End-to-End Encryption for Teams Calls


Microsoft recently announced that end-to-end encryption will be possible in person-to-person scenarios for Microsoft Teams Calls. 

Calls made in Teams are already encrypted by Microsoft 365 encryption technologies. However, end-to-end encryption goes a step further and prevents man-in-the-middle interception scenarios. 

Here’s Microsoft’s definition of end-to-end encryption for Teams: 

“End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.” 

Microsoft clarified that with this preview release, “only the real-time media flow, that is, video and voice data, for one-to-one Teams calls, are end-to-end encrypted.” 

The Teams chat function uses Microsoft 365 encryption rather than end-to-end encryption. More broadly, Microsoft 365 services encrypt chat, file sharing, presence, and other content in the call.

Teams users can see that end-to-end encryption is enabled by the lock plus shield icon which appears near the top left of their screen. Participants in an end-to-end encrypted call also see a 20-digit number; if the numbers shown on the two ends do not match, someone tried to intercept the call.

End-to-end encryption is available to organisations that use the Teams desktop client for Windows or the Teams app on a mobile device that has the latest software.

Turned Off by Default

End-to-end encryption for Teams isn’t enabled by default. It’s left up to organisations to turn this feature on, but the end-user must enable it too if they want encryption. 

IT experts have a few options for enabling Teams end-to-end encryption, such as: 

  • The IT Admin modern portal, which provides organisations with the flexibility to create custom policies for all or select users.
  • Group policy, where the policy can be applied to a group of users. 
  • Microsoft PowerShell allows policies to be set for tenants, users, and groups. 
  • The Teams Admin Center, where you can turn on and apply the policy to either users, groups, or your entire tenant. 

Even after it has been enabled for the tenant, end-to-end encryption stays turned off by default. Users also have to turn it on manually in their Teams settings.
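The PowerShell option described above, as an added example that is not part of the original article: it creates an enhanced encryption policy and assigns it to a pilot set of users with the MicrosoftTeams module. The policy name `E2EE-Pilot` and the user addresses are constructed placeholders.

```powershell
# Added example, not from the original article.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator account.
Connect-MicrosoftTeams

# Constructed placeholders: replace with your own policy name and users.
$policyName = 'E2EE-Pilot'
$pilotUsers = @('alice@contoso.example', 'bob@contoso.example')

# Custom policies are returned with a "Tag:" prefix on their Identity.
$existing = Get-CsTeamsEnhancedEncryptionPolicy |
    Where-Object { $_.Identity -eq "Tag:$policyName" }

if (-not $existing) {
    # DisabledUserOverride: end-to-end encryption stays off until the user
    # switches it on in Teams settings, matching the behaviour described above.
    # The other value, Disabled, removes the user's option to turn it on.
    New-CsTeamsEnhancedEncryptionPolicy -Identity $policyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
}

# Per-user assignment for the pilot group.
foreach ($upn in $pilotUsers) {
    Grant-CsTeamsEnhancedEncryptionPolicy -Identity $upn -PolicyName $policyName
}

# Tenant-wide assignment instead of per-user (left commented out on purpose):
# Grant-CsTeamsEnhancedEncryptionPolicy -Global -PolicyName $policyName

# Review what each policy in the tenant allows.
Get-CsTeamsEnhancedEncryptionPolicy |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType
```

Assigning the policy only gives users the option. Both parties on a one-to-one call still have to switch the setting on in their own Teams client.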

Disabled Features

Certain Teams features aren’t available when end-to-end encryption is enabled. Here’s what won’t work: 

  • Recording 
  • Live caption and transcription 
  • Call transfer (blind, safe, and consult) 
  • Call Park 
  • Call Merge 
  • Call Companion and transfer to another device 
  • Add participant to make the one-to-one call a group call 

However, if you need those features, you can disable end-to-end encryption through Teams settings. 

End-to-end encryption is now available for preview and will only work for person-to-person calls. It won’t work on group audio calls, but Microsoft is currently working on support for these features. 

If you’re looking to migrate over to Microsoft Teams, get in touch with our IT experts.
