Teams Real Simple with Pictures: End to End Encryption in Meetings with Teams Premium

This blog is part of a series on Teams. For more articles, check back often

Written: 03/01/2022 | Updated: N/A

Following yesterday's blog on Watermarking, let's turn to another premium feature. End to End Encryption (E2EE) has been around for 1:1 VOIP calls for a while. I once did a blog on it. I even spoke about it a few times, including at aMS Lausanne, where I covered how to implement it, the caveats, and how DTLS over SRTP worked. So, with the coming of Teams Premium, we now have E2EE for Meetings. Excellent. And, like VOIP calls, caveats do apply. Let's run through them.

Number 1: Like VOIP calls, E2EE for Meetings only covers real-time media. In other words, only audio, video and screen sharing are encrypted at the source and decrypted at the destination, without any nodes or parties decrypting/re-encrypting in between. Everything else (chat, files, avatars, reactions, Q&A, presence) is not end to end encrypted. Importantly, however, these other things are still TLS encrypted as part of the standard service encryption. This is a question you may be commonly asked, and it confuses people because what is E2EE and what is not E2EE is on the same screen, in the same app.

Number 2: Like VOIP calls, in an E2EE meeting many familiar features will be unavailable to you: no together mode, live captions, recording, breakout rooms, CART options or language interpretation. This is a minimalist meeting designed for private communications. Like VOIP calls, it also rules out compliant call recording (CCR), and with it all orgs/users who use CCR, because the compliant call recording can't access what it needs and E2EE will not override this compliance requirement.

Number 3: Unlike when VOIP calls were first introduced, this can be managed in the TAC (Teams Admin Centre).

Number 4: Like VOIP calls, E2EE isn't enabled even after enabling it in the TAC. It also requires enabling in the meeting options. The good news is that, unlike VOIP calls, you don't have to enable it in the client settings, and you can auto-enable it via Teams Meeting Templates and Sensitivity Labels.

Number 5: It's available between two parties when the parties are using the latest version of the Teams desktop client for Windows or Mac, they are on a mobile device with the latest update for iOS and Android, or they are on a Teams Rooms on Windows device using the latest update and the mobile app. It's not currently supported in web, nor VDI. So this is a continued phasing out and pretty consistent with the VOIP experience.

One final thing: the meeting organiser, the one who schedules the E2EE meeting, needs Teams Premium. Not everyone needs a Teams Premium licence.

All prepped? Let’s go!

This blog will cover

  • Getting Teams Premium Trial
  • Configuring E2EE in Teams Admin Centre
  • Experience of the Meeting
  • FAQ

Note: this blog may have some abridged steps which will assume some experience with Teams. This blog is using a Ring 4 tenant with GA functionality. Teams Premium will be a trial sign up, but will soon be orderable via Microsoft 365 Portal or your CSP Partner

Prerequisites

  • Global Admin for trial sign up. Global Admin or Teams Admin for tenant configuration
  • Microsoft 365 Licence for Teams for testing
  • Teams Premium Trial Licence for users
  • Ensure Teams Client is up to date on the latest version (1.5.00.34874 (64-bit))

GETTING TEAMS PREMIUM TRIAL
Ok, so the tenant I am using is not using Teams Premium so I will need a Teams Premium trial.

1.) Go to https://aka.ms/tpdlnk and login with the global admin credentials

2.) Select Start Free Trial. Currently in this trial only 1 licence is permitted

3.) Select Try Now

4.) Select Continue

5.) Wait a few minutes and the licence will be provisioned to the tenant. In the Microsoft 365 Admin Centre select Users then Active Users

6.) Select the User to assign the Teams Premium Licence to, then Manage Product Licences. Tick Microsoft Teams Premium and then Save Changes. All set up and ready to go.

CONFIGURING E2EE IN THE TEAMS ADMIN CENTRE
Ok. Now that the licence is assigned to the user, this should enable the configuration of E2EE in the Teams Admin Centre.

1.) In the Microsoft 365 Admin Centre, select Show All then Teams from the left navigation

2.) In the Teams Admin Centre, from the left navigation, select Enhanced Encryption Policies

3.) Select the Policy. This example will use the Global (Org Wide Default) policy. If you only want to set it for a subset of users select a custom policy instead.

4.) Set End-to-End Meeting Encryption to Not Enabled, but users can override. Once done, select Save. The policy is now configured and will need time for propagation

CONFIGURING END TO END ENCRYPTION IN MEETING OPTIONS
Now that E2EE has been configured in the Teams Admin Centre and there has been some propagation time (I waited 2 hours), let’s configure a meeting to include E2EE

1.) Create the meeting as usual and once created, open it back up and select Meeting Options

2.) In the meeting options, switch Enable end-to-end-encryption to on and select Save. You will notice that recording, CART options and language interpretation become greyed out, since they are not permitted with E2EE

Job done. All ready to go 🙂

EXPERIENCE OF THE MEETING
Once in the meeting here is the experience of End to End Encryption for the attendee. Looks pretty much like a normal meeting.

The key difference is this: all participants should check that E2EE has been applied successfully by looking for the Shield with the Padlock icon (non-E2EE meetings simply have a shield) at the top left of the client and, hovering over it, checking that the 20 Digit Safety Number is the same for all attendees who have joined the meeting. Some people at this point would ask: what is a Safety Number? The Safety Number is generated to verify that the meeting is E2EE; a mismatch in the number could signal something like a MITM (Man in the Middle) attack

E2EE can be used in conjunction with Watermarking

FAQ

Q.) What is the participant limit of an E2EE meeting?
A.) 50 participants

Q.) Is there a definitive list of what is not E2EE and what functionalities don't work?
A.) The best way to think of it is that the only things that are E2EE are audio, video and screen sharing. If other features exist in the meeting, these are not E2EE but are encrypted with standard service encryption. Recording, CART options, Language Interpretation, Large Gallery and Together Mode are definitely unavailable at the time of writing.

Q.) Do I need to enable E2EE in the Teams Client?
A.) No, enabling E2EE in the Teams Client, within the settings is for 1:1 VOIP calls, not meetings

Q.) Can I enable E2EE during a meeting? Can I disable it during a meeting?
A.) No. You need to enable it in the meeting options before the meeting. You can disable it during a meeting, but the meeting will remain E2EE until everyone leaves the meeting and it restarts

Q.) What if the Safety Number is different?
A.) Personally, I would leave the meeting, cancel it, create another, rejoin and check that the Safety Number is the same

Q.) What is the experience if I join an E2EE meeting on the web, or with a Desktop client which hasn’t been updated?
A.) You will not be able to join, and you will get a notification to switch to an updated Desktop App or Mobile App. The Desktop App version tested is: 1.5.00.34874 (64-bit)

Q.) Can this be configured in PowerShell?
A.) You can get the E2EE Meeting Policy using

Get-CsTeamsEnhancedEncryptionPolicy

And you should be able to enable/disable it in the future using commands like

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -MeetingEndToEndEncryption DisabledUserOverride

Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -MeetingEndToEndEncryption Disabled

However, it looks like that isn't supported yet in the latest module (4.9.1). Of course, I didn't deep dive into testing this element, and of course I may be overlooking something
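
A check-then-set version of the commands above, as an added example (not code from the original post): it lists the current policies, confirms that the installed MicrosoftTeams module exposes the -MeetingEndToEndEncryption parameter before using it, and reads the value back afterwards. It assumes the MicrosoftTeams module is installed and the signed-in account is a Teams admin; the variable names are illustrative.

```powershell
# Added example: audit the enhanced encryption policies and, where the installed
# module supports it, set meeting E2EE on one policy. Assumes a Teams admin account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$paramName = 'MeetingEndToEndEncryption'
$desired   = 'DisabledUserOverride'   # "Not enabled, but users can override" in the TAC
$identity  = 'Global'                 # swap for a custom policy name to scope to a subset of users

# 1. Report the current meeting E2EE setting for every policy in the tenant.
$policies = Get-CsTeamsEnhancedEncryptionPolicy
$policies | Format-Table Identity, $paramName -AutoSize

# 2. Confirm the installed module exposes the meeting parameter before calling it,
#    so an older module fails with a clear message rather than a binding error.
$setCmd = Get-Command Set-CsTeamsEnhancedEncryptionPolicy -ErrorAction Stop
if (-not $setCmd.Parameters.ContainsKey($paramName)) {
    $ver = (Get-Module MicrosoftTeams).Version
    Write-Warning "MicrosoftTeams $ver has no -$paramName parameter; use the Teams Admin Centre instead."
    return
}

# 3. Change the policy only when it differs from the desired value.
$current = ($policies | Where-Object Identity -eq $identity).$paramName
if ("$current" -ne $desired) {
    $splat = @{ Identity = $identity; $paramName = $desired }
    Set-CsTeamsEnhancedEncryptionPolicy @splat
}

# 4. Read the policy back to confirm what is stored. Clients still need
#    propagation time before the meeting option appears.
Get-CsTeamsEnhancedEncryptionPolicy -Identity $identity |
    Select-Object Identity, $paramName
```

Running step 1 on its own is a quick way to see which policies already allow organisers to turn on meeting E2EE.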

Q.) What happens if my org has compliant call recording and I join an E2EE meeting set up by someone else?
A.) You cannot join it

Q.) How does this relate to Teams Meeting Templates and Sensitivity Labels?
A.) End to End Encryption for Meetings can be applied to specific meetings using Teams Meeting Templates, or Sensitivity Labels, which are also features in the Teams Premium Licence. These will be covered in blogs following this one 🙂