Earlier this year we announced end-to-end encryption (E2EE) support for Microsoft Teams Calls. Today we are pleased to announce that we’re starting to roll out E2EE for Teams calls to public preview. Once you receive the latest update, IT admins in your organization will have the option to make the feature available for you. Here’s an overview of how E2EE for Teams calls works, details around how IT Admins and users can turn it on, and how it is implemented.

UPDATE: As of December 15, 2021 end-to-end encryption for one-to-one Microsoft Teams calls is now generally available.

Earlier this year we announced end-to-end encryption (E2EE) support for Microsoft Teams Calls. Today we are pleased to announce that we’re starting to roll out E2EE for Teams calls to public preview. Once you receive the latest update, IT admins in your organization will have the option to make the feature available for you. Here’s an overview of how E2EE for Teams calls works, details around how IT Admins and users can turn it on, and how it is implemented.

End-to-end encryption (E2EE)

End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.

We’re rolling out this preview of E2EE for unscheduled one-to-one calls today. When both parties in a one-to-one call turn on E2EE, the communication between those two parties in the call is encrypted from end-to-end. No other party, including Microsoft, has access to the decrypted conversation.

With this release, only the real-time media flow, that is, video and voice data, for one-to-one Teams calls are end-to-end encrypted. Both parties must turn on this setting to enable end-to-end encryption. Encryption in Microsoft 365 protects chat, file sharing, presence, and other content in the call. For more information, see Encryption in Microsoft 365.

How can IT Admins, make E2EE for Teams one-to-one calls available for their organization?

IT admins can set the E2EE policy for users, groups or tenant via PowerShell. Please see the following guide for PowerShell commands: https://docs.microsoft.com/en-us/powershell/module/teams/new-csteamsenhancedencryptionpolicy?view=teams-ps 

Soon the ability to set the settings will also be available in Teams Admin Center UI. Once that is rolled out following steps can be used to setup E2EE via Teams Admin Center UI. 

\n
1. Sign in to the Teams admin center and navigate to Other settings > Enhanced encryption policies.
\n
2. Name the new policy, then for End-to-end call encryption, choose users can turn it on, and then choose Save.
\n
3. Once you’ve finished creating the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies.
\n

By default, end-to-end encryption isn’t available to users in your tenant. Once you’ve configured the policy, end-to-end encryption is still off by default for users when they make a Teams call. Users need to turn on end-to-end encryption in their Team settings.

Once IT Admin has set the enhanced encryption policy, do users automatically get E2EE in one-to-one calls?
No, after you’ve applied the policy, users will see a setting to turn on end-to-end encryption for their one-to-one calls. To turn on end-to-end encryption, users can follow these steps:

\n
1. On the top right of the Teams window, select the profile picture (or the ellipses next to the profile picture).
\n
2. Choose Settings > Privacy.
\n
3. Turn on end-to-end encrypted calls by toggling the switch.
\n

How can the two parties confirm they’re on an end-to-end encrypted call?

With this release, users will see the encryption indicator on the Teams call window in the upper left corner. This indicator shows that the call is encrypted. Microsoft 365 encryption technologies encrypt every Teams call. If a call is successfully end-to-end encrypted, both parties will see the end-to-end encryption indicator on the Teams call window. The Teams end-to-end encryption indicator is a shield with a lock.

Hover over the end-to-end encryption indicator to display confirmation the call is end-to-end encrypted. Teams also displays a security code for the call. To confirm that end-to-end encryption is working correctly, verify that the same security code appears for both parties in the call.

If IT Admins don’t enable E2EE or users don’t turn on the setting, does that mean Calls and Meetings in Microsoft Teams aren’t secure?

If you haven’t enabled end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. For more information, see Media encryption for Teams.

Does this capability only exist in Teams Desktop?

End-to-end encrypted calls can be made between two parties when the parties are using the latest version of the Teams desktop client for Windows or Mac, or they are on a Mobile device with latest update for iOS and Android.

