Hi @PANNARAT, MASSATRON,
Thank you for reaching out to Microsoft Q&A.
Azure API Management (APIM) allows customers to configure TLS protocols and cipher suites, including enabling or disabling certain cipher suites that are marked as weak (such as RSA-based or CBC-mode ciphers). However, based on currently available official documentation and public announcements, there is no explicit roadmap or confirmed timeline from Microsoft regarding the deprecation or removal of these weak or legacy cipher suites specifically within APIM. These weak cipher suites are still supported primarily to maintain backward compatibility with legacy clients and systems. At the same time, Microsoft strongly recommends using modern TLS versions (TLS 1.2 and TLS 1.3) and secure cipher suites. The lack of a formal deprecation timeline indicates that cipher retirement decisions are handled on a per-service basis and depend on ecosystem impact. Therefore, while these cipher suites are still available today, they should not be considered part of a long-term secure architecture, as future deprecation is highly likely but currently unspecified.
Refer to the points below to resolve this issue or as a workaround:
No official deprecation timeline is published
As of now, Microsoft has not announced any official deprecation schedule or roadmap for weak/legacy TLS cipher suites in Azure API Management. Customers should monitor Azure updates and service changelogs for any future announcements.
Weak cipher suites are provided for backward compatibility only
Cipher suites marked as weak are still available in APIM to support legacy clients, but they are not recommended for secure production use. These should be treated as temporary compatibility options rather than long-term solutions.
Follow Azure security best practices
Customers should proactively disable weak ciphers and enforce strong encryption standards:
- Disable CBC-based and RSA key exchange cipher suites
- Enforce minimum TLS version 1.2 or preferably TLS 1.3
- Prefer modern cipher suites such as GCM-based or TLS 1.3 ciphers
Expect advance notice before enforcement changes
Although no timeline is published, Microsoft typically provides advance notifications via Azure Service Health or official updates before enforcing breaking security changes. Any deprecation (if introduced) is expected to follow phased rollout practices.
Design for future compliance
To avoid future disruptions and compliance risks, ensure that all applications and connected clients support strong cipher suites and modern TLS versions, and avoid dependencies on weak/legacy cipher configurations.
Hope this helps!
If the resolution was helpful, kindly take a moment to click Yes for "Was this answer helpful". And if you have any further queries, do let us know.
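One way to check an instance against the recommendations in the answer above (disable CBC and RSA key exchange suites, enforce TLS 1.2 or later), as an added example that is not part of the original answer or Microsoft's code. It assumes the gateway settings are exported as an APIM `customProperties` map with keys under the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.` prefix; the sample map is constructed, so verify the key names against your own instance's export.

```python
# Added example: audit an APIM customProperties map for the weak settings
# named in the answer (CBC mode, RSA key exchange, protocols below TLS 1.2).
# Assumption: keys follow the APIM gateway customProperties naming scheme.
PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security."
LEGACY_PROTOCOLS = {"Ssl30", "Tls10", "Tls11"}

def cipher_weaknesses(name):
    """Return the reasons a cipher suite name counts as weak (empty if none)."""
    reasons = []
    if name.startswith("TLS_RSA_WITH_"):
        reasons.append("RSA key exchange (no forward secrecy)")
    if "_CBC_" in name:
        reasons.append("CBC mode")
    if name == "TripleDes168" or "3DES" in name:
        reasons.append("3DES")
    return reasons

def is_enabled(value):
    # Values are typically the strings "True"/"False"; compare case-insensitively.
    return str(value).strip().lower() == "true"

def audit(custom_properties):
    """List (property key, reason) for every weak setting that is still enabled."""
    findings = []
    for key, value in sorted(custom_properties.items()):
        if not key.startswith(PREFIX) or not is_enabled(value):
            continue
        section, _, name = key[len(PREFIX):].rpartition(".")
        if section == "Ciphers":
            findings.extend((key, reason) for reason in cipher_weaknesses(name))
        elif section.endswith("Protocols") and name in LEGACY_PROTOCOLS:
            findings.append((key, "protocol below TLS 1.2"))
    return findings

def remediation(custom_properties):
    """Build the property overrides that switch every flagged setting off."""
    return {key: "False" for key, _ in audit(custom_properties)}

# Constructed sample export (not taken from a real instance).
SAMPLE = {
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA": "True",
    PREFIX + "Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "true",
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "False",
    PREFIX + "Ciphers.TripleDes168": "False",
    PREFIX + "Protocols.Tls11": "True",
    PREFIX + "Backend.Protocols.Tls10": "False",
}

if __name__ == "__main__":
    for key, reason in audit(SAMPLE):
        print(f"{key}: {reason}")
```

The audit only evaluates properties that appear in the map, so compare the result against the full cipher list shown for the instance before treating a clean report as complete.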