Use end-to-end encryption for one-to-one Microsoft Teams calls
By Mansoor Malik, Microsoft
October 25, 2021
Earlier this year we announced end-to-end encryption (E2EE) support for Microsoft Teams Calls. Today we are pleased to announce that we're starting to roll out E2EE for Teams calls to public preview. Once you receive the latest update, IT admins in your organization will have the option to make the feature available for you. Here's an overview of how E2EE for Teams calls works, details around how IT Admins and users can turn it on, and how it is implemented.
End-to-end encryption (E2EE)
End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.
We're rolling out this preview of E2EE for unscheduled one-to-one calls today. When both parties in a one-to-one call turn on E2EE, the communication between those two parties in the call is encrypted from end to end. No other party, including Microsoft, has access to the decrypted conversation.
With this release, only the real-time media flow, that is, the video and voice data, of a one-to-one Teams call is end-to-end encrypted. Both parties must turn on this setting to enable end-to-end encryption. Encryption in Microsoft 365 protects chat, file sharing, presence, and other content in the call. For more information, see Encryption in Microsoft 365.
How can IT Admins make E2EE for Teams one-to-one calls available for their organization?
You can also manage end-to-end encryption policies using Microsoft PowerShell. With Microsoft PowerShell, you can apply policies to the tenant, users, and groups.
To make end-to-end encryption calls available by using the Teams admin center:
By default, end-to-end encryption isn't available to users in your tenant. Once you've configured the policy, end-to-end encryption is still off by default for users when they make a Teams call. Users need to turn on end-to-end encryption in their Teams settings.
Once IT Admin has set the enhanced encryption policy, do users automatically get E2EE in one-to-one calls?
How can the two parties confirm they're on an end-to-end encrypted call?
With this release, users will see the encryption indicator on the Teams call window in the upper left corner. This indicator shows that the call is encrypted. Microsoft 365 encryption technologies encrypt every Teams call. If a call is successfully end-to-end encrypted, both parties will see the end-to-end encryption indicator on the Teams call window. The Teams end-to-end encryption indicator is a shield with a lock.
Hover over the end-to-end encryption indicator to display confirmation that the call is end-to-end encrypted. Teams also displays a security code for the call. To confirm that end-to-end encryption is working correctly, verify that the same security code appears for both parties in the call.
If IT Admins don't enable E2EE or users don't turn on the setting, does that mean Calls and Meetings in Microsoft Teams aren't secure?
If you haven't enabled end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. For more information, see Media encryption for Teams.
Does this capability only exist in Teams Desktop?
End-to-end encrypted calls can be made between two parties when both parties are using the latest version of the Teams desktop client for Windows or Mac, or are on a mobile device with the latest update for iOS or Android.
How do I enable end-to-end encryption from Mobile?
How do I verify that I'm on an end-to-end encrypted call on Mobile?
When end-to-end encryption isn't turned on, the Teams encryption indicator is a regular shield icon without the lock. The regular shield confirms that the call is protected by Microsoft 365 encryption; no end-to-end encryption security code is shown in this case.
What about PSTN calls?
How are calls end-to-end encrypted?
In normal call flows, negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key from per-call certificates generated on both client endpoints. Because DTLS derives the key from those client certificates, the key is opaque to Microsoft. Once both clients agree upon the key, the media begins to flow over SRTP using this DTLS-negotiated encryption key.
To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 thumbprints of the caller's and callee's endpoint call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other and checking that they match. If the codes don't match, the connection between the caller and callee has been intercepted by a man-in-the-middle. If the call has been compromised, users can terminate the call manually.
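The following Python example is added here to show why comparing the security code on both ends detects an intercepted DTLS leg; it is not Microsoft's code and does not reproduce Teams' exact construction. Only the page's stated input is kept (SHA-256 thumbprints of the two per-call certificates); the way the two thumbprints are combined into 20 decimal digits, the function names, and the certificate byte strings are assumptions constructed for the demo.

```python
import hashlib

# Constructed stand-ins for the DER bytes of per-call certificates. Any
# distinct byte strings serve the demo; real certificates are not needed.
CALLER_CERT = b"constructed-caller-call-cert-" + bytes(range(32))
CALLEE_CERT = b"constructed-callee-call-cert-" + bytes(range(32, 64))
RELAY_CERT = b"constructed-interposed-relay-cert-" + bytes(range(64, 96))


def thumbprint(cert_der: bytes) -> bytes:
    """SHA-256 thumbprint of a certificate, the input the page says the code is built from."""
    return hashlib.sha256(cert_der).digest()


def security_code(own_cert: bytes, peer_cert: bytes, digits: int = 20) -> str:
    """Derive a short authentication string from both endpoints' thumbprints.

    Assumption for illustration: the two thumbprints are sorted so either side
    computes the same value, concatenated, hashed once more, and reduced to
    `digits` decimal digits. Teams' real combination step is not documented here.
    """
    ordered = sorted([thumbprint(own_cert), thumbprint(peer_cert)])
    digest = hashlib.sha256(b"".join(ordered)).digest()
    return str(int.from_bytes(digest, "big") % 10**digits).zfill(digits)


def codes_match(caller_view: tuple, callee_view: tuple) -> bool:
    """Each view is (own certificate, certificate the DTLS peer presented).

    Returns True when the codes both users would read aloud are identical,
    which is exactly the check the page asks callers to perform.
    """
    return security_code(*caller_view) == security_code(*callee_view)


def direct_call_matches() -> bool:
    # Honest DTLS handshake: each side sees the other's genuine certificate.
    return codes_match((CALLER_CERT, CALLEE_CERT), (CALLEE_CERT, CALLER_CERT))


def interposed_call_matches() -> bool:
    # A relay terminating DTLS on both legs must present its own certificate
    # to each side, so the two sides derive codes from different cert pairs.
    return codes_match((CALLER_CERT, RELAY_CERT), (CALLEE_CERT, RELAY_CERT))


if __name__ == "__main__":
    print("caller code :", security_code(CALLER_CERT, CALLEE_CERT))
    print("callee code :", security_code(CALLEE_CERT, CALLER_CERT))
    print("direct call codes match     :", direct_call_matches())
    print("interposed call codes match :", interposed_call_matches())
```

The point the demo makes is the one the page relies on: because the code is a function of the certificates actually used in each DTLS handshake, an interposed endpoint cannot make both users see the same code without also holding the genuine per-call certificates' private keys, so a spoken comparison that fails is the signal to hang up.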
Is Chat also end-to-end encrypted during calls that are E2EE?
What features arenít available with end-to-end encryption?
Can I turn E2EE on or off if I need to take advantage of features that are disabled in E2EE calls?
What about group audio/video calls and Meetings?
That's our overview and how-to for end-to-end encryption for one-to-one calls in Teams. Try it and let us know if you have any feedback. Remember to check for updates to make sure you have the latest client so you can turn on the feature after your IT admin has enabled it for you. Enjoy!