Does turning on end-to-end encryption on one device also turn it on for all my devices?
Yes, the setting will be synchronized across supported end points.

How do I enable end-to-end encryption from Mobile?
By following these steps:

\n
1. In Teams Mobile, go to settings > calling.
\n
2. Under Encryption, turn on End-to-end encrypted calls.
\n

How do I verify that I’m on an end-to-end encrypted call on Mobile?
The mobile call also shows a lock + shield icon. Tap on the encryption indicator to reveal the 20-digit security code for the call. Just like the desktop app, both the caller and callee can verify that the code matches to ensure that both parties are on an end-to-end encrypted call.

When end-to-end encryption isn’t turned on, the Teams encryption indicator is a regular shield icon without the lock. The regular shield confirms that call is protected by Microsoft 365 encryption and no end-to-end encryption security code will be shown.

What about PSTN calls?
End-to-end encryption isn’t available for PSTN calls.

How are calls end-to-end encrypted?
Call flows in Teams are based on the Session Description Protocol (SDP) [RFC 4566] offer/answer model over HTTPS. Once the callee accepts an incoming call, the session parameters are agreed between the caller and callee and encrypted media starts flowing between the caller and callee using secure real-time transport protocol (SRTP).

In normal call flows, negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key based on per-call certificates generated on both client endpoints. Since DTLS derives the key based on client certificates, the key is opaque to Microsoft. Once both clients agree upon the key, the media begins to flow using this DTLS-negotiated encryption key over SRTP.

To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 thumbprints of the caller’s and callee’s endpoint call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other to see if they match. If the codes don’t match, then the connection between the caller and callee has been intercepted by a man-in-the-middle attack. If the call has been compromised, users can terminate the call manually.

Is Chat also end-to-end encrypted during calls that are E2EE?
Chat for end-to-end calls is secured by Microsoft 365 encryption.

What features aren’t available with end-to-end encryption?
Some features aren’t available during encrypted one-to-one calls. These unavailable features include:

\n
• Recording
\n
• Live caption and transcription
\n
• Call transfer (blind, safe, and consult)
\n
• Call Park
\n
• Call Merge
\n
• Call Companion and transfer to another device
\n
• Add participant to make the one-to-one call a group call
\n

Can I turn E2EE on or off if I need to take advantage of features that are disabled in E2EE calls?
Absolutely, if you need these features in a call, go to Settings, and turn end-to-end encryption off the same way you turned it on.

What about group audio/video calls and Meetings?
Microsoft 365 encryption secures group audio/video calls. As we release end-to-end encryption for Teams one-to-one calls, we will continue to learn from customers how the scenarios address their needs. We will work to bring end-to-end encryption capabilities to online meetings later.

That's our overview and how-to for end-to-end encryption for one-to-one calls in Teams. Try it and let us know if you have any feedback. Remember to check for updates to make sure you have the latest client so you can turn on the feature after your IT admin has enabled it for you. Enjoy!

Resources

Use end-to-end encryption for one-to-one Microsoft Teams calls: https://aka.ms/e2ee

Encryption Documentation: https://aka.ms/encryption 

UPDATE: As of December 15, 2021 end-to-end encryption for one-to-one Microsoft Teams calls is now generally available.

Earlier this year we announced end-to-end encryption (E2EE) support for Microsoft Teams Calls. Today we are pleased to announce that we’re starting to roll out E2EE for Teams calls to public preview. Once you receive the latest update, IT admins in your organization will have the option to make the feature available for you. Here’s an overview of how E2EE for Teams calls works, details around how IT Admins and users can turn it on, and how it is implemented.

End-to-end encryption (E2EE)

End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.

We’re rolling out this preview of E2EE for unscheduled one-to-one calls today. When both parties in a one-to-one call turn on E2EE, the communication between those two parties in the call is encrypted from end-to-end. No other party, including Microsoft, has access to the decrypted conversation.

