Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Organizations Can Now Try Out End-to-End Encrypted Microsoft Teams Calls

Microsoft Teams end-to-end encryption (E2EE)

Microsoft this week announced that organizations can now enable their employees to make one-to-one calls on Teams that are protected by end-to-end encryption.

Microsoft Teams end-to-end encryption (E2EE)

Microsoft this week announced that organizations can now enable their employees to make one-to-one calls on Teams that are protected by end-to-end encryption.

First announced at the tech giant’s Ignite event in March, end-to-end encryption (E2EE) for one-to-one Teams calls is now rolling out to public preview. Organizations can take advantage of the new capability, but IT admins and users will have to manually enable it.

When E2EE is used, conversations are encrypted in a way that prevents anyone, including Microsoft, from intercepting them. However, at this point, only the real-time media flow, which includes video and voice data, is encrypted end-to-end, and the users on both ends of the call will need to enable it.

E2EE is available for Teams on Windows, macOS, Android and iOS, and once it has been enabled for an account it can be used across all of a user’s devices. An end-to-end encryption indicator is displayed during a call so that the user knows their conversation is protected.

If users need to use Teams features that are not covered by end-to-end encryption — this includes recording, live caption and transcription, call transfer and merge, and group calls — they have to temporarily disable E2EE.

“In normal call flows, negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key based on per-call certificates generated on both client endpoints. Since DTLS derives the key based on client certificates, the key is opaque to Microsoft. Once both clients agree upon the key, the media begins to flow using this DTLS-negotiated encryption key over SRTP,” Microsoft explained.

It added, “To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 thumbprints of the caller’s and callee’s endpoint call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other to see if they match. If the codes don’t match, then the connection between the caller and callee has been intercepted by a man-in-the-middle attack. If the call has been compromised, users can terminate the call manually.”

Microsoft noted that even though E2EE is currently only available for one-to-one calls, other features such as group calls and chats are still protected by Microsoft 365 encryption. The company plans on adding E2EE to online meetings as well at some point in the future.

Microsoft has shared instructions on how end-to-end encryption can be enabled for Teams running on desktop and mobile devices.

Related: Zoom Introduces End-to-End Encrypted Phone Calls

Related: Facebook Adds End-to-End Encryption to Calls in Messenger

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...