Commit 93bd64a

20241209 TLS retirement
1 parent d5f7021 commit 93bd64a

3 files changed

+15
-5
lines changed

articles/synapse-analytics/guidance/security-white-paper-data-protection.md

Lines changed: 5 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.author: whhender
66
ms.reviewer: whhender
77
ms.service: azure-synapse-analytics
88
ms.topic: conceptual
9-
ms.date: 01/14/2022
9+
ms.date: 12/09/2024
1010
---
1111

1212
# Azure Synapse Analytics security white paper: Data protection
@@ -54,7 +54,10 @@ While SSE forms the first layer of encryption, cautious customers can double enc
5454

5555
Azure Synapse, dedicated SQL pool (formerly SQL DW), and serverless SQL pool use the [Tabular Data Stream (TDS)](/openspecs/windows_protocols/ms-tds/893fcc7e-8a39-4b3c-815a-773b7b982c50) protocol to communicate between the SQL pool endpoint and a client machine. TDS depends on Transport Layer Security (TLS) for channel encryption, ensuring all data packets are secured and encrypted between endpoint and client machine. It uses a signed server certificate from the Certificate Authority (CA) used for TLS encryption, managed by Microsoft. Azure Synapse supports data encryption in transit with TLS v1.2, using AES 256 encryption.
5656

57-
Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.
57+
Azure Synapse leverages TLS to ensure data is encrypted in motion. Dedicated SQL pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.
58+
59+
> [!IMPORTANT]
60+
> Azure will retire older TLS versions (TLS 1.0 and 1.1) starting in November 2024. Sign-in attempts from connections using a TLS version lower than 1.2 fail. Use TLS 1.2 or higher. Starting after March 31, 2025, you will no longer be able to set the minimal TLS version for Azure Synapse Analytics client connections below TLS 1.2. For more information, see [Announcement: Azure support for TLS 1.0 and TLS 1.1 will end](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/).
5861
5962
## Next steps
6063
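
Review bot: The reworded sentence at new line 57 still says dedicated SQL pools "support TLS 1.0, TLS 1.1, and TLS 1.2", while the note added directly beneath it (new lines 59-60) says sign-in attempts below TLS 1.2 fail, so the two statements now contradict each other. Reword line 57 to state TLS 1.2 as the minimum, or scope the older versions to the period before the retirement, rather than only swapping "SQL dedicated" for "Dedicated SQL". The note also uses future tense ("will retire ... starting in November 2024") under an ms.date of 12/09/2024; present tense would match the date.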

articles/synapse-analytics/migration-guides/oracle/3-security-access-operations.md

Lines changed: 4 additions & 1 deletion
@@ -7,7 +7,7 @@ ms.topic: conceptual
77
author: ajagadish-24
88
ms.author: ajagadish
99
ms.reviewer: wiassaf
10-
ms.date: 08/11/2022
10+
ms.date: 12/09/2024
1111
---
1212

1313
# Security, access, and operations for Oracle migrations
@@ -41,6 +41,9 @@ The Oracle system offers these authentication methods for database users:
4141

4242
- **Global authentication and authorization**: with global authentication and authorization, you can centralize management of user-related information, including authorizations, in an LDAP-based directory service. Users are identified in the database as global users, which means they're authenticated by TLS/SSL and user management occurs outside the database. The centralized directory service performs user management. This approach provides strong authentication using TLS/SSL, Kerberos, or Windows-native authentication, and enables centralized management of users and privileges across the enterprise. Administration is easier because it's not necessary to create a schema for every user in every database in the enterprise. Single sign-on is also supported, so that users only need to sign in once to access multiple databases and services.
4343

44+
> [!IMPORTANT]
45+
> Azure will retire older TLS versions (TLS 1.0 and 1.1) starting in November 2024. Sign-in attempts from connections using a TLS version lower than 1.2 fail. Use TLS 1.2 or higher. Starting after March 31, 2025, you will no longer be able to set the minimal TLS version for Azure Synapse Analytics client connections below TLS 1.2. For more information, see [Announcement: Azure support for TLS 1.0 and TLS 1.1 will end](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/).
46+
4447
- **Proxy authentication and authorization**: you can designate a middle-tier server to proxy clients in a secure fashion. Oracle provides various options for proxy authentication, such as:
4548

4649
- The middle-tier server can authenticate itself with the database server. A client, which in this case is an application user or another application, authenticates itself with the middle-tier server. Client identities can be maintained all the way through to the database.
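
Review bot: The [!IMPORTANT] block at new lines 44-45 is inserted between the "Global authentication and authorization" and "Proxy authentication and authorization" bullets, which splits the list of Oracle authentication methods and places an Azure Synapse client-connection notice inside a passage about Oracle's own TLS/SSL authentication. Move it below the list, or to the part of the article that covers Azure Synapse connections, so readers do not take it as a statement about the Oracle source system.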

articles/synapse-analytics/security/connectivity-settings.md

Lines changed: 6 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn to configure connectivity settings in Azure Synapse Analytics
44
author: danzhang-msft
55
ms.author: danzhang
66
ms.reviewer: wiassaf
7-
ms.date: 11/25/2024
7+
ms.date: 12/09/2024
88
ms.service: azure-synapse-analytics
99
ms.subservice: security
1010
ms.topic: conceptual
@@ -57,13 +57,17 @@ Selecting the **Disable** option will not apply any firewall rules that you migh
5757
The connection policy for Synapse SQL in Azure Synapse Analytics is set to *Default*. You cannot change this in Azure Synapse Analytics. For more information, see [Connectivity architecture](/azure/azure-sql/database/connectivity-architecture#connection-policy).
5858

5959
## Minimal TLS version
60+
6061
The serverless SQL endpoint and development endpoint only accept TLS 1.2 and above.
6162

6263
Since December 2021, a minimum level of TLS 1.2 is required for workspace-managed dedicated SQL pools in new Synapse workspaces. Sign-in attempts from connections using a TLS version lower than 1.2 fail. Customers can raise or lower this requirement using the [minimal TLS REST API](/rest/api/synapse/sqlserver/workspace-managed-sql-server-dedicated-sql-minimal-tls-settings/update) for both new Synapse workspaces or existing workspaces, so users who cannot use a higher TLS client version in the workspaces can connect. Customers can also raise the minimum TLS version to meet their security needs.
6364

65+
> [!IMPORTANT]
66+
> Azure will retire older TLS versions (TLS 1.0 and 1.1) starting in November 2024. Sign-in attempts from connections using a TLS version lower than 1.2 fail. Use TLS 1.2 or higher. Starting after March 31, 2025, you will no longer be able to set the minimal TLS version for Azure Synapse Analytics client connections below TLS 1.2. For more information, see [Announcement: Azure support for TLS 1.0 and TLS 1.1 will end](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/).
67+
6468
## Azure Policy
65-
Azure policy to prevent modifications to the networking settings in Synapse Workspace is not available as of today.
6669

70+
Azure policy to prevent modifications to the networking settings in Synapse Workspace is not currently available.
6771

6872
## Related content
6973
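
Review bot: The unchanged paragraph at new line 63 still says customers can "raise or lower this requirement" through the minimal TLS REST API so that clients that cannot use a higher TLS version can connect, while the note added at new lines 65-66 says a minimum below TLS 1.2 can no longer be set after March 31, 2025. Update that paragraph in the same change so it no longer describes lowering the minimum as an option. The identical note text is also added to all three files in this commit; keeping it in one shared snippet would keep the wording and dates in sync.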
