On August 31, 2025, Microsoft finished retiring TLS 1.0/1.1 across Azure. If any caller still negotiates those protocols, Azure SQL (DB or MI) will refuse the handshake until the client stack is modernized. Good. It’s time.
Read this: Azure's TLS retirement
Why DBAs should care
- Minimum TLS 1.2 is table stakes. You set it per logical server in the portal.
- Finding the laggards is easy: enable Azure SQL Auditing and check client_tls_version_n. That’s your hit list.
- Drivers aren’t the villain: modern ODBC 17/18 and Microsoft.Data.SqlClient already speak TLS 1.2+. The risk is that one dusty Windows service from 2012. (Upgrade it.)
Do this now
- Enforce TLS ≥ 1.2
  Azure portal → SQL logical server → Networking → Connectivity → Minimum TLS version = 1.2 (or 1.3) → Save. Azure Connectivity
- Modernize client stacks
  Move to ODBC 17/18 or Microsoft.Data.SqlClient; retire SQL Native Client.
- Prove you’re clean
  Query audit logs for client_tls_version_n and chase anything < 1.2. Keep a short “offenders” list for the next patch window.
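An added example (not from the original post) of building that offenders list from exported audit records, grouping callers that negotiated below TLS 1.2. The JSON-lines export shape, the field names other than client_tls_version_n, and the version value format are assumptions; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records. Only client_tls_version_n is from the post; other fields/formats are assumed.
SAMPLE_AUDIT_LINES = """\
{"event_time": "2025-09-02T08:14:11Z", "application_name": "LegacyBillingSvc", "server_principal_name": "svc_billing", "client_ip": "10.0.4.17", "client_tls_version_n": "1.0"}
{"event_time": "2025-09-02T09:02:40Z", "application_name": "LegacyBillingSvc", "server_principal_name": "svc_billing", "client_ip": "10.0.4.17", "client_tls_version_n": "1.0"}
{"event_time": "2025-09-02T09:10:05Z", "application_name": "ReportRunner", "server_principal_name": "svc_reports", "client_ip": "10.0.4.22", "client_tls_version_n": "TLS 1.1"}
{"event_time": "2025-09-02T09:11:30Z", "application_name": "OrdersApi", "server_principal_name": "app_orders", "client_ip": "10.0.5.8", "client_tls_version_n": "1.2"}
{"event_time": "2025-09-02T09:12:02Z", "application_name": "OrdersApi", "server_principal_name": "app_orders", "client_ip": "10.0.5.8", "client_tls_version_n": 1.3}
{"event_time": "2025-09-02T09:15:47Z", "application_name": "AdminTool", "server_principal_name": "dba_admin", "client_ip": "10.0.6.3"}
"""
MIN_TLS = (1, 2)

def parse_tls(value):
    """Return (major, minor), or None when the field is missing or unparseable."""
    text = str(value).upper().replace("TLS", "").strip(" V_")
    major, _, minor = text.partition(".")
    try:
        return (int(major), int(minor or 0))
    except ValueError:
        return None

def find_offenders(lines, minimum=MIN_TLS):
    """Group records below `minimum` by (application, principal, client IP)."""
    offenders = defaultdict(lambda: {"count": 0, "versions": set(), "last_seen": ""})
    unknown = 0
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        version = parse_tls(rec.get("client_tls_version_n"))
        if version is None:
            unknown += 1  # no usable version: review separately, do not treat as clean
            continue
        if version >= minimum:
            continue
        key = tuple(rec.get(f, "?") for f in ("application_name", "server_principal_name", "client_ip"))
        entry = offenders[key]
        entry["count"] += 1
        entry["versions"].add("%d.%d" % version)
        entry["last_seen"] = max(entry["last_seen"], rec.get("event_time", ""))
    return dict(offenders), unknown

if __name__ == "__main__":
    hits, unknown = find_offenders(SAMPLE_AUDIT_LINES.splitlines())
    for key, info in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        print(key, info["count"], sorted(info["versions"]), info["last_seen"])
    print("records without a usable TLS version:", unknown)
```

Records with no parseable version are counted rather than dropped, so a gap in the audit data does not read as a clean result.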
Curiosity corner: TLS 1.3 is supported with TDS 8.0 on SQL Server 2022/Azure SQL—but don’t disable TLS 1.2 yet; some satellite services still need it. TLS 1.3 Support
Patch-window PSA
SQL Server 2022 CU21 (Sept 2025) is out; it includes fixes and a known issue with SESSION_CONTEXT in parallel plans.
Read these notes before you blanket-roll to prod. CU Details
And more. Azure Database Support