With this release, only the real-time media flow, that is, video and voice data, for one-to-one Teams calls are end-to-end encrypted. Both parties must turn on this setting to enable end-to-end encryption. Encryption in Microsoft 365 protects chat, file sharing, presence, and other content in the call. For more information, see Encryption in Microsoft 365.

How can IT Admins, make E2EE for Teams one-to-one calls available for their organization?

IT admins can set the E2EE policy for users, groups or tenant via PowerShell. Please see the following guide for PowerShell commands: https://docs.microsoft.com/en-us/powershell/module/teams/new-csteamsenhancedencryptionpolicy?view=teams-ps 

Soon the ability to set the settings will also be available in Teams Admin Center UI. Once that is rolled out following steps can be used to setup E2EE via Teams Admin Center UI. 

\n
1. Sign in to the Teams admin center and navigate to Other settings > Enhanced encryption policies.
\n
2. Name the new policy, then for End-to-end call encryption, choose users can turn it on, and then choose Save.
\n
3. Once you’ve finished creating the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies.
\n

By default, end-to-end encryption isn’t available to users in your tenant. Once you’ve configured the policy, end-to-end encryption is still off by default for users when they make a Teams call. Users need to turn on end-to-end encryption in their Team settings.

Once IT Admin has set the enhanced encryption policy, do users automatically get E2EE in one-to-one calls?
No, after you’ve applied the policy, users will see a setting to turn on end-to-end encryption for their one-to-one calls. To turn on end-to-end encryption, users can follow these steps:

\n
1. On the top right of the Teams window, select the profile picture (or the ellipses next to the profile picture).
\n
2. Choose Settings > Privacy.
\n
3. Turn on end-to-end encrypted calls by toggling the switch.
\n

How can the two parties confirm they’re on an end-to-end encrypted call?

With this release, users will see the encryption indicator on the Teams call window in the upper left corner. This indicator shows that the call is encrypted. Microsoft 365 encryption technologies encrypt every Teams call. If a call is successfully end-to-end encrypted, both parties will see the end-to-end encryption indicator on the Teams call window. The Teams end-to-end encryption indicator is a shield with a lock.

Hover over the end-to-end encryption indicator to display confirmation the call is end-to-end encrypted. Teams also displays a security code for the call. To confirm that end-to-end encryption is working correctly, verify that the same security code appears for both parties in the call.

If IT Admins don’t enable E2EE or users don’t turn on the setting, does that mean Calls and Meetings in Microsoft Teams aren’t secure?

If you haven’t enabled end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. For more information, see Media encryption for Teams.

Does this capability only exist in Teams Desktop?

End-to-end encrypted calls can be made between two parties when the parties are using the latest version of the Teams desktop client for Windows or Mac, or they are on a Mobile device with latest update for iOS and Android.

Does turning on end-to-end encryption on one device also turn it on for all my devices?
Yes, the setting will be synchronized across supported end points.

How do I enable end-to-end encryption from Mobile?
By following these steps:

\n
1. In Teams Mobile, go to settings > calling.
\n
2. Under Encryption, turn on End-to-end encrypted calls.
\n

How do I verify that I’m on an end-to-end encrypted call on Mobile?
The mobile call also shows a lock + shield icon. Tap on the encryption indicator to reveal the 20-digit security code for the call. Just like the desktop app, both the caller and callee can verify that the code matches to ensure that both parties are on an end-to-end encrypted call.

When end-to-end encryption isn’t turned on, the Teams encryption indicator is a regular shield icon without the lock. The regular shield confirms that call is protected by Microsoft 365 encryption and no end-to-end encryption security code will be shown.

What about PSTN calls?
End-to-end encryption isn’t available for PSTN calls.

How are calls end-to-end encrypted?
Call flows in Teams are based on the Session Description Protocol (SDP) [RFC 4566] offer/answer model over HTTPS. Once the callee accepts an incoming call, the session parameters are agreed between the caller and callee and encrypted media starts flowing between the caller and callee using secure real-time transport protocol (SRTP).

