|
| 1 | +--- |
| 2 | +title: Configure minimal TLS version - managed instance |
| 3 | +description: "Learn how to configure minimal TLS version for managed instance" |
| 4 | +services: sql-database |
| 5 | +ms.service: sql-database |
| 6 | +ms.subservice: security |
| 7 | +ms.custom: |
| 8 | +ms.topic: conceptual |
| 9 | +author: srdan-bozovic-msft |
| 10 | +ms.author: srbozovi |
| 11 | +ms.reviewer: |
| 12 | +ms.date: 05/25/2020 |
| 13 | +--- |
| 14 | +# Configure minimal TLS version in Azure SQL Managed Instance |
| 15 | +The Minimal [Transport Layer Security (TLS)](https://support.microsoft.com/help/3135244/tls-1-2-support-for-microsoft-sql-server) Version setting allows customers to control the version of TLS used by their Azure SQL Managed Instance. |
| 16 | + |
| 17 | +At present we support TLS 1.0, 1.1 and 1.2. Setting a Minimal TLS Version ensures that subsequent, newer TLS versions are supported. For example, e.g., choosing a TLS version greater than 1.1. means only connections with TLS 1.1 and 1.2 are accepted and TLS 1.0 is rejected. After testing to confirm your applications supports the it, we recommend setting minimal TLS version to 1.2 since it includes fixes for vulnerabilities found in previous versions and is the highest version of TLS supported in Azure SQL Managed Instance. |
| 18 | + |
| 19 | +For customers with applications that rely on older versions of TLS, we recommend setting the Minimal TLS Version per the requirements of your applications. For customers that rely on applications to connect using an unencrypted connection, we recommend not setting any Minimal TLS Version. |
| 20 | + |
| 21 | +For more information, see [TLS considerations for SQL Database connectivity](../database/connect-query-content-reference-guide.md#tls-considerations-for-sql-database-connectivity). |
| 22 | + |
| 23 | +After setting the Minimal TLS Version, login attempts from clients that are using a TLS version lower than the Minimal TLS Version of the server will fail with following error: |
| 24 | + |
| 25 | +```output |
| 26 | +Error 47072 |
| 27 | +Login failed with invalid TLS version |
| 28 | +``` |
| 29 | + |
| 30 | +## Set minimal TLS version via PowerShell |
| 31 | + |
| 32 | +[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)] |
| 33 | +> [!IMPORTANT] |
| 34 | +> The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see [AzureRM.Sql](https://docs.microsoft.com/powershell/module/AzureRM.Sql/). The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the [Azure PowerShell module](/powershell/azure/install-az-ps). |
| 35 | +
|
| 36 | +The following PowerShell script shows how to `Get` and `Set` the **Minimal TLS Version** property at the instance level: |
| 37 | + |
| 38 | +```powershell |
| 39 | +#Get the Minimal TLS Version property |
| 40 | +(Get-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group).MinimalTlsVersion |
| 41 | +
|
| 42 | +# Update Minimal TLS Version Property |
| 43 | +Set-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group -MinimalTlsVersion "1.2" |
| 44 | +``` |
| 45 | + |
| 46 | +## Set Minimal TLS Version via Azure CLI |
| 47 | + |
| 48 | +> [!IMPORTANT] |
| 49 | +> All scripts in this section requires [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli). |
| 50 | +
|
| 51 | +### Azure CLI in a bash shell |
| 52 | + |
| 53 | +The following CLI script shows how to change the **Minimal TLS Version** setting in a bash shell: |
| 54 | + |
| 55 | +```azurecli-interactive |
| 56 | +# Get current setting for Minimal TLS Version |
| 57 | +az sql mi show -n sql-instance-name -g resource-group --query "minimalTlsVersion" |
| 58 | +
|
| 59 | +# Update setting for Minimal TLS Version |
| 60 | +az sql mi update -n sql-instance-name -g resource-group --set minimalTlsVersion="1.2" |
| 61 | +``` |
0 commit comments