Forum Discussion
End to end encryption with Microsoft Teams?
- Nov 18, 2019
Jleebiker The mobile client supports App Protection Policies from InTune that would ensure that it's content is encrypted and users are authenticated on the end point device.
E2EE means something different. It means that the messages are encrypted on the senders device and can only be decrypted on the recipients device. All of the infrastructure in the middle is irrelevant as it can not decrypt the content at all. This is not how Teams works, while every stage of the journey is encrypted the service in the middle can decrypt content if it needs, for example to store data within the retention records or if you add a new person to the conversation. E2EE is only really relevant in apps which don't have any central services.
In banking you'll almost certainly have a requirement to retain messages for your regulators, for example in the US FINRA Rule 4511. If you had 'end-to-end' encryption of your messages only the sender and recipient could decrypt the messages, so you couldn't retain this data.
Meeting media could be E2E encrypted as long as there was no need to create a recording, If you look at Zoom as soon as you use their preview of E2E all recording is disabled, along with a whole pile of other features.
If you take a look at Teams, which is used by a number of Global Banks, it offers full encryption in transit and at rest, has a robust Customer Lockbox capability and now has a preview to allow organisations to BYOK.
You can still retain the data even if it is end to end encrypted, we are doing this today. You just need appropriate privilege to allow that integration between your archival platform and the application.
StevenC365 thanks for the insights on other banks using teams. I am curious if you can help me clarify few things as I am trying to learn more on teams security .
1) for data at rest , does Microsoft engineers has access to the encryption keys?
2) does Microsoft stores the data in shared database instance and have a common key?
3) how often does the key rotation happens?
- StevenC365Feb 22, 2021MVP
Deepak_Mehta wrote:
You can still retain the data even if it is end to end encrypted, we are doing this today. You just need appropriate privilege to allow that integration between your archival platform and the application.
If you are choosing to define your archival system as an endpoint then you are taking a fairly non standard definition of E2EE.
1) for data at rest , does Microsoft engineers has access to the encryption keys?
Microsoft engineers do not have standing access to any customer data, they have to use a process call LockBox to request access. This would normally be approved by suitably separated manager, but if you license the Customer Lockbox feature then you are part of that approval process as well.
2) does Microsoft stores the data in shared database instance and have a common key?
I've no idea, the internal architecture of how the service works are not part of how the service is described. This is a global service serving 115M daily active Teams users across the biggest companies in the world. There is not an 'instance' for each company, just like there is no an instance of Exchange or SharePoint per client.
3) how often does the key rotation happens?
No idea, again this is an operation process.
Microsoft make all the assessments and penetration test reports for Office 365 available to customers at https://servicetrust.microsoft.com/, read up on what you need. If you aren't a customer yet ask a Microsoft account team who will ensure the appropriate NDA is in place.
- DeletedFeb 22, 2021
Deepak_Mehta StevenC365 Hi customer key encryption at the tenant level which covers Teams chats and channel conversations is in public preview and due to be launched soon according to the roadmap feature id 68732
Here are the details of the public preview Customer Key for Microsoft 365 at the tenant level (public preview) - Microsoft 365 Compliance | Microsoft Docs