Office 365 TLS Deprecation Report – Preparing for TLS 1.2 Migration

Recently, Microsoft announced a significant update: “We’re retiring 3DES (Triple Data Encryption Standard) in Office 365”.

3DES cipher is mostly used for TLS/SSL to encrypt HTTPS and SSH traffic. Since 2016, it has been marked as vulnerable due to SWEET32 attack (Attackers recovered small portions of plaintext when encrypted with 3DES) and planned complete usage deprecation before 2023. To provide security to data, Microsoft made changes in TLS service.

Before moving into how to plan for 3DES removal, let’s see about TLS and how 3DES removal impacts TLS.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a network. For ex, Websites uses TLS to secure all communications between their servers and browsers/clients. There are currently four versions of TLS protocol in use today: TLS 1.0,1.1,1.2 and 1.3

Why Office 365 moving to TLS 1.2?

Microsoft is planning to move all of its online services to TLS 1.2 or a later version to provide best-in-class encryption to its customers.  As of February 28, 2019, Microsoft will begin retiring 3DES. As a result, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled. TLS versions 1.0 and 1.1 include cipher suites based on the 3DES algorithm. So,  all client-server and browser-server combinations must use TLS 1.2 or 1.2+ to maintain a connection to Office 365 services.

How does this affect me?

Office 365 stopped support for TLS 1.0 and 1.1. Hence Microsoft will not fix new issues that are found when connecting Office 365 by using TLS 1.0/1.1. To ensure uninterrupted access to the Office 365  services, you need to update TLS to 1.2 or later version. If you want to get a list of users who uses TLS 1.0/1.1, you can make use of Microsoft’s TLS deprecation report.

 

Office 365 TLS Deprecation Report:

Office 365 will retire TLS 1.0 and 1.1 starting June 1st, 2020 in Worldwide and GCC Environments

To ease your work, Microsoft has provided a new report to track users, devices or applications that use TLS 1.0/1.1 or 3DES. You need to be a tenant administrator to generate a TLS deprecation report. The report gives the following information

  • Usernames/IP addresses of the users/devices connecting to Exchange using TLS 1.0/1.1 or 3DES
  • Protocol/cipher used for the connection – this will either be TLS 1.0/1.1 or 3DES
  • The user agent string that is being used for this connection – this gives information about the type of device used for the connection

To download TLS deprecation report directly, you can use this Microsoft’s quick link: https://servicetrust.microsoft.com/AdminPage/TlsDeprecationReport/Download.

Alternatively, to download the TLS deprecation report through Microsoft secure score portal, follow the below steps.

Step1: Login to Microsoft’s secure score: https://securescore.office.com and click on “Score Analyzer”.

TLS_Microsoft_Secure_Score_Analyzer

Step2: Scroll down to ‘All Actions’ . Search for “Remove TLS 1.0/1.1 and 3DES Dependencies” in Completed actions/Incomplete Actions. If you scored 5/5, You have already moved to TLS 1.2. Else, you need to plan for a migration.

Remove_TLS1.0_1.1_3DES_Dependencies

Step3: Click on the ‘Learn more’ button to get details on who is connecting using TLS 1.0/1.1 or 3DES. It will launch a flyout where you can click on ‘Launch now’.

 

Remove_TLS1.0 1.1_3DES_Dependencies

Step4: ‘Launch Now’ will take you to the Secure Trust Portal (http://servicetrust.microsoft.com). Login and then click ‘Download’ to get TLS-Deprecation-Report.csv. Or you can use quick link to download Office 365 TLS deprecation report.

Microsoft Service Trust Portal Login

TLS deprecation report

Step5:  If you have users or devices listed under TLS1.0/1.1, start planning for an upgrade.

TLS 1.0 1.1 and 3DES Usage Report

The TLS deprecation report is refreshed daily. If you have made any changes and updated any clients/devices, you would need to wait for 24hrs to see this change in the reports.

 

Updated 07/29/2019

Recently Microsoft announced the update about TLS: “Office 365 will retire TLS 1.0 and 1.1 starting June 1st, 2020 in Worldwide and GCC Environments” which means that all connections to Office 365 using the protocols TLS 1.0 and TLS 1.1 will not work After June 1st. So, you must migrate clients and devices to TLS 1.2 or TLS 1.2+ prior to June 1, 2020.

As already mentioned, you can get a TLS usage report using TLS deprecation report. If you need more detailed TLS usage report for SMTP in Exchange Online, you can use a TLS usage report from the Security & Compliance Center.

TLS Usage Report for SMTP in Exchange Online

Email clients uses different protocols to submit email messages. The SMTP Auth (SMTP Authenticated Submission) protocol is primarily used by devices and applications that send automated messages on behalf of customers. To protect against the disclosure of credentials, TLS is mandatory for SMTP Auth. So, when TLS 1.0 is disabled, no messages can be sent from devices or clients that do not support TLS 1.2.

You can use SMTP Auth Clients Reports to know which users are using this protocol, the volume of message sent, and the version of TLS used to connect to Office 365. Using these data, you can determine which clients and servers are still using TLS1.0 and TLS1.1 to connect to the various email protocol endpoints in Exchange Online.

SMTP Auth Clients Reports – TLS 1.0 Deprecation

1.To download SMTP Auth Clients Reports, you can go here: “Security & Compliance > Mail Flow > Dashboard- for SMTP Auth Clients Report.”

Alternatively, you can go directly using link: https://protection.office.com/mailflow/dashboard

Office 365 TLS report

 

2. Click ‘SMTP Auth Clients‘, it will show pivot for TLS version usage.

SMTP Auth Client Report

 

3. Click ‘report’ link as shown in above screenshot.

TLS Usage report

The TLS pivot shows the summary of TLS usage for your organization. Click ‘View details table’. It will show TLS usage per user.

 

SMTP Auth Client reports apply to SMTP related mail flow and submission alone. For other protocols, you need to refer TLS deprecation report.

 

If you are reading this blog because you are planning to migrate TLS to 1.2, chances are you already read and executed the Microsoft guidance to make your connection guarded. If so, please share your experience/difficulties during TLS 1.2 migration in the comment section to assist other admins.

Note: