With the announcement that end-to-end encryption (E2EE) is now available in public preview, I wanted to take a closer look, so here are my notes on enablement and my experiences so far. Please note that at the time of writing this post E2EE is in public preview, so things could change at GA.
What is E2EE?
E2EE is the encryption of information, in this case audio and video, at its origin (sender) and decryption at its intended destination (receiver), without the ability for intermediate nodes or parties to decrypt it. No man in the middle, thank you!
What’s available now?
With this preview, only voice (audio) and video are encrypted end to end, and only for one-to-one Microsoft Teams calls. Both parties must have E2EE enabled via policy, be enabled for public preview, and have it enabled client side as well. The article below notes that M365 encryption is still in place for chats, files, presence and other content shared on the call.
This is available with the latest version of the Teams desktop client for Windows or Mac, or on a mobile device with the latest update for iOS and Android.
IMPORTANT – Your users need to be enabled for Public Preview features for Teams as well, otherwise the client settings to enable E2EE won't appear. This isn't clear on the Tech Community blog but is listed in the How to use E2EE article on Microsoft Support.
Please see my post "Microsoft Teams – How to join and enable Public Preview for your users" if you need to do this.
If you don't enable E2EE, then what happens now?
Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. For more information, see Media encryption for Teams.
Enablement via PowerShell
The Tech Community article references enabling this in the Teams Admin Center, but that isn't available for me yet, so I have to refer to the admin doc and enable it via PowerShell for the moment.
By default the following policies already existed in my tenant.
So Global is disabled, Disabled is disabled, but UserControlled already allows a user to choose whether to use E2EE.
So I can create a new custom one, or it seems I can grant the existing UserControlled policy to a user.
To create a custom policy and enable the option for the user to turn on E2EE, I use:
New-CsTeamsEnhancedEncryptionPolicy -Identity ContosoPartnerTeamsEnhancedEncryptionPolicy -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
Grant the EnhancedEncryption policy to a user (remember both users require this, so I need to enable at least 2).
Again I have to use PowerShell, as I can't grant this type of policy in the Teams Admin Centre yet.
Grant-CsTeamsEnhancedEncryptionPolicy -PolicyName UserControlled -Identity AlexW@M365x881502.OnMicrosoft.com
Grant-CsTeamsEnhancedEncryptionPolicy -PolicyName UserControlled -Identity admin@M365x881502.OnMicrosoft.com
We can check it's been assigned with Get-CsOnlineUser.
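Because both parties need a policy that lets them turn E2EE on, and the Global policy is disabled, it helps to resolve each user's effective policy rather than only look at the assignment. The script below is an added example, not code from the original post. It assumes a connected MicrosoftTeams PowerShell session and that Get-CsOnlineUser exposes the assignment in a property named TeamsEnhancedEncryptionPolicy.

```powershell
# Added example, not from the original post. Run after Connect-MicrosoftTeams.
# UPNs are the two test users granted the policy above.
$users = 'AlexW@M365x881502.OnMicrosoft.com', 'admin@M365x881502.OnMicrosoft.com'

# Index the tenant's policies by name; per-user policies are listed as "Tag:<name>".
$policies = @{}
foreach ($p in Get-CsTeamsEnhancedEncryptionPolicy) {
    $policies[($p.Identity -replace '^Tag:', '')] = $p
}

$report = foreach ($upn in $users) {
    $user = Get-CsOnlineUser -Identity $upn
    # Assumption: the assignment is exposed as TeamsEnhancedEncryptionPolicy,
    # either as a plain string or as an object with a Name property.
    $raw = $user.TeamsEnhancedEncryptionPolicy
    $assigned = if ($raw -and $raw.PSObject.Properties['Name']) { $raw.Name } else { [string]$raw }
    # No direct assignment means the Global policy applies.
    $effective = if ($assigned) { $assigned } else { 'Global' }
    $setting = [string]$policies[$effective].CallingEndtoEndEncryptionEnabledType
    [pscustomobject]@{
        User            = $upn
        EffectivePolicy = $effective
        Setting         = $setting
        # DisabledUserOverride is the value that lets the user switch E2EE on.
        UserMayEnable   = ($setting -eq 'DisabledUserOverride')
    }
}

$report | Format-Table -AutoSize
if ($report.UserMayEnable -contains $false) {
    Write-Warning 'At least one party cannot enable E2EE, so the call will use default Teams encryption.'
}
```

This only covers the admin policy side; each user still has to be in public preview and switch the setting on in their own client.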
User Enablement in Clients
Your users must be part of the public preview program, otherwise the client settings will not appear. To check this quickly in your client, check whether you have a P in the top right of your profile picture.
Even with public preview enabled in the Teams client and a policy configured and granted to your users, your users are still required to enable this in their client before E2EE is enabled. (Your client needs public preview enabled at this time.)
Go to Settings > Privacy
Enable End-to-end encrypted calls
Without E2EE enabled, the shield is displayed without a padlock. If this appears and you're testing E2EE, it means at least one of the parties doesn't have E2EE enabled in the client, or it's not enabled by your admin. The shield is the default Teams encryption.
With E2EE enabled
Once both parties have enabled E2EE in the desktop client, let's try it out and see what happens.
Alex called another user and in the call window we now see a shield with a padlock.
If you hover over it, it shows E2EE is enabled for this call.
It displays some numbers which can be used to verify against both parties, and these were the same, as expected.
And that's it.
Point to note – users need to be enabled for Teams Public Preview, desktop clients only, admin needs to assign policy to users, both users require E2EE enabled.
Articles to learn more
How to enable Public Preview for Teams