Minimum TLS version
March 21, 2025 ยท View on GitHub
SYNOPSIS
IoT Hubs should reject TLS versions older than 1.2.
DESCRIPTION
The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
RECOMMENDATION
Configure the minimum supported TLS version to be 1.2.
EXAMPLES
Configure with Azure template
To deploy IoT Hubs that pass this rule:
- Set the
properties.minTlsVersionproperty to1.2.
For example:
{
"type": "Microsoft.Devices/IotHubs",
"apiVersion": "2022-04-30-preview",
"name": "[parameters('iotHubName')]",
"location": "[parameters('location')]",
"sku": {
"name": "S1",
"capacity": 1,
},
"properties": {
"minimumTlsVersion": "1.2",
}
}
Configure with Bicep
To deploy IoT Hubs that pass this rule:
- Set the
properties.minTlsVersionproperty to1.2.
For example:
resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {
name: iotHubName
location: location
sku: {
name: 'S1'
capacity: 1
}
properties: {
minTlsVersion: '1.2'
}
}
NOTES
The minimum TLS version feature is currently only supported in these regions:
- East US
- South Central US
- West US 2
- US Gov Arizona
- US Gov Virginia
The minTlsVersion property is read-only and cannot be changed once your IoT Hub resource is created.
It is therefore important to properly test and validate that all oT devices and services are compatible with TLS 1.2 and the recommended ciphers in advance.