TLS 1.0 and 1.1 Are Retiring – Here’s What Entra Domain Services Customers Must Do Before August 31, 2025
TLS 1.0 and 1.1 Are Retiring – Here’s What Entra Domain Services Customers Must Do Before August 31, 2025
The clock is ticking for TLS 1.0 and 1.1 in Microsoft Entra Domain Services. As part of Microsoft's ongoing commitment to security, support for these legacy TLS protocols will be retired by August 31, 2025.
This change isn’t just another checkbox—it’s a vital step to protect your environment, maintain compliance, and embrace modern encryption standards like TLS 1.2, which brings perfect forward secrecy, stronger cipher suites, and better protection for your data in transit.
If you're still relying on TLS 1.0 or 1.1, now's the time to make the switch. Here’s everything you need to know—and do.
Why TLS 1.2 Matters
While TLS 1.0 and 1.1 haven’t been found vulnerable in Microsoft’s implementations, they lack modern security features. TLS 1.2 (and later versions) offers:
- Perfect forward secrecy
- Advanced cipher suites
- Improved compliance with industry standards (e.g., PCI DSS, NIST, HIPAA)
This move ensures your organization isn't just secure—but future-proof.
What’s Changing in Entra Domain Services?
As announced on November 10, 2023, the TLS roadmap for Domain Services is as follows:
- TLS 1.2 only mode is currently optional—but not for long.
- Microsoft will remove the ability to disable TLS 1.2 only mode.
- Once this happens, you won’t be able to switch back.
- The deadline to migrate is August 31, 2025.
After that, TLS 1.0 and 1.1 will be permanently disabled. If you're still using them, your services may stop functioning as expected.
How to Enable TLS 1.2 Only Mode
You can make the switch using Azure Portal or PowerShell—whichever suits your workflow.
Option 1: Using Azure Portal
- Go to your Domain Services instance in the Azure portal.
- Navigate to Security settings.
- If TLS 1.2 only mode is set to Disable, you're still using TLS 1.0/1.1.
- Set TLS 1.2 only mode to Enable.
- Click Save.
Note: It takes about 10 minutes for the changes to apply.
Option 2: Using PowerShell
- Install the required module:
-
- Install-Module -Name Az.ADDomainServices
- Connect to your Azure subscription:
-
- Connect-AzAccount -Subscription <your-subscription-id>
- Check your current TLS setting:
-
- Get-AzADDomainService -DomainSecuritySettingTlsV1
- If TLS 1.2 only mode is disabled, your instance is already compliant.
- If you need to enable TLS 1.2 only:
-
- Get your Domain Services name:
-
-
- Get-AzADDomainService -Name
-
-
- Get-AzADDomainService -ResourceGroupName
-
-
- Update-AzADDomainService -Name "<name>" -ResourceGroupName "<resourceGroup>" -DomainSecuritySettingTlsV1 Disabled
Again, allow about 10 minutes for the security updates to propagate.
Need Help?
If you encounter any issues during migration, don’t hesitate to open an Azure support request for assistance.
Mark Your Calendar: August 31, 2025
This isn’t a soft deadline. If TLS 1.0 or 1.1 is still active in your environment after this date, your services could break unexpectedly.
Make the move today—secure your environment, stay compliant, and join the growing number of customers future-proofing their Microsoft Entra Domain Services deployments.
Summary:
Microsoft Entra Domain Services will retire support for TLS 1.0 and 1.1 by August 31, 2025, as part of its ongoing security enhancements. Customers still using these older protocols must migrate to TLS 1.2 only mode, which offers improved encryption, perfect forward secrecy, and compliance with modern security standards. The change can be applied through the Azure Portal or PowerShell, and typically takes around 10 minutes to complete. After the deadline, TLS 1.0 and 1.1 will be permanently disabled, potentially disrupting services for non-compliant environments. Microsoft urges all customers to act now to ensure a secure and uninterrupted experience.
