MC1155427 - Legacy TLS cipher suites will be deprecated in M365 services on October 20, 2025

Introduction

To strengthen encryption standards and uphold customer trust, Microsoft is deprecating support for legacy TLS cipher suites that do not offer forward secrecy. This change aligns with our ongoing commitment to security and data protection across Microsoft 365 services.

Starting October 20, 2025, Microsoft 365 services will enforce stricter TLS cipher suite policies.

Who is affected:

• Admins managing Microsoft 365 services across commercial, GCC, and GCC High tenants.
• Organizations using legacy operating systems or custom TLS configurations.

What will happen:

• Microsoft 365 services will only support the following TLS cipher suites:
• TLS 1.3
  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
• TLS 1.2
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• Connections using deprecated cipher suites will fail.
• Clients supporting at least one listed TLS 1.2 cipher suite will continue to connect.

• Ensure all client systems are running supported operating systems that include the required cipher suites.
• Upgrade legacy systems (e.g., Windows 8, Windows Server 2012) to supported versions.
• Review and update Group Policy or security configurations to confirm required cipher suites are enabled.
• Communicate this change to helpdesk and infrastructure teams.
• Reference the following resources for configuration guidance:
  • Manage Transport Layer Security (TLS)
  • Technical reference details about encryption

No compliance considerations identified, review as appropriate for your organization.