Preview Now, Available in November
Microsoft has been talking about end-to-end encryption (E2EE) for Teams calls for about six months. Now available to preview users, Microsoft says that they expect to roll out E2EE to Office 365 tenants in November (MC259495, updated September 23, 2021). Hopefully, this is the last delay for the feature described in Microsoft 365 roadmap item 70780.
Microsoft’s definition is “End-to-end encryption is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes to decrypt.” Teams already encrypts its VoIP traffic for calls using the Transport Layer Security (TLS) protocol and Secure Real-Time Transport Protocol (SRTP). What changes in E2EE is that the devices involved in the call encrypt the information too. For this to happen, both sides in the conversation (who can be in different tenants) must be allowed by policy to use E2EE (we’ll explain how later) and enable the E2EE option in Teams client privacy settings (Figure 1). E2EE is supported using the Windows and Mac desktop clients, but not the Linux, browser, or mobile clients.
When everything is aligned, the two parties negotiate an encryption key as the call is set up so that both sides can understand each other. The extra layer of encryption adds confidentiality to the call.
During an encrypted call, Teams displays a lock icon in the upper left corner of the call window (beside the call duration). If participants click the lock, they’ll see a check number which should be the same for both parties (Figure 2).
Apart from the lock icon, the user interface for the call window changes to remove call features like live captions and transcription, adding extra participants, call transfer, consult then transfer, call merge, park call, and call recording. These features aren’t supported when end-to-end encryption secures calls.
Apart from the loss of features, I didn’t note any real difference in Teams encrypted calls over their regular counterparts. It’s still important to have reasonable bandwidth available and use good headsets. The workstations do some extra work to secure communications, but that shouldn’t be an issue for the kind of PCs and Macs available today.
Challenges for E2EE
As pointed out by Paul Robichaux (the happy camper shown in Figure 2) after Microsoft’s announcement of E2EE, the complexity involved in key management and making sure that everyone involved in a call can handle encrypted content is why Microsoft currently limits Teams E2EE to one-to-one or “ad-hoc” calls. However, as is clear from their March announcement, Microsoft intends to bring E2EE to full online meetings in the future.
Key management creates other challenges too in terms of available functionality. Microsoft says that “E2EE calls [in the] first release will only support basic calling features and many advanced features like escalation, call transfer, recording, captions etc. will not be available…” Voice processing isn’t possible when only the clients involved in a call share the encryption key. For instance, Teams can generate live captions and meeting transcripts, but before the AI agents can process the audio stream to pick apart the individual spoken contributions, they must be able to access the data. The same is true for Teams meeting recordings, which rely on a bot to capture the audio and video streams for later processing and storage in OneDrive for Business. I guess if you’re having super-secret calls, you might not want to have transcripts and recordings available, so this probably doesn’t matter a great deal.
Meeting chat remains available during E2EE calls but isn’t protected by E2EE. Instead, chat messages are like other Teams data and protected in transit and at rest by its normal encryption capabilities (see notice in Figure 2).
The Teams enhanced encryption policy assigned to user accounts controls whether users see the option to enable end-to-end encryption in calls. Because the option removes a substantial amount of functionality from Teams calls, the default is Disabled, meaning that users don’t see the end-to-end encryption setting in Teams settings.
If tenant administrators don’t want people to use E2EE, they can leave the default value set in the global Teams encryption policy. If they want to allow some people to use it, they can create a custom policy that enables the capability and assign that policy to selected accounts. For example, this command (applied here to the global policy rather than a custom one) allows users to turn on E2EE in Teams calls.
Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
As with any change to a Teams policy, it can take some time before the new setting is effective. Microsoft says that policy control over Teams end-to-end encryption will be available in the Teams admin center soon.
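The custom-policy approach described above, written out as an added example that is not part of the original post. The policy name, description, and user principal names are assumptions; the cmdlets are from the MicrosoftTeams PowerShell module.

```powershell
# Added example: keep the global policy at its default (Disabled) and allow the
# E2EE toggle only for selected accounts through a custom policy.
# Policy name and UPNs below are assumed values.
Connect-MicrosoftTeams

# Confirm the tenant default is still Disabled, so most users never see the setting
Get-CsTeamsEnhancedEncryptionPolicy -Identity Global |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType

# Create a custom policy that lets assigned users switch E2EE on in their client
$PolicyName = "E2EECallingAllowed"   # assumed name
New-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
    -Description "Allow users to enable end-to-end encrypted 1:1 calls" `
    -CallingEndtoEndEncryptionEnabledType DisabledUserOverride

# Assign the custom policy to the accounts that need it (assumed UPNs)
$Users = @("alice@contoso.example", "bob@contoso.example")
foreach ($Upn in $Users) {
    Grant-CsTeamsEnhancedEncryptionPolicy -Identity $Upn -PolicyName $PolicyName
}

# Verify: the Global policy is untouched and the custom policy exists
Get-CsTeamsEnhancedEncryptionPolicy |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType

# Check what landed on one user (policy type name assumed for this cmdlet)
Get-CsUserPolicyAssignment -Identity $Users[0] -PolicyType TeamsEnhancedEncryptionPolicy
```

Assigning the policy only exposes the setting; each user still has to turn it on in Teams privacy settings, and both parties must be on the Windows or Mac desktop client for the call to be end-to-end encrypted.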
Some Calls are More Important
There’s no doubt that some calls are more important and more confidential than others. People probably aren’t too concerned about encrypted communications for their run-of-the-mill check-in calls with co-workers. But when the time comes to discuss corporate secrets or other sensitive information, it’s nice to know that E2EE is available.