draft complete

gitName · gitName · commit 7c5c808e1c2a · 2025-10-10T13:40:36.000-07:00
diff --git a/articles/api-management/TOC.yml b/articles/api-management/TOC.yml
@@ -356,6 +356,7 @@
     href: api-management-howto-ca-certificates.md
   - name: Manage protocols and ciphers
     href: api-management-howto-manage-protocols-ciphers.md
+    displayName: TLS, TLS 1.3
   - name: Protect with Defender for APIs
     href: protect-with-defender-for-apis.md
   - name: Mitigate OWASP API threats
diff --git a/articles/api-management/api-management-howto-manage-protocols-ciphers.md b/articles/api-management/api-management-howto-manage-protocols-ciphers.md
@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 10/08/2025
+ms.date: 10/10/2025
 ms.author: danlep
 ---
 
@@ -21,7 +21,7 @@ Azure API Management supports multiple versions of Transport Layer Security (TLS
 
 API Management also supports multiple cipher suites used by the API gateway.
 
-Depending on the service tier, API Management supports TLS versions up to 1.2 or TLS 1.3 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.
+API Management supports TLS versions up to TLS 1.3 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.
 
 :::image type="content" source="media/api-management-howto-manage-protocols-ciphers/api-management-protocols-ciphers.png" alt-text="Screenshot of managing protocols and ciphers in the Azure portal.":::
 
@@ -33,7 +33,6 @@ Depending on the service tier, API Management supports TLS versions up to 1.2 or
 > [!NOTE]
 > Depending on the API Management service tier, changes can take 15 to 45 minutes or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.  
 
-
 ## Prerequisites
 
 * An API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).
@@ -42,7 +41,7 @@ Depending on the service tier, API Management supports TLS versions up to 1.2 or
 
 ## How to manage TLS protocols and cipher suites
 
-1. In the left navigation of your API Management instance, under **Security**, select **Protocols + ciphers**.  
+1. In the sidebar of your API Management instance, under **Security**, select **Protocols + ciphers**.  
 1. Enable or disable desired protocols or ciphers.
 1. Select **Save**.
 
@@ -59,7 +58,7 @@ TLS 1.3 is a major revision of the TLS protocol that provides improved security
 
 TLS 1.3 doesn't support certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection.
 
-Services that we identified as reliant on client certificate renegotiation do not have TLS 1.3 enabled by default. 
+Services that API Management identifies as reliant on client certificate renegotiation do not have TLS 1.3 enabled by default. You can choose to enable TLS 1.3 manually. 
 
 > [!WARNING]
 > If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect. Review APIs that recently used certificate renegotiation before enabling client-side TLS 1.3 in any service that doesn't have it enabled by default.
@@ -68,15 +67,15 @@ To enable TLS 1.3 for client-side connections in these instances, configure sett
 
 1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
 1. Review the list of **Recent client certificate renegotiations**. The list shows API operations where clients recently used client certificate renegotiation.
-1. If you choose to enable TLS 1.3 for client-side connections, select **Enable**.
+1. If you choose to enable TLS 1.3 for client-side connections, under **Change TLS 1.3 status**, select **Enable**.
 1. Select **Close**.
 
 After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in logs that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
 
 If you need to disable TLS 1.3 for client-side connections in these instances, configure settings on the **Protocols + ciphers** page:
 
 1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
-1. Select **Disable**.
+1. Under **Change TLS 1.3 status**, elect **Disable**.
 1. Select **Close**.
 
 ### Backend-side TLS 1.3
@@ -88,7 +87,8 @@ Enabling backend-side TLS 1.3 is optional. If you enable it, API Management uses
 
 You can enable backend-side TLS 1.3 from the **Protocols + ciphers** page:    
 
-1. On the **Protocols + ciphers** page, in the **Backend protocol** section, enable the **TLS 1.3** setting.
+1. On the **Protocols + ciphers** page, in the **Backend protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
+1. Under **Change TLS 1.3 status**, select **Enable**.
 1. Select **Save**.
 
 ## Related content
