Introduction

To strengthen encryption standards and uphold customer trust, Microsoft is deprecating support for legacy TLS cipher suites that do not offer forward secrecy. This change aligns with their ongoing commitment to security and data protection across Microsoft 365 services.

A real-world example of this impact is that it could potentially impact client services such as multi-function printers or scanners that use a scan-to-email function that goes directly to Microsoft 365 if the MFP or scanner does not support the TLS cipher suites listed below.

When

Starting October 20, 2025, Microsoft 365 services will enforce stricter TLS cipher suite policies.

Who

Organizations using legacy operating systems or outdated TLS configurations will be affected.

What

  • Microsoft 365 services will only support the following TLS cipher suites:
    • TLS 1.3
      • TLS_AES_256_GCM_SHA384
      • TLS_AES_128_GCM_SHA256
    • TLS 1.2
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • Connections using deprecated cipher suites will fail.
    • Clients supporting at least one listed TLS 1.2 cipher suite will continue to connect.