With this public preview release, Microsoft is rolling out E2EE for unscheduled one-to-one calls. Only the real-time media flow, that is, video and voice data, for one-to-one Teams calls is end-to-end encrypted. Both parties must turn on this setting to enable end-to-end encryption. Encryption in Microsoft 365 protects chat, file sharing, presence, and other content in the call.
Let's take a closer look at what happens behind the scenes and how IT administrators can configure it.
If you don't enable end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. During an end-to-end encrypted call, Teams secures the following features:
The following advanced features aren't available during an E2EE call:
Live captions and transcription
Consult then transfer
Call companion and transfer to another device
Adding a participant
Also, if your organization uses compliance recording, end-to-end encryption isn't available.
Yes, that's how it is for now!
Use the Teams admin center to configure end-to-end encryption
The global, organization-wide, default policy specifies that end-to-end encryption is disabled. Users in your organization will automatically get the global policy unless you create and assign a custom policy. To enable end-to-end encryption, create a new encryption policy or modify the global default policy. To enable end-to-end encryption using the Teams admin center, complete these steps.
Using a work or school account that has been assigned the Teams or global administrator role, sign in to the Teams admin center.
Go to Other settings > Enhanced encryption policies.
Either choose the default policy or choose Add to add a new policy and then name the new policy.
To enable end-to-end encryption for your users, for End-to-end call encryption, choose Users can turn it on, and then choose Save. To disable end-to-end encryption, choose Turn it off for everyone.
Once you’ve finished setting up the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies.
Use Microsoft PowerShell to configure end-to-end encryption
You can manage end-to-end encryption policies using Microsoft PowerShell and the Teams admin center. Several end-to-end encryption cmdlets are included in the Teams PowerShell module and documented in the Microsoft Teams cmdlet reference. This article lists the cmdlets you can use and provides simple example configurations. These configurations use the default, global policy. Your organization might require more complex policy configuration. Complete information about these cmdlets is provided in the cmdlet reference.
End-to-end encryption PowerShell cmdlets:
Get-CsTeamsEnhancedEncryptionPolicy returns information about the Teams enhanced encryption policies in your organization.
Grant-CsTeamsEnhancedEncryptionPolicy assigns and unassigns existing enhanced encryption policies to a user. Use $NULL to unassign all policies from a user.
New-CsTeamsEnhancedEncryptionPolicy creates a new Teams enhanced encryption policy.
Remove-CsTeamsEnhancedEncryptionPolicy deletes an enhanced encryption policy from your organization. You can't delete the global, default policy.
Set-CsTeamsEnhancedEncryptionPolicy updates values in an existing Teams enhanced encryption policy.
Your work or school account needs the Teams or global administrator role to configure end-to-end encryption.
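The following script is an added example, not taken from the original article or from Microsoft's documentation. It walks through the cmdlets listed above to audit existing policies, create a custom policy that lets users turn E2EE on, assign it to one pilot user, and check the assignment. The policy name and user principal name are constructed placeholders.

```powershell
# Added example. Requires the MicrosoftTeams PowerShell module and an account
# with the Teams or global administrator role.
$PolicyName = 'E2EE-Pilot'               # hypothetical custom policy name
$PilotUser  = 'pilot.user@contoso.com'   # constructed sample UPN

Connect-MicrosoftTeams

# 1. Audit: list every enhanced encryption policy and its current E2EE setting.
#    'Disabled' corresponds to "Turn it off for everyone" in the admin center;
#    'DisabledUserOverride' corresponds to "Users can turn it on".
Get-CsTeamsEnhancedEncryptionPolicy |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType

# 2. Create the custom policy if it does not exist, otherwise update it in place,
#    so the script can be re-run safely.
$existing = Get-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    New-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
}
else {
    Set-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
}

# 3. Assign the policy to a single pilot user instead of changing the Global
#    policy, so the rest of the tenant keeps the default (E2EE disabled).
Grant-CsTeamsEnhancedEncryptionPolicy -Identity $PilotUser -PolicyName $PolicyName

# 4. Check the assignment. Policy changes can take time to propagate.
#    Assumes the TeamsEnhancedEncryptionPolicy property is exposed by the
#    installed module version.
Get-CsOnlineUser -Identity $PilotUser |
    Select-Object UserPrincipalName, TeamsEnhancedEncryptionPolicy

# Roll back: unassign the custom policy so the user falls back to Global.
# Grant-CsTeamsEnhancedEncryptionPolicy -Identity $PilotUser -PolicyName $null

# Tenant-wide alternative: modify the default policy instead of steps 2 and 3.
# Set-CsTeamsEnhancedEncryptionPolicy -Identity Global `
#     -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
```

Assigning the policy only makes the option available; each user still has to turn on end-to-end encrypted calls in their own Teams settings, and both parties must have it on for a call to be end-to-end encrypted.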
Does this capability only exist in Teams Desktop?
End-to-end encrypted calls can be made between two parties when both are using the latest version of the Teams desktop client for Windows or Mac, or are on a mobile device with the latest update for iOS or Android.
Does turning on end-to-end encryption on one device also turn it on for all my devices?
Yes, the setting will be synchronized across supported endpoints.
How do I enable end-to-end encryption from Mobile?
Follow these steps:
In Teams Mobile, go to Settings > Calling.
Under Encryption, turn on End-to-end encrypted calls.
How do I verify that I’m on an end-to-end encrypted call on Mobile?
The mobile call also shows a lock + shield icon. Tap on the encryption indicator to reveal the 20-digit security code for the call. Just like the desktop app, both the caller and callee can verify that the code matches to ensure that both parties are on an end-to-end encrypted call.