Now in public preview: End-to-end encryption for one-to-one Microsoft Teams calls

Microsoft

Description
By default, Teams encrypts all communication using industry-standard technologies such as Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP). If your IT admin has enabled end-to-end encryption (E2EE) for your team, you can use it to further increase the confidentiality of your one-on-one calls. Please note that both people on the call must turn on E2EE for the technology to work.

 

KaushalMehtaLYNC_0-1635437327754.png

 

Current capabilities

During an E2EE call, Teams secures the following features:

  • Audio
  • Video
  • Screen sharing

You will also be able to chat in these calls, but Microsoft 365 secures your chat sessions. 

Advanced features, including the following, will not be available during an E2EE call in this release:

  • Recording
  • Live captions and transcription
  • Call transfer
  • Call merge
  • Call park
  • Consult then transfer
  • Call companion and transfer to another device
  • Adding a participant

If your organization uses compliance recording (enterprise call recording that helps businesses meet specific regulatory requirements), E2EE won’t be available. For more info on how Teams supports compliance recording, see Introduction to Teams policy-based recording for callings & meetings.

Flighting status

Started flighting. Rollout estimated to be complete by Tuesday October 26th 2021.

 

How to enable

Please note that at his moment it is only possible to allow end-to-end encryption (E2EE) using PowerShell and E2EE is only available for Teams Desktop clients. In the future it will be possible to configure the E2EE policy from Teams Admin Center. To configure the policy, follow these steps:

 

Use PowerShell to connect to MicrosoftTeams module, the module version must be at least 2.5.2

 

After changing the username, run the following command:

 

Grant-CsTeamsEnhancedEncryptionPolicy -identity "john@contoso.com" -policyname Tag:UserControlled

 

Optionally you can enable the E2EE toggle for the entire tenant by running the following command:

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride

 

After the policy is applied, you will be able to see the E2EE toggle under the Privacy section in Microsoft Teams desktop client settings (see picture bellow).

 

KaushalMehtaLYNC_1-1635437486378.png

 

Verify that E2EE is working:

When the call is connected, do the following:

Look for a shield with a lock Shield with a lock in the top left corner of the call window. This indicates that E2EE is turned on for both parties.

 

KaushalMehtaLYNC_2-1635437552786.png

 

Note: If the shield looks like this Shield without a lock, E2EE is not turned on for at least one of the parties but your call is still encrypted by Microsoft 365.

Point to the shield with a lock to view the security code and compare it with the code that the other person sees.

 

KaushalMehtaLYNC_3-1635437574757.png

 

If both people on the call see the same code, E2EE is working properly.

 

 

 

To disable the feature for a particular user, run this command:

Grant-CsTeamsEnhancedEncryptionPolicy -identity "john@contoso.com" -policyname Tag:Disabled

 

If you want to disable E2E encryption for the whole tenant, use this command:

Set-CsTeamsEnhancedEncryptionPolicy -Identity global -CallingEndtoEndEncryptionEnabledType Disabled

 

Note 1: If you need information about enabling the public preview itself, see “Enable the public preview for Teams” below.

Note 2: See https://support.microsoft.com/en-us/office/use-end-to-end-encryption-for-teams-calls-1274b4d2-b5c5-4... for feature details.

Note 3: See https://docs.microsoft.com/en-us/powershell/module/teams/new-csteamsenhancedencryptionpolicy?view=te... for New-CsTeamsEnhancedEncryptionPolicy cmdlet details.

 

Microsoft 365 workloads and dependencies

 

Product, workload, or area

Dependency (Yes/No)

If yes, version requirements and other dependencies

Exchange

No

 

Sharepoint, files

No

 

Skype for Business

No

 

Outlook add-in

No

 

Azure AD

No

 

OneDrive

No

 

Office

No

 

PowerShell

Yes

PowerShell MicrosoftTeams module version must be at least 2.5.2

 

Supported clients and platforms

 

Windows 10

macOS

iOS

Android

Linux

Chrome

Firefox

Safari

Edge

Internet Explorer

Yes

Yes

 

 

 

 

 

 

 

 

 

How does this feature impact the existing experience?

Unless enabled by IT admins, there is no impact.

Known issues

None.

Known limitations

None.

 

Enable your Teams client for the public preview 

 

  1. First, IT admins need to set an update policy that turns on Show preview features. Learn how at Public preview in Microsoft Teams - Microsoft Teams | Microsoft Docs.  
  2. Users then choose to join the public preview individually. See Get early access to new Teams features - Office Support (microsoft.com) for instructions. 

Summary of public preview features

For a history of features in the Office and Teams public previews, see Release Notes Current Channel (Preview) - Office release notes | Microsoft Docs.

 

Send us your feedback 

Got feedback on features in the public preview or other areas of Teams? Let us know straight from Teams via Help Give feedback This is on the bottom left of the your client.

 

KaushalMehtaLYNC_4-1635437770519.png

 

Thank you,

Preview Team, @Miroslav_Dvorak 

Quality & Customer Obsession, Microsoft Teams

 

1 Reply

Here's my demo of this feature