Enable End-to-End Encryption for Microsoft Teams

In this article, I will show you how to enable end-to-end encryption for Microsoft Teams. You can configure end-to-end encryption (E2EE) policies using Microsoft PowerShell and the Teams admin center.

Teams end-to-end encryption is a method that secures the communication between sender and receiver. In simple words, the content is encrypted before it’s sent and decrypted only by the intended recipient.

Many products have adopted end-to-end encryption, including WhatsApp Messenger, Telegram, and WebEx. Microsoft Teams also supports end-to-end encryption, and an administrator can enable it for individual groups or for the entire organization.

When the end-to-end encryption (E2EE) is enabled for Teams, no other party, including Microsoft, has access to the decrypted conversation. With E2EE, the sender or creator encrypts the data, and only the intended receiver or reader can decrypt it.

Note: The E2EE is available only for one-on-one Teams calls, and you cannot use E2EE for group calls and meetings.


Ways to Enable Teams End-to-End Encryption

There are two ways to enable end-to-end encryption for Microsoft Teams:

  1. You can enable E2EE from Teams admin center
  2. Use Microsoft PowerShell to configure end-to-end encryption

Of the two methods, enabling E2EE from the Teams admin center is much easier than using PowerShell. Enhanced encryption policies control whether users in your organization can use enhanced encryption settings in Teams.

If you are comfortable with PowerShell, go with the second method. With the PowerShell method, you can enable end-to-end encryption for a single user or for the entire tenant.

Teams E2EE Capabilities

After you enable E2EE for Microsoft Teams, during an E2EE call, Teams secures the following features:

  • Audio
  • Video
  • Screen sharing

The below listed features will not be available in Teams during an E2EE call:

  • Recording
  • Live captions and transcription
  • Call transfer
  • Call merge
  • Call Park
  • Consult then transfer
  • Call companion and transfer to another device
  • Adding a participant

Note: To enable end-to-end encryption, you can create a new encryption policy or modify the existing global default policy. The global (organization-wide) default policy has end-to-end encryption disabled by default. If you want to enable E2EE for all Teams users, turn on Teams Enhanced encryption policies in the global policy.

Enable End-to-End encryption for Microsoft Teams

To enable end-to-end encryption using the Teams admin center, perform the following steps:

  • Sign in to the Teams admin center using a work or school account that has been assigned the Teams or global administrator role.
  • Go to Enhanced encryption policies.
  • Either choose the default policy or choose Add to add a new policy and then name the new policy.
  • To enable end-to-end encryption for your users, for End-to-end call encryption, select "Off, but users can turn it on". Click Save.

There are two options available for End-to-end encryption setting in Teams Admin Center:

  1. Off: This option is enabled by default.
  2. Off, but users can turn it on: This option should be selected if you want to turn on end-to-end encryption for Teams.

After making the above changes, click Save.


Use PowerShell to Enable Teams End-to-end Encryption

You can use the PowerShell cmdlets to enable the Teams end-to-end encryption. This can be done for a single user or for the entire tenant.

To enable end-to-end encryption for a user, run the Grant-CsTeamsEnhancedEncryptionPolicy cmdlet as shown in the below example.

Grant-CsTeamsEnhancedEncryptionPolicy -Identity "username" -PolicyName "policyname"

To enable end-to-end encryption for your entire tenant using the global policy, run the below PowerShell command.

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
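
The two cmdlets above can be combined into a scoped rollout that enables E2EE for a pilot group instead of the whole tenant. The following is an added example, not part of the original article: the policy name E2EE-Pilot and the user addresses are placeholders, it assumes the MicrosoftTeams PowerShell module is installed, and it assumes Get-CsOnlineUser exposes the assigned policy as the TeamsEnhancedEncryptionPolicy property.

```powershell
# Added example: scoped E2EE rollout with a dedicated policy.
# Placeholders (assumptions): policy name and pilot user UPNs.
$PolicyName = 'E2EE-Pilot'
$PilotUsers = @('alice@contoso.example', 'bob@contoso.example')

Connect-MicrosoftTeams | Out-Null

# 1. Record the current state of every policy, including Global,
#    so the change can be reviewed and reverted later.
Get-CsTeamsEnhancedEncryptionPolicy |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType |
    Format-Table -AutoSize

# 2. Create the pilot policy only if it does not exist yet.
#    Custom policies are listed with a "Tag:" prefix on Identity.
$existing = Get-CsTeamsEnhancedEncryptionPolicy |
    Where-Object { $_.Identity -in @($PolicyName, "Tag:$PolicyName") }
if (-not $existing) {
    New-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride | Out-Null
}

# 3. Grant the policy per user and collect failures instead of
#    stopping at the first bad account.
$results = foreach ($upn in $PilotUsers) {
    try {
        Grant-CsTeamsEnhancedEncryptionPolicy -Identity $upn `
            -PolicyName $PolicyName -ErrorAction Stop | Out-Null
        [pscustomobject]@{ User = $upn; Granted = $true; Error = $null }
    } catch {
        [pscustomobject]@{ User = $upn; Granted = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# 4. Verify the assignment on each successfully granted user.
#    Assumption: the property name below; assignments can take
#    some time to show up after the grant.
$results | Where-Object Granted | ForEach-Object {
    Get-CsOnlineUser -Identity $_.User |
        Select-Object UserPrincipalName, TeamsEnhancedEncryptionPolicy
}
```

Users who receive the policy still have to turn on the End-to-end encrypted calls toggle in their own Teams client, as described in the next section.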

Turn on End-to-end Encrypted Calls in Microsoft Teams

End-to-end encryption works only when both people enable the End-to-end encrypted calls option in Microsoft Teams before the call starts. Perform the steps below to enable it.

  • Launch Microsoft Teams client.
  • Select More options next to your profile picture and then select Settings.
  • Select Privacy on the left and then select the toggle next to End-to-end encrypted calls to turn it on.

Verify E2EE in Microsoft Teams Call

There is a way to find out if the end-to-end encryption is working during the Teams call. Look for a shield with a lock in the top-left corner of the Teams call window. If you see this Shield icon, it indicates that E2EE is turned on for both parties and end-to-end encryption is working.
