%3CLINGO-SUB%20id%3D%22lingo-sub-1596262%22%20slang%3D%22en-US%22%3EEnd%20of%20support%20for%26nbsp%3Bnon-secure%20cipher%20suites%26nbsp%3Bin%20Microsoft%20Cloud%20App%20Security%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1596262%22%20slang%3D%22en-US%22%3E%3CP%3ECo-authored%20with%26nbsp%3B%40Itamar%20Falcon%3C%2FP%3E%0A%3CP%3EMicrosoft%20Cloud%20App%20Security%20is%26nbsp%3Bremoving%26nbsp%3Bnon-secure%20cipher%20suites%26nbsp%3Bto%20provide%20best-in-class%20encryption%2C%20and%20to%20ensure%20our%20service%20is%20more%20secure%20by%20default.%26nbsp%3BAs%20of%26nbsp%3BOct%201%2C%202020%2C%20%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fwhat-is-cloud-app-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Cloud%20App%20Security%3C%2FA%3E%E2%80%AFwill%20no%20longer%20support%20the%20following%20cipher%20suites.%26nbsp%3B%20From%20this%20date%20forward%2C%20any%20connection%20using%20these%20protocols%20will%20no%20longer%20work%20as%20expected%2C%20and%20no%20support%20will%20be%20provided.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENon-secure%20cipher%20suites%3A%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EECDHE-RSA-AES256-SHA%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-RSA-AES128-SHA%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EAES256-GCM-SHA384%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EAES128-GCM-SHA256%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EAES256-SHA256%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EAES128-SHA256%E2%80%AF%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EAES256-SHA%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EAES128-SHA%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%E2%80%AF%3C%2FSTRONG%3ESupport%26nbsp%3Bwill%20continue%20for%20the%20following%20suites%3A%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EECDHE-ECDSA-AES256-GCM-SHA384%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-ECDSA-AES128-GCM-SHA256%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-RSA-AES256-GCM-SHA384%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-RSA-AES128-GCM-SHA256%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-ECDSA-AES256-SHA384%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-ECDSA-AES128-SHA256%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-RSA-AES256-SHA384%3A%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EECDHE-RSA-AES128-SHA256%E2%80%AF%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20do%20I%20need%20to%20do%20to%20prepare%20for%20this%20change%3F%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECustomers%26nbsp%3Bshould%20ensure%20that%20all%20client-server%20and%20browser-server%20combinations%26nbsp%3Bare%20using%26nbsp%3Bsupported%26nbsp%3Bsuites%26nbsp%3Bin%20order%20to%20maintain%20the%20connection%20to%20Microsoft%20Cloud%20App%20Security.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EComponents%20that%20may%20be%20affected%20by%20this%20change%20include%3A%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ESIEM%20Agent%26nbsp%3B%E2%80%93%26nbsp%3B%3C%2FSTRONG%3ECustomers%26nbsp%3Bcan%20use%20any%20supported%20cipher%20suite%20as%20described%20above.%26nbsp%3B%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMicrosoft%20Cloud%20App%20Security%20API%3C%2FSTRONG%3E%E2%80%AF%E2%80%93%26nbsp%3BCustom%20applications%20and%20code%20that%20are%20utilizing%20the%20Microsoft%20Cloud%20App%20Security%20API%20must%26nbsp%3Butilize%26nbsp%3Bsupported%20suites%26nbsp%3Bto%20continue%20functioning.%20If%26nbsp%3Bunsure%20whether%20applications%26nbsp%3Bfunction%20with%26nbsp%3Ba%20supported%20suite%2C%26nbsp%3Bcustomers%26nbsp%3Bcan%20test%20by%20authenticating%20to%20our%20dedicated%20API%20endpoint%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftlsv12.portal-rs.cloudappsecurity.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftlsv12.portal-rs.cloudappsecurity.com%3C%2FA%3E.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EApps%20configured%20with%20Conditional%20Access%20App%20Control%3C%2FSTRONG%3E%E2%80%AF%E2%80%93%20If%26nbsp%3Bcustomers%26nbsp%3Bare%20using%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConditional%20Access%20App%20Control%3C%2FA%3E%E2%80%AFfor%20any%20web%20or%20native%20client%20applications%2C%26nbsp%3Bthey%26nbsp%3Bmust%26nbsp%3Bverify%20that%20these%20applications%26nbsp%3Bare%20not%20using%20the%20deprecated%20suites%3B%26nbsp%3Baccess%20to%20apps%26nbsp%3Bthat%20use%20non-secure%20cipher%20suites%20and%26nbsp%3Brelevant%20controls%20will%20no%20longer%20work.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ELog%20collector%3C%2FSTRONG%3E%E2%80%AF%E2%80%93%20No%20changes%26nbsp%3Bare%26nbsp%3Bneeded%26nbsp%3Bif%26nbsp%3Bno%20modification%20was%20done%20to%20the%20provided%20docker.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%26nbsp%3Badditional%20inquiries%20please%20contact%20support.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-%26nbsp%3BMicrosoft%20Cloud%20App%20Security%20team%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1596262%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Cloud%20App%20Security%20is%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eremoving%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Enon-%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Esecure%20cipher%20suites%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eto%20provide%20best-in-class%20encryption%2C%20and%20to%20ensure%20our%20service%20is%20more%20secure%20by%20default.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1596262%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECipher%20Suites%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMCAS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Co-authored with @Itamar Falcon

Microsoft Cloud App Security is removing non-secure cipher suites to provide best-in-class encryption, and to ensure our service is more secure by default. As of Oct 1, 2020,  Microsoft Cloud App Security will no longer support the following cipher suites.  From this date forward, any connection using these protocols will no longer work as expected, and no support will be provided. 

 

Non-secure cipher suites: 

  • ECDHE-RSA-AES256-SHA       
  • ECDHE-RSA-AES128-SHA       
  • AES256-GCM-SHA384       
  • AES128-GCM-SHA256       
  • AES256-SHA256       
  • AES128-SHA256   
  • AES256-SHA 
  • AES128-SHA 

 

Support will continue for the following suites: 

  • ECDHE-ECDSA-AES256-GCM-SHA384:  
  • ECDHE-ECDSA-AES128-GCM-SHA256:  
  • ECDHE-RSA-AES256-GCM-SHA384:  
  • ECDHE-RSA-AES128-GCM-SHA256:  
  • ECDHE-ECDSA-AES256-SHA384:  
  • ECDHE-ECDSA-AES128-SHA256:  
  • ECDHE-RSA-AES256-SHA384:  
  • ECDHE-RSA-AES128-SHA256  

 

What do I need to do to prepare for this change? 

Customers should ensure that all client-server and browser-server combinations are using supported suites in order to maintain the connection to Microsoft Cloud App Security. 

 

Components that may be affected by this change include: 

  • SIEM Agent – Customers can use any supported cipher suite as described above.  
  • Microsoft Cloud App Security API – Custom applications and code that are utilizing the Microsoft Cloud App Security API must utilize supported suites to continue functioning. If unsure whether applications function with a supported suite, customers can test by authenticating to our dedicated API endpoint: https://tlsv12.portal-rs.cloudappsecurity.com
  • Apps configured with Conditional Access App Control – If customers are using Conditional Access App Control for any web or native client applications, they must verify that these applications are not using the deprecated suites; access to apps that use non-secure cipher suites and relevant controls will no longer work. 
  • Log collector – No changes are needed if no modification was done to the provided docker. 

 

For additional inquiries please contact support. 

- Microsoft Cloud App Security team