End to end encryption with Microsoft Teams?

%3CLINGO-SUB%20id%3D%22lingo-sub-804842%22%20slang%3D%22en-US%22%3EEnd%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-804842%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20aware%20that%20Microsoft%20Teams%20has%20data%20encryption%20at%20rest%20and%20in%20transit.%20But%20is%20there%20a%20way%20to%20use%20E2EE%3F%20If%20not%20is%20metadata%20at%20least%20encrypted%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E-%20Hayden%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-804842%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EChat%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDeveloper%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESettings%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1013741%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1013741%22%20slang%3D%22en-US%22%3EI%20am%20also%20interested%20in%20this%20issue.%20MS%20announced%20a%20partnership%20with%20Signal%20to%20use%20their%20tech%20to%20do%20E2E%20encryption%20for%20Skype%20for%20Biz%2C%20what%20is%20being%20done%20for%20Teams%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1013919%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1013919%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F314501%22%20target%3D%22_blank%22%3E%40Jlee_Prosci%3C%2FA%3E%26nbsp%3BAll%20Teams%20data%20is%20encrypted%20%22in%20transit%20and%20at%20rest%22%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fsecurity-compliance-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoftteams%2Fsecurity-compliance-overview%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI'm%20not%20really%20sure%20what%20E2EE%20would%20mean%20in%20a%20Teams%20context%2C%20it's%20typically%20for%20consumer%20type%20apps%20where%20the%20data%20is%20only%20decrypted%20on%20the%20end%20client%20devices.%20Teams%20can't%20be%20this%2C%20the%20data%20resides%20in%20Office%20365%20and%20is%20subject%20to%20retention%20and%20ediscovery.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1013927%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1013927%22%20slang%3D%22en-US%22%3EI%20read%20that%20doc%20and%20am%20familiar%20with%20it.%20We%20use%20the%20mobile%20app%20and%20need%20to%20understand%20the%20E2EE%20part.%20I%20understand%20that%20Teams%20has%20encryption%20in%20transit%20and%20rest%2C%20but%20does%20that%20translate%20down%20to%20a%20mobile%20client%3F%20MS%20went%20to%20the%20trouble%20of%20incorporating%20Signal%20tech%20in%20Skype4Biz%2C%20does%20that%20mean%20it%20is%20an%20option%20for%20the%20Teams%20mobile%20app%3F%20Just%20trying%20to%20confirm.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014433%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014433%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F314501%22%20target%3D%22_blank%22%3E%40Jlee_Prosci%3C%2FA%3E%26nbsp%3BThe%20mobile%20client%20supports%20App%20Protection%20Policies%20from%20InTune%20that%20would%20ensure%20that%20it's%20content%20is%20encrypted%20and%20users%20are%20authenticated%20on%20the%20end%20point%20device.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EE2EE%20means%20something%20different.%20It%20means%20that%20the%20messages%20are%20encrypted%20on%20the%20senders%20device%20and%20can%20only%20be%20decrypted%20on%20the%20recipients%20device.%20All%20of%20the%20infrastructure%20in%20the%20middle%20is%20irrelevant%20as%20it%20can%20not%20decrypt%20the%20content%20at%20all.%20This%20is%20not%20how%20Teams%20works%2C%20while%20every%20stage%20of%20the%20journey%20is%20encrypted%20the%20service%20in%20the%20middle%20can%20decrypt%20content%20if%20it%20needs%2C%20for%20example%20to%20store%20data%20within%20the%20retention%20records%20or%20if%20you%20add%20a%20new%20person%20to%20the%20conversation.%20E2EE%20is%20only%20really%20relevant%20in%20apps%20which%20don't%20have%20any%20central%20services.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014440%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014440%22%20slang%3D%22en-US%22%3EThanks!%20Is%20InTune%20something%20we%20need%20to%20turn%20on%20manually%20and%20create%20a%20policy%20to%20manually%20add%20people%20to%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1016847%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1016847%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F314501%22%20target%3D%22_blank%22%3E%40Jlee_Prosci%3C%2FA%3E%26nbsp%3BMore%20on%20App%20Protection%20Policies%20here%20-%26gt%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fapps%2Fapp-protection-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fapps%2Fapp-protection-policy%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1169870%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1169870%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F178440%22%20target%3D%22_blank%22%3E%40Steven%20Collier%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20there%20any%20plans%20for%20a%20service%20like%20EKM%20(Enterprise%20Key%20Management)%3F%26nbsp%3B%20Enterprise-side%20keys%20allow%20businesses%20to%20be%20100%25%20assured%20of%20confidentiality%20and%20can%20enable%20direct%20control%20and%20data%20portability.%26nbsp%3B%20Otherwise%2C%20customers%20may%20have%20to%20limit%20their%20usage%20of%20the%20platform.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171404%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171404%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555109%22%20target%3D%22_blank%22%3E%40alexwall%3C%2FA%3E%26nbsp%3BAlready%20exists%20...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fcustomer-key-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fcustomer-key-overview%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1172179%22%20slang%3D%22en-US%22%3ERe%3A%20End%20to%20end%20encryption%20with%20Microsoft%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1172179%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20I%20wasn't%20aware%20that%20this%20level%20of%20encryption%20was%20available!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20says%20%22%3CSPAN%3EOffice%20365%20provides%20baseline%2C%20volume-level%20encryption%20enabled%20through%20BitLocker%20and%20Distributed%20Key%20Manager%20(DKM).%20Office%20365%20offers%20an%20added%20layer%20of%20encryption%20at%20the%20application%20level%20for%20your%20content.%20This%20content%20includes%20data%20from%20Exchange%20Online%2C%20Skype%20for%20Business%2C%20SharePoint%26nbsp%3BOnline%2C%26nbsp%3BOneDrive%26nbsp%3Bfor%26nbsp%3BBusiness%2C%26nbsp%3Band%26nbsp%3BTeams%26nbsp%3B%3CU%3E%3CSTRONG%3Efiles%3C%2FSTRONG%3E%3C%2FU%3E.%20This%20added%20layer%20of%20encryption%20is%20called%20service%20encryption.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAlso%2C%20although%20this%20is%20a%20robust%20system%20of%20end%20to%20end%20encryption%2C%20Microsoft%20retains%20an%20availability%20key%2C%20which%20means%20that%20Microsoft%20could%20access%20all%20customer%20data%26nbsp%3B%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fcustomer-key-availability-key-understand%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fcustomer-key-availability-key-understand%3C%2FA%3E)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20lack%20of%20encryption%20of%20Teams%20messages%20as%20well%20as%20the%20existence%20of%20an%20availability%20key%20for%20all%20services%20would%20be%20a%20concern%20for%20a%20customer%20that%20wants%20100%25%20security.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIt%20would%20be%20nice%20if%20Teams%20messages%20were%20also%20encrypted%20and%20if%20there%20were%20a%20tier%20of%20service%20that%20could%20provide%20that%20only%20the%20customer%20had%20the%20key%20to%20access%20(even%20though%20if%20the%20customer%20loses%20the%20key%2Fpassword%2C%20they%20would%20be%20out%20of%20luck).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F178440%22%20target%3D%22_blank%22%3E%40Steven%20Collier%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

I am aware that Microsoft Teams has data encryption at rest and in transit. But is there a way to use E2EE? If not is metadata at least encrypted?

Thanks

- Hayden

9 Replies
Highlighted
I am also interested in this issue. MS announced a partnership with Signal to use their tech to do E2E encryption for Skype for Biz, what is being done for Teams?
Highlighted

@Jlee_Prosci All Teams data is encrypted "in transit and at rest" see https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview.

 

I'm not really sure what E2EE would mean in a Teams context, it's typically for consumer type apps where the data is only decrypted on the end client devices. Teams can't be this, the data resides in Office 365 and is subject to retention and ediscovery. 

Highlighted
I read that doc and am familiar with it. We use the mobile app and need to understand the E2EE part. I understand that Teams has encryption in transit and rest, but does that translate down to a mobile client? MS went to the trouble of incorporating Signal tech in Skype4Biz, does that mean it is an option for the Teams mobile app? Just trying to confirm.
Highlighted

@Jlee_Prosci The mobile client supports App Protection Policies from InTune that would ensure that it's content is encrypted and users are authenticated on the end point device.

 

E2EE means something different. It means that the messages are encrypted on the senders device and can only be decrypted on the recipients device. All of the infrastructure in the middle is irrelevant as it can not decrypt the content at all. This is not how Teams works, while every stage of the journey is encrypted the service in the middle can decrypt content if it needs, for example to store data within the retention records or if you add a new person to the conversation. E2EE is only really relevant in apps which don't have any central services.

Highlighted
Thanks! Is InTune something we need to turn on manually and create a policy to manually add people to?
Highlighted
Highlighted

@Steven Collier 

 

Are there any plans for a service like EKM (Enterprise Key Management)?  Enterprise-side keys allow businesses to be 100% assured of confidentiality and can enable direct control and data portability.  Otherwise, customers may have to limit their usage of the platform.

Highlighted

Thanks, I wasn't aware that this level of encryption was available!

 

It says "Office 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Office 365 offers an added layer of encryption at the application level for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files. This added layer of encryption is called service encryption."

 

Also, although this is a robust system of end to end encryption, Microsoft retains an availability key, which means that Microsoft could access all customer data  (https://docs.microsoft.com/en-us/microsoft-365/compliance/customer-key-availability-key-understand)

 

The lack of encryption of Teams messages as well as the existence of an availability key for all services would be a concern for a customer that wants 100% security.  

 

It would be nice if Teams messages were also encrypted and if there were a tier of service that could provide that only the customer had the key to access (even though if the customer loses the key/password, they would be out of luck).

 

@Steven Collier