Microsoft Previews End-to-End Encryption for Teams Calls
Microsoft recently announced that a public preview of end-to-end encryption is available for Microsoft Teams calls in person-to-person scenarios.
Calls made in Teams are already encrypted via Microsoft 365 encryption technologies. However, end-to-end encryption goes a step further, preventing man-in-the-middle interception scenarios.
Here's Microsoft's definition of end-to-end encryption for Teams:
End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.
Microsoft clarified that with this preview release, "only the real-time media flow, that is, video and voice data, for one-to-one Teams calls are end-to-end encrypted."
The Teams chat function uses Microsoft 365 encryption, instead of end-to-end encryption. In general, Microsoft 365 services use encryption for "chat, file sharing, presence, and other content in the call," the announcement explained.
Teams users are able to verify that end-to-end encryption is turned on via a lock plus shield icon, which appears on the top left portion of a screen. Participants in an end-to-end encryption call also will get a display showing a 20-digit number. If the number sequences on both ends don't match, it means the call was intercepted.
End-to-end encryption just is available for organizations when they use "the Teams desktop client for Windows or Mac," or a mobile device having the "latest update for iOS and Android."
Turned Off by Default
The end-to-end encryption feature is turned off by default for Teams users. Organizations wanting to use it need to turn it on for the tenancy. However, end users also need to turn end-to-end encryption for it to be enabled.
"Both parties must turn on this setting to enable end-to-end encryption," the announcement stated.
IT pros have a few options for enabling Teams end-to-end encryption, namely:
- The "IT Admin modern portal," where it's possible to set organization-wide policy for the feature or create custom policies and assign them to individual users.
- Group policy, where the policy can be applied to a group of users.
- Microsoft PowerShell, which allows policies to be set for "the tenant, users and groups."
- The Teams Admin Center, where the policy can be turned on and assigned to "users, groups or your entire tenant."
End-to-end encryption is still off by default even after enabling it for the tenant. End users also have to also turn it on using their Teams settings.
Certain Teams features won't be available when end-to-end encryption is turned on. Here's what won't work, per the announcement:
- Live caption and transcription
- Call transfer (blind, safe, and consult)
- Call Park
- Call Merge
- Call Companion and transfer to another device
- Add participant to make the one-to-one call a group call
However, if end users really need those features, it's possible for them to disable end-to-end encryption through Teams settings.
End-to-end encryption, now at preview, just works for person-to-person calls. It doesn't work for group audio and video calls. However, support for group calls is something Microsoft is working on for later delivery.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.