Strengthening Security in Azure IoT Hub: Transitioning to TLS 1.2+ and Planning for TLS 1.3
To align with the broader Azure effort for all services to adopt TLS 1.2+, Azure IoT Hub will officially remove support for Transport Layer Security (TLS) 1.0 and 1.1 starting July 1st, 2025. Although Microsoft’s implementation of older TLS versions is not known to be vulnerable, the adoption of TLS 1.2 and later versions brings significant improvements to security through stronger cryptographic algorithms, perfect forward secrecy, and more resilient cipher suites.
Why TLS 1.2 and Beyond?
TLS 1.2 offers substantial benefits over older versions:
Perfect Forward Secrecy (PFS): PFS helps ensure that even if long-term keys are compromised, past communications remain secure.
Stronger Cipher Suites: TLS 1.2 helps support more modern and robust cryptographic algorithms, helping to make your data and device connections more resistant to potential attacks.
Better Performance: TLS 1.2 is designed to be faster and more efficient, helping reduce latency for secure communications.
Additionally, we are committed to helping support TLS 1.3 in the upcoming calendar year (2025), bringing even more secure cipher suites and faster handshakes. This forward-looking investment will ensure Azure IoT Hub remains ahead of evolving security threats, delivering faster, more secure, and more efficient communication for your IoT devices. This means that customers who transition to TLS 1.2 now will be well-positioned for the future as we roll out TLS 1.3 support across the service.
Recommended Actions
To avoid potential service disruptions after July 1st, 2025, please confirm that devices connected with Azure IoT Hub are using TLS 1.2 or later. Then:
If devices are already exclusively using TLS 1.2 or later, no further action needs to be taken.
If devices still have a dependency on TLS 1.0 or 1.1, transition them to TLS 1.2 or later by July 1st, 2025.
Monitoring and Analyzing TLS Versions
Azure IoT Hub emits resource logs for several categories that can be analyzed using Azure Monitor Logs. And to assist with this transition, Azure IoT Hub provides insights into client connections, allowing you to monitor the TLS versions in use by your devices. You may utilize this feature to determine the impact of this change in your IoT solution.
To view these logs, follow these steps:
1. Enable diagnostic settings under Monitoring section for your Azure IoT Hub . Ensure “Connections” category is checkmarked.
2. Navigate to Logs and use the following query to find the devices that recently connected and their respective TLS version, an example of the query is shown in the screenshot below:
Note: HTTPS connections will not generate an event in Azure Monitor logs.
For more information on Azure IoT Hub TLS support, refer to Azure IoT Hub TLS support | Microsoft Learn.
Microsoft Tech Community – Latest Blogs –Read More