Server cipher suites and TLS requirements

A cipher suite is a set of cryptographic algorithms used to encrypt messages between clients and servers, and between servers.

Before a secure connection is established, the protocol and cipher are negotiated between server and client based on availability on both sides.

You can use your on-premises/local servers to integrate with the following Dataverse services:

  1. Syncing emails from your Exchange server.
  2. Running Outbound plug-ins.
  3. Running native/local clients to access your Dataverse environments.

To comply with our security policy for a secure connection, your server must have the following:

  1. Transport Layer Security (TLS) 1.2 compliance

  2. At least one of the following ciphers:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Important

Older TLS 1.0 and 1.1 protocols and cipher suites (for example, TLS_RSA) have been deprecated; see the announcement.

Your servers must have the above security protocol to continue running the Dataverse services.

You may either upgrade the Windows version or update the Windows TLS registry to make sure that your server endpoint supports one of these ciphers.

To verify that your server complies with the security protocol, you can perform a test using a TLS cipher and scanner tool:

  1. Test your hostname using SSLLABS, or
  2. Scan your server using NMAP
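One way to turn an Nmap scan into a pass/fail answer against the list above. This is an added example, not part of the original page or of any Microsoft tooling. It assumes the scan was run with Nmap's `ssl-enum-ciphers` script (for example `nmap --script ssl-enum-ciphers -p 443 <host>`) and that its text output was saved; the function names and the sample output are constructed for illustration.

```python
import re

# Suites the page lists; a compliant server offers at least one over TLS 1.2.
REQUIRED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}
DEPRECATED_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}  # deprecated per the page

PROTO_RE = re.compile(r"^\|[ _]+((?:TLSv|SSLv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+(TLS_[A-Z0-9_]+)\b")

# Constructed sample of ssl-enum-ciphers output (not from a real host).
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: A
"""

def parse_enum_ciphers(text):
    """Return {protocol label: [suite names]} from ssl-enum-ciphers text output."""
    offered, current = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = m.group(1)
            offered[current] = []
        elif current and (m := CIPHER_RE.match(line)):
            offered[current].append(m.group(1))
    return offered

def check_compliance(text):
    """Compliant = TLS 1.2 offered with at least one listed suite; the rest are findings."""
    offered = parse_enum_ciphers(text)
    accepted = [c for c in offered.get("TLSv1.2", []) if c in REQUIRED]
    rsa_kx = {c for suites in offered.values() for c in suites if c.startswith("TLS_RSA_")}
    return {"compliant": bool(accepted), "accepted": accepted,
            "deprecated_protocols": sorted(DEPRECATED_PROTOCOLS & offered.keys()),
            "deprecated_tls_rsa": sorted(rsa_kx)}
```

A server can report `compliant` as true while still listing entries under `deprecated_protocols` or `deprecated_tls_rsa`; those are the settings to disable when you update the Windows TLS configuration.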

See also

Connect to Exchange Server (on-premises)
Dynamics 365 Server-side sync
Exchange server TLS guidance
Cipher Suites in TLS/SSL (Schannel SSP)
Manage Transport Layer Security (TLS)
How to enable TLS 1.2