Introduction #
By default, legacy TLS (1.0 and 1.1) is disabled as a security measure.
This setting helps to ensure that legacy TLS is not enabled inadvertently, which would allow an insecure legacy protocol to be used.
However, in certain circumstances it may be necessary to override this setting and enable the legacy versions of TLS if there is no viable alternative.
In 2021 Microsoft announced that they would deprecate TLS 1.0 and 1.1 from Office 365 and Microsoft 365 (more info). For MSPs supporting legacy environments, there are often devices such as multi-function printers / scanners and legacy software applications which rely on TLS 1.0 and 1.1 to connect to Exchange Online via the SMTP email protocol.
Best practice would always say that disabling legacy TLS protocols is the ideal option and that is what we recommend.
User Impact #
High
Enabling legacy TLS exposes the tenant to vulnerabilities which exist in these protocols and may place the tenant at risk.
However, disabling legacy TLS protocols while they are still in use will prevent access to Exchange Online via SMTP for some devices and applications, which in turn will stop them from sending emails. The impact will vary, but in most cases it will be significant for end users.
Parameters #
Legacy TLS Opt-in – Enabled/Disabled
Disabled is set by default and is recommended
Admin Portal Reference #
This setting cannot be configured using the admin portal.
PowerShell Reference #
Both commands require a connected Exchange Online PowerShell session.
To enable Legacy TLS Opt-in:
Set-TransportConfig -AllowLegacyTLSClients $true
To disable Legacy TLS Opt-in:
Set-TransportConfig -AllowLegacyTLSClients $false
If Action is set to Notify #
When Legacy TLS Opt-In matches the enabled/disabled value provided by the parameter the setting will report as compliant.
When the Legacy TLS Opt-In does not match the enabled/disabled value provided by the parameter the setting will report as non-compliant.
If Action is set to Enforce #
When Legacy TLS Opt-In matches the enabled/disabled value provided by the parameter the setting will report as compliant.
When the Legacy TLS Opt-In does not match the enabled/disabled value provided by the parameter the setting will be updated to match the parameter and report as compliant-fixed.
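As an added example (not the tool's own code), the following PowerShell function implements the Notify and Enforce behaviour described in the two sections above. It assumes an existing session opened with Connect-ExchangeOnline; the function name, parameter names and the result object layout are assumptions, while Get-TransportConfig, Set-TransportConfig and the AllowLegacyTLSClients property are the real Exchange Online cmdlets and property.

```powershell
# Added example: evaluate the Legacy TLS Opt-in setting against the desired
# value and apply the Notify / Enforce logic from this page.
# Assumes a session created with Connect-ExchangeOnline (ExchangeOnlineManagement).
# Function, parameter and result-field names are hypothetical.
function Test-LegacyTlsOptIn {
    [CmdletBinding()]
    param(
        [ValidateSet('Enabled', 'Disabled')]
        [string]$Desired = 'Disabled',   # Disabled is the default and the recommended value

        [ValidateSet('Notify', 'Enforce')]
        [string]$Action = 'Notify'
    )

    # Helper that builds one uniform result record for reporting.
    function New-Result([bool]$Current, [bool]$Wanted, [string]$Result) {
        [pscustomobject]@{
            Setting = 'Legacy TLS Opt-in'
            Current = $Current
            Desired = $Wanted
            Result  = $Result
        }
    }

    $wanted  = ($Desired -eq 'Enabled')
    $current = [bool](Get-TransportConfig).AllowLegacyTLSClients

    # Already matches the parameter: compliant under both actions.
    if ($current -eq $wanted) {
        return New-Result $current $wanted 'Compliant'
    }

    # Notify only reports the drift; it never changes the tenant.
    if ($Action -eq 'Notify') {
        return New-Result $current $wanted 'Non-Compliant'
    }

    # Enforce: update the tenant to match the parameter.
    if ($wanted) {
        Write-Warning 'Enabling legacy TLS (1.0/1.1) exposes the tenant to weaknesses in those protocols.'
    }
    Set-TransportConfig -AllowLegacyTLSClients $wanted

    # Re-read the setting so the report reflects what the tenant now holds.
    $after  = [bool](Get-TransportConfig).AllowLegacyTLSClients
    $result = if ($after -eq $wanted) { 'Compliant-Fixed' } else { 'Non-Compliant' }
    return New-Result $after $wanted $result
}

# Usage: Test-LegacyTlsOptIn -Desired Disabled -Action Enforce
```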