| title | Configure Minimal TLS Version - SQL Managed Instance | |
|---|---|---|
| description | Learn how to configure minimal TLS version for a managed instance | |
| author | zoran-rilak-msft | |
| ms.author | zoranrilak | |
| ms.reviewer | mathoma, vanto | |
| ms.date | 07/17/2025 | |
| ms.service | azure-sql-managed-instance | |
| ms.subservice | security | |
| ms.topic | how-to | |
| ms.custom |
|
|
| ms.devlang | azurecli |
Important
Retirement changes
Azure has announced that support for older TLS versions (TLS 1.0, and 1.1) ends August 31, 2025. For more information, see TLS 1.0 and 1.1 deprecation. Starting November 2024, you'll no longer be able to set the minimal TLS version for Azure SQL Managed Instance client connections below TLS 1.2.
The minimum Transport Layer Security (TLS) version setting allows customers to control the version of TLS used by their Azure SQL Managed Instance.
Setting Minimum TLS version to 1.2 is currently enforced for SQL Managed Instance. Setting a minimum TLS version ensures that subsequent, newer TLS versions are supported. Only connections using TLS 1.2 or above are accepted.
For more information, see TLS considerations for SQL Database connectivity.
After setting the Minimum TLS version, login attempts from clients that are using a TLS version lower than the minimum TLS version of the server will fail with following error:
Error 47072
Login failed with invalid TLS version
Note
- When you configure a minimum TLS version, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer might return TLS versions in addition to the minimum required version when run directly against the managed instance endpoint.
- TLS 1.0 and 1.1 is retired and no longer available.
[!INCLUDE updated-for-az]
Important
The PowerShell Azure Resource Manager (AzureRM) module was deprecated on February 29, 2024. All future development should use the Az.Sql module. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates. The AzureRM module is no longer maintained or supported. The arguments for the commands in the Az PowerShell module and in the AzureRM modules are substantially identical. For more about their compatibility, see Introducing the new Az PowerShell module.
The following script requires the Azure PowerShell module.
The following PowerShell script shows how to Get and Set the Minimal TLS Version property at the instance level:
#Get the Minimal TLS Version property
(Get-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group).MinimalTlsVersion
# Update Minimal TLS Version Property
Set-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group -MinimalTlsVersion "1.2"Important
All scripts in this section require Azure CLI.
The following CLI script shows how to change the Minimal TLS Version setting in a bash shell:
# Get current setting for Minimal TLS Version
az sql mi show -n sql-instance-name -g resource-group --query "minimalTlsVersion"
# Update setting for Minimal TLS Version
az sql mi update -n sql-instance-name -g resource-group --set minimalTlsVersion="1.2"
[!INCLUDE tls-deprecation]