Best known as “Customer lockbox”, the new name is now: Microsoft Purview Customer Lockbox
Customer Lockbox is a security feature in Microsoft 365 designed to help customers control and audit access to their data in the cloud. When a Microsoft engineer needs to access a customer’s data, Customer Lockbox ensures that the customer has explicit approval before granting access to the data.
Here are some key features of Customer Lockbox in Microsoft 365:
- Access control: Customer Lockbox provides customers with full control over who has access to their data in the cloud. When a Microsoft engineer requests access to a customer’s data for troubleshooting or support, the customer is notified and can choose to approve or deny the request.
- Audit: All access requests and actions taken by Microsoft engineers are logged and audited. This enables customers to monitor and review all access to their data in the cloud.
- Time-bound access: Customer Lockbox requests are only valid for a limited time, and customers can set policies to restrict access to specific periods of time. This helps to ensure that access to sensitive data is only granted when necessary.
- Multi-factor authentication: To further enhance security, Microsoft requires multi-factor authentication for all access requests made through Customer Lockbox.
- Integration with other security features: Customer Lockbox works in conjunction with other security features in Microsoft 365, such as Data Loss Prevention and Advanced Threat Protection, to provide a comprehensive security solution for customers.
Overall, Customer Lockbox provides customers with greater control and transparency over who has access to their data in the cloud. By requiring explicit approval for all access requests and providing a comprehensive audit, Customer Lockbox helps to ensure that customers’ data remains secure and private in Microsoft 365.
How to activate it?
To activate Customer Lockbox in Microsoft 365, you will need to have an Enterprise E5 or Advanced Compliance subscription. If not, you can signup for a trial here.
Here are the steps to activate Customer Lockbox:
- Sign in to the Microsoft 365 admin center with your administrator credentials.
- In the left navigation pane, select Settings > Org settings > Security & privacy.
- Click on Customer lