Azure SQL DB server minimum TLS version#
Security · SQL Database · Rule · 2020_09 · Critical
Azure SQL Database servers should reject TLS versions older than 1.2.
Description#
The minimum version of TLS that Azure SQL Database servers accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
When clients connect using an older version of TLS that is disabled, the connection will fail.
Recommendation#
Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
Examples#
Configure with Azure template#
To deploy logical SQL Servers that pass this rule:
- Set the
properties.minimalTlsVersionto1.2.
For example:
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2022-11-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"publicNetworkAccess": "Disabled",
"minimalTlsVersion": "1.2",
"administrators": {
"azureADOnlyAuthentication": true,
"administratorType": "ActiveDirectory",
"login": "[parameters('adminLogin')]",
"principalType": "Group",
"sid": "[parameters('adminPrincipalId')]",
"tenantId": "[tenant().tenantId]"
}
}
}
Configure with Bicep#
To deploy logical SQL Servers that pass this rule:
- Set the
properties.minimalTlsVersionto1.2.
For example:
resource server 'Microsoft.Sql/servers@2022-11-01-preview' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
publicNetworkAccess: 'Disabled'
minimalTlsVersion: '1.2'
administrators: {
azureADOnlyAuthentication: true
administratorType: 'ActiveDirectory'
login: adminLogin
principalType: 'Group'
sid: adminPrincipalId
tenantId: tenant().tenantId
}
}
}
Configure with Azure Verified Modules
A pre-built module is avilable on the Azure Bicep public registry.
To reference the module, please use the following syntax: br/public:avm/res/sql/server:<version>
Configure with Azure Policy#
To address this issue at runtime use the following policies:
- Azure SQL Database should be running TLS version 1.2 or newer
/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf
Links#
- SE:07 Encryption
- DP-3: Encrypt sensitive data in transit
- Minimal TLS Version
- Preparing for TLS 1.2 in Microsoft Azure
- Azure deployment reference