Below, I will delve deeper into the topic of Microsoft Customer Lockbox. In practice, I notice that this feature, which Microsoft makes available to its customers, is known to very few. At the current time, there are two types of Microsoft Customer Lockbox. One solution, formerly known as Microsoft 365 Customer Lockbox, is now referred to as Microsoft Purview Customer Lockbox, and the other is Customer Lockbox for Microsoft Azure. Detailed explanations of these two Lockboxes will follow below.
Introduction
To give some additional context, Microsoft Customer Lockbox is a crucial feature for organizations that require strict control over data access and privacy. It allows customers to have explicit control over access to their data by Microsoft’s support engineers during service requests.
For Microsoft Purview Customer Lockbox, this feature is integrated into the Microsoft 365 suite and provides a way for customers to approve or deny access requests from Microsoft support when troubleshooting issues related to Microsoft 365 services.
On the other hand, Customer Lockbox for Microsoft Azure offers similar capabilities but is specifically designed for Azure services. It provides customers with the ability to review and approve or reject support requests that require access to their Azure resources.
Additionally, the support engineer's access is just-in-time (JIT): it is granted only for the approved window, which is just long enough to resolve the customer's issue, and it expires afterwards. This keeps the exposure of customer data to the minimum the case actually needs and lowers the risk of unauthorized data access.
This elevated control over data access helps organizations maintain compliance with industry standards and regulations, which is particularly important for businesses in highly regulated sectors such as finance and healthcare.
Workflow
The workflow is as follows when a Microsoft engineer initiates the Customer Lockbox request:
- There is an issue with a Microsoft 365 or Microsoft Azure service for a user.
- After initial troubleshooting, the issue cannot be resolved, and a Microsoft support case is opened for problem resolution.
- A Microsoft support engineer reviews the support case and determines that a Customer Lockbox request must be made to access the data.
- The Microsoft support engineer submits a request in Microsoft's internal tooling with the following information:
  - Organization tenant name
  - Support case number
  - Start time
  - The required duration of data access
- The Microsoft support manager must approve the engineer’s request. Once approved, Customer Lockbox sends an email notification to the designated approvers in the organization about the pending access request from Microsoft.
- The approver signs into the respective portal and approves the request.
- After the request is approved, the responsible Microsoft support engineer is notified and can begin their analysis.
The following Entra roles receive the notification for a Microsoft Purview Customer Lockbox request and can also approve it:
- Global Administrator
- Customer Lockbox Access Approver
For Customer Lockbox for Microsoft Azure, it's a bit different. If the request scope is set to Subscription, holders of the Owner and Azure Customer Lockbox Approver for Subscription RBAC roles are notified. For the Tenant scope (a request to access the Entra tenant), only Global Administrators of the tenant are notified and can approve the request.
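Because a Lockbox request is only as good as the people who receive it, the first thing to check is who actually holds the notified roles. The following PowerShell is an added example and not code from the original post; it assumes the Microsoft.Graph and Az modules are installed and that Connect-MgGraph (with RoleManagement.Read.Directory and Directory.Read.All) and Connect-AzAccount have already been run. The role display names used are the built-in ones: 'Customer LockBox Access Approver' (Entra, spelled with a capital B in the directory) and 'Azure Customer Lockbox Approver for Subscription' (Azure RBAC).

```powershell
# Added example (not from the original post). Lists who would be notified for each
# Lockbox type, so you can spot tenants where only Global Administrators can approve,
# or subscriptions where every approver is an Owner.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects
Import-Module Az.Resources

function Get-EntraRoleHolders {
    # Principals with an *active* assignment of the given Entra directory role.
    # PIM-eligible (not yet activated) assignments are not returned by this endpoint,
    # so a PIM-heavy tenant may have more potential approvers than shown here.
    param([Parameter(Mandatory)][string]$RoleDisplayName)

    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $def) { throw "Role '$RoleDisplayName' not found in this tenant" }

    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -All
    foreach ($a in $assignments) {
        $obj = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        [pscustomobject]@{
            Role      = $RoleDisplayName
            Principal = $obj.AdditionalProperties['displayName']
            Type      = ($obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Scope     = $a.DirectoryScopeId   # '/' means the whole tenant
        }
    }
}

function Get-AzureLockboxApprovers {
    # Owners and Lockbox approvers effective on a subscription, including assignments
    # inherited from management groups.
    param([Parameter(Mandatory)][string]$SubscriptionId)

    Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
        Where-Object { $_.RoleDefinitionName -in @('Owner', 'Azure Customer Lockbox Approver for Subscription') } |
        ForEach-Object {
            [pscustomobject]@{
                Subscription = $SubscriptionId
                Principal    = $_.DisplayName
                Type         = $_.ObjectType
                Role         = $_.RoleDefinitionName
                Scope        = $_.Scope
            }
        }
}

# Purview Customer Lockbox: both roles below are notified and may approve.
$purviewApprovers = foreach ($role in 'Global Administrator', 'Customer LockBox Access Approver') {
    Get-EntraRoleHolders -RoleDisplayName $role
}
$purviewApprovers | Format-Table -AutoSize

# Customer Lockbox for Azure, subscription scope: Owner and the dedicated approver role.
# (Tenant-scope requests go to Global Administrators only, already listed above.)
$azureApprovers = foreach ($sub in Get-AzSubscription) {
    Get-AzureLockboxApprovers -SubscriptionId $sub.Id
}
$azureApprovers | Format-Table -AutoSize

# A subscription whose only approvers are Owners means every Lockbox mail lands with a
# highly privileged account; flag those so a dedicated approver can be assigned.
$azureApprovers | Group-Object Subscription | Where-Object {
    -not ($_.Group.Role -contains 'Azure Customer Lockbox Approver for Subscription')
} | ForEach-Object { "No dedicated Lockbox approver on subscription $($_.Name)" }
```

The Azure check deliberately includes inherited assignments: an Owner granted at a management group is notified for every subscription beneath it, which is easy to overlook when reading role assignments only at subscription level.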
Microsoft Purview Customer Lockbox
Microsoft Purview Customer Lockbox supports requests to access data in Exchange Online, SharePoint, OneDrive, Teams, and Windows 365. Microsoft 365 Copilot is now also covered, with its requests handled through Exchange Online support.
Important to mention
A Microsoft 365 E5, Office 365 E5, or Microsoft 365 Compliance Add-On license is required to enable Customer Lockbox.
Configuration
You can enable/disable Microsoft Purview Customer Lockbox controls in the Microsoft 365 admin center.
- Sign in to the Microsoft 365 admin center with the Global Administrator or Customer Lockbox Access Approver Entra role.
- Navigate to Settings -> Org settings -> Security & privacy
- Choose Customer lockbox, check the Require approval for all data access requests checkbox and save the changes. Until this checkbox is set, Microsoft engineers' access to your data does not go through an approval.
Approve/Deny a Customer Lockbox request
If a support case is open at Microsoft and the support engineer requests access to the data, it can be viewed and accepted or rejected as follows:
- Sign in to the Microsoft 365 admin center with the Global Administrator or Customer Lockbox Access Approver Entra role.
- Go to the Support section and click on Customer Lockbox Requests.
- You’ll see a list of Customer Lockbox requests.
- Choose a Customer Lockbox request and then Approve or Deny.
You’ll see a confirmation message about the approval of the Customer Lockbox request.
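Approving in the portal is only half of the control; the other half is being able to reconstruct afterwards who approved what. The following PowerShell is an added example and not code from the original post. It assumes the ExchangeOnlineManagement module is installed, Connect-ExchangeOnline has been run by an account permitted to search the unified audit log, and that Lockbox decisions are written to that log under the operation name 'Set-AccessToCustomerDataRequest' (the name given in the Purview auditing documentation; confirm it, and the ApprovalDecision / RequestId parameter names parsed below, against a real record in your tenant). The approver allowlist is a placeholder.

```powershell
# Added example (not from the original post). Pulls Customer Lockbox approve/deny
# decisions out of the unified audit log and flags approvals made by accounts that
# are not on your designated approver list.
Import-Module ExchangeOnlineManagement

function Get-LockboxDecisions {
    # One object per recorded decision in the time window (default: last 90 days).
    param(
        [datetime]$Start = (Get-Date).AddDays(-90),
        [datetime]$End   = (Get-Date)
    )
    $records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 5000

    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json
        # Exchange admin-audit records carry cmdlet parameters as an array of {Name, Value}.
        # Parameter names are assumptions; check them against a live record.
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
        [pscustomobject]@{
            When      = $rec.CreationDate
            Approver  = $rec.UserIds
            Decision  = $params['ApprovalDecision']
            RequestId = $params['RequestId']
            ClientIP  = $data.ClientIP
        }
    }
}

function Find-ApprovalsByUnexpectedAccounts {
    # Approvals made by anyone outside the list your process designates. Every Global
    # Administrator can approve, so this catches approvals that bypassed the intended
    # approver group, whether by a well-meaning admin or a compromised account.
    param(
        [object[]]$Decisions = @(),
        [Parameter(Mandatory)][string[]]$ExpectedApprovers   # UPNs, from your own process
    )
    $Decisions | Where-Object {
        $_.Decision -like 'Approv*' -and $ExpectedApprovers -notcontains $_.Approver
    }
}

# Usage
$decisions = Get-LockboxDecisions
$decisions | Sort-Object When | Format-Table -AutoSize

# Placeholder approver list; replace with the accounts your process actually designates.
$expected = @('lockbox-approver@contoso.example')
Find-ApprovalsByUnexpectedAccounts -Decisions $decisions -ExpectedApprovers $expected |
    ForEach-Object {
        "Approval by $($_.Approver) at $($_.When) for request $($_.RequestId) is outside the approver list"
    }
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a long window, page with -SessionId and -SessionCommand ReturnLargeSet, or narrow the dates.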
Customer Lockbox for Microsoft Azure
Customer Lockbox for Microsoft Azure is the equivalent control for Azure. It is designed to give customers more control over their data, supporting privacy and compliance, by letting organisations decide whether, and for how long, Microsoft engineers may access their Azure resources during support work.
It works with over 40 Azure services; Microsoft's documentation maintains the current list of supported services.
Important to mention
You don't need a special licence. Activation is done for the whole tenant, at the Tenant Root Group; it can't be enabled or disabled per subscription, so once it is on it applies tenant-wide.
Configuration
Activating or deactivating Customer Lockbox for Microsoft Azure is relatively simple. In order to activate/deactivate it, you must have the Global Administrator role.
- Sign in to Microsoft Azure Portal with an Global Administrator Entra role.
- Search for Customer Lockbox for Microsoft Azure in the portal and open it.
- Switch to the Administration blade and enable or disable Customer Lockbox for Microsoft Azure.
Approve/Deny a Customer Lockbox request
In the event that a support case is open at Microsoft and the support engineer requests access to the data, this can be viewed and accepted or rejected in the following manner.
Note: depending on the request scope, Azure subscription Owners, Azure Customer Lockbox Approvers for Subscription, or Microsoft Entra Global Administrators receive an email from Microsoft and are able to approve or reject the request.
- Sign in to Microsoft Azure Portal
- Search for Customer Lockbox for Microsoft Azure in the portal and open it.
- Choose Pending Requests in the left pane and select the affected Lockbox request.
- Review the request (support case number, requested start time and duration, and the resources in scope), then choose Approve or Deny. Deny is the safe choice if the case number does not match a support case your organisation opened.
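The same checks and decisions can be made outside the portal, which is useful when approvals have to be logged into a ticketing system or made from a hardened admin host. The following PowerShell is an added example and not code from the original post. It assumes Az.Accounts is installed and Connect-AzAccount has been run as a Global Administrator (for the tenant status) or as an Owner / Azure Customer Lockbox Approver for Subscription (for decisions). The Microsoft.CustomerLockbox routes and the api-version are taken from the public Azure REST reference for Customer Lockbox; the response property names read below (status, justification, expirationDateTime, requestedResourceIds) and the reason field in the decision body are assumptions to check against a live request.

```powershell
# Added example (not from the original post). Checks the tenant opt-in, lists requests
# still waiting for a customer decision, and submits an Approve/Deny with a reason.
Import-Module Az.Accounts

$script:ApiVersion = '2018-02-28-preview'   # version from the public REST reference

function Invoke-LockboxApi {
    # Thin ARM wrapper: fail loudly on a non-2xx status, return the parsed JSON body.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('GET', 'POST')][string]$Method = 'GET',
        [string]$Body
    )
    $call = @{ Path = "$Path?api-version=$script:ApiVersion"; Method = $Method }
    if ($Body) { $call.Payload = $Body }
    $resp = Invoke-AzRestMethod @call
    if ($resp.StatusCode -lt 200 -or $resp.StatusCode -ge 300) {
        throw "ARM $Method $Path failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    if ($resp.Content) { return $resp.Content | ConvertFrom-Json }
}

function Get-LockboxTenantStatus {
    param([Parameter(Mandatory)][string]$TenantId)
    (Invoke-LockboxApi -Path "/providers/Microsoft.CustomerLockbox/tenantOptedIn/$TenantId").isOptedIn
}

function Get-PendingLockboxRequests {
    # Without SubscriptionId this reads the tenant-wide list (needs tenant-level rights).
    # Only requests still awaiting a customer decision are returned.
    param([string]$SubscriptionId)
    $prefix = if ($SubscriptionId) { "/subscriptions/$SubscriptionId" } else { '' }
    $list = Invoke-LockboxApi -Path "$prefix/providers/Microsoft.CustomerLockbox/requests"
    foreach ($r in $list.value) {
        if ($r.properties.status -ne 'Pending') { continue }
        [pscustomobject]@{
            RequestId      = $r.name
            SubscriptionId = $r.properties.subscriptionId
            Justification  = $r.properties.justification      # should cite the support case
            ExpiresAt      = $r.properties.expirationDateTime
            Resources      = ($r.properties.requestedResourceIds -join "`n")
        }
    }
}

function Set-LockboxRequestDecision {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$RequestId,
        [Parameter(Mandatory)][ValidateSet('Approve', 'Deny')][string]$Decision,
        [Parameter(Mandatory)][string]$Reason   # recorded with the decision; cite your own case number
    )
    $body = @{ decision = $Decision; reason = $Reason } | ConvertTo-Json -Compress
    Invoke-LockboxApi -Method POST -Body $body `
        -Path "/subscriptions/$SubscriptionId/providers/Microsoft.CustomerLockbox/requests/$RequestId/updateApproval"
}

# Usage: confirm the feature is on, then read what Microsoft is asking for before deciding.
$tenantId = (Get-AzContext).Tenant.Id
"Customer Lockbox opted in for tenant ${tenantId}: $(Get-LockboxTenantStatus -TenantId $tenantId)"

$pending = @(Get-PendingLockboxRequests)
$pending | Format-List

# Deny is the safe default. Approve only when the support case number in the justification
# matches a case your organisation opened and the resource list is no wider than that case needs.
# Set-LockboxRequestDecision -SubscriptionId $pending[0].SubscriptionId -RequestId $pending[0].RequestId `
#     -Decision Deny -Reason 'No matching support case on our side'
```

Keeping the decision in a function with a mandatory reason means every approval or denial carries a justification that can be copied into your own ticket, independent of what Microsoft's side records.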
Exceptions
There are two possible scenarios in which the Customer Lockbox for Microsoft Azure does not apply.
- Emergency scenarios that require urgent action from Microsoft, such as major service outages or security incidents, are rare and usually do not necessitate access to customer data.
- A Microsoft engineer may inadvertently be exposed to customer data during platform troubleshooting, but such occurrences are rare and customers can further protect their data using Customer-managed keys (CMK) available for some Azure services.
Personal opinion
These are very good options that Microsoft makes available to its customers to give them a better feeling that their data is more secure in the Microsoft Cloud. Of course, it doesn't protect 100% against misuse, but it gives you a better feeling and everything is logged cleanly. This is not only important to fulfil regulations but also to gain security in these areas.
Of course, not everything that glitters is gold. Especially in the Microsoft 365 environment with Microsoft Purview Customer Lockbox, where a Microsoft 365/Office 365 E5 and/or add-on licence is required, I think it's a bit of a pity, especially in smaller environments. In my opinion, this security option should be offered free of charge, as is the case with Customer Lockbox for Microsoft Azure.
If you have the licence, consider activating Customer Lockbox for Microsoft 365 services as well as for Microsoft Azure resources. I can highly recommend it.