Enable End-to-End Encryption for Microsoft Teams

Posted by Prajwal Desai

In this article, I will show you how to enable end-to-end encryption for Microsoft Teams. You can configure end-to-end encryption (E2EE) policies using Microsoft PowerShell and the Teams admin center.

End-to-end encryption for Microsoft Teams is a technique that protects communication between sender and receiver. In simple words, with Microsoft Teams E2EE enabled, the content is encrypted before it’s sent and decrypted only by the intended recipient.

Many services have adopted end-to-end encryption, including WhatsApp Messenger, Telegram, WebEx, etc. Microsoft Teams supports end-to-end encryption as well, and administrators can enable it for individual groups or for the entire organization.

When end-to-end encryption (E2EE) is enabled for Teams, no other party, including Microsoft, has access to the decrypted conversation. With E2EE, the sender or creator encrypts the data, and only the intended receiver or reader can decrypt it.

Note: The E2EE of Microsoft Teams is available only for one-on-one Teams calls, and you cannot use E2EE for group calls and meetings.

Ways to Turn on End-to-End Encryption for Microsoft Teams

There are two ways to enable end-to-end encryption for Microsoft Teams:

  1. Enable E2EE from the Teams admin center.
  2. Use Microsoft PowerShell to turn on end-to-end encryption.

Of the two methods, PowerShell is much easier than the Teams admin center for enabling E2EE. With PowerShell, end-to-end encryption for Microsoft Teams can be enabled for both a single user and the entire tenant. Enhanced encryption policies let you manage which users in your organization have access to the enhanced encryption settings in Teams.

Microsoft Teams E2EE Capabilities

After you enable E2EE for Microsoft Teams, during an E2EE call, Teams secures the following features:

  • Audio
  • Video
  • Screen sharing

The following features are not available in Teams during an E2EE call:

  • Recording
  • Live captions and transcription
  • Call transfer
  • Call merge
  • Call Park
  • Consult then transfer
  • Call companion and transfer to another device
  • Adding a participant

Note: To enable end-to-end encryption, you can either create a new encryption policy or modify the existing global default policy. The global (organization-wide) default policy has end-to-end encryption disabled by default. Turn on the Teams enhanced encryption setting in the global policy if you want to make E2EE available to all Teams users.

How to Enable End-to-End Encryption for Microsoft Teams

To enable end-to-end encryption using the Teams admin center, perform the following steps:

  • Sign in to the Teams admin center using a work or school account that has been assigned the Teams or global administrator role.
  • Go to Enhanced encryption policies.
  • Either choose the default policy or choose Add to add a new policy and then name the new policy.
  • To enable end-to-end encryption for your users, set End-to-end call encryption to "Off, but users can turn it on". Click Save.

In the Teams Admin Center, there are two options for setting end-to-end encryption:

  1. Off: This option is enabled by default.
  2. Off, but users can turn it on: Select this option if you want to turn on end-to-end encryption for Teams.

After making the above changes, click Save.

Use PowerShell to Enable E2EE for Teams calls

You can use PowerShell cmdlets to enable Teams end-to-end encryption. This can be done for a single user or for the entire tenant.

To enable end-to-end encryption for a user, run the Grant-CsTeamsEnhancedEncryptionPolicy cmdlet as shown in the below example.

Grant-CsTeamsEnhancedEncryptionPolicy -Identity "username" -PolicyName "policyname"

To enable end-to-end encryption for your entire tenant using the global policy, run the below PowerShell command.

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
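
The following script is an added example, not part of the original article: it combines the steps above into a pilot rollout that records the current global setting, creates a dedicated policy, assigns it to a few users and reports what each user ended up with. The policy name E2EE-Pilot and the contoso.com accounts are placeholders, and it assumes the MicrosoftTeams PowerShell module is installed.

```powershell
#Requires -Modules MicrosoftTeams
# Added example: pilot rollout of a Teams enhanced encryption policy.
# Assumptions: the policy name and user accounts below are placeholders.

$PolicyName = 'E2EE-Pilot'                    # hypothetical policy name
$PilotUsers = @('alice@contoso.com',          # constructed sample accounts
                'bob@contoso.com')

Connect-MicrosoftTeams | Out-Null

# 1. Record the tenant-wide setting before changing anything.
$global = Get-CsTeamsEnhancedEncryptionPolicy -Identity Global
Write-Host "Global policy: $($global.CallingEndtoEndEncryptionEnabledType)"

# 2. Create the pilot policy only if it does not exist yet.
#    Custom policies are listed with a "Tag:" prefix on their identity.
$existing = Get-CsTeamsEnhancedEncryptionPolicy |
    Where-Object { $_.Identity -in @($PolicyName, "Tag:$PolicyName") }
if (-not $existing) {
    New-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride | Out-Null
}

# 3. Assign the policy to each pilot user; keep going if one assignment fails.
foreach ($upn in $PilotUsers) {
    try {
        Grant-CsTeamsEnhancedEncryptionPolicy -Identity $upn `
            -PolicyName $PolicyName -ErrorAction Stop
    } catch {
        Write-Warning "Could not assign $PolicyName to ${upn}: $($_.Exception.Message)"
    }
}

# 4. Report the policy each pilot user now carries.
#    An empty Policy value means the user falls back to the Global policy.
$PilotUsers | ForEach-Object {
    $user = Get-CsOnlineUser -Identity $_
    [pscustomobject]@{
        User   = $user.UserPrincipalName
        Policy = $user.TeamsEnhancedEncryptionPolicy
    }
} | Format-Table -AutoSize
```

Policy assignments can take some time to propagate, so rerun step 4 later if a user still shows an empty value.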

Turn on End-to-end Encrypted Calls in Microsoft Teams

End-to-end encryption works only when both people enable the End-to-end encrypted calls option in Microsoft Teams before the start of the call. Perform the steps below to enable it.

  • Launch Microsoft Teams client.
  • Select More options next to your profile picture and then select Settings.
  • Select Privacy on the left and then select the toggle next to End-to-end encrypted calls to turn it on.

Verify E2EE in Microsoft Teams Call

There is a way to find out if the end-to-end encryption is working during the Microsoft Teams call. Look for a shield with a lock in the top-left corner of the Teams call window. If you see this Shield icon, it indicates that E2EE is turned on for both parties and end-to-end encryption is working.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.