SOLVED

TLS Deprecation Report

%3CLINGO-SUB%20id%3D%22lingo-sub-329144%22%20slang%3D%22en-US%22%3ETLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329144%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20does%20the%20TLS%20Deprecation%20Report%20collect%20data%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-358023%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-358023%22%20slang%3D%22en-US%22%3EI%20still%20wonder%20how%20the%20date%20in%20TLS%20deprecated%20report%20is%20collected.%20Referring%20to%20your%20guidance%2C%20I%20understand%20that%20the%20TLS%20connection%20of%20a%20client%20can%20be%20found%20by%20message%20trace%20log%2Fpowershell.%20I%20have%20check%20the%20TLS%20connection%20of%20all%20my%20users.%20They%20all%20using%20TLS1.2%20as%20found%20in%20message%20trace%20log%20similar%20to%20your%20screenshot.%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%2C%20when%20I%20download%20the%20TLS%20Deprecation%20Report%20from%20Secure%20Score%20Dashboard%2C%20it%20still%20shows%20a%20number%20of%20users%20still%20using%20TLS1.0%2F1.1.%20I%20have%20no%20clue%20how%20to%20figure%20out%20how%20this%20data%20be%20collected.%20Please%20advise.%20Thanks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329462%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329462%22%20slang%3D%22en-US%22%3E%3CP%3ESadly%20no.%20There%20is%20no%20way%20to%20get%20detailed%20information%20about%20which%20messages%20correspond%20to%20the%20data%20from%20the%20TLS%20deprecation%20widget%2C%20and%20Microsoft%20has%20no%20plans%20on%20actually%20adding%20such.%20So%20the%20only%20method%20is%20to%20go%20over%20each%20of%20the%20events%20in%20the%20message%20trace%20and%20check%20the%20details%20there.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329210%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329210%22%20slang%3D%22en-US%22%3E%3CP%3ESorry%20that%20I%20didn't%20make%20the%20question%20clear.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20meant%20was%20how%20to%20get%2Ffilter%20TLS1.0%20users%20by%20Message%20Trace%20Logs%3F%26nbsp%3B%20We%20cannot%20get%20the%20information%20for%20every%20message.%26nbsp%3B%20Are%20there%20any%20ways%26nbsp%3Bwe%20can%20get%20TLS1.0%20users%20except%20Deprecation%20Report%3F%26nbsp%3B%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329208%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329208%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20what%20you%20mean%20by%20%22TLS%20users%22%2C%20but%20as%20I%20mentioned%20above%20every%20message%26nbsp%3Btrace%20event%26nbsp%3Bhas%20the%20corresponding%20information%20readily%20available%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EMessage%20Trace%20ID%20%3A%2021a25006-0ba9-4507-196a-08d688141c7f%0AMessage%20ID%20%20%20%20%20%20%20%3A%20%3CD2EA370052924CDC8CC1D6496CC2E062-JVKUGUBNKBZG6ZBNINMTE7CBKBCVQU2SIV6EM33SOVWXGTTPKJSXA3DZPRJW25DQ%3E%0ADate%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%2001%2F02%2F2019%2007%3A08%3A48%0AEvent%20%20%20%20%20%20%20%20%20%20%20%20%3A%20Receive%0AAction%20%20%20%20%20%20%20%20%20%20%20%3A%0ADetail%20%20%20%20%20%20%20%20%20%20%20%3A%20Message%20received%20by%3A%20DB7PR03MB3914%20using%20TLS1.2%20with%20AES256%0AData%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20%3CROOT%3E%3CMEP%20name%3D%22ConnectorId%22%20string%3D%22DB7PR03MB3914%5CDefault%20DB7PR03MB3914%22%3E%3C%2FMEP%3E%3CMEP%20name%3D%22ClientIP%22%20string%3D%222603%3A10a6%3A10%3A72%3A%3A16%22%3E%3C%2FMEP%3E%3CMEP%20name%3D%22ServerHostName%22%20string%3D%22DB7PR03MB3914%22%3E%3C%2FMEP%3E%3CMEP%20name%3D%22FirstForestHop%22%20string%3D%22DB7PR03MB3914.eurprd03.prod.outlook.com%22%3E%3C%2FMEP%3E%3CMEP%20name%3D%22DeliveryPriority%22%20string%3D%22Normal%22%3E%3C%2FMEP%3E%3CMEP%20name%3D%22ReturnPath%22%20string%3D%22maccount%40microsoft.com%22%3E%3C%2FMEP%3E%3CMEP%20name%3D%22CustomData%22%20blob%3D%22S%3AProxyHop1%3DAM5EUR02FT029.mail.protection.outlook.com(10.152.8.161)%3BS%3AProxyHop2%3DDB7PR03CA0075.outlook.office365.com(26%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2003%3A10a6%3A10%3A72%3A%3A16)%3B%26lt%3BSTRONG%26gt%3BS%3Atlsversion%3DSP_PROT_TLS1_2_SERVER%3BS%3Atlscipher%3DCALG_AES_256%26lt%3B%2FSTRONG%26gt%3B%3BS%3AProxiedClientIPAddress%3D207.46.200.12%3BS%3AProxiedClientHostname%3Dsmtpi.msn.com%22%3E%3C%2FMEP%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329200%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329200%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20can%20we%20get%20TLS%20users%20from%20Message%20Trace%20Log%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-329199%22%20slang%3D%22en-US%22%3ERe%3A%20TLS%20Deprecation%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-329199%22%20slang%3D%22en-US%22%3E%3CP%3EMagic.%20All%20the%20relevant%20information%20is%20already%20available%20in%20the%20message%20trace%20logs%2C%20the%20report%20is%20just%20summarizing%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FROOT%3E%3C%2FD2EA370052924CDC8CC1D6496CC2E062-JVKUGUBNKBZG6ZBNINMTE7CBKBCVQU2SIV6EM33SOVWXGTTPKJSXA3DZPRJW25DQ%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

