AzPolicyAdvertizer

last sync: 2025-Aug-13 17:22:53 UTC

Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode

3aa87b5a-7813-4b57-8a43-42dd9df5aaa7

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]

Category

Azure Active Directory
Microsoft Learn

Description

Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.

Cloud environments

AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown

Available in AzUSGov

Unknown, no evidence if Policy definition is/not available in AzureUSGovernment

Mode

Indexed

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Audit
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1	Microsoft.AAD	DomainServices	properties.domainSecuritySettings.tlsV1	True		True

Rule resource types

IF (1)

Microsoft.AAD/domainServices

Compliance

Not a Compliance control

Initiatives usage

none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-05-18 14:34:48	change	Minor (1.0.0 > 1.1.0)
2021-04-21 13:28:46	add	3aa87b5a-7813-4b57-8a43-42dd9df5aaa7

JSON compare

compare mode: version left: version right:

1.0.0 → 1.1.0 RENAMED Viewed

@@ -3,9 +3,9 @@
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.",
     "metadata": {
-        "version": "1.0.0",
         "category": "Azure Active Directory"
     },
     "parameters": {
         "effect": {
@@ -15,8 +15,9 @@
                 "description": "Enable or disable the execution of the policy"
             },
             "allowedValues": [
                 "Audit",
                 "Disabled"
             ],
             "defaultValue": "Audit"
         }

     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.",
     "metadata": {
+        "version": "1.1.0",
         "category": "Azure Active Directory"
     },
     "parameters": {
         "effect": {
                 "description": "Enable or disable the execution of the policy"
             },
             "allowedValues": [
                 "Audit",
+                "Deny",
                 "Disabled"
             ],
             "defaultValue": "Audit"
         }

JSON

api-version=2021-06-01
EPAC

{7 itemsdisplayName: "Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode",
policyType: "BuiltIn",
mode: "Indexed",
description: "Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.",
metadata: {2 itemsversion: "1.1.0",
category: "Azure Active Directory"
},
parameters: {1 itemeffect: {4 itemstype: "String",
metadata: {2 itemsdisplayName: "Effect",
description: "Enable or disable the execution of the policy"
},
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
],
defaultValue: "Audit"
}
},
policyRule: {2 itemsif: {1 itemallOf: [2 items{2 itemsfield: "type",
equals: "Microsoft.AAD/domainServices"
},
{2 itemsfield: "Microsoft.AAD/domainServices/domainSecuritySettings.tlsV1",
notEquals: "Disabled"
}
]
},
then: {1 itemeffect: "[parameters('effect')]"
}
}
}