Earlier this year we announced end-to-end encryption (E2EE) support for Microsoft Teams Calls. Today we are pleased to announce that we’re starting to roll out E2EE for Teams calls to public preview. Once you receive the latest update, IT admins in your organization will have the option to make the feature available for you. Here’s an overview of how E2EE for Teams calls works, details around how IT Admins and users can turn it on, and how it is implemented.
End-to-end encryption (E2EE)
End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.
We’re rolling out this preview of E2EE for unscheduled one-to-one calls today. When both parties in a one-to-one call turn on E2EE, the communication between those two parties in the call is encrypted from end-to-end. No other party, including Microsoft, has access to the decrypted conversation.
With this release, only the real-time media flow (video and voice data) of one-to-one Teams calls is end-to-end encrypted. Both parties must turn on this setting to enable end-to-end encryption. Encryption in Microsoft 365 protects chat, file sharing, presence, and other content in the call. For more information, see Encryption in Microsoft 365.
How can IT Admins make E2EE for Teams one-to-one calls available for their organization?
The settings will soon also be available in the Teams Admin Center UI. Once that is rolled out, the following steps can be used to set up E2EE via the Teams Admin Center UI.
Sign in to the Teams admin center and navigate to Other settings > Enhanced encryption policies.
Name the new policy, then under End-to-end call encryption choose "Users can turn it on", and then choose Save.
Once you’ve finished creating the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies.
By default, end-to-end encryption isn’t available to users in your tenant. Once you’ve configured the policy, end-to-end encryption is still off by default for users when they make a Teams call. Users need to turn on end-to-end encryption in their Teams settings.
Once the IT admin has set the enhanced encryption policy, do users automatically get E2EE in one-to-one calls? No. After you’ve applied the policy, users will see a setting to turn on end-to-end encryption for their one-to-one calls. To turn on end-to-end encryption, users can follow these steps:
On the top right of the Teams window, select the profile picture (or the ellipsis next to the profile picture).
Choose Settings > Privacy.
Turn on end-to-end encrypted calls by toggling the switch.
How can the two parties confirm they’re on an end-to-end encrypted call?
With this release, users will see the encryption indicator on the Teams call window in the upper left corner. This indicator shows that the call is encrypted. Microsoft 365 encryption technologies encrypt every Teams call. If a call is successfully end-to-end encrypted, both parties will see the end-to-end encryption indicator on the Teams call window. The Teams end-to-end encryption indicator is a shield with a lock.
Hover over the end-to-end encryption indicator to display confirmation the call is end-to-end encrypted. Teams also displays a security code for the call. To confirm that end-to-end encryption is working correctly, verify that the same security code appears for both parties in the call.
If IT Admins don’t enable E2EE or users don’t turn on the setting, does that mean Calls and Meetings in Microsoft Teams aren’t secure?
If you haven’t enabled end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. For more information, see Media encryption for Teams.
Does this capability only exist in Teams Desktop?
End-to-end encrypted calls can be made between two parties when both parties are using the latest version of the Teams desktop client for Windows or Mac, or they are on a mobile device with the latest update for iOS or Android.
Does turning on end-to-end encryption on one device also turn it on for all my devices? Yes, the setting will be synchronized across supported endpoints.
How do I enable end-to-end encryption from Mobile? By following these steps:
In Teams Mobile, go to Settings > Calling.
Under Encryption, turn on End-to-end encrypted calls.
How do I verify that I’m on an end-to-end encrypted call on Mobile? The mobile call also shows the shield-with-lock icon. Tap the encryption indicator to reveal the 20-digit security code for the call. Just like in the desktop app, both the caller and callee can verify that the code matches to ensure that both parties are on an end-to-end encrypted call.
When end-to-end encryption isn’t turned on, the Teams encryption indicator is a regular shield icon without the lock. The regular shield confirms that the call is protected by Microsoft 365 encryption; no end-to-end encryption security code will be shown.
What about PSTN calls? End-to-end encryption isn’t available for PSTN calls.
How are calls end-to-end encrypted? Call flows in Teams are based on the Session Description Protocol (SDP) [RFC 4566] offer/answer model over HTTPS. Once the callee accepts an incoming call, the session parameters are agreed between the caller and callee, and encrypted media starts flowing between them using the Secure Real-time Transport Protocol (SRTP).
In normal call flows, negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key based on per-call certificates generated on both client endpoints. Since DTLS derives the key based on client certificates, the key is opaque to Microsoft. Once both clients agree upon the key, the media begins to flow using this DTLS-negotiated encryption key over SRTP.
To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 thumbprints of the caller’s and callee’s endpoint call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other to see if they match. If the codes don’t match, then the connection between the caller and callee has been intercepted by a man-in-the-middle attack. If the call has been compromised, users can terminate the call manually.
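To make the security-code check concrete, here is an added illustrative simulation in Python; it is not Microsoft's code. The exact function Teams uses to turn the two SHA-256 thumbprints into 20 digits is not published on this page, so the derivation below is an assumption, and the per-call certificates are stand-in random bytes rather than real X.509 DER.

```python
import hashlib
import os
from typing import Tuple

CODE_DIGITS = 20


def thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a (DER-encoded) certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def security_code(local_tp: str, remote_tp: str) -> str:
    """Derive a 20-digit code from the two endpoint thumbprints.

    Illustrative derivation (assumption, not Teams' published algorithm):
    sort the two thumbprints so both endpoints hash the same byte string,
    then take the SHA-256 digest modulo 10**20, zero-padded to 20 digits.
    """
    pair = "|".join(sorted((local_tp.lower(), remote_tp.lower()))).encode()
    digest = hashlib.sha256(pair).digest()
    return str(int.from_bytes(digest, "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def new_call_certificate() -> bytes:
    """Stand-in for a per-call certificate: constructed random bytes, not real DER."""
    return os.urandom(256)


def simulate_call(intercepted: bool) -> Tuple[str, str]:
    """Return the code shown to the caller and to the callee.

    With intercepted=True an interceptor terminates DTLS towards each party
    with its own certificate, so each party receives the interceptor's
    thumbprint instead of the peer's and the two displayed codes diverge.
    """
    caller_cert, callee_cert = new_call_certificate(), new_call_certificate()
    if intercepted:
        caller_sees_peer = thumbprint(new_call_certificate())  # interceptor's cert
        callee_sees_peer = thumbprint(new_call_certificate())  # interceptor's cert
    else:
        caller_sees_peer = thumbprint(callee_cert)
        callee_sees_peer = thumbprint(caller_cert)
    code_at_caller = security_code(thumbprint(caller_cert), caller_sees_peer)
    code_at_callee = security_code(thumbprint(callee_cert), callee_sees_peer)
    return code_at_caller, code_at_callee


def codes_match(code_a: str, code_b: str) -> bool:
    """The check the two people perform by reading the codes to each other."""
    return code_a == code_b


if __name__ == "__main__":
    for intercepted in (False, True):
        a, b = simulate_call(intercepted)
        print(f"intercepted={intercepted}: caller {a} callee {b} match={codes_match(a, b)}")
```

Because the code is computed from both endpoint certificates, an interceptor that has substituted its own certificate on either leg cannot make the two displayed codes agree, which is why a mismatch is the signal to end the call.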
Is Chat also end-to-end encrypted during calls that are E2EE? Chat during end-to-end encrypted calls is secured by Microsoft 365 encryption.
What features aren’t available with end-to-end encryption? Some features aren’t available during encrypted one-to-one calls. These unavailable features include:
Live caption and transcription
Call transfer (blind, safe, and consult)
Call Companion and transfer to another device
Add participant to make the one-to-one call a group call
Can I turn E2EE on or off if I need to take advantage of features that are disabled in E2EE calls? Absolutely. If you need these features in a call, go to Settings and turn end-to-end encryption off the same way you turned it on.
What about group audio/video calls and Meetings? Microsoft 365 encryption secures group audio/video calls. As we release end-to-end encryption for Teams one-to-one calls, we will continue to learn from customers how the scenarios address their needs. We will work to bring end-to-end encryption capabilities to online meetings later.
That's our overview and how-to for end-to-end encryption for one-to-one calls in Teams. Try it and let us know if you have any feedback. Remember to check for updates to make sure you have the latest client so you can turn on the feature after your IT admin has enabled it for you. Enjoy!