How does the TLS Deprecation Report collect data?

6 Replies
Highlighted
Solution

Magic. All the relevant information is already available in the message trace logs, the report is just summarizing it.

Highlighted

How can we get TLS users from Message Trace Log?

Highlighted

Not sure what you mean by "TLS users", but as I mentioned above every message trace event has the corresponding information readily available:

 

Message Trace ID : 21a25006-0ba9-4507-196a-08d688141c7f
Message ID       : <d2ea370052924cdc8cc1d6496cc2e062-JVKUGUBNKBZG6ZBNINMTE7CBKBCVQU2SIV6EM33SOVWXGTTPKJSXA3DZPRJW25DQ@microsoft.com>
Date             : 01/02/2019 07:08:48
Event            : Receive
Action           :
Detail           : Message received by: DB7PR03MB3914 using TLS1.2 with AES256
Data             : <root><MEP Name="ConnectorId" String="DB7PR03MB3914\Default DB7PR03MB3914"/><MEP Name="ClientIP" String="2603:10a6:10:72::16"/><MEP Name="ServerHostName"
                   String="DB7PR03MB3914"/><MEP Name="FirstForestHop" String="DB7PR03MB3914.eurprd03.prod.outlook.com"/><MEP Name="DeliveryPriority" String="Normal"/><MEP Name="ReturnPath"
                   String="maccount@microsoft.com"/><MEP Name="CustomData" Blob="S:ProxyHop1=AM5EUR02FT029.mail.protection.outlook.com(10.152.8.161);S:ProxyHop2=DB7PR03CA0075.outlook.office365.com(26
                   03:10a6:10:72::16);S:tlsversion=SP_PROT_TLS1_2_SERVER;S:tlscipher=CALG_AES_256;S:ProxiedClientIPAddress=207.46.200.12;S:ProxiedClientHostname=smtpi.msn.com"/><MEP
                   Name="SequenceNumber" Long="0"/></root>
Highlighted

Sorry that I didn't make the question clear.

 

What I meant was how to get/filter TLS1.0 users by Message Trace Logs?  We cannot get the information for every message.  Are there any ways we can get TLS1.0 users except Deprecation Report?  Thanks.

Highlighted

Sadly no. There is no way to get detailed information about which messages correspond to the data from the TLS deprecation widget, and Microsoft has no plans on actually adding such. So the only method is to go over each of the events in the message trace and check the details there.

Highlighted
I still wonder how the date in TLS deprecated report is collected. Referring to your guidance, I understand that the TLS connection of a client can be found by message trace log/powershell. I have check the TLS connection of all my users. They all using TLS1.2 as found in message trace log similar to your screenshot.

However, when I download the TLS Deprecation Report from Secure Score Dashboard, it still shows a number of users still using TLS1.0/1.1. I have no clue how to figure out how this data be collected. Please advise. Thanks.