Forum Discussion
End to end encryption with Microsoft Teams?
- StevenC365, Nov 18, 2019, MVP
Jleebiker The mobile client supports App Protection Policies from Intune that would ensure that its content is encrypted and users are authenticated on the endpoint device.
E2EE means something different. It means that the messages are encrypted on the sender's device and can only be decrypted on the recipient's device. All of the infrastructure in the middle is irrelevant as it cannot decrypt the content at all. This is not how Teams works: while every stage of the journey is encrypted, the service in the middle can decrypt content if it needs to, for example to store data within the retention records or if you add a new person to the conversation. E2EE is only really relevant in apps which don't have any central services.
- StevenC365, Nov 17, 2019, MVP
Jleebiker All Teams data is encrypted "in transit and at rest"; see https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview.
I'm not really sure what E2EE would mean in a Teams context; it's typically for consumer-type apps where the data is only decrypted on the end client devices. Teams can't be this, the data resides in Office 365 and is subject to retention and eDiscovery.
- Deepak_Mehta, Feb 19, 2021, Copper Contributor
StevenC365 Webex Teams and Symphony both have end-to-end encryption and are not consumer-type apps. Also, for banking clients like us E2EE is more and more important. We moved our 100K users from SFB to Webex Teams and we also use Symphony.
I don't see why MS Teams cannot offer E2EE encryption; I am pretty sure even Zoom meetings and chat along with Webex meetings offer E2EE now.
- StevenC365, Feb 21, 2021, MVP
In banking you'll almost certainly have a requirement to retain messages for your regulators, for example in the US FINRA Rule 4511. If you had 'end-to-end' encryption of your messages only the sender and recipient could decrypt the messages, so you couldn't retain this data.
Meeting media could be E2E encrypted as long as there was no need to create a recording. If you look at Zoom, as soon as you use their preview of E2E all recording is disabled, along with a whole pile of other features.
If you take a look at Teams, which is used by a number of global banks, it offers full encryption in transit and at rest, has a robust Customer Lockbox capability and now has a preview to allow organisations to BYOK.
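The retention conflict StevenC365 describes, and the "add a new person" case from the top reply, can be shown side by side. The following is an added example, not code from the thread or from any Microsoft product: one model where the service holds the key (so it can keep retention records), and one E2EE model where the service only stores ciphertext plus a per-recipient wrapped content key, so an eDiscovery request fails and only an existing member can extend history to a newcomer. The cipher, the service classes and the pre-shared pairwise keys are all constructed stand-ins.

```python
import os, hmac, hashlib
def xor_stream(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode (demo only, not an AEAD)."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, pt):
    nonce = os.urandom(16)
    return nonce + xor_stream(key, nonce, pt)
def open_(key, ct):
    return xor_stream(key, ct[:16], ct[16:])

class ServiceMediated:
    """Encrypted per hop, but the service holds the key, so it can keep retention records."""
    def __init__(self):
        self.key, self.records = os.urandom(32), []
    def send(self, sender, pt):
        ct = seal(self.key, pt)
        self.records.append((sender, open_(self.key, ct)))  # service decrypts for retention
        return ct
    def ediscovery(self):
        return list(self.records)

class E2EEService:
    """Relay only: stores ciphertext plus a content key wrapped for each recipient."""
    def __init__(self):
        self.store = []
    def ediscovery(self):
        raise PermissionError("service holds no content keys")

def pair(a, b): return frozenset((a, b))
def pairwise_keys(users):
    # Constructed stand-in for secrets real clients agree per peer; never sent to the service.
    return {pair(a, b): os.urandom(32) for a in users for b in users}
def e2ee_send(svc, keys, sender, members, pt):
    ck = os.urandom(32)  # fresh content key per message, wrapped for every member (sender too)
    svc.store.append({"from": sender, "body": seal(ck, pt),
                      "keys": {m: (sender, seal(keys[pair(sender, m)], ck)) for m in members}})

def e2ee_read(svc, keys, me, i):
    wrapper, blob = svc.store[i]["keys"][me]
    return open_(open_(keys[pair(wrapper, me)], blob), svc.store[i]["body"])

def e2ee_add_member(svc, keys, sponsor, newcomer):
    """Only a client already holding the content keys can extend history to a newcomer."""
    for msg in svc.store:
        wrapper, blob = msg["keys"][sponsor]
        ck = open_(keys[pair(wrapper, sponsor)], blob)
        msg["keys"][newcomer] = (sponsor, seal(keys[pair(sponsor, newcomer)], ck))
```

In the E2EE model the service never sees a content key, which is exactly why it cannot satisfy a retention request or admit a new participant on its own.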
- cto-erik, Sep 10, 2020, Copper Contributor
StevenC365 Encryption in a Teams context would look like this:
- end users would have keys that could be used to decrypt data
- data would live encrypted in SharePoint
- users would decrypt at the time of reading/opening/viewing data
- content scanning, monitoring, indexing would be done on the endpoint, at the time of content creation/editing
- certain features may not be available for content encrypted this way
I think the lack of sound custody is probably the #1 reason organizations choose not to use cloud services in general, Teams included. E2E encryption would go a long way toward alleviating that.
- StevenC365, Sep 10, 2020, MVP
cto-erik for your theoretical search index to work every client would need to download every message in every channel. Also not really sure how any web UI would work.
- Jleebiker, Nov 17, 2019, Iron Contributor
I read that doc and am familiar with it. We use the mobile app and need to understand the E2EE part. I understand that Teams has encryption in transit and at rest, but does that translate down to a mobile client? MS went to the trouble of incorporating Signal tech in Skype4Biz, does that mean it is an option for the Teams mobile app? Just trying to confirm.