Microsoft rolls out end-to-end encryption for Teams calls

Microsoft announced today the general availability of end-to-end encryption (E2EE) support for one-to-one Microsoft Teams calls.

The company started the roll-out of E2EE support for Teams calls in public preview two months ago, on October 21. 

The new feature is now rolling out to enterprise customers' tenants, and IT admins will be able to toggle it on for their organization once the update has been received.

"As a reminder, by default end-to-end encryption will not be available to all users within the tenant," said John Gruszczyk, a Technical Product Manager at Microsoft.

"Once IT has configured the policy and enabled it for selected users, those selected users will still need to turn on end-to-end encryption in their Teams settings. IT retains the ability to disable E2EE for one-to-one Teams calls as necessary."

How to enable E2EE for Teams calls

Once the new feature is available (disabled by default), IT admins will be able to toggle it on for their entire org or only for a specific user group via the Teams admin center:

1. Sign in to the Teams admin center and navigate to Other settings > Enhanced encryption policies.
2. Name the new policy, then for End-to-end call encryption, choose users can turn it on, and then select Save.
3. Once you’ve finished creating the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies.

They can choose which users can use the enhanced encryption settings in Teams from the IT Admin modern portal under Enhanced Encryption policies. 

Admins can also manage E2EE policies using PowerShell scripts and apply them to tenants, users, and groups.

The feature will be made available to users only when running the latest Microsoft Teams update. They will need to turn on E2EE in their Team settings using the following steps:

1. On the top right of the Teams window, select the profile picture (or the ellipses next to the profile picture).
2. Choose Settings > Privacy.
3. Turn on end-to-end encrypted calls by toggling the switch.

More info on how 1:1 calls are end-to-end encrypted and which Teams features aren't available when E2EE is turned on can be found in this blog post. 

While Teams already encrypted data in transit and at rest, the addition of E2EE support for calls also allows administrators to set up automatic recording and transcription of voice calls.

After enabling E2EE for calls in a tenant, Teams calls will be suitable for sharing sensitive info that should remain private between call participants.

When toggled on, the real-time media flow (i.e., video and voice data) in Microsoft Teams 1:1 calls will also be encrypted for head-to-head discussions to remain entirely private, with no way for other parties to decrypt them.

Encryption for Teams calls is also available for Microsoft 365 customers (more details are available here).