We have deprecated the use of legacy TLS for all Exchange Online endpoints. If TLS 1.2 is not enabled on your servers that are running Exchange Online, and you are still using a hybrid Exchange Server environment, you will experience the following issues:
- Inability to access free/busy information of Exchange Online mailboxes
- Inability to access cloud archives by users whose primary mailbox is on-premises
TLS deprecation will also affect users when they create a federation trust manually or by using the Hybrid Configuration Wizard (HCW) if TLS 1.2 is not configured.
- When you create a federation trust manually, you may experience the following issue when you run the Set-FederatedOrganizationIdentifier cmdlet:

    Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace <account namespace> -Enabled $True -Verbose

    Error:
    An error occurred while attempting to provision Exchange to the Partner STS.
    Detailed Information:
    "An error occurred accessing Windows Live".
    "The underlying connection was closed: An unexpected error occurred on a send."."

- If you are using the HCW to configure a hybrid environment between Microsoft Exchange Server 2010 and Exchange Online, and the wizard is stuck at the domain verification stage, this situation might be caused by the same issue. You can verify this by looking at the HCW logs.
Resolution
To resolve this issue, make sure that your on-premises environment supports TLS 1.2. We have deprecated TLS protocols 1.0 and 1.1 for Microsoft Office 365. The following articles include steps about how to implement TLS 1.2:
- Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
- Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
- Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
- If you are using Microsoft Exchange Server 2010 Service Pack 2 (SP2), see Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1.
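
A read-only check of whether an on-premises server is set up for TLS 1.2, added here as an example and not part of the original article. It reads the standard Windows SCHANNEL and .NET Framework registry settings; the helper name Get-RegValue is hypothetical.

```powershell
# Added example (not from the original article). Read-only: it queries
# registry values and changes nothing. Written to run on PowerShell 2.0.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, which means the
    # operating system default for that Windows version applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. SCHANNEL: which protocol versions the OS offers as client and server.
#    Any nonzero Enabled value means the protocol is enabled.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolRows = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = "$schannel\$proto\$role"
        New-Object PSObject -Property @{
            Setting           = "$proto $role"
            Enabled           = Get-RegValue $key 'Enabled'
            DisabledByDefault = Get-RegValue $key 'DisabledByDefault'
        }
    }
}
$protocolRows | Format-Table Setting, Enabled, DisabledByDefault -AutoSize

# 2. .NET Framework: whether managed code (including the Exchange
#    Management Shell) follows the OS defaults and uses strong crypto.
$netRows = foreach ($hive in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
    foreach ($version in 'v2.0.50727', 'v4.0.30319') {
        $key = "$hive\.NETFramework\$version"
        New-Object PSObject -Property @{
            Key                      = $key
            SystemDefaultTlsVersions = Get-RegValue $key 'SystemDefaultTlsVersions'
            SchUseStrongCrypto       = Get-RegValue $key 'SchUseStrongCrypto'
        }
    }
}
$netRows | Format-List Key, SystemDefaultTlsVersions, SchUseStrongCrypto

# 3. What the current PowerShell session will use for outbound calls.
"Session SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

A blank value means the registry value is not set, so the default for that Windows version applies. When TLS 1.2 is explicitly enabled, the TLS 1.2 rows show a nonzero Enabled and a DisabledByDefault of 0, and the .NET rows show 1 for both values.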
After you enable TLS 1.2, enable the federation trust manually or by using HCW. If the issue persists, run the following commands in the Exchange Management Shell before you use Set-FederatedOrganizationIdentifier:
- Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace <account namespace> -Enabled $True -Verbose