|
1 | 1 | ---
|
2 |
| -title: Configure minimal TLS version - managed instance |
3 |
| -description: "Learn how to configure minimal TLS version for managed instance" |
| 2 | +title: Configure Minimal TLS Version - SQL Managed Instance |
| 3 | +description: "Learn how to configure minimal TLS version for a managed instance" |
4 | 4 | author: zoran-rilak-msft
|
5 | 5 | ms.author: zoranrilak
|
6 |
| -ms.reviewer: mathoma |
7 |
| -ms.date: 10/21/2022 |
| 6 | +ms.reviewer: mathoma, vanto |
| 7 | +ms.date: 07/17/2025 |
8 | 8 | ms.service: azure-sql-managed-instance
|
9 | 9 | ms.subservice: security
|
10 | 10 | ms.topic: how-to
|
11 |
| -ms.custom: devx-track-azurecli |
| 11 | +ms.custom: |
| 12 | + - devx-track-azurecli |
12 | 13 | ms.devlang: azurecli
|
13 | 14 | ---
|
14 | 15 | # Configure minimal TLS version in Azure SQL Managed Instance
|
15 |
| -> [!IMPORTANT] |
16 |
| -> **Upcoming retirement changes** |
17 |
| -> |
18 |
| -> Azure has announced that support for older TLS versions (TLS 1.0, and 1.1) ends August 31, 2025. For more information, see [TLS 1.0 and 1.1 deprecation](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/). |
19 |
| -> Starting November 2024, you will no longer be able to set the minimal TLS version for Azure SQL Managed Instance client connections below TLS 1.2. |
20 | 16 |
|
21 |
| -The Minimal [Transport Layer Security (TLS)](/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server) Version setting allows customers to control the version of TLS used by their Azure SQL Managed Instance. |
| 17 | +> [!IMPORTANT] |
| 18 | +> **Retirement changes** |
| 19 | +> |
| 20 | +> Azure has announced that support for older TLS versions (TLS 1.0, and 1.1) ends August 31, 2025. For more information, see [TLS 1.0 and 1.1 deprecation](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/). |
| 21 | +> Starting November 2024, you'll no longer be able to set the minimal TLS version for Azure SQL Managed Instance client connections below TLS 1.2. |
22 | 22 |
|
23 |
| -At present we support TLS 1.0, 1.1 and 1.2. Setting a Minimal TLS Version ensures that subsequent, newer TLS versions are supported. For example, e.g., choosing a TLS version greater than 1.1. means only connections with TLS 1.1 and 1.2 are accepted and TLS 1.0 is rejected. After testing to confirm your applications supports it, we recommend setting minimal TLS version to 1.2 since it includes fixes for vulnerabilities found in previous versions and is the highest version of TLS supported in Azure SQL Managed Instance. |
| 23 | +The Minimal [Transport Layer Security (TLS)](/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server) version setting allows customers to control the version of TLS used by their Azure SQL Managed Instance. |
24 | 24 |
|
25 |
| -For customers with applications that rely on older versions of TLS, we recommend setting the Minimal TLS Version per the requirements of your applications. For customers that rely on applications to connect using an unencrypted connection, we recommend not setting any Minimal TLS Version. |
| 25 | +Setting **Minimum TLS version** to 1.2 is currently enforced for SQL Managed Instance. Setting a Minimal TLS version ensures that subsequent, newer TLS versions are supported. Only connections using TLS 1.2 or above are accepted. |
26 | 26 |
|
27 | 27 | For more information, see [TLS considerations for SQL Database connectivity](../database/connect-query-content-reference-guide.md#tls-considerations-for-database-connectivity).
|
28 | 28 |
|
29 |
| -After setting the Minimal TLS Version, login attempts from clients that are using a TLS version lower than the Minimal TLS Version of the server will fail with following error: |
| 29 | +After setting the Minimal TLS version, login attempts from clients that are using a TLS version lower than the Minimal TLS version of the server will fail with following error: |
30 | 30 |
|
31 | 31 | ```output
|
32 | 32 | Error 47072
|
33 | 33 | Login failed with invalid TLS version
|
34 | 34 | ```
|
35 | 35 |
|
36 | 36 | > [!NOTE]
|
37 |
| -> When you configure a minimum TLS version, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the managed instance endpoint. |
| 37 | +> When you configure a minimum TLS version, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer might return TLS versions in addition to the minimum required version when run directly against the managed instance endpoint. |
38 | 38 |
|
39 | 39 | ## Set minimal TLS version via PowerShell
|
40 | 40 |
|
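Review bot: The retained IMPORTANT block (new lines 17-21) still states the restriction in future tense, "Starting November 2024, you'll no longer be able to set the minimal TLS version ... below TLS 1.2", while new line 25 says 1.2 "is currently enforced" and ms.date is now 07/17/2025. Reword the note to present tense so the two statements agree. New line 25 also mixes "Minimum TLS version" and "Minimal TLS version" in consecutive sentences; pick one term and use it throughout. The removed paragraph gave guidance for clients that rely on older TLS or on unencrypted connections; since the new text says "Only connections using TLS 1.2 or above are accepted", state explicitly what happens to those clients now (for example, that they fail with error 47072, if that is the case). New line 29 could also read "fail with the following error".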
@@ -71,3 +71,7 @@ az sql mi show -n sql-instance-name -g resource-group --query "minimalTlsVersion
|
71 | 71 | # Update setting for Minimal TLS Version
|
72 | 72 | az sql mi update -n sql-instance-name -g resource-group --set minimalTlsVersion="1.2"
|
73 | 73 | ```
|
| 74 | + |
| 75 | +## Related content |
| 76 | + |
| 77 | +- [Connectivity architecture for Azure SQL Managed Instance](connectivity-architecture-overview.md) |
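Review bot: The new Related content section (new lines 75-77) lists only the connectivity architecture article. Consider adding the TLS considerations article already linked in the body at line 27, which is the closer follow-up for a reader of this page. Separately, the unchanged CLI example at line 72 sets minimalTlsVersion="1.2" without saying which values the command accepts; since the first hunk states that 1.2 is enforced, a sentence on the allowed values would keep the example consistent with the new text.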