Teams Premium – Secure meetings

Reading time: 10 minutes

Securing meeting information

In most organizations, there will be the need to protect information exchanged during specific meetings. These might be board meetings or very sensitive projects. Or even a kick-off meeting with a client, where you need to ensure that any screenshots of the recording cannot be misused.

Applying a sensitivity label to the content you’re sharing and thus preventing screenshots won’t help. When sharing that type of content, Microsoft Teams will just present the attendees of the meeting with a blank screen.

Microsoft Teams did not offer much in the way of information protection on that level. Even End-to-End Encryption [or E2EE] could only be used on a one-on-one level for chats and VoIP call. During Microsoft Ignite, the new Microsoft Premium licensing model was introduced. And amongst several of the key-features being presented were meeting security options.

In this blog, I want to explore some of these functions, without stepping into the licensing swamp. And yes: I too have questions regarding the need for such an add-on license. And why this is not included in Microsoft/Office 365 E5 or any other available add-on licensing packages. But in this blog, I will very likely touch on licensing issues from time to time. If you want to, you can skip to the wrap-up. There’s a short video on this subject.

Information in this blog:

1. Securing meeting information
2. What’s in the package for compliance?
3. Limitations – beware!!
4. Getting there – enabling the preview
5. Teams Premium from the Teams Admin Center
6. Working with labels
7. So how does this work?
8. Wrapping up

---

What’s in the package for compliance?

To be very clear, Teams Premium as related to secure meetings offers two distinct functions which are intertwined. And this needs to be understood because these functions are managed differently.

First, there is the End-to-End Encryption [or E2EE] for meetings and the ability to add watermarks on meeting content. These allow an organizer of a meeting to add additional security.

And second, there is the integration with Microsoft Purview Information Protection. This integration allows you to control these functions from a sensitivity label:

• Lobby bypass
• Presenter ability
• Allowing meeting chat
• Meeting recordings (automatically, who can record)
• End-to-end encryption
• Watermarking and prevent copy/paste of meeting chat
• Protecting meeting invites

If you look closely, you will notice that most of these options can already be set using a Microsoft Teams policy. And you can assign this policy to those people in the organization that require these settings. But Teams Premium adds more functions and allows you to use these functions per meeting – based on the label.

And to be fair, Teams policies require an administrator to set up and assign them. Working from a label (and therefore integrated with organizing a meeting from Outlook/Teams) can be more user-friendly and manageable. When you attend a meeting with a label assigned, this can be the experience:

Watermarking and preventing copy/paste are functions that are new to Microsoft Teams meetings. And these do make sense. If they make sense enough to validate the Microsoft Premium license? That’s a very relevant question. From a security/compliance perspective, I’m curious how this function deals with a meeting transcript and the recording. So let’s take a closer look.

---

Limitations – beware!!

I really don’t like to start out with limitations. But as this is a Public Preview, I decided to do this anyway. There’s some thing you need to be aware of when using the encryption functions. For example, RMS functions are not supported and neither are s/MIME and Double Key Encryption.

Also, be aware that enforcing E2EE will break recordings and the application of watermarks to shared content. E2EE and the application of watermarks only works on desktop versions for Teams.

However, when using my Surface Laptop, I did encounter an error when accessing an E2EE-protected meeting. When I updated both the laptop (build 19044) and Teams (1.5.00.33362 64bit) on Windows and iOS (4.22.1) I was able to join an E2EE meeting. Yeah!

Weirdly enough, Microsoft does state that you can enter a secure meeting – even when using a Teams client that doesn’t meet the requirements. In which case the options will not be enforced. Which is weird because: why secure the meetings in this case? And second: why did I encounter these problems?

One last thing to take note of: Microsoft intends to protect the meeting invites themselves using Information Protection. And this makes perfect sense. Calender invites themselves can contain sensitive information, either in the description, title or the attached documents. But this does not work as yet. In future, you will need to add the “Items” part to a sensitivity label in order to get this to work.

Let’s look how to configure the Premium options.

---

Getting there – enabling the preview

As this still is a Public Preview function, we will need to enable this. And there are two ways of doing so. You can either use the Microsoft 365 Admin Portal and “purchase” your 30-day trial licenses. Or, if this does not work (in my case), simply go to https://aka.ms/tpdlnk.

Don’t forget to assign the license(s) to your user(s) so that you can use them. I must admit that it took a very long time for the licenses to become active in Microsoft Purview. Whereas the Microsoft Teams Admin Center presented me with the premium function really quickly, I had to wait for several days (4 or 5) for Purview to accept them. And then a message like this is really frustrating.

---

Teams Premium from the Teams Admin Center

So while I was waiting, I took a look at the Teams Admin Center. And when the Premium license is active, you will notice several new options here. These options are located in the Meeting Policies | Global (Org-wide default) and in the Enhanced encryption policies | Global (Org-wide default).

Of course, if you have more than just the default policy – the options are in those policies as well.

In the policies, you can configure the watermarking of content/videos and end-to-end encryption for meetings. As these are user-designated policies, these settings will work for anyone in the policy. And that’s what makes these settings different from the sensitivity labels.

---

Working with labels

The other, highly anticipated function for Teams Premium is the ability to classify (label) meetings and meeting invites. This function allows you to specify specific settings for the meeting. These settings are mostly also covered using Microsoft Teams policies. But by using a label, we can differentiate more and make this more user-friendly.

To create a specific label, we need the Microsoft Information Protection component in the Microsoft Purview Admin Center. And when the Premium license is (finally…..) added, a new scoping option appears in the label definition.

Now beware: although the Include meetings option is the most relevant one, the Groups & sites option also contains a setting for secure meetings. And just to be clear, the Items option will be used to protect the meeting invite in the future.

But let’s start with the Include meetings option. This option will allow you to set specific settings for protecting meetings and chats. This option is added to the available options of encrypting content and applying content markings. But these do not apply to meetings! So go for the third option.

The options controlling the meeting are now selectable. And these are split into the meeting settings (including the watermark) and chat settings (including a form of data loss prevention). These chat settings are pretty cool by the way. This is a new feature that allows you to prevent copy/paste actions on chat information.

Because E2EE breaks some functions (like recordings), expect these to be grey-out when you go for that option. And visa-versa.

When the settings have been selected, the label is done. Or basically done. As I stated above, you can also include the scope for Groups & sites on the label. And when you do, you will be presented with an additional option that is related to meetings. This setting is related to channel meetings.

As you can see from the screenshot, this option allows you to set a default label for channel meetings. And this is in addition to setting a default label for meetings and calendar events in general. These work when people create a meeting. This option is configured in the label policy used to publish the label. And that’s in the same line as setting other default labels.

---

So how does this work?

Let’s see how this works on a functional level. When you have set the Premium settings using the Teams Admin Center, the relevant options become available when opening the meeting options.

When a watermark and E2EE have been enabled, you will notice this on the screen. Information on the encryption is shown in the lefthand corner at the top. By the way – this always shows you if a session is secure.

When the chat protection has been added to the label then you won’t be able to copy/paste the information from the chat. And this protection stays with the meeting. Even after the meeting has ended, you won’t be able to do this. Really cool stuff…

---

Wrapping up

Although I had to wait for days for the Microsoft Purview Information Protection integration to kick-in, I really liked to see these Premium features. As I mentioned at the start of the blog, I was really interested to see what Teams Premium (Preview) offers on the compliance side.

I think the current preview functions are great, but there are still some caveats and functions to be addressed. End-to-End Encryption for meetings is finally here! But some meeting functions will break when you enable this. These are:

• Live captions and transcription
• Recording
• Together mode, companion mode, large gallery
• Breakout rooms

This makes sense, because of the nature of encryption. But beware of this.

Also, I would like to see the meeting-invite being protected as-well. This is on the roadmap. And speaking of protection: the meeting recording nor the meeting transcript inhert the sensitivity label. So you won’t be able to apply encrypting to the meeting recording or the transcript.

Microsoft Purview Information Protection does allow the encryption of meeting records. Is this sensible at this time? It depends. SharePoint and Stream cannot handle encrypted media-files. They just show up as <recording .mp4.pfile> and will not open. However, this type of file can be opened using the AIP Viewer and the relevant application (like Mediaplayer). So from that perspective it might be usefull.

And yes: licensing. For me it’s hard to imagine an organization that already uses Microsoft 365 E5 or Microsoft 365 E3 with add-on licenses like E5 Security to add another licence to this mix, just for the security features of Teams Premium. Don’t get me wrong: the security features are great. But in my opinion, Teams Premium licenses make sense when you enable all the Premium features.

If you want any more information, take a look here:

https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-meetings?view=o365-worldwide

What to see this in action? Look no further 🙂

---