MicrosoftDocs
diff --git a/‎articles/iot-hub/iot-hub-tls-support.md
Lines changed: 55 additions & 23 deletions b/‎articles/iot-hub/iot-hub-tls-support.md
Lines changed: 55 additions & 23 deletions
diff --git a/‎articles/iot-hub/media/iot-hub-tls-support/tls-versions-support-metrics-filter.png
136 KB b/‎articles/iot-hub/media/iot-hub-tls-support/tls-versions-support-metrics-filter.png
136 KB
diff --git a/‎articles/iot-hub/media/iot-hub-tls-support/tls-versions-support-metrics.png
128 KB b/‎articles/iot-hub/media/iot-hub-tls-support/tls-versions-support-metrics.png
128 KB
@@ -15,19 +15,19 @@
 IoT Hub uses Transport Layer Security (TLS) to secure connections from IoT devices and services. 
 
 > [!NOTE]
-> Azure IoT Hub will end support for TLS 1.0 and 1.1 in alignment with the Azure wide service announcement for [TLS 1.0 and 1.1 retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) on **August 31, 2025**.
+> Azure IoT Hub will end support for TLS 1.0 and 1.1 in alignment with the Azure wide service announcement for [TLS 1.0 and 1.1 retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) on **August 31, 2025**. In addition, IoT Hub will no longer support weak cipher suites as of August 31, 2025. Only recommended strong cipher suites will be supported for both existing and new IoT Hubs. 
+> 
+> For customers using weak cipher suites prior to August 31, 2025, Cipher Suite Compatibility Mode may be enabled automatically to allow additional time to update devices to the recommended cipher suites. 
 >
 > It's therefore essential that you properly test and validate that *all* your IoT devices and services are compatible with TLS 1.2 and the [recommended ciphers](#cipher-suites) in advance. It's highly recommended to use the [minimum TLS enforcement feature](#enforce-iot-hub-to-use-tls-12-and-strong-cipher-suites) as the mechanism for testing and compliance.
 
 
 > [!IMPORTANT]
->  It’s important to distinguish between **TLS 1.2 support** and **TLS 1.2 enforcement**. TLS 1.2 is supported on all IoT Hubs, meaning that IoT Hubs can handle connections using the TLS 1.2 protocol. On the other hand, TLS 1.2 enforcement ensures that IoT Hub **only** accepts connections using TLS 1.2 or higher. When TLS 1.2 enforcement is enabled, the service also enforces the use of [strong cipher suites](#cipher-suites) as described above. Future updates will allow for the enforcement of TLS 1.2 while permitting non-recommended cipher suites. 
+>  It’s important to distinguish between **TLS 1.2 support** and **TLS 1.2 enforcement**. TLS 1.2 is supported on all IoT Hubs, meaning that IoT Hubs can handle connections using the TLS 1.2 protocol. On the other hand, TLS 1.2 enforcement ensures that IoT Hub **only** accepts connections using TLS 1.2 or higher. When TLS 1.2 enforcement is enabled, the service also enforces the use of [strong cipher suites](#cipher-suites) as described above.
 > 
 > Currently, TLS 1.2 enforcement is supported only in select regions: 
 > 
-> - East US 
-> - South Central US 
-> - West US 2 
+> - All public cloud regions
 > - US Gov Arizona 
 > - US Gov Virginia (Note: TLS 1.0/1.1 support isn't available in this region. TLS 1.2 enforcement must be enabled, or IoT Hub creation will fail). 
 >
@@ -58,6 +58,8 @@ Root CA migrations are rare. You should always prepare your IoT solution for the
 
 ## Cipher Suites
 
+Starting **August 31, 2025**, IoT Hub enforces the use of recommended strong cipher suites for all existing and new IoT Hubs. Non-recommended (weak) cipher suites aren't supported past this date.  
+
 To comply with Azure security policy for a secure connection, IoT Hub recommends the following RSA and ECDSA cipher suites that require minimum TLS 1.2 enforcement:
 
 * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
@@ -69,7 +71,7 @@ To comply with Azure security policy for a secure connection, IoT Hub recommends
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 
-The following cipher suites are currently allowed in IoT Hub. However, these cipher suites are no longer recommended by the Azure security guidelines. These cipher suites work with TLS versions 1.0, 1.1, and 1.2.
+The following non-recommended cipher suites are allowed until August 31, 2025: 
 
 * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
@@ -158,24 +160,54 @@ The created IoT Hub resource using this configuration refuses device and service
 > Upon failovers, the `minTlsVersion` property of your IoT Hub remains effective in the geo-paired region post-failover.
 
 ## Checking TLS versions for IoT Hub devices
-Azure IoT Hub can provide diagnostic logs for several categories that can be analyzed using Azure Monitor Logs. In the connections log you can find the TLS Version for your IoT Hub devices.
 
-To view these logs, follow these steps:
+Azure IoT Hub provides the capability to check the TLS version and other device connection metrics to help monitor the security of IoT devices. You can either use IoT Hub metrics or diagnostic logs to track TLS version usage and other related properties like [Cipher Suites](#cipher-suites).
+
+### Checking TLS versions using IoT Hub metrics
+
+If you want to validate that device traffic to IoT Hub is utilizing TLSv1.2, you can check IoT Hub’s metrics. This allows you to filter by TLS version or Cipher Suite and check the number of successful connections. 
+
 1. In the [Azure portal](https://portal.azure.com), go to your IoT hub.
-2. In the resource menu under **Monitoring**,  select **Diagnostic settings**. Ensure diagnostic settings have "Connections" checkmarked.
-3. In the resource menu under **Monitoring**,  select **Logs**.
-4. Enter the following query:
-```azurecli
-AzureDiagnostics
-| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
-| where Category == "Connections"
-| where OperationName == "deviceConnect"
-| extend props_json = parse_json(properties_s)
-| project DeviceId = props_json.deviceId, TLSVersion = props_json.tlsVersion
-```
-5. An example of the query results looks like:
-:::image type="content" source="./media/iot-hub-tls-support/query-result.png" alt-text="Diagram showing the query for device TLS version.":::
-6. Note: TLS version query is not available for devices using HTTPS connections. 
+1. In the left-side menu under **Monitoring**,  select **Metrics**.
+1. Add the metric **Successful Connects**.
+
+    :::image type="content" source="./media/iot-hub-tls-support/tls-versions-support-metrics.png" alt-text="Screenshot showing how to add the Successful Connects metric.":::
+
+1. Filter by TLS Version or Cipher Suite by selecting the **Add filter** button and choosing the appropriate property, TLS Version or Cipher Suite, operator, for example "=", and value, for example, TLSv1.2.
+
+    :::image type="content" source="./media/iot-hub-tls-support/tls-versions-support-metrics-filter.png" alt-text="Screenshot showing how to filter by TLS Version or Cipher Suite.":::
+
+1. After applying the filter, you see the sum of devices with successful IoT Hub connections based on the filtered property and value(s).  
+
+> [!NOTE]
+> TLS version query isn't available for devices using HTTPS connections.
+
+### Checking TLS versions using IoT Hub diagnostic logs
+
+Azure IoT Hub can provide diagnostic logs for several categories that can be analyzed using Azure Monitor Logs. In the connections log you can find the TLS version for your IoT Hub devices. 
+
+To view these logs, follow these steps: 
+
+1. In the [Azure portal](https://portal.azure.com), go to your IoT hub.
+1. In the left-side menu under **Monitoring**,  select **Diagnostic settings**. Ensure diagnostic settings have "Connections" checked.
+1. In the left-side menu under **Monitoring**,  select **Logs**.
+1. Enter the following query:
+
+    ```kusto
+    AzureDiagnostics
+    | where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
+    | where Category == "Connections"
+    | where OperationName == "deviceConnect"
+    | extend props_json = parse_json(properties_s)
+    | project DeviceId = props_json.deviceId, TLSVersion = props_json.tlsVersion
+    ```
+
+1. An example of the query results looks like this:
+
+    :::image type="content" source="./media/iot-hub-tls-support/query-result.png" alt-text="Diagram showing the query for device TLS version.":::
+
+> [!NOTE]
+> TLS version query isn't available for devices using HTTPS connections.
 
 
 ## TLS configuration for SDK and IoT Edge
@@ -188,7 +220,7 @@ Use the following links to configure TLS 1.2 and allowed ciphers in IoT Hub clie
 | Python   | Version 2.0.0 or newer             | [Link](https://aka.ms/Tls_Python_SDK_IoT) |
 | C#       | Version 1.21.4 or newer            | [Link](https://aka.ms/Tls_CSharp_SDK_IoT) |
 | Java     | Version 1.19.0 or newer            | [Link](https://aka.ms/Tls_Java_SDK_IoT) |
-| Node.js   | Version 1.12.2 or newer            | [Link](https://aka.ms/Tls_Node_SDK_IoT) |
+| Node.js  | Version 1.12.2 or newer            | [Link](https://aka.ms/Tls_Node_SDK_IoT) |
 
 IoT Edge devices can be configured to use TLS 1.2 when communicating with IoT Hub. For this purpose, use the [IoT Edge documentation page](https://github.com/Azure/iotedge/blob/master/edge-modules/edgehub-proxy/README.md).