Use end-to-end encryption for one-to-one Microsoft Teams calls
Important
The Teams service model, and its encryption support, is subject to change in order to improve customer experiences. For example, the service regularly deprecates cipher suites that are no longer considered secure. Any such changes would be made with the goal of keeping Teams secure and Trustworthy by Design. In addition, all customer content in Microsoft data centers is encrypted. For information about encryption layers in Microsoft 365, see Encryption in Microsoft 365.
End-to-end encryption, or E2EE, happens when content is encrypted before it's sent and decrypted only by the intended recipient. With end-to-end encryption, only the two endpoint systems are involved in encrypting and decrypting the call data. No other party, including Microsoft, has access to the decrypted conversation.
With E2EE for unscheduled one-to-one calls, only the real-time media flow, that is, video and voice data, for one-to-one Teams calls are end-to-end encrypted. Both parties must turn on this setting to enable end-to-end encryption. Encryption in Microsoft 365 protects chat, file sharing, presence, and other content in the call.
End-to-end encrypted calls can be made between two parties when: the parties are using the latest version of the Teams desktop client for Windows or Mac, they are on a mobile device with the latest update for iOS and Android, or they are on a Teams Rooms on Windows device using the latest update.
If you don't enable end-to-end encryption, Teams still secures a call or meeting using encryption based on industry standards. Data exchanged during calls is always secure while in transit and at rest. For more information, see Media encryption for Teams.
During an end-to-end encrypted call, Teams secures the following features:
Audio
Video
Screen sharing
The following advanced features aren't available during an E2EE call:
Live captions and transcription
Call transfer
Call merge
Call park
Consult then transfer
Call companion and transfer to another device
Adding a participant
Recording
Apps
Also, if your organization uses compliance recording, end-to-end encryption isn't available. For more info on how Teams supports compliance recording, see Introduction to Teams policy-based recording for callings & meetings.
Configure end-to-end encryption for Microsoft Teams
Complete these tasks so your users can place end-to-end encrypted calls.
Enable end-to-end encryption for your organization by creating one or more policies that define who can use end-to-end encryption. Before you start, make sure that your work or school account has been assigned the Teams or global administrator role. For information, see Use Microsoft Teams administrator roles to manage Teams. When you're ready to set up E2EE, you can use the Teams admin center or Microsoft PowerShell.
Switch on end-to-end encrypted calls in Teams settings on your device. Each user needs to complete this task, but they only need to do it on one device. Teams synchronizes this setting across supported end points for each user. For instructions, see Use end-to-end encryption for Teams calls.
Use the Teams admin center to configure end-to-end encryption
The global, organization-wide, default policy specifies that end-to-end encryption is disabled. Users in your organization will automatically get the global policy unless you create and assign a custom policy. To enable end-to-end encryption, create a new encryption policy or modify the global default policy. To enable end-to-end encryption using the Teams admin center, complete these steps.
Using a work or school account that has been assigned the Teams or global administrator role, sign in to the Teams admin center.
Go to Enhanced encryption policies.
Either choose the default policy or choose Add to add a new policy and then name the new policy.
To enable end-to-end encryption for your users, for End-to-end call encryption, choose Not enabled, but users can enable, and then choose Save.
To disable end-to-end encryption, choose Not enabled.
Once you’ve finished setting up the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies. For information about using policies in Teams, see Manage Teams with policies.
Use Microsoft PowerShell to configure end-to-end encryption
You can manage end-to-end encryption policies using Microsoft PowerShell and the Teams admin center. Several end-to-end encryption cmdlets are included in the Teams PowerShell module and documented in the Microsoft Teams cmdlet reference. This article lists the cmdlets you can use and provides simple example configurations. These configurations use the default, global policy. Your organization might require more complex policy configuration. Complete information about these cmdlets is provided in the cmdlet reference.
End-to-end encryption PowerShell cmdlets:
Get-CsTeamsEnhancedEncryptionPolicy returns information about the Teams enhanced encryption policies in your organization.
Grant-CsTeamsEnhancedEncryptionPolicy assigns and unassigns existing enhanced encryption policies to a user. Use
$NULL
to unassign all policies from a user.New-CsTeamsEnhancedEncryptionPolicy creates a new Teams enhanced encryption policy.
Remove-CsTeamsEnhancedEncryptionPolicy deletes an enhanced encryption policy from your organization. You can't delete the global, default policy.
Set-CsTeamsEnhancedEncryptionPolicy updates values in an existing Teams enhanced encryption policy.
Your work or school account needs the Teams or global administrator role to configure end-to-end encryption.
To enable end-to-end encryption for your entire tenant using the global policy
By default, end-to-end encryption is disabled. To enable end-to-end encryption for the entire tenant by setting the default global policy, run the Set-CsTeamsEnhancedEncryptionPolicy cmdlet as follows.
Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
Where:
Global
means that you're setting this configuration on the global, organization-wide default policy.DisabledUserOverride
means that E2EE is disabled in Teams by default, but users can override the default and turn on E2EE in their Teams settings.
To disable end-to-end encryption for your entire tenant using the global policy
By default, end-to-end encryption is disabled. If you've made changes to the global policy, you can change the setting back by running the Grant-CsTeamsEnhancedEncryptionPolicy cmdlet as follows.
Grant-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType Disabled
Where:
Global
means that you're setting this configuration on the global, organization-wide default policy.Disabled
means that you're disabling E2EE for everyone and users can't turn it on in their Teams settings.
To enable end-to-end encryption for a single user
To enable end-to-end encryption for a user, run the Grant-CsTeamsEnhancedEncryptionPolicy cmdlet as follows.
Grant-CsTeamsEnhancedEncryptionPolicy -Identity "username" -PolicyName "policyname"
Where:
username
is the name of the user.policyname
is the name you want to use for the policy. Policy names can't contain spaces, for example, ContosoE2EEUserPolicy.
Users still need to switch on end-to-end encrypted calling in their Teams settings before they can make an end-to-end encrypted call. For instructions, see Use end-to-end encryption for Teams calls.
For example:
Grant-CsTeamsEnhancedEncryptionPolicy -Identity "[email protected]" -PolicyName "ContosoE2EEUserPolicy"
To unassign an end-to-end encryption policy from a single user
Users can have one and only one encryption policy assigned to them at a time. When you unassign a policy from a user, the user is then assigned the global, organization-wide, default policy. You can't unassign the default policy. To unassign an end-to-end encryption policy from a user, run the Grant-CsTeamsEnhancedEncryptionPolicy cmdlet as follows.
Grant-CsTeamsEnhancedEncryptionPolicy -Identity "[email protected]" -PolicyName $NULL
Switch on end-to-end encryption on your device
For instructions, see Use end-to-end encryption for Teams calls.
Related topics
Top 12 tasks for security teams to support working from home