title: Configure minimal TLS version - managed instance
description: Learn how to configure minimal TLS version for managed instance
author: zoran-rilak-msft
ms.author: zoranrilak
ms.reviewer: mathoma
ms.date: 10/21/2022
ms.service: azure-sql-managed-instance
ms.subservice: security
ms.topic: how-to
ms.custom: devx-track-azurecli
ms.devlang: azurecli

Configure minimal TLS version in Azure SQL Managed Instance

The Minimal Transport Layer Security (TLS) Version setting allows customers to control the version of TLS used by their Azure SQL Managed Instance.

At present we support TLS 1.0, 1.1 and 1.2. Setting a Minimal TLS Version ensures that the chosen version and subsequent, newer TLS versions are supported. For example, choosing a Minimal TLS Version of 1.1 means only connections with TLS 1.1 and 1.2 are accepted and TLS 1.0 is rejected. After testing to confirm your applications support it, we recommend setting the minimal TLS version to 1.2, since it includes fixes for vulnerabilities found in previous versions and is the highest version of TLS supported in Azure SQL Managed Instance.

For customers with applications that rely on older versions of TLS, we recommend setting the Minimal TLS Version per the requirements of your applications. For customers whose applications connect using an unencrypted connection, we recommend not setting any Minimal TLS Version.

For more information, see TLS considerations for SQL Database connectivity.

After setting the Minimal TLS Version, login attempts from clients that are using a TLS version lower than the Minimal TLS Version of the server will fail with the following error:

Error 47072
Login failed with invalid TLS version

Note

When you configure a minimum TLS version, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the managed instance endpoint.

Set minimal TLS version via PowerShell

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to Get and Set the Minimal TLS Version property at the instance level:

```powershell
# Get the Minimal TLS Version property
(Get-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group).MinimalTlsVersion

# Update Minimal TLS Version Property
Set-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group -MinimalTlsVersion "1.2"
```

Set Minimal TLS Version via Azure CLI

Important

All scripts in this section require Azure CLI.

Azure CLI in a bash shell

The following CLI script shows how to change the Minimal TLS Version setting in a bash shell:

```bash
# Get current setting for Minimal TLS Version
az sql mi show -n sql-instance-name -g resource-group --query "minimalTlsVersion"

# Update setting for Minimal TLS Version
az sql mi update -n sql-instance-name -g resource-group --set minimalTlsVersion="1.2"
```
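
Because the minimum is enforced at the application layer and protocol-level scanners can report extra versions, compliance is best checked from the configured `minimalTlsVersion` property itself. The script below is an added example, not part of the original article: it flags every managed instance whose setting is below a required minimum. The function names, the `--live`/`--sample` switches and the sample instance names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: flag managed instances whose Minimal TLS Version is too low.

# Reads "name<TAB>resourceGroup<TAB>minimalTlsVersion" rows on stdin, prints
# one NONCOMPLIANT row per instance below the required minimum (default 1.2).
# Returns 1 if any instance is non-compliant, 0 otherwise.
flag_weak_tls() {
  required="${1:-1.2}"
  awk -F '\t' -v req="$required" '
    NF < 3 { next }                       # skip blank or malformed rows
    {
      v = $3
      # "None" or an empty value means no minimum is enforced
      if (v == "None" || v == "" || v + 0 < req + 0) {
        printf "NONCOMPLIANT\t%s\t%s\t%s\n", $1, $2, (v == "" ? "None" : v)
        bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample rows (not real instances), in the same shape as the
# az query in the --live branch below.
sample_rows() {
  printf 'mi-prod-01\trg-data\t1.2\n'
  printf 'mi-legacy-02\trg-data\t1.0\n'
  printf 'mi-test-03\trg-dev\tNone\n'
  printf 'mi-app-04\trg-apps\t1.1\n'
}

case "${1:-}" in
  --live)   # audit every managed instance in the current subscription
    az sql mi list --query "[].[name,resourceGroup,minimalTlsVersion]" -o tsv \
      | flag_weak_tls "${2:-1.2}" ;;
  --sample) # run against the constructed rows above
    sample_rows | flag_weak_tls ;;
esac
```

Run with `--live` after `az login`; the non-zero exit status on any non-compliant instance makes the script usable as a pipeline gate.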