Locking down your Microsoft 365 tenant from Microsoft engineers
I've never had any issues with Microsoft engineers accessing my data or changing my tenant without my explicit approval. Nevertheless, Microsoft has developed a way to lock Microsoft engineers out of your tenant. If you open a support ticket with Microsoft and they require access to your tenant, they will need to send you an explicit request. Microsoft calls this feature Customer Lockbox.
Customer Lockbox allows you and your admins to secure your Microsoft 365 tenant from Microsoft engineers. That's right. The engineers at the organization hosting your data won't be able to access your data. Not without your explicit permission. Once a request is approved, the Microsoft engineers will only be able to access your data for a limited window. That window is typically 4 hours, but it may be longer or shorter depending on your service issues.
Lockbox workflow
Before we jump into configuring Customer Lockbox, let's take a bird's eye view of the workflow. Let's say you've enabled Customer Lockbox. A month goes by and all of a sudden you have an issue with your Microsoft 365 tenant. Uh-oh. You open a service request with Microsoft and then they tell you they need access to your tenant. With Lockbox enabled, the following will take place:
1. You open a support ticket with Microsoft.
2. Microsoft views the request and verifies they need to access your tenant.
3. The Microsoft engineer and their manager will send the Lockbox request to you and your other Customer Lockbox admins.
4. You or another admin in your organization will approve the request.
5. The Microsoft engineer will review your tenant.
6. The request will time out and the Microsoft engineer will be automatically locked out of your data again.
License requirements
Your users will need one of the following licenses to enable the Customer Lockbox feature:
- Office 365 E5
- Microsoft 365 E5
- Microsoft 365 E5 Compliance
- Office 365 Advanced Compliance
What admins can manage Lockbox?
The following admins can approve Lockbox requests and will receive notifications when a Microsoft engineer requests access.
- Global administrators
- Customer Lockbox access
Enable Customer Lockbox
So now that we've reviewed the overview and talked about licensing, let's get into it. How do we enable Customer Lockbox? It's pretty simple, just click the right check box in the right place.
1. Log in to the Microsoft 365 admin center > Settings > Org settings > Security & privacy > Customer Lockbox.
2. Click Require approval for all data access requests. Click Save.
Approving Customer Lockbox requests
So now that you have Customer Lockbox enabled, let's talk about the Customer Lockbox requests, because eventually you'll get one... Maybe. Maybe not. Who knows. But either way, you'll need to know how to approve the requests in case you get one. So, how do you know if you have a request, and how do you approve it once the request is opened?
In short, you'll receive an email notifying you of the request.
Now that we have a Customer Lockbox request, how do we approve it so the Microsoft engineer can access our tenant and fix it? It's simple, just find the right button and click it.
1. Log in to the Microsoft 365 admin center > Support > Customer Lockbox Requests.
2. Click the request you wish to approve.
3. Click Approve.
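The admin center steps above for enabling Lockbox and approving requests can be checked from Exchange Online PowerShell. The script below is an added example, not part of the original post: it confirms the setting is on and lists recent Lockbox approval decisions from the audit log. It assumes the ExchangeOnlineManagement module, that audit logging is enabled in the tenant, and that Lockbox decisions are logged under the operation name Set-AccessToCustomerDataRequest; the parameter names $AdminUpn, $LookbackDays and $Enable are made up for this example.

```powershell
# Added example. Run with an account allowed to use Set-OrganizationConfig
# and Search-UnifiedAuditLog.
#Requires -Modules ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $AdminUpn,  # your admin sign-in name
    [int] $LookbackDays = 30,                   # how far back to search the audit log
    [switch] $Enable                            # turn Lockbox on if it is off
)
$ErrorActionPreference = 'Stop'
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    # 1. Read the tenant-wide Customer Lockbox setting.
    $enabled = (Get-OrganizationConfig).CustomerLockBoxEnabled
    if (-not $enabled -and $Enable) {
        Set-OrganizationConfig -CustomerLockBoxEnabled $true
        # Read it back instead of trusting that the change was applied.
        $enabled = (Get-OrganizationConfig).CustomerLockBoxEnabled
    }
    Write-Output "CustomerLockBoxEnabled: $enabled"
    if (-not $enabled) {
        Write-Warning 'Customer Lockbox is off. Re-run with -Enable to turn it on.'
    }

    # 2. List who approved or denied Lockbox requests in the lookback window.
    #    The operation name is an assumption stated in the lead-in.
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddDays(-$LookbackDays)
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 1000
    if (-not $records) {
        Write-Output "No Lockbox decisions logged in the last $LookbackDays days."
    }
    else {
        # AuditData is a JSON string; it is printed as-is rather than parsed,
        # so no field names are assumed.
        $records | Sort-Object CreationDate |
            Select-Object CreationDate, UserIds, Operations, AuditData |
            Format-List
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

An approval in this output that nobody on your admin team remembers making is worth following up, since anyone holding one of the roles listed above can approve a request.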