End-to-end team encryption extended to desktop clients


Available since November 2021

Microsoft has been rolling out E2EE to Office 365 tenants since November (MC259495, updated September 23, 2021).

Microsoft’s definition is: “End-to-end encryption is the encryption of information at its origin and its decryption at its intended destination without intermediary nodes being able to decrypt it.” Teams already encrypts its VoIP call traffic using Transport Layer Security (TLS). What E2EE adds is that the devices taking part in the call also encrypt the media themselves. For this to work, both parties (in the same tenant or not) must be allowed by policy to use E2EE, and both must also turn on the E2EE option in the Teams client’s privacy settings (Figure 1). E2EE is supported by both the Windows and Mac desktop clients.

Figure 1: Enabling end-to-end encrypted calls in the Privacy section of Teams settings

When everything is aligned, the negotiation that sets up a call between the two parties agrees on an encryption key that only the two clients hold. Each side can then decrypt what the other sends, and this additional layer of encryption gives the call greater confidentiality.

Calls locked

During an encrypted call, Teams displays a lock icon in the upper-left corner of the call window. If participants click the lock, they see a verification number; both parties should read it out and confirm that it is the same on each side.

Figure 2: Matching numbers show that a Teams call is using end-to-end encryption

Besides the lock icon, the call window UI changes to remove call features that are unavailable, such as:

  • live captions,
  • live transcription,
  • adding participants,
  • call transfer,
  • consult then transfer,
  • call merge,
  • call park and call recording.

These features are not available when end-to-end encryption secures calls.

Aside from the loss of functionality, I haven’t noticed any performance hit for encrypted Teams calls. It’s still important to have reasonable bandwidth and to use good headsets. Workstations do extra work to secure the communication, but this shouldn’t be a problem for the kind of PCs and Macs available today.

The challenges of E2EE

The complexity of key management explains why Microsoft currently limits Teams E2EE to one-on-one or “ad hoc” calls. However, Microsoft intends to expand E2EE to full online meetings in the future.

Key management also creates other challenges in terms of available features. According to Microsoft, “E2EE calls [in the] first release will only support basic calling features, and many advanced features such as escalation, call transfer, recording, captions, etc. will not be available…”. Voice processing isn’t possible when only the clients of a communication share the encryption key. For example, Teams can generate live captions and meeting transcripts. But before AI agents can process the audio stream, they need access to the data. The same goes for Teams meeting recordings, as they rely on an audio-video stream capture bot for further processing and storage in OneDrive. I imagine that if you’re hosting super-secret calls, you might not want to have transcripts and recordings. So it probably doesn’t matter much.

Meeting chat remains available during E2EE calls but lacks E2EE protection. Instead, chat messages are like other Teams data. They are protected in transit and at rest by standard encryption capabilities.

Administrative control

The enhanced encryption policy controls whether the end-to-end encryption setting is visible to users in Teams settings. Because this option removes a substantial amount of functionality from Teams calls, the default value is “off,” which means users won’t see the end-to-end encryption setting at all.

Tenant administrators who don’t want people to use E2EE can simply leave the default in place. To offer it to some people, they create a custom policy that enables the capability and assign that policy to selected accounts. For example, this command allows users to enable E2EE in Teams calls (DisabledUserOverride means the option is off by default but users may turn it on):

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride

As with any changes to Teams, it may take some time for the changes to take effect. Microsoft plans to add the Teams end-to-end encryption policy to the Teams admin center.
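To show the custom-policy route described above end to end, here is an added PowerShell example (not from the original post) that creates a dedicated policy, assigns it to one account and checks the assignment. It assumes the MicrosoftTeams PowerShell module is installed and that the policy name and user address are placeholders you replace with your own.

```powershell
# Added example: scope E2EE to selected accounts instead of changing the Global policy.
# Requires the MicrosoftTeams module; sign in as a Teams administrator.
Connect-MicrosoftTeams

$policyName = 'E2EE-Calling-Allowed'          # placeholder policy name
$user       = 'alice@contoso.example'         # placeholder user principal name

# 1. Leave the Global policy at its default (E2EE hidden) and create a custom policy
#    in which users may switch E2EE on themselves in their privacy settings.
if (-not (Get-CsTeamsEnhancedEncryptionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsTeamsEnhancedEncryptionPolicy -Identity $policyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
}

# 2. Assign the custom policy only to the accounts that need confidential calls.
Grant-CsTeamsEnhancedEncryptionPolicy -Identity $user -PolicyName $policyName

# 3. Verify: the Global policy should still be Disabled, the user should carry the custom policy.
Get-CsTeamsEnhancedEncryptionPolicy -Identity Global |
    Select-Object Identity, CallingEndtoEndEncryptionEnabledType
Get-CsUserPolicyAssignment -Identity $user -PolicyType TeamsEnhancedEncryptionPolicy |
    Select-Object PolicyName, PolicySource
```

Policy changes can take a while to propagate to clients, so re-run the verification step before concluding that the setting is missing from a user’s Teams settings.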

Some calls are more important

There’s no doubt that some calls are more important and confidential than others. People probably don’t worry too much about encrypted communications for their usual check-in calls with colleagues. But when the time comes to discuss company secrets, it’s good to know that E2EE is available.
