End-to-end encryption for Teams calls

Make Sure Your Confidential Teams Calls Are End-to-End Encrypted

On Day 14 of Cybersecurity awareness month, ensure to enable End-to-end Encryption for confidential Teams calls. Stay tuned for more blogs in the Office 365 Cybersecurity blog series.   

In recent times, Microsoft Teams has emerged as the ultimate workspace for real-time collaboration and communication. Since most of the business communication is carried out by MS teams, security has become a concern.  By default, Teams calls over VOIP are encrypted using Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP).  However, these protocols allow admins to configure automatic recording and transcription of calls. 

But there are times when heightened confidentiality is required. There comes the End-to-end encryption for Microsoft Teams where it secures 1:1 calls and helps meet privacy requirements for the organizations. 

“We need to think about encryption not as this sort of arcane, black art. It’s a basic protection!”     

– Edward Snowden 

What is End-to-end Encryption? 

End-to-end encryption (E2EE) is one of the most practical and reliable methods for protecting digital information. E2EE does not change the way communication is executed or transmitted. It simply acts as a shield of protection where decryption takes place at the said destination, not in the intermediaries.  

What Does End-to-End Encryption in Teams Calls Do?

The end-to-end encryption process encrypts content before it’s sent and only the intended recipient can decrypt it. It is not possible for anyone else to access the decrypted conversation, including Microsoft. Encryption is applied to basic call features like audio, video, screen share, and chat.  

While the end-to-end encryption is turned on, users won’t be able to avail the following settings. 

  • Call Recording 
  • Live caption and transcription 
  • Call Transfer 
  • Call Park 
  • Call Merge 
  • Call companion and transfer to another device 
  • Consult then transfer 
  • Add participant to make one-to-one call a group call 

Note- If users require these features in a one-to-one Teams call, then they need to turn off the end-to-end encryption manually. 

Prerequisites to Turn on End-to-end Encryption: 

  • Users on both sides should have the latest versions of the Teams desktop client for Windows or Mac. 
  • Users must have the latest version of the Teams app on their iOS and Android phones to enable the setting on their phones. 
  • Users can have Teams Rooms on Windows device with the latest update. 
  • End-to-end encryption won’t be available for Teams on the web. 

How to Enable End-to-end encryption for Microsoft Teams? 

End-to-end encryption policy for Microsoft Teams calls can be enabled through both the admin center and Microsoft PowerShell. 

Actions That Admins Need to Take

Using Admin Center:

The foremost step involves admins turning on the End-to-end encryption policy in the Teams admin center. Do note that it will take some time for the changes made in Teams policies to take effect. 

  • Open the Microsoft 365 Teams admin center
  • Select Enhanced encryption policy
  • Add a new policy and name it. 
  • By default, the end-to-end encryption policy will be disabled. Change it to Not enabled, but users can enable, and click Save
  • Select the policy and assign users for whom you want to enable the end-to-end encryption policy. 
Have you enabled End-to-end encryption for Teams calls?
End-to-end Encryption policy configuration

Using PowerShell:

After connecting to the Teams module,  

Case 1 – If you want to enable end-to-end encryption for the whole tenant, you can run the below cmdlet. 

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride 

The ‘DisabledUserOverride’ parameter means that E2EE is disabled by default, but users can override this default configuration to enable E2EE in their Teams settings. 

Case 2 – If you want to enable end-to-end encryption for a specific user, run the below cmdlet. You can provide the required user’s email address in the ‘Identity’ parameter. 

Grant-CsTeamsEnhancedEncryptionPolicy -Identity "Magnus@vioroly.onmicrosoft.com" -PolicyName "E2EUserPolicy" 

Actions That Users Need to Take

After the encryption policy is configured by the admin, the users will be able to see the end-to-end encryption option in their Teams settings. Users can enable this setting by using the steps mentioned below. 

  • Open the Microsoft Teams desktop app. 
  • Select More options next to the profile picture. 
  • Choose ‘Settings’ and go to ‘Privacy’. 
  • Turn on the ‘End-to-end encrypted calls’ setting. 
Enabling End-to-end Encryption in Microsoft Teams

How Can You Confirm if You Are on End-to-End Encrypted Teams Call? 

Once the setting is enabled, every Teams call is encrypted by Microsoft 365 encryption technologies. Users can see an encryption indicator (shield with a lock) in the upper left corner of the Teams call window.  If a Teams call is encrypted, users at both ends can see the same security numbers. 

Encrypted Teams calls

Even though users with routine check-in calls are likely not to be hampered by encrypted communication, it will play a significant role when you want to discuss corporate secrets and other sensitive information over MS Teams! Give it a try! 

Leave a Reply

Your email address will not be published. Required fields are marked *

Make Sure Your Confidential Teams Calls Are End-to-End Encrypted

time to read: 3 min
Follow us!