Deployment of End to End Encryption for Microsoft Teams
Here you can find a step by step guide to roll it out in your own tenant.
Preliminaries / Prerequirements
- Microsoft 365 license that includes Teams. This can be a Business, F or Enterprise plan. A Home or even Consumer license is not sufficient.
- Public Preview activated for all users who will use it or the entire Tennant.
- Configuration needed: Global Admin or the Microsoft Teams Administrator with the permissions for the Microsoft Teams PowerShell Module.
- PowerShell module of Microsoft Teams at least version 2.6.0
- Rollout must have already arrived in the tenant. (December 2021 starts the Public Preview!)
ATTENTION: Users:inside currently still need the Public Preview without SLA, increased sending of telemetry and errors may occur.
Configuration steps for using end-to-end encryption
- Login with a user with Teams Admin rights https://login.microsoftonline.com
- Go to the Teams Update Policies
- Create a new policy to enable individual users with it or modify the general policy
- [own policy/modify the general policy ] If you have made a new policy, you have to assign it to the users. For the general policy you can skip this step.
- [own policy/modification of the general] Here you have to wait some hours and continue the tutorial optimally on the next day. [PAUSE]
- Public preview you see at the user:inside
- If you see the preview/public preview step 6, then it goes to step 8, if not, then you still have to wait.
- Users who should test it should switch to the public preview. The Teams client will then restart once. Conditions: https://insider.windows.com/en-us/program-agreement ATTENTION: increased sending of telemetry and diagnostic data. No SLA.
- The user will be see a “P” near the avatar, when they activate the Public Preview
- Now we need to create a policy for end-to-end with PowerShell. So you need again the user with Teams Admin rights and PowerShell.
- ATTENTION: Here you can download the scripts directly.
- Open ISE Windows PowerShell as Administrator
- Enable that scripts can be executed on the computer
- Install the Teams PowerShell Module: Install-Module MicrosoftTeams -Force -AllowClobber
// if necessary Update Update-Module -Name MicrosoftTeams
- Import the module: Import-Module MicrosoftTeams
- Check if the module has been loaded Get-Module
- Connect with the Microsoft Teams PowerShell Module: Connect-MicrosoftTeams
- Logging in with your user with Teams Admincenter rights. I gave these to my user just before via PIM (Azure AD P2 required) for about 60 minutes.
- Create a new E2EE Policy:New-CsTeamsEnhancedEncryptionPolicy -Identity RAE2EE -CallingEndtoEndEncryptionEnabledType DisabledUserOverride- RAE2EE is a variable and can be set by you.
- DisableUserOverride can also be customized so that users can disable the function. This is especially useful for testing. This determines: CallingEndtoEndEncryptionEnabledType -EnableUserOverride
- Description: -Description This is the E2EE policy.
- Assign users/individual users to the Test Grant-CsTeamsEnhancedEncryptionPolicy -Identity ‘firstname.lastname@example.org’ -PolicyName ‘RAE2EE’
ATTENTION: Please adjust the policy name to the one you have chosen above.
ATTENTION: Please adjust the username of course.
- For all Users please use:
Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
- [Users] Now these users can select end-to-end encryption. It is important that it only works between users inside and outside the tenant if they all have the policy enabled.
- [Users] Now users can enable the E2EE. To do this, they have to go to the Privacy submenu via Settings.
Checking the policies
Result of the Script:
Check the Policy of one User
Get-CsUserPolicyAssignment -Identity email@example.com
Removing the policy
You can replace the policy with another EncryptionPolicy or simply remove it. For removal, you must put a $NULL in the place of the policy to return the user to the state of the origin.
Grant-CsTeamsEnhancedEncryptionPolicy -Identity ‘USERNAME’ -PolicyName $NULL
Check if it worked: Get-CsUserPolicyAssignment -Identity USERNAME
You wanted to test the end-to-end encryption now. For this both users have to activate it in the settings.
- Julia Meyer (demouser) and Raphael Köllner (me)
- 1 to 1 chat
- Then look in the upper left corner and instead of the sign with “Teams encryption” there is a lock and the end to end encryption is shown.
Here is a screenshot from the test: