February 21, 2022
  • Home
  • /
  • Blog
  • /
  • What Is A Customer Lockbox In Office 365?

What Is A Customer Lockbox In Office 365?

One of the worries that keep many companies from adopting Cloud services for e-mail and other collaboration services; the question that who has control over the security of the content, So Microsoft has provided the solution to this concern by introducing a new feature of Customer Lockbox Request in its E5 license.

Customer lockbox Office 365 requests allow you to control how a Microsoft support engineer accesses your data. Sometimes if you run into an issue, you might need a Microsoft support engineer to help you fix it. In some cases, the support engineer will require access to your Office 365 content to troubleshoot and fix the issue. Customer lockbox requests allow you to control whether to give the support engineer access to your data. There's also an expiration time on the request and content access is removed after the support engineer has fixed the issue.

An Overview of the Microsoft Customer Lockbox

Let's start with an overview of the Microsoft Customer Lockbox with this 2-minute video. 

Maximizing Security for Customers

To maximize data security and privacy for Microsoft 365 customers, Microsoft engineered the service to require zero interaction with customer content by employees. All service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content. Only in some cases - such as when troubleshooting a customer issue with a mailbox - does a Microsoft engineer have any reason to access customer content in Microsoft 365. And even in such a scenario customer approval is necessary.

The customer lockbox is included in the Office 365 E5 plan. If you don't have an Office 365 E5 plan, you can buy a separate customer lockbox subscription from any of the Office 365 Enterprise plans. Customer lockbox works with Exchange Online, SharePoint Online, and OneDrive for Business.

How does the Customer Lockbox work?

Customer Lockbox Office 365 Customer Lockbox brings an additional layer of protection to Microsoft's already rigorous access control policies, to maximize data security and privacy for Office 365 customers.

It gives customers unique control over their data by eliminating unnecessary access by Microsoft. This means that Microsoft needs your permission to access your data. For example, if your business is experiencing a service issue that requires Microsoft to access your systems to resolve, then you need to provide explicit permission for them to do so. You – or your Office 365 administrator, will be notified via email that there is a request for time access. And then accordingly you can approve or reject these Customer Lockbox requests. So, it means that you know on each occasion that a Microsoft engineer has a need to gain access to your company information and contents. Until the explicit approval of the access request, the Microsoft engineer will not be able to view any data. 

The Customer Lockbox Workflow

  • Someone at an organization has an issue with their Azure workload.
  • After this person troubleshoots the issue, but can't fix it, they open a support ticket from the Azure portal. The ticket is assigned to an Azure Customer Support Engineer.
  • An Azure Support Engineer reviews the service request and determines the next steps to resolve the issue.
  • If the support engineer can't troubleshoot the issue by using standard tools and service generated data, the next step is to request elevated permissions by using a Just-In-Time (JIT) access service. This request can be from the original support engineer or from a different engineer because the problem is escalated to the Azure DevOps team.
  • After the access request is submitted by the Azure Engineer, Just-In-Time service evaluates the request taking into account factors such as:
    • The scope of the resource
    • Whether the requester is an isolated identity or using multi-factor authentication
    • Permissions levels
    Based on the JIT rule, this request may also include an approval from Internal Microsoft Approvers. For example, the approver might be the Customer support lead or the DevOps Manager.
  • When the request requires direct access to customer data, a Customer Lockbox request is initiated. For example, remote desktop access to a customer's virtual machine. The request is now in a Customer Notified state, waiting for the customer's approval before granting access.
  • At the customer organization, the user who has the Owner role for the Azure subscription receives an email from Microsoft, to notify them about the pending access request. For Customer Lockbox requests, this person is the designated approver.
  • The email notification provides a link to the Customer Lockbox blade in the Administration module. Using this link, the designated approver signs in to the Azure portal to view any pending requests that their organization has for Customer Lockbox.

  • To get the details of the pending request, the designated approver can select the lockbox request from Pending Requests.
  • The designated approver can also select the SERVICE REQUEST ID to view the support ticket request that was created by the original user. This information provides context for why Microsoft Support is engaged, and the history of the reported problem.
  • After reviewing the request, the designated approver selects Approve or Deny.

Turning Customer Lockbox requests on or off

You can turn on Customer Lockbox controls in the Microsoft 365 admin center. When you turn on Customer Lockbox, Microsoft must obtain your organization's levels of approval before accessing any of your tenant's content.

  1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
  2. Choose Settings > Org Settings.
  3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off

Frequently asked questions

1. Who is notified when there is a request to access a customer’s content?

Admins in the customer’s Office 365 environment are notified via email that there is a request for access. The Office 365 Admin Center portal will also display requests that have been submitted to the customer for approval.

2. Who can approve or reject these requests in a customer’s organization?

Administrators in the customer’s Office 365 environment can approve or reject Customer Lockbox requests using their admin credentials.

3. Under what circumstances do Microsoft engineers need access to customer’s content?

No one at Microsoft has standing access to customer content in Office 365. Furthermore, Office 365 services are being engineered so that people performing service operations never have access to customer content. Therefore, we believe that the only scenario where a Microsoft manager will need to access customer content is when the customer asks us to do so

4. What happens if a customer rejects the Microsoft engineer’s access to content?

Microsoft can only proceed following approval of a Customer Lockbox Office 365 request. If a customer rejects a Customer Lockbox request, no access to customer content will occur. If a user was experiencing a service issue that required Microsoft to access customer content to resolve (though such circumstances are expected to be extremely rare), then the service issue might simply persist. Microsoft would inform the customer of this action.

Print Friendly, PDF & Email

Last Updated 3 months ago

About the Author

Rijah is a professional Marketing Executive & content specialist. You may know her from her greatest hits like, "No, I can't just make it go viral." or "No, you can't have everybody as your audience." and "Yes, you're absolutely going to need a copywriter!"

Rijah Naseem

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Have questions before Purchasing Office 365?