Logical SQL Servers accepts insecure TLS versions
March 21, 2025 ยท View on GitHub
SYNOPSIS
Azure SQL Database servers should reject TLS versions older than 1.2.
DESCRIPTION
The minimum version of TLS that Azure SQL Database servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS versions 1.0, 1.1, 1.2, and 1.3 are accepted.
When clients connect using an older version of TLS that is disabled, the connection will fail.
RECOMMENDATION
Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
EXAMPLES
Configure with Bicep
To deploy logical SQL Servers that pass this rule:
- Set the
properties.minimalTlsVersionproperty to1.2or1.3.
For example:
resource server 'Microsoft.Sql/servers@2024-05-01-preview' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
publicNetworkAccess: 'Disabled'
minimalTlsVersion: '1.2'
administrators: {
azureADOnlyAuthentication: true
administratorType: 'ActiveDirectory'
login: adminLogin
principalType: 'Group'
sid: adminPrincipalId
tenantId: tenant().tenantId
}
}
}
Configure with Azure template
To deploy logical SQL Servers that pass this rule:
- Set the
properties.minimalTlsVersionproperty to1.2or1.3.
For example:
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2024-05-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"publicNetworkAccess": "Disabled",
"minimalTlsVersion": "1.2",
"administrators": {
"azureADOnlyAuthentication": true,
"administratorType": "ActiveDirectory",
"login": "[parameters('adminLogin')]",
"principalType": "Group",
"sid": "[parameters('adminPrincipalId')]",
"tenantId": "[tenant().tenantId]"
}
}
}
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Azure SQL Database should be running TLS version 1.2 or newer
/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf