Use end-to-end encryption for Teams calls

For situations that require heightened confidentiality, Teams offers end-to-end encryption (E2EE) for one-on-one calls. With E2EE, call information is encrypted at its origin and decrypted at its intended destination so that no information can be decrypted between those points.

Overview

By default, Teams encrypts all communication using industry-standard technologies such as Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP). For more info on the Teams security framework, see Security and Microsoft Teams.

If your IT admin has enabled end-to-end encryption (E2EE) for your team, you can use it to further increase the confidentiality of your one-on-one calls. Both people on the call must turn on E2EE for the technology to work.

Current capabilities

During an E2EE call, Teams secures the following features:

  • Audio

  • Video

  • Screen sharing

You will also be able to chat in these calls, but Microsoft 365 secures your chat sessions. 

Advanced features, including the following, will not be available during an E2EE call:

  • Recording

  • Live captions and transcription

  • Call transfer

  • Call merge

  • Call Park

  • Consult then transfer

  • Call companion and transfer to another device

  • Adding a participant

If your organization uses compliance recording (enterprise call recording that helps businesses meet specific regulatory requirements), E2EE won’t be available. For more info on how Teams supports compliance recording, see Introduction to Teams policy-based recording for callings & meetings.

Make a call using E2EE

Turn on E2EE

Before the call, both people must do the following:

  1. In Teams, select More options next to your profile picture and then select Settings.

  2. Select Privacy on the left and then select the toggle next to End-to-end encrypted calls to turn it on.

    Setting after Read receipts

Verify that E2EE is working

When the call is connected, do the following:

  1. Look for a shield with a lock Shield with a lock in the top left corner of the call window. This indicates that E2EE is turned on for both parties.

    Icon in upper-left corner of screen

    Note: If the shield looks like this Shield without a lock, E2EE is not turned on for at least one of the parties but your call is still encrypted by Microsoft 365.

  2. Point to the shield with a lock to view the security code and compare it with the code that the other person sees.

  3. If both people on the call see the same code, E2EE is working properly.

    A mouse hovers over the encryption shield icon. A message with a group of numbers shows telling the person to verify that the numbers match with others on the call to make sure they're in an end-to-end encrypted call.

FAQ

If I don't use E2EE for a one-on-one call, does that mean the call is not secure?

No. Teams data is encrypted in transit and at rest in Microsoft data centers using industry standard technologies such as TLS and SRTP. This includes calling, messages, files, meetings, and other content. See Encryption for Teams for details.

Can I use E2EE for group meetings and calls?

Not yet. Initially E2EE will be available only for one-on-one Teams calls. After gathering customer feedback to understand how the feature addresses their compliance needs and obligations, we will work to bring E2EE capabilities to online meetings.

For IT admins

Use end-to-end encryption for one-to-one Microsoft Teams calls

Security guide for Microsoft Teams overview

To enable and use end-to-end encryption (E2EE) on one-on-one calls from your mobile device, follow the steps below.

Turn on E2EE

Before the call, both people must do the following:

  1. In Teams, tap your profile picture in the upper left corner of the screen and then tap Settings.

  2. Tap Calling then scroll down to End-to-end encrypted calls and tap the toggle to turn it on. 

    E2EE settings

Verify that E2EE is working

When the call is connected, do the following.

  1. Look for a shield with a lock Shield with a lock in the top left corner of the call window. This indicates that E2EE is turned on for both parties.

  1. Note: If the shield doesn't have a lock  Shield without a lock, E2EE is not turned on for at least one of the parties but your call is still encrypted by Microsoft 365.

  2. Tap the shield with a lock to view the security code and compare it with the code that the other person sees.

  3. If both people on the call see the same code, E2EE is working properly.

    E2EE enabled

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Office Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×