Preview Now, Available in November

Microsoft has been talking about end-to-end encryption (E2EE) for Teams calls for about six months. Now available to preview users, Microsoft says that they expect to roll-out E2EE to Office 365 tenants in November (MC259495, updated September 23, 2021). Hopefully, this is the last delay for the feature described in Microsoft 365 roadmap item 70780.

Microsoft’s definition is “End-to-end encryption is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes to decrypt.” Teams already encrypts its VOIP traffic for calls using the Transport Layer Security (TLS) protocol and Secure Real-Time Transport Protocol (SRTP). What changes in E2EE is that the devices involved in the call encrypt the information too. For this to happen, both sides in the conversation (who can be in different tenants) must be allowed by policy to use E2EE (we’ll explain how later) and enable the E2EE option in Teams client privacy settings (Figure 1). E2EE is supported using the Windows and Mac desktop clients, but not the Linux, browser, or mobile clients.

Enabling end to end encrypted calls in the Privacy section of Teams settings
Figure 1: Enabling end to end encrypted calls in the Privacy section of Teams settings

When everything is aligned, the negotiation to initiate a call between two parties agree on an encryption key to allow both sides to understand each other. The extra layer of encryption ensures more confidentiality for calls.

Locked Calls

During an encrypted call, Teams displays a lock icon in the upper left corner of the call window (beside the call duration). If participants click the lock, they’ll see a check number which should be the same for both parties (Figure 2).

The numbers prove that a Teams call is using end to end encryption
Figure 2: The numbers prove that a Teams call is using end to end encryption

Apart from the lock icon, the user interface for the call window changes to remove call features like live captions and transcription, adding extra participants, call transfer, consult then transfer, call merge, park call, and call recording. These features aren’t supported when end to end encryption secures calls.

Apart from the loss of features, I didn’t note any real difference in Teams encrypted calls over their regular counterparts. It’s still important to have reasonable bandwidth available and use good headsets. The workstations do some extra work to secure communications, but that shouldn’t be an issue for the kind of PCs and Macs available today.

Challenges for E2EE

As pointed out by Paul Robichaux (the happy camper shown in Figure 2) after Microsoft’s announcement of E2EE, the complexity involved in key management and making sure that everyone involved in a call can handle encrypted content is why Microsoft currently limits Teams E2EE to one-to-one or “ad-hoc” calls. However, as clear from their March announcement, Microsoft intends to bring E2EE to full online meetings in the future.

Key management creates other challenges too in terms of available functionality. Microsoft says that “E2EE calls [in the] first release will only support basic calling features and many advanced features like escalation, call transfer, recording, captions etc. will not be available…” Voice processing isn’t possible when only the clients involved in a call share the encryption key. For instance, Teams can generate live captions and meeting transcripts, but before the AI agents can process the audio stream to pick apart the individual spoken contributions, they must be able to access the data. The same is true for Teams meeting recordings, which rely on a bot to capture the audio and video streams for later processing and storage in OneDrive for Business. I guess if you’re having super-secret calls, you might not want to have transcripts and recordings available, so this probably doesn’t matter a great deal.

Meeting chat remains available during E2EE calls but isn’t protected by E2EE. Instead, chat messages are like other Teams data and protected in transit and at rest by its normal encryption capabilities (see notice in Figure 2).

Administrative Control

The Teams enhanced encryption policy assigned to user accounts controls whether users see the option to enable end to end encryption in calls. Because the option removes a substantial amount of functionality from Teams calls, the default is Disabled, meaning that users don’t see the end-to-end encryption setting in Teams settings.

If tenant administrators don’t want people to use E2EE, they can leave the default value set in the global Teams encryption policy. They could then create a custom policy to enable the capability and assign that policy to selected accounts. For example, this command allows users to turn on E2EE in Teams calls.

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride

Like changes to any Teams policy, it can take some time before the changes are effective. Microsoft says that policy control over Teams end to end encryption will be available in the Teams admin center soon.

Some Calls are More Important

There’s no doubt that some calls are more important and more confidential than others. People probably aren’t too concerned about encrypted communications for their run-of-the-mill check-in calls with co-workers. But when the time comes to discuss corporate secrets or other sensitive information, it’s nice to know that E2EE is available.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Christoph Weste

    Hey Tony,

    did you have any experience who long it takes until the teams client respect the changes? I changed it 12+ hours ago. Also trying to sign out / in to force the changes to the client did not help.

    But maybe I have just to wait a little bit longer ?

    Cheers

    Christoph

    1. Tony Redmond

      It all seemed to happen pretty quickly for me. Make sure that the following is done:

      1. Policy assigned to accounts (this is where the delay might be).
      2. Clients choose to enable E2EE in settings.
      3. Enable E2EE in 1:1 call

      1. Christoph Weste

        Ahh I found my mistake -_- it is necessary to switch into preview mode. After that the teams client showed the option do activate E2EE.

        Thx Tony

        Cheers

        Chris

Leave a Reply