What is Customer Lockbox in Microsoft 365?

Imagine this: your organization hits a technical glitch in Microsoft 365 that halts critical operations. You open a case with Microsoft support, and the engineer needs access to your tenant to resolve it. How do you grant that access without exposing sensitive content to anyone who has not first obtained your approval?

This is where Customer Lockbox in Microsoft 365 steps in. Customer Lockbox ensures that a Microsoft engineer gets your explicit approval before accessing your content, giving you direct control over whether to approve or deny each access request.

Overview of Customer Lockbox in Microsoft 365

In most situations, Microsoft engineers can resolve issues using various debugging tools without needing access to your content. However, in rare cases where they do require access, customer lockbox acts as your final line of defense, giving you the power to approve or deny access requests.

Microsoft Purview Customer Lockbox is a security feature that ensures Microsoft cannot access your organization’s content without your explicit approval. You’re in control, deciding when and if Microsoft engineers can access your data. This is particularly important when troubleshooting or fixing issues that may require access to your content.

License Requirements for Office 365 Customer Lockbox

To use Office 365 Customer Lockbox, you need one of the following licenses:

  • Office 365 E5
  • Microsoft 365 E5

Customer Lockbox can also be added to other plans by getting the Information Protection and Compliance or Advanced Compliance add-on.

Note: Currently, Microsoft supports Customer Lockbox for requesting access to Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and Windows 365. Additionally, Customer Lockbox applies to all Microsoft Copilot interactions in Microsoft 365, supported through Exchange Online.

How to Enable Customer Lockbox in Microsoft 365?

By default, Customer Lockbox is not enabled, so Microsoft's data access requests are not routed to you for approval. To turn on Customer Lockbox in the Microsoft 365 admin center, follow the steps below.

  1. Sign in to the Microsoft 365 admin center.
  2. Navigate to Settings –> Org Settings –> Security & Privacy.
  3. In the ‘Security & Privacy’ section, select Customer Lockbox.
  4. Check the box labeled ‘Require approval for all data access requests’.
  5. Click ‘Save’.


To turn off Customer Lockbox requests, clear the same check box and click ‘Save’.

How Microsoft 365 Customer Lockbox Works?

Here’s a breakdown of how Customer Lockbox in Microsoft 365 works.

  1. Someone in your organization encounters an issue in Microsoft 365 they cannot resolve on their own and submits a support request to Microsoft.
  2. A Microsoft support engineer reviews the request and determines that they need access to your organization’s tenant to address the issue. They submit a data access request via Customer Lockbox, detailing the tenant name, service request number, desired access time, duration, and the specific service involved.
  3. The request is first reviewed by a Microsoft Support manager (at Microsoft, not in your organization). If the manager approves it, an email notification is sent to the designated approvers in your organization.
  4. Global administrators or anyone holding the Customer Lockbox access approver role can approve or deny the request in the Microsoft 365 admin center. Either decision is recorded in the audit log. If the request is denied, or not acted upon within 12 hours, it expires and no access is granted.
  5. Once access is granted, the support engineer resolves the issue by accessing customer content. Access is automatically revoked when the issue is resolved or the allotted time expires. Currently, Microsoft engineers can be granted access for up to 4 hours; they can also request a shorter period.

Note: Customer content in Microsoft 365 refers to data created by users within Microsoft 365 services, including emails, SharePoint files, Teams messages, and more.

Where to Approve or Deny Microsoft 365 Customer Lockbox Requests?

To approve or deny the customer lockbox access requests in Microsoft 365, follow the steps mentioned below.

  1. Sign in to the Microsoft 365 admin center.
  2. Navigate to Support –> Customer Lockbox Requests.
  3. A list of pending customer lockbox requests will be displayed. Select the request you wish to act upon and choose either Approve or Deny.
  4. A confirmation message will be shown after you make your decision. If approved, the Microsoft engineer will receive access; if denied, the request will expire.

Note: You can also approve, deny, or cancel Customer Lockbox requests with the Set-AccessToCustomerDataRequest cmdlet after connecting to Exchange Online PowerShell.

For example, to approve a request, run:

Set-AccessToCustomerDataRequest -ApprovalDecision Approve -RequestId <RequestId> 

Replace <RequestId> with the actual request ID you received.
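As an added example (not from the original post or from Microsoft’s documentation), the script below automates the same decision with a guardrail a practitioner would want: it lists pending requests with Get-AccessToCustomerDataRequest, approves only those whose service request number matches a support case your own team actually opened, and explicitly denies the rest rather than letting them sit until they expire. It assumes the ExchangeOnlineManagement module is installed and that the request objects expose a ServiceRequestNumber property alongside RequestId (RequestId is documented; ServiceRequestNumber and the other displayed property names are assumptions to verify against your tenant’s output). The case numbers in $OpenCases are constructed placeholders.

```powershell
# Added example, not from the original post: approve Customer Lockbox requests only
# when they reference a support case your helpdesk has open with Microsoft.
# Requires the ExchangeOnlineManagement module and an account holding the
# Customer Lockbox access approver role (or Global Administrator).

# Constructed allowlist of open support case numbers. In practice, populate this
# from your ticketing system. Assumption: the request object's ServiceRequestNumber
# property carries the same case number shown in the admin center request.
$OpenCases = @('2408150030001234', '2408160040005678')

Connect-ExchangeOnline -ShowBanner:$false

# Get-AccessToCustomerDataRequest is the Exchange Online cmdlet that lists lockbox
# requests; -ApprovalStatus Pending limits it to requests still awaiting a decision.
$pending = Get-AccessToCustomerDataRequest -ApprovalStatus Pending

if (-not $pending) {
    Write-Host 'No pending Customer Lockbox requests.'
}

foreach ($req in $pending) {
    # Show what the engineer asked for before deciding. Property names other than
    # RequestId are assumptions about the cmdlet's output object.
    $req | Format-List RequestId, ServiceName, ServiceRequestNumber, CreatedDate, ExpirationDate

    if ($OpenCases -contains $req.ServiceRequestNumber) {
        # -Comment is recorded with the decision, which helps later audit review.
        Set-AccessToCustomerDataRequest -RequestId $req.RequestId `
            -ApprovalDecision Approve `
            -Comment "Approved: matches open case $($req.ServiceRequestNumber)"
    }
    else {
        # No matching case: deny explicitly rather than let it sit for 12 hours.
        Set-AccessToCustomerDataRequest -RequestId $req.RequestId `
            -ApprovalDecision Deny `
            -Comment 'Denied: no matching open support case on record'
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this interactively the first time and confirm the property names in the Format-List output match your tenant before relying on the allowlist match; a typo in a property name would silently route every request to the Deny branch.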

How to Audit Customer Lockbox Request Activities in Microsoft 365?

You do not have to take the engineer’s word for what they did: Microsoft records every action performed under the grant in the unified audit log. To review the audit record of actions performed by the Microsoft engineer, do the following.

  1. Sign in to the Microsoft Purview Compliance portal as global administrator or compliance administrator.
  2. Navigate to Audit –> Search.
  3. Configure the search criteria (i.e., date range, activities) to find records related to customer lockbox requests.
  4. There you can review what actions Microsoft Engineers performed and who approved or denied the customer lockbox request.
  5. Alternatively, you can click the user column to sort alphabetically. Look for “Microsoft Operator” to see actions taken by the Microsoft engineer.
  6. You can also export the audit record of a customer lockbox request into a CSV file for further analysis.

Note: To audit customer lockbox request activities using PowerShell, run the following.

Search-UnifiedAuditLog -StartDate xx/xx/xxxx -EndDate xx/xx/xxxx -UserIds "Microsoft Operator" 

This searches the unified audit log, within the specified date range, for actions taken under the “Microsoft Operator” identity, which is how activity performed under a Customer Lockbox grant appears. Replace xx/xx/xxxx with the actual start and end dates.
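As an added example (not from the original post), the script below extends that one-line search into a reusable audit pull: it pages through result sets larger than a single Search-UnifiedAuditLog call returns, flattens the JSON in each record’s AuditData field into columns, and exports the result to CSV for review. It assumes the ExchangeOnlineManagement module and a role that can read the audit log; Workload, ObjectId and ClientIP are common AuditData properties but may be empty for some record types, and the default 30-day window and output path are assumptions you can override with the script parameters.

```powershell
# Added example, not from the original post: export everything the Microsoft engineer
# did under a Customer Lockbox grant from the unified audit log to CSV.
# Requires the ExchangeOnlineManagement module and the Audit Logs or
# View-Only Audit Logs role.

param(
    [datetime]$Start   = (Get-Date).AddDays(-30),   # assumed default window
    [datetime]$End     = (Get-Date),
    [string]  $OutFile = '.\CustomerLockboxAudit.csv' # assumed output path
)

Connect-ExchangeOnline -ShowBanner:$false

# Lockbox-approved engineer actions are logged under the identity "Microsoft Operator".
# A unique SessionId with -SessionCommand ReturnLargeSet lets us page past the
# 5,000-record-per-call limit of Search-UnifiedAuditLog.
$sessionId = "Lockbox-$([guid]::NewGuid())"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -UserIds 'Microsoft Operator' `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; flatten the fields an investigator wants into columns.
$flat = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        RecordType   = $_.RecordType
        Operation    = $_.Operations
        User         = $_.UserIds
        Workload     = $d.Workload     # e.g. Exchange, SharePoint (may be empty)
        ObjectId     = $d.ObjectId     # mailbox, file or site the action touched
        ClientIP     = $d.ClientIP
    }
}

$flat | Sort-Object CreationDate | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Exported $($flat.Count) 'Microsoft Operator' audit records to $OutFile"

Disconnect-ExchangeOnline -Confirm:$false
```

Compare the exported time span and the objects touched against the access window and service named in the approved request; activity outside that window, or against a different workload, is what you would escalate to Microsoft support.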

Exclusions in Customer Lockbox for Microsoft Azure

There are some exceptions where Microsoft can access your data without requiring explicit customer approval. Here are some of the scenarios:

Emergency Situations (“Break Glass” Events):

  • During a major service outage or security incident, Microsoft might need to use a ‘break glass account’ to act immediately without going through customer lockbox.
  • These situations are rare and usually don’t require accessing customer data.
  • Microsoft’s access controls are aligned with NIST 800-53 and audited through SOC 2.

Inadvertent Access by Microsoft Engineers:

  • If a Microsoft engineer accidentally sees customer data while troubleshooting, customer lockbox is not triggered.
  • For instance, during network troubleshooting, engineers might capture packets that contain small amounts of customer data.
  • Customers can further protect their data with Customer-managed keys (CMK) available in some Azure services.

External Legal Demands:

  • These are requests made by the government or legal entities requiring Microsoft to provide customer data. This could be for legal proceedings, investigations, or other government-mandated processes.
  • In these cases, customer lockbox does not apply because Microsoft is legally obligated to comply with these requests without requiring customer approval.

In conclusion, Microsoft Purview Customer Lockbox offers your organization an additional layer of security by giving you control over when and if Microsoft can access your data. Integrating you into the approval workflow ensures that your content remains secure, even when troubleshooting critical issues.

by Praba time to read: 5 min