryption, Office 365 regularly reviews supported encryption standards. Sometimes, old standards are deprecated as they become out of date and less secure. This article describes currently supported cipher suites and other standards and details about planned deprecations.

FIPS compliance for Office 365

All cipher suites supported by Office 365 use algorithms acceptable under FIPS 140-2. Office 365 inherits FIPS validations from Windows (through Schannel). For information about Schannel, see Cipher Suites in TLS/SSL (Schannel SSP).

Versions of TLS supported by Office 365

TLS, and SSL that came before TLS, are cryptographic protocols that secure communication over a network by using security certificates to encrypt a connection between computers. Office 365 supports TLS version 1.2 (TLS 1.2).

TLS version 1.3 (TLS 1.3) is currently not supported.

Important

Be aware that TLS versions deprecate, and that deprecated versions should not be used where newer versions are available. If your legacy services do not require TLS 1.0 or 1.1, you should disable them.

Support for TLS 1.0 and 1.1 deprecation

Office 365 stopped supporting TLS 1.0 and 1.1 on October 31, 2018. We have completed disabling TLS 1.0 and 1.1 in GCC High and DoD environments. We began disabling TLS 1.0 and 1.1 for Worldwide and GCC environments on October 15, 2020, and will continue with roll-out over the next weeks and months.

To maintain a secure connection to Office 365 and Microsoft 365 services, all client-server and browser-server combinations use TLS 1.2 and modern cipher suites. You might have to update certain client-server and browser-server combinations. For information about how this change impacts you, see Preparing for the mandatory use of TLS 1.2 in Office 365.

Deprecating support for 3DES

Since October 31, 2018, Office 365 no longer supports the use of 3DES cipher suites for communication to Office 365. More specifically, Office 365 no longer supports the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Since February 28, 2019, this cipher suite has been disabled in Office 365. Clients and servers that communicate with Office 365 must support one or more of the supported ciphers. For a list of supported ciphers, see TLS cipher suites supported by Office 365.

Deprecating SHA-1 certificate support in Office 365

Since June 2016, Office 365 no longer accepts an SHA-1 certificate for outbound or inbound connections. Use SHA-2 (Secure Hash Algorithm 2) or a stronger hashing algorithm in the certificate chain.

TLS cipher suites supported by Office 365

TLS uses cipher suites, collections of encryption algorithms, to establish secure connections. Office 365 supports the cipher suites listed in the following table. The table lists the cipher suites in order of strength, with the strongest cipher suite listed first.

Office 365 responds to a connection request by first attempting to connect using the most secure cipher suite. If the connection doesn't work, Office 365 tries the second most secure cipher suite in the list, and so on. The service continues down the list until the connection is accepted. Likewise, when Office 365 requests a connection, the receiving service chooses whether TLS will be used and which cipher suite to use.

| Cipher suite name | Key exchange algorithm/strength | Forward secrecy | Cipher/strength | Authentication algorithm/strength |
|---|---|---|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA/112 | No | AES/256 | RSA/112 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA/112 | No | AES/256 | RSA/112 |
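
The following added example (not Microsoft's code) audits a client's enabled protocols and offered cipher suites against the supported list above, the TLS 1.0/1.1 deprecation, and the disabled 3DES suite, walking the table in its listed order as the negotiation paragraph describes. The function name, variable names, and sample client configurations are assumptions constructed for illustration.

```python
# Added example (not Microsoft's code): audit a client's TLS settings against
# the lists on this page. Function and variable names are hypothetical.

# (suite name, forward secrecy) rows copied from the table above, in table order.
O365_TLS12_SUITES = [
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", True),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", True),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", True),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", True),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", True),
    ("TLS_RSA_WITH_AES_256_GCM_SHA384", False),
    ("TLS_RSA_WITH_AES_128_GCM_SHA256", False),
]
LEGACY_PROTOCOLS = {"TLS 1.0", "TLS 1.1"}            # no longer supported per this page
DISABLED_SUITES = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}  # disabled since February 28, 2019

def audit_client(protocols, offered_suites):
    """Return the suite the table order would select, plus hardening findings."""
    protocols = set(protocols)
    offered = {s.strip().upper() for s in offered_suites}  # tolerate case/whitespace
    findings = []
    if "TLS 1.2" not in protocols:
        findings.append("TLS 1.2 is not enabled; Office 365 supports only TLS 1.2")
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"{proto} is enabled but no longer supported; disable it")
    for suite in sorted(offered & DISABLED_SUITES):
        findings.append(f"{suite} is disabled in Office 365; remove it")
    selected = None
    if "TLS 1.2" in protocols:
        # First table row that the client also offers.
        selected = next((row for row in O365_TLS12_SUITES if row[0] in offered), None)
        if selected is None:
            findings.append("no offered suite is in the supported list")
        elif not selected[1]:
            findings.append(f"{selected[0]} has no forward secrecy; enable an ECDHE suite")
    return {"selected": selected[0] if selected else None,
            "forward_secrecy": selected[1] if selected else None,
            "findings": findings}

# Constructed sample client configurations (not taken from real systems).
SAMPLE_CLIENTS = {
    "modern": (["TLS 1.2"], ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                             "TLS_RSA_WITH_AES_256_GCM_SHA384"]),
    "legacy": (["TLS 1.0", "TLS 1.1"], ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]),
    "no_fs": (["TLS 1.2"], ["tls_rsa_with_aes_128_gcm_sha256"]),
}

if __name__ == "__main__":
    for name, (protos, suites) in SAMPLE_CLIENTS.items():
        print(name, audit_client(protos, suites))
```
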

The following cipher suites supported TLS 1.0 and 1.1 protocols until their deprecation date. For GCC High and DoD environments that deprecation date was January 15, 2020. For Worldwide and GCC environments that date was October 15, 2020.

| Protocols | Cipher suite name | Key exchange algorithm/strength | Forward secrecy | Cipher/strength | Authentication algorithm/strength |
|---|---|---|---|---|---|
| TLS 1.0, 1.1, 1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH/192 | Yes | AES/256 | RSA/112 |
| TLS 1.0, 1.1, 1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDH/128 | Yes | AES/128 | RSA/112 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_256_CBC_SHA | RSA/112 | No | AES/256 | RSA/112 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA | RSA/112 | No | AES/128 | RSA/112 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA/112 | No | AES/256 | RSA/112 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA/112 | No | AES/256 | RSA/112 |

Certain Office 365 products (including Microsoft Teams) use Azure Front Door to terminate TLS connections and route network traffic efficiently. At least one of the cipher suites supported by Azure Front Door over TLS 1.2 must be enabled to successfully connect to these products. For Windows 10 and above, we recommend enabling one or both of the ECDHE cipher suites for better security. Windows 7, 8, and 8.1 are not compatible with Azure Front Door's ECDHE cipher suites and the DHE cipher suites have been provided for compatibility with those operating systems.

TLS Cipher Suites in Windows 10 v1903

Encryption in Office 365

Set up encryption in Office 365 Enterprise

Schannel implementation of TLS 1.0 in Windows security status update: November 24, 2015

TLS/SSL Cryptographic Enhancements (Windows IT Center)

Preparing for TLS 1.2 in Office 365 and Office 365 GCC

What are the current cipher suites supported by Azure Front Door?