When you conduct business over calls, security concerns are certainly not overblown. It’s completely normal to worry about compromised security. But if you use Microsoft Teams, you can bid adieu to some of those worries now.
Microsoft Teams now has End-to-End Encryption (E2EE) for certain calls. End-to-End Encryption on calls means that the calls will be encrypted at the origin point and decrypted only at the destination. No one in the middle will have access to your call data, and that includes Microsoft as well. Let’s dive into the complete details regarding this feature and how you can use it.
How will End-to-End Encryption Work in Teams?
Currently, End-to-End Encryption is only coming for impromptu 1:1 calls. That means any scheduled calls, unscheduled group calls, and meetings don’t have End-to-End encryption (yet).
But End-to-End Encryption has to be enabled first by IT admins, then by end-users in the tenant. IT admins will get to decide which users will have access to the feature. End-to-End Encryption will be available on the desktop app on Windows and Mac, as well as the mobile app on both iPhone and Android. It won’t be available on Teams for Web.
Both users in the call should have End-to-End Encryption enabled for their accounts for them to be able to use the feature. End-to-End Encryption in calls will only encrypt the real-time data, i.e., voice and video data. This doesn’t include other data like Chat, files, presence, etc. But all this other data is not unsafe. Microsoft 365 protects this data using other Encryption technologies.
Currently, this feature seems to be available only for Microsoft 365 users. Whether it will be available for Microsoft Teams Free users in the future is unclear. But all Microsoft Teams calls are still safe, as Microsoft secures them using industry-standard encryption.
Features Unavailable with E2EE in Teams
Some features won’t be available in calls that are using End-to-End Encryption. These include features like:
- Call Recording
- Transcripts and Live Captions
- Call Park
- Call Merge
- Call Transfer (blind, safe, and consult)
- Call Companion and transfer to another device
- Add Participant to make the 1:1 call a group call (as E2EE isn’t available for group calls)
To use these features in a call, you’ll have to disable End-to-End Encryption for your account.
How to Enable End-to-End Encryption for your Organization (For IT Admins)
IT Admins can add the feature for End-to-End Encryption for users in their organization like any other policy. You can make it a global (org-wide) policy or create custom policies and assign them to users.
Go to admin.teams.microsoft.com and sign in with your admin account. Then, navigate to ‘Other Settings’ from the navigation pane on the left.
A few options will expand underneath it. Click ‘Enhanced encryption policies’ from the options.
Then, name your policy. Click the drop-down menu next to ‘End-to-End Encryption’ and select ‘Users can turn it on’. Finally, click the ‘Save’ button.
Once you’ve created the policy, assign it to users, groups, or your entire tenant just like any other policy in Microsoft Teams.
Note: The feature has only started to roll out, and it might take a little while before you get the update.
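The same policy can be created and assigned from PowerShell instead of the admin center. This is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module is installed, and the policy name and user addresses are hypothetical placeholders.

```powershell
# Added example: create an enhanced encryption policy that lets users turn
# E2EE on, then assign it to a pilot set of users.
# Assumes the MicrosoftTeams module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$policyName = 'E2EE-Pilot'                      # hypothetical policy name
$pilotUsers = @(                                # constructed sample accounts
    'alice@contoso.example',
    'bob@contoso.example'
)

# Create the policy only if it does not exist yet, so the script can be re-run.
$existing = Get-CsTeamsEnhancedEncryptionPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    # DisabledUserOverride corresponds to "users can turn it on":
    # E2EE stays off until each user enables it in their own settings.
    New-CsTeamsEnhancedEncryptionPolicy -Identity $policyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride `
        -Description 'Allow pilot users to enable E2EE for 1:1 calls'
}

# Assign the policy per user. Both parties of a call need it for E2EE to apply.
foreach ($upn in $pilotUsers) {
    try {
        Grant-CsTeamsEnhancedEncryptionPolicy -Identity $upn -PolicyName $policyName -ErrorAction Stop
        Write-Host "Assigned $policyName to $upn"
    }
    catch {
        Write-Warning "Could not assign $policyName to ${upn}: $($_.Exception.Message)"
    }
}

# Review every enhanced encryption policy in the tenant and its calling setting.
Get-CsTeamsEnhancedEncryptionPolicy |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType, Description
```

Because recording, transcription and transfer are unavailable on E2EE calls, scoping the policy to specific users rather than the whole tenant keeps those features for everyone else.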
How to Enable End-to-End Encryption in your Teams Account
Once the IT admins have configured the E2EE policy for the organization, users (as per the policy) can enable it for their accounts. Even after the admins allow it, end-to-end encryption still has to be enabled at the account level. Otherwise, it’ll remain off even if the admins have allowed your account to use it.
Note: Make sure that you’re using the latest update of the desktop client or mobile app or else the feature won’t be available.
To enable E2EE from the desktop, open the Microsoft Teams desktop app on your PC or Mac. Then, go to the Title Bar and click the ‘More options’ icon (three dots) next to your profile icon.
Select ‘Settings’ from the menu.
Then, go to ‘Privacy’ from the navigation menu on the left.
In Privacy settings, turn on the toggle for ‘End-to-end encrypted calls’.
Turn off the toggle from these settings when you want to use the features that E2EE restricts in the call.
To enable E2EE from the Teams mobile app, open the latest version of the Teams Mobile app on iPhone or Android.
Tap your Profile icon in the upper left corner.
Then, tap the option for ‘Settings’.
From the settings screen, go to ‘Calling’.
There you can enable the option for ‘End-to-End encryption’ under Encryption.
Whether you enable the option from the desktop or mobile app, the setting applies account-wide. So, if you’ve enabled it from the desktop app, it’ll be on when you use the mobile phone and vice-versa.
How to Check for End-to-end Encryption in a Teams Call
The whole point of having End-to-End Encrypted calls is to make sure that your calls are secure. With E2EE, you can rest assured that the voice and video data is only decrypted at its intended destination and no one in the middle has access. But how can you be completely sure that there has been no man-in-the-middle attack? There’s an easy way to check this for Microsoft Teams calls.
When a call is end-to-end encrypted successfully, both the caller and the callee will see an encryption indicator, a shield with a lock, on the upper-left corner of the call window.
Although seeing the indicator lets you know that end-to-end encryption is enabled for the call, it isn’t the confirmation we’re looking for. Hover over the E2EE indicator to display more information. Teams will display a 20-digit security code.
In an encrypted call, the same code will appear on both ends. Match the number with the person on the other side of the call. If the number matches, your call is secure. But if it doesn’t, the connection has been intercepted by a man-in-the-middle attack and isn’t secure anymore. In this case, terminate the call manually.
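Why comparing the codes detects interception, as an added illustration that is not part of the original article and is not Teams’ actual derivation. It assumes the code is computed from the certificate fingerprints of both endpoints as each side sees them; the hashing, digit encoding and fingerprint strings are constructed for the example.

```powershell
# Added illustration, NOT Teams' real algorithm: a 20-digit code derived from
# the two endpoint certificate fingerprints that a client observes on a call.
function Get-CallSecurityCode {
    param(
        [Parameter(Mandatory)][string]$LocalFingerprint,
        [Parameter(Mandatory)][string]$RemoteFingerprint
    )
    # Sort the pair so caller and callee hash identical input.
    $pair = [string[]]@($LocalFingerprint, $RemoteFingerprint)
    [Array]::Sort($pair, [System.StringComparer]::Ordinal)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($pair -join '|')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $digest = $sha.ComputeHash($bytes) } finally { $sha.Dispose() }
    # Constructed encoding: one decimal digit per digest byte, 20 digits.
    -join ($digest[0..19] | ForEach-Object { $_ % 10 })
}

function Compare-CallSecurityCode {
    param(
        [Parameter(Mandatory)][string]$Scenario,
        [Parameter(Mandatory)][string]$CallerCode,
        [Parameter(Mandatory)][string]$CalleeCode
    )
    [pscustomobject]@{
        Scenario   = $Scenario
        CallerSees = $CallerCode
        CalleeSees = $CalleeCode
        Match      = ($CallerCode -ceq $CalleeCode)
    }
}

# Constructed fingerprints (placeholders, not real certificates).
$caller = 'CALLER-CERT-FINGERPRINT-0001'
$callee = 'CALLEE-CERT-FINGERPRINT-0002'
$relay  = 'RELAY-CERT-FINGERPRINT-0003'

# Direct call: each side sees the other's genuine certificate.
$direct = Compare-CallSecurityCode -Scenario 'Direct' `
    -CallerCode (Get-CallSecurityCode -LocalFingerprint $caller -RemoteFingerprint $callee) `
    -CalleeCode (Get-CallSecurityCode -LocalFingerprint $callee -RemoteFingerprint $caller)

# Intercepted call: each side unknowingly sees the relay's certificate instead.
$intercepted = Compare-CallSecurityCode -Scenario 'Intercepted' `
    -CallerCode (Get-CallSecurityCode -LocalFingerprint $caller -RemoteFingerprint $relay) `
    -CalleeCode (Get-CallSecurityCode -LocalFingerprint $callee -RemoteFingerprint $relay)

$direct, $intercepted | Format-Table -AutoSize
```

The comparison only protects the call if the codes are read aloud or exchanged over a channel the interceptor cannot alter, which is why the check is done between the two people rather than by the app alone.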
Although Microsoft is introducing E2EE only for ad-hoc 1:1 calls right now, it doesn’t mean that’s all it’ll be available for. They will take this opportunity to assess how the feature is assisting users and eventually might bring it to other types of calls.