diff --git a/modules/Microsoft.Sql/servers/.parameters/parameters.json b/modules/Microsoft.Sql/servers/.parameters/parameters.json
index 091333e683..13ec2f832b 100644
--- a/modules/Microsoft.Sql/servers/.parameters/parameters.json
+++ b/modules/Microsoft.Sql/servers/.parameters/parameters.json
@@ -27,6 +27,9 @@
 "location": {
 "value": "westeurope"
 },
+ "minimalTlsVersion": {
+ "value": "1.2"
+ },
 "roleAssignments": {
 "value": [
 {
diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep
index 91e1453530..63518b250e 100644
--- a/modules/Microsoft.Sql/servers/deploy.bicep
+++ b/modules/Microsoft.Sql/servers/deploy.bicep
@@ -46,6 +46,14 @@ param securityAlertPolicies array = []
 @description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.')
 param administrators object = {}
+@allowed([
+ '1.0'
+ '1.1'
+ '1.2'
+])
+@description('Optional. Minimal TLS version allowed.')
+param minimalTlsVersion string = '1.2'
+
 @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
@@ -90,6 +98,7 @@ resource server 'Microsoft.Sql/servers@2021-05-01-preview' = {
 tenantId: administrators.tenantId
 } : null
 version: '12.0'
+ minimalTlsVersion: minimalTlsVersion
 }
 }
diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md
index c83c4d5229..529b1018b5 100644
--- a/modules/Microsoft.Sql/servers/readme.md
+++ b/modules/Microsoft.Sql/servers/readme.md
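Review bot: The `@allowed` list on `minimalTlsVersion` in the deploy.bicep hunk at `@@ -46,6 +46,14 @@` still admits '1.0' and '1.1' with no caveat in the `@description`, so a consumer reading the generated parameter table sees three equally valid choices; the description should steer towards the default, e.g. `@description('Optional. Minimal TLS version allowed. TLS 1.0 and 1.1 are considered insecure and should only be selected for a documented legacy-client exception; 1.2 is the recommended default.')`. The same wording belongs in the `minimalTlsVersion` row that the readme.md hunk at `@@ -46,6 +46,7 @@` adds. Because the resource hunk at `@@ -90,6 +98,7 @@` now always sets `minimalTlsVersion` on the server, consumers who never passed the parameter will presumably be pinned to 1.2 on their next deployment, which looks intended but is worth a changelog or readme note; that resource declaration starts outside the hunk.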
@@ -46,6 +46,7 @@ This module deploys a SQL server.
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | The firewall rules to create in the server. |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Minimal TLS version allowed. |
 | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `securityAlertPolicies` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ array | `[]` | | The security alert policies to create in the server. |
@@ -405,6 +406,9 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 "location": {
 "value": "westeurope"
 },
+ "minimalTlsVersion": {
+ "value": "1.2"
+ },
 "roleAssignments": {
 "value": [
 {
@@ -504,6 +508,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = {
 administratorLogin: kv1.getSecret('administratorLogin')
 administratorLoginPassword: kv1.getSecret('administratorLoginPassword')
 location: 'westeurope'
+ minimalTlsVersion: '1.2'
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'