Disabling TLS 1.0 and TLS 1.1 in Microsoft 365
Unlike many of the articles on this site, this article is written for “IT people” and relates to technical subject matter.
Only follow the information below if it suits your specific situation and you understand and accept all risk.
Microsoft has been advising they will be disabling TLS 1.1 and below for some time now, at least since 2017. Recently they’ve released another change notification with the following information:
As previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018, MC186827 in July 2019, and MC218794 in July 2020), we are moving all our online services to Transport Layer Security (TLS) 1.2+ to provide best in class encryption, and to ensure our services is more secure by default. The changes to enforce TLS1.2+ in our service started on October 15, 2020 and will continue to propagate through all Microsoft 365 environments for the next few months. If you have not taken steps to prepare for this change, your connectivity to Microsoft 365 might be impacted.
Microsoft – MC240160
If you’re not one to keep up to date with the latest encryption standards, all you need to know is TLS 1.1 is over 10 years old now and has been superseded by TLS 1.2 and TLS 1.3.
What do I need to do to prepare?
In short, anyone running up to date Windows 10, Office and a modern web browser will have no issues. So if your environment(s) are fairly modern, you’ve got little to fear from this change. Simply make sure everything is updating as expected.
Where you will encounter problems: clients still running Windows 7, Office 2010 or below, along with old printers, web servers and Exchange servers.
Enabling Windows 7 / Server 2008 R2 Compatibility
There are two steps to enable TLS 1.2 functionality on Windows 7. First, you need to install this update. This is a recommended update, so it may have already been installed. Then you either need to run the easy fix found on the page linked above or manually add the registry keys mentioned on that page.
This change will allow most older software, such as Outlook 2010, to make use of TLS 1.2 without other changes. Upgrading to a newer version is still the better option if it is available to you.
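To confirm that the two steps above took effect on a given machine, a read-only check can decode the relevant registry values. This is an added example, not taken from this article or from Microsoft; the registry paths and bit values are assumptions based on Microsoft's WinHTTP and SChannel documentation, and the helper name `Get-RegValue` is hypothetical.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Registry paths and bit values are assumptions taken from Microsoft's WinHTTP and
# SChannel documentation, not from this article.

# Bit flags of the WinHTTP DefaultSecureProtocols DWORD
$flags = @{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    # Used by 32-bit applications on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

foreach ($key in $winHttpKeys) {
    if (-not (Test-Path $key)) { continue }   # Wow6432Node is absent on 32-bit Windows
    $value = Get-RegValue $key 'DefaultSecureProtocols'
    if ($null -eq $value) {
        Write-Output "$key`n  DefaultSecureProtocols not set (OS default applies)"
        continue
    }
    # Names of every protocol whose bit is set in the DWORD
    $names = @($flags.Keys | Sort-Object | Where-Object { $value -band $flags[$_] })
    $state = if ($value -band $flags['TLS 1.2']) { 'OK' } else { 'TLS 1.2 MISSING' }
    Write-Output ("{0}`n  DefaultSecureProtocols = 0x{1:X} ({2}) -> {3}" -f $key, $value, ($names -join ', '), $state)
}

# SChannel client setting for TLS 1.2
$enabled  = Get-RegValue $schannelKey 'Enabled'
$disabled = Get-RegValue $schannelKey 'DisabledByDefault'
if ($null -eq $enabled -and $null -eq $disabled) {
    Write-Output 'SChannel TLS 1.2 client: no explicit setting (OS default applies)'
} elseif ($enabled -ne 0 -and $disabled -eq 0) {
    Write-Output 'SChannel TLS 1.2 client: enabled by default'
} else {
    Write-Output "SChannel TLS 1.2 client: Enabled=$enabled DisabledByDefault=$disabled -> not on by default"
}
```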
What else to keep an eye out for?
A lot of older printers sending via Microsoft 365 SMTP relay are likely to be using older protocols. If this is the case, upgrading the firmware (if the new firmware supports TLS 1.2 or above) or using an alternative mail sending platform such as MailGun or SendGrid can get it working again.
Making sure your website hosting supports TLS 1.2 or above is also important. Any good modern web hosting platform should already have this, but if you self-host you will want to test, as Microsoft also plans to disable older TLS versions in their web browsers in the near future.
The same goes if you’re running your own Exchange server, though this article won’t go into the details around that.
How to check who’s connecting to 365 with TLS 1.1 or below?
Microsoft 365 has a report you can use to check if anyone is connecting to your tenancy with older versions of TLS. To access it, simply log on to your tenancy with a global admin account (IT providers will not be able to use partner access for this).
Once logged in you can use the link to go to the report directly:
Alternatively, you can go to securescore.office.com, click “score analyzer”, locate the “Remove TLS 1.0/1.1” listing, click “learn more” and then click “Launch Now”. This will show you who has connected to the tenancy in the last few months using one of these protocols.
- Transport Layer Security – Wikipedia
- Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (microsoft.com)
- The End of Support for Older TLS Versions in Office 365 | Microsoft Docs
- Enabling TLS 1.1 and 1.2 in Outlook on Windows 7 | Microsoft Docs
- How to allow Outlook to connect over TLS 1.1/1.2 – Nexcess
- Office 365 TLS Deprecation Report – Preparing for TLS 1.2 Migration (o365reports.com)