Preparing for TLS 1.2 in Office 365 and Office 365 GCC

Summary

To provide the best-in-class encryption to our customers, Microsoft plans to discontinue the support for Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365 and Office 365 GCC as of June 2020.

We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of the TLS service.

The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for TLS 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC.

For information about how to remove TLS 1.0 and 1.1 dependencies, see the whitepaper Solving the TLS 1.0 problem.

More information

As of June 2020, Office 365 will begin deprecating TLS 1.0 and 1.1 in worldwide environments for commercial customers and in GCC environments for GCC customers. This means that starting in June 2020, any commercial and GCC clients, devices or services that connect to Office 365 by using TLS 1.0 and 1.1 will not succeed.

We recommend that all client-server and browser-server combinations use TLS 1.2 (or a later version) to maintain connection to Office 365 services. You might have to update certain client-server and browser-server combinations. 

The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service.

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Internet Explorer 10 on Windows Phone 8
  • Safari 6.0.4/OS X10.8.4 and earlier versions

TLS 1.2 for Microsoft Teams Rooms and Surface Hub

Microsoft Teams Rooms (previously known as Skype Room System V2 SRS V2) have supported TLS 1.2 since December 2018. We recommend that Rooms devices have Microsoft Teams Rooms app version 4.0.64.0 or later installed. For more information, see the Release notes. The changes are backward and forward compatible.

Surface Hub released TLS 1.2 support in May 2019.

TLS 1.2 support for Microsoft Teams Rooms and Surface Hub products also requires the following server-side code changes:

  • Skype for Business Online server changes were made live in April 2019. Now, Skype for Business Online supports connecting Microsoft Teams Rooms and Surface Hub devices by using TLS 1.2.

  • Skype for Business Server customers must install a cumulative update (CU) to use TLS 1.2 for Teams Rooms Systems and Surface Hub.

    • For Skype for Business Server 2015, CU9 is already released in May 2019.
    • For Skype for Business Server 2019, CU1 was previously planned for April 2019 but is delayed to June 2019.

    Note

    Skype for Business on-premises customers should not disable TLS 1.0/1.1 before installing specific CUs for Skype for Business Server.

If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.

References

The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1.