Minimum TLS version

March 21, 2025 ยท View on GitHub

SYNOPSIS

IoT Hubs should reject TLS versions older than 1.2.

DESCRIPTION

The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

RECOMMENDATION

Configure the minimum supported TLS version to be 1.2.

EXAMPLES

Configure with Azure template

To deploy IoT Hubs that pass this rule:

  • Set the properties.minTlsVersion property to 1.2.

For example:

{
  "type": "Microsoft.Devices/IotHubs",
  "apiVersion": "2022-04-30-preview",
  "name": "[parameters('iotHubName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "S1",
    "capacity": 1,
  },
  "properties": {
    "minimumTlsVersion": "1.2",
  }
}

Configure with Bicep

To deploy IoT Hubs that pass this rule:

  • Set the properties.minTlsVersion property to 1.2.

For example:

resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {
  name: iotHubName
  location: location
  sku: {
    name: 'S1'
    capacity: 1
  }
  properties: {
    minTlsVersion: '1.2'
  }
}

NOTES

The minimum TLS version feature is currently only supported in these regions:

  • East US
  • South Central US
  • West US 2
  • US Gov Arizona
  • US Gov Virginia

The minTlsVersion property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to properly test and validate that all oT devices and services are compatible with TLS 1.2 and the recommended ciphers in advance.