Microsoft Teams has become a critical platform for business communications, especially with the rise of remote and hybrid work models. With over 320 million monthly active users, Teams hosts sensitive conversations, file sharing, and collaborative work, necessitating a thorough understanding of how Teams protects data in transit and at rest. Encryption is essential for protecting sensitive communications and helping to ensure compliance with regulatory requirements. Organizations routinely exchange confidential information, including intellectual property, financial data, and personally identifiable information (PII). Without robust encryption, this information could be vulnerable to interception and unauthorized access.
Microsoft Teams employs multiple layers of encryption to protect different types of data throughout the communication process. These include transport layer encryption, platform-level encryption, service encryption, customer key encryption, and end-to-end encryption (E2EE). Standard encryption in Teams provides comprehensive protection for data in transit and at rest without requiring additional configuration by users or administrators. E2EE helps ensure that only the communicating parties can access the unencrypted content, providing additional protection for audio, video, and screen sharing capabilities in one-to-one calls and meetings configured to require E2EE. Organizations should develop a comprehensive encryption strategy that includes Microsoft Teams within their broader security architecture, balancing security needs with operational requirements to protect communications while maintaining essential collaboration capabilities.
Introduction
Microsoft Teams has become a critical platform for business communications, especially with the rise of remote and hybrid work models. With over 320 million monthly active users Teams hosts sensitive conversations, file sharing, and collaborative work, understanding how Teams protects data is important for some customers.
Importance of Encryption & Protecting Sensitive Communications
Encryption is essential for protecting sensitive communications and helping ensure compliance with regulatory requirements. Organizations routinely exchange confidential information, including intellectual property, financial data, and personally identifiable information (PII). Without robust encryption, this information could be vulnerable to interception and unauthorized access.
Compliance Requirements
Many regulatory frameworks explicitly mandate encryption for protecting sensitive data.
- The General Data Protection Regulation (GDPR) requires appropriate technical measures to help ensure data security, with encryption specifically mentioned as a recommended safeguard for protecting personal data.
- The Health Insurance Portability and Accountability Act (HIPAA) includes encryption as an addressable implementation specification for electronic protected health information, making it essential for healthcare organizations and their business associates.
- The Payment Card Industry Data Security Standard (PCI DSS) requires encryption of cardholder data transmitted over open, public networks to protect financial information.
- The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), provide safe harbor provisions for encrypted data in certain circumstances, reducing liability in case of data breaches.
- The National Institute of Standards and Technology (NIST) Special Publication 800-53 includes numerous controls related to cryptographic protection of information, which many federal and commercial organizations use as a security baseline.
Microsoft Teams Encryption Overview
Microsoft Teams employs multiple layers of encryption to protect different types of data throughout the communication process. These include transport layer encryption, platform-level encryption, service encryption, customer key encryption, and end-to-end encryption (E2EE).
Standard Encryption in Microsoft Teams
In addition to supporting the compliance requirements listed above by default, Microsoft Teams standard encryption provides comprehensive protection for data in transit and at rest without requiring additional configuration by users or administrators. This includes:
- Transport Layer Security (TLS): Secures data in transit using TLS 1.2+ with AES-256, protecting information as it moves between devices and Microsoft's servers.
- Data at Rest Encryption: Protects data stored in Azure, SharePoint, OneDrive, and other Microsoft 365 services using a combination of BitLocker disk encryption and per-file encryption.
- Service Encryption: Provides an additional layer of security by encrypting Teams data before sending it to the data store using keys managed by Microsoft. Service encryption is available for Media Content now, and additional services are being explored.
- Customer Key Encryption: Bring Your Own Keys (BYOK), allows organizations to provide their own encryption keys, giving them greater control over their security posture. The ability to encrypt Teams files using customer-managed keys (BYOK) is supported through integration with Microsoft Purview Customer Key (as detailed in this documentation Overview of Customer Key - Microsoft Purview | Microsoft Learn) and can apply to Teams files, chat messages and other modalities.
End-to-End Encryption (E2EE) in Microsoft Teams
E2EE helps ensure that only the communicating parties can access the content. Key characteristics of E2EE in Teams include:
- Implementation: Encryption keys are generated on user devices and exchanged over a secure signaling session. This capability is available for one-to-one calls and meetings (if configured). See table below that outlines the communication modalities supported.
- Enabling E2EE: IT administrators can configure the E2EE policy at the tenant level. E2EE for meetings is enabled by default, however users must also configure a meeting as an E2EE meeting when scheduling the meeting. E2EE for one-to-one calling is disabled by default, however IT administrators can enable for end users. If enabled, both users in a one-to-one call will also need to enable E2EE for one-to-one calls in their Teams client settings for their one-to-one calls to be E2EE.
- Technical Details: For E2EE calls and meetings Teams uses DTLS to encrypt the P2P media, and for meetings Teams uses a Group Key Manager Protocol (GKMP) to negotiate keys amongst all clients. All GKMP requests are distributed over channels secured with TLS 1.3 and we use GCM_AES_256 to encrypt the media. This encryption only covers audio video and video based screen sharing, it does not cover chat.
- Limitations: E2EE is available for one-to-one calls in Teams, as well as in meetings that have been configured to require E2EE (note that meeting support is a Teams Premium feature). E2EE provides additional protection for audio, video, and screen sharing capabilities in these experiences.
- Considerations: E2EE prevents the service from decrypting content, thereby disabling service-side processing capabilities such as translation, data loss prevention (DLP), eDiscovery, supervisory audit, and any other functionality that requires access to the content. It also reduces productivity features as users lose access to features such as recording, transcripts, and recaps. And it disables service-side protections such as anti-malware, anti-abuse, and anti-fraud, making it significantly harder - or sometimes impossible - to detect and block threats like spam, phishing, and impersonation, while delaying security actions until after delivery and limiting antivirus protection to slower, less consistent client-side scanning.
Different communication modalities within Teams have varying encryption capabilities:
|
Modalities & Features |
E2EE Available |
Standard Encryption |
|
One-to-one calls* |
Yes |
Yes |
|
Scheduled meetings |
Yes |
Yes |
|
Screen sharing |
Yes** (in E2EE-enabled meetings and one-to-one calls) |
Yes |
|
Video |
Yes** (in E2EE-enabled meetings and one-to-one calls) |
Yes |
|
Group calls |
No |
Yes |
|
Channel meetings |
No |
Yes |
|
Chat messages |
No |
Yes |
|
Shared files |
No |
Yes |
|
Meeting recordings |
No |
Yes |
* Microsoft Teams supports E2EE for eligible one-to-one VoIP calls. E2EE is not available for calls involving the Public Switched Telephone Network (PSTN).
**E2EE for this modality or feature is only available to Teams Premium users
Specific Questions Answered
1. Is end-to-end encryption for Teams calls available? Is it only for the paid version?
- End-to-end encryption (E2EE) for one-on-one calls made through Teams is available for commercial Teams users. Customers with a Teams Premium license can also use E2EE in scheduled Teams meetings.
2. Are there any other voice or messaging options that are encrypted?
- By default, all Teams communications, including voice calls, meetings, and chat, are encrypted using industry-standard technologies such as Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP).
3. Impact of E2EE on Product Functionality and Compliance
- While E2EE is a powerful tool for privacy and security, it can severely limit product functionality and overall value. It is not compatible with certain service-side functionality such as recording, transcription, and related AI-powered capabilities like intelligent meeting recap. It also limits data retention and records management capabilities that operate on the server side, like eDiscovery.
4. Security Concepts Embraced by Microsoft
- Microsoft embraces security concepts like Zero Trust and Least Privileged access, building on enterprise-grade authentication powered by Entra ID, and providing admins with options to customize policies to meet their organization’s needs. This includes Customer Key for data at rest in the cloud, which is built on service encryption that lets customers provide and control encryption keys, adding an extra layer of protection and control.
Selecting the Right Encryption Approach
Choosing between standard encryption and E2EE requires balancing security requirements with operational needs and compliance obligations. In general, E2EE is suitable for high-sensitivity scenarios – such as executive communications and regulated industries – where absolute privacy is required and absence of service-side processing (e.g., recording, transcription, DLP, or compliance) is acceptable, while standard encryption is appropriate for day-to-day operational discussions and team collaboration.
Considerations for Implementation
Organizations should develop a comprehensive encryption strategy that includes Microsoft Teams within their broader security architecture. This strategy should define how different types of communications will be protected based on sensitivity, regulatory requirements, and operational needs. One consideration is implementing a hybrid approach that uses standard encryption for general use and E2EE for specific high-sensitivity scenarios can balance security needs with operational requirements.
By taking a risk-based approach to implementing encryption in Teams, organizations can protect their communications while maintaining the collaboration capabilities essential to modern business operations.
For more detailed information and resources, please visit Microsoft Learn to explore further:
Overview of security and compliance – Microsoft Teams | Microsoft Learn
Microsoft