
Deployment of End to End Encryption for Microsoft Teams


Here you can find a step-by-step guide to roll it out in your own tenant.

Preliminaries / Prerequisites

  • Microsoft 365 license that includes Teams. This can be a Business, F or Enterprise plan. A Home or even Consumer license is not sufficient. 
  • Public Preview activated for all users who will use it or for the entire tenant.
  • Configuration needed: Global Admin or the Microsoft Teams Administrator with the permissions for the Microsoft Teams PowerShell Module.
  • PowerShell module of Microsoft Teams at least version 2.6.0
  • Rollout must have already arrived in the tenant. (The Public Preview starts in December 2021!)

ATTENTION: Users currently still need the Public Preview, which comes without an SLA and with increased sending of telemetry, and errors may occur.

Configuration steps for using end-to-end encryption

  1. Log in with a user that has Teams Admin rights: https://login.microsoftonline.com
  2. Go to the Teams Update Policies 
  3. Create a new policy to enable individual users with it or modify the general policy

  4. [own policy / modified general policy] If you have created a new policy, you have to assign it to the users. For the general policy you can skip this step.
  5. [own policy / modified general policy] Here you have to wait some hours; ideally, continue the tutorial on the next day. [PAUSE]
  6. The Public Preview option is now visible to the users.
  7. If you see the Public Preview option from step 6, continue with step 8. If not, you still have to wait.
  8. Users who should test it should switch to the Public Preview. The Teams client will then restart once. Conditions: https://insider.windows.com/en-us/program-agreement ATTENTION: increased sending of telemetry and diagnostic data. No SLA.
  9. Users will see a “P” near their avatar once they have activated the Public Preview.
  10. Now we need to create a policy for end-to-end encryption with PowerShell. For this you again need the user with Teams Admin rights and PowerShell.
  11. ATTENTION: Here you can download the scripts directly.
  12. Open Windows PowerShell ISE as Administrator.
  13. Allow scripts to be executed on the computer.
  14. Install the Teams PowerShell Module: Install-Module MicrosoftTeams -Force -AllowClobber
    If necessary, update it: Update-Module -Name MicrosoftTeams
  15. Import the module: Import-Module MicrosoftTeams
  16. Check if the module has been loaded: Get-Module
  17. Connect with the Microsoft Teams PowerShell Module: Connect-MicrosoftTeams
  18. Log in with your user that has Teams admin center rights. I gave these to my user just before via PIM (Azure AD P2 required) for about 60 minutes.
  19. Create a new E2EE policy: New-CsTeamsEnhancedEncryptionPolicy -Identity RAE2EE -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
    RAE2EE is a variable and can be set by you.
    1. DisabledUserOverride can also be customized so that users can disable the function. This is especially useful for testing. This determines: CallingEndtoEndEncryptionEnabledType -EnableUserOverride
    2. Description: -Description "This is the E2EE policy."
  20. Assign the policy to individual users for the test: Grant-CsTeamsEnhancedEncryptionPolicy -Identity 'raphael.koellner@rakoellner.com' -PolicyName 'RAE2EE'
    ATTENTION: Please adjust the policy name to the one you have chosen above.
    ATTENTION: Please adjust the username as well.
  21. For all users, please use:

    Set-CsTeamsEnhancedEncryptionPolicy -Identity Global -CallingEndtoEndEncryptionEnabledType DisabledUserOverride
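
Steps 14 to 20 as one re-runnable pilot rollout with a verification report. This is an added example, not one of the scripts offered for download in this guide; the pilot user addresses are constructed placeholders, and the policy name RAE2EE is the one chosen above.

```powershell
# Added example: pilot rollout of the E2EE policy with a per-user check.
$PolicyName = 'RAE2EE'                                     # name chosen in step 19
$PilotUsers = @('user1@example.com', 'user2@example.com')  # constructed placeholder UPNs

# Prerequisite from this guide: MicrosoftTeams module 2.6.0 or newer
$module = Get-Module -ListAvailable -Name MicrosoftTeams |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module -or $module.Version -lt [version]'2.6.0') {
    throw 'MicrosoftTeams module 2.6.0 or newer is required (Install-Module / Update-Module).'
}
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Create the policy only if it is missing, so the script can be run again safely
$existing = Get-CsTeamsEnhancedEncryptionPolicy |
    Where-Object { $_.Identity -in @($PolicyName, "Tag:$PolicyName") }
if (-not $existing) {
    New-CsTeamsEnhancedEncryptionPolicy -Identity $PolicyName `
        -CallingEndtoEndEncryptionEnabledType DisabledUserOverride `
        -Description 'This is the E2EE policy.' | Out-Null
}

# Assign the policy to each pilot user and read back what is actually assigned
$report = foreach ($user in $PilotUsers) {
    try {
        Grant-CsTeamsEnhancedEncryptionPolicy -Identity $user -PolicyName $PolicyName -ErrorAction Stop
        $assigned = Get-CsUserPolicyAssignment -Identity $user |
            Where-Object { $_.PolicyType -eq 'TeamsEnhancedEncryptionPolicy' }
        $status = if ($assigned.PolicyName -eq $PolicyName) { 'Assigned' } else { 'Pending' }
        [pscustomobject]@{ User = $user; PolicyName = $assigned.PolicyName; Status = $status }
    }
    catch {
        # A wrong UPN or missing license ends up here instead of stopping the whole run
        [pscustomobject]@{ User = $user; PolicyName = $null; Status = "Error: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize
Disconnect-MicrosoftTeams
```

A status of Pending means the assignment has not shown up yet; run the check again later before asking the user to test.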

User Experience

  • [Users] Now these users can select end-to-end encryption. It is important that it only works between users inside and outside the tenant if they all have the policy enabled.

  • [Users] Now users can enable the E2EE. To do this, they have to go to the Privacy submenu via Settings.

Admin helper

Checking the policies


Result of the Script:

Check the Policy of one User

Get-CsUserPolicyAssignment -Identity raphael.koellner@rakoellner.com

Removing the policy

You can replace the policy with another EncryptionPolicy or simply remove it. To remove it, you must pass $NULL in place of the policy name, which returns the user to the original state.

Grant-CsTeamsEnhancedEncryptionPolicy -Identity 'USERNAME' -PolicyName $NULL

Check if it worked: Get-CsUserPolicyAssignment -Identity USERNAME


Now you want to test the end-to-end encryption. For this, both users have to activate it in the settings.

  • Julia Meyer (demouser) and Raphael Köllner (me)
  • 1 to 1 chat
  • Then look in the upper left corner and instead of the sign with “Teams encryption” there is a lock and the end to end encryption is shown.

Here is a screenshot from the test:

