
Azure AD – Ensure you have TLS 1.2 enabled on your on-premises systems interacting with Azure AD

As announced in early November 2020, old versions of TLS (TLS 1.0 and TLS 1.1) and ciphers (3DES cipher suite) are going to be deprecated and will no longer be supported starting June 30, 2021.

You have to ensure that your on-premises systems interacting with Azure AD (such as Azure AD Connect, Azure AD Application Proxy, Active Directory Federation Services, NPS Extension for Azure AD MFA…) have TLS 1.2 support enabled.

Windows Server 2012 R2 and later natively support TLS 1.2, unless you have explicitly disabled it. For older versions, you need to have deployed KB 3140245 (https://support.microsoft.com/help/3140245).

You can confirm that TLS 1.2 support is enabled by checking the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • “DisabledByDefault”: 00000000
    • “Enabled”: 00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    • “DisabledByDefault”: 00000000
    • “Enabled”: 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • “SchUseStrongCrypto”: 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
    • “SystemDefaultTlsVersions”: 00000001
    • “SchUseStrongCrypto”: 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • “SystemDefaultTlsVersions”: 00000001
    • “SchUseStrongCrypto”: 00000001
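
The check above can be scripted so it is repeatable across servers. The following read-only PowerShell audit is an added example, not part of the original post; the function name `Test-Tls12Registry` and the output column names are illustrative, and the .NET keys are assumed to live under the standard `SOFTWARE\Microsoft\.NETFramework` location.

```powershell
# Added example: read-only audit of the TLS 1.2 registry values listed above.
# Function name and output columns are illustrative, not from the original post.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework'

# Expected values, taken from the list in the post.
$expected = @(
    @{ Path = "$schannel\Client";   Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = "$schannel\Client";   Name = 'Enabled';                  Value = 1 }
    @{ Path = "$schannel\Server";   Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = "$schannel\Server";   Name = 'Enabled';                  Value = 1 }
    @{ Path = "$dotnet\v2.0.50727"; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = "$dotnet\v2.0.50727"; Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Path = "$dotnet\v4.0.30319"; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = "$dotnet\v4.0.30319"; Name = 'SchUseStrongCrypto';       Value = 1 }
)

function Test-Tls12Registry {
    param([Parameter(Mandatory)][hashtable[]]$Checks)

    foreach ($c in $Checks) {
        $actual = $null
        # A missing key or value is reported separately from a wrong value.
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }

        $status = if ($null -eq $actual) { 'NotSet' } elseif ($actual -eq $c.Value) { 'OK' } else { 'Mismatch' }

        [pscustomobject]@{
            Key      = $c.Path -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
            Value    = $c.Name
            Expected = $c.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-Tls12Registry -Checks $expected | Format-Table -AutoSize
```

`NotSet` means the value is absent, so the operating system or .NET default applies; `Mismatch` means the value has been explicitly configured to something other than what the list above expects.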