In normal call flows, negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key based on per-call certificates generated on both client endpoints. Since DTLS derives the key based on client certificates, the key is opaque to Microsoft. Once both clients agree upon the key, the media begins to flow using this DTLS-negotiated encryption key over SRTP.

To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 thumbprints of the caller’s and callee’s endpoint call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other to see if they match. If the codes don’t match, then the connection between the caller and callee has been intercepted by a man-in-the-middle attack. If the call has been compromised, users can terminate the call manually.

Is Chat also end-to-end encrypted during calls that are E2EE?
Chat for end-to-end calls is secured by Microsoft 365 encryption.

What features aren’t available with end-to-end encryption?
Some features aren’t available during encrypted one-to-one calls. These unavailable features include:

\n
• Recording
\n
• Live caption and transcription
\n
• Call transfer (blind, safe, and consult)
\n
• Call Park
\n
• Call Merge
\n
• Call Companion and transfer to another device
\n
• Add participant to make the one-to-one call a group call
\n

Can I turn E2EE on or off if I need to take advantage of features that are disabled in E2EE calls?
Absolutely, if you need these features in a call, go to Settings, and turn end-to-end encryption off the same way you turned it on.

What about group audio/video calls and Meetings?
Microsoft 365 encryption secures group audio/video calls. As we release end-to-end encryption for Teams one-to-one calls, we will continue to learn from customers how the scenarios address their needs. We will work to bring end-to-end encryption capabilities to online meetings later.

That's our overview and how-to for end-to-end encryption for one-to-one calls in Teams. Try it and let us know if you have any feedback. Remember to check for updates to make sure you have the latest client so you can turn on the feature after your IT admin has enabled it for you. Enjoy!

Resources

Use end-to-end encryption for one-to-one Microsoft Teams calls: https://aka.ms/e2ee

Encryption Documentation: https://aka.ms/encryption 

Earlier this year we announced end-to-end encryption (E2EE) support for Microsoft Teams Calls. Today we are pleased to announce that we’re starting to roll out E2EE for Teams calls to public preview. Once you receive the latest update, IT admins in your organization will have the option to make the feature available for you. Here’s an overview of how E2EE for Teams calls works, details around how IT Admins and users can turn it on, and how it is implemented.

After checking with MS support, E2EE doesn't work in VDI and Azure virtual desktop.

Hope that in the future will be implemented

Hello

Is E2EE supported for meetings with N participants (N=3, 4, 5, ...)

Under which conditions?

If it is not supported: When will it be supported?

Thanks in advance for you reply.

Best regards,

Diego

Japp, for those users I have in scope, recording will not be allowed. It's about sensitive patient data. Regulations in Germany a quite tough here...

Force enforce. 
Is this means that you are not allow your users to do recording ?

Mansoor Malik  Is there/will there be a way to enforce the usage of E2EE in the Teams Desktop client? I'd like to enable the switch and not leave it up to users to turn this on. Thanks!

Mansoor Malik Do you know when the security function \"E2EE\" will be available for all customers? Do you have informations about this?

Does E2E call encryption apply to all users including regular Teams account? I setup a Free teams account and I don't see \"Turn on end-to-end encrypted calls\" option under Settings > Privacy.

I don't see any indicator of any kind either on the call placed with another contact.

Andrew_Woo, rpodric Sorry for the inconvenience - the Teams Admin Center UI has not been rolled out yet however PowerShell can be used to set the policy. Included reference above in the article to make it clear. Here's the link as well: https://docs.microsoft.com/en-us/powershell/module/teams/new-csteamsenhancedencryptionpolicy?view=teams-ps 

Mansoor Malik I've long been in the Public Preview update policy, but I thought that merely pertained to allowing opt-in to the public preview client. Here though you seem to be saying that it's also needed in order to be able to see the new section of the admin area itself. I'm logged into admin with the same account, however, and it is not there.

Mansoor Malik , I would like to thank you for the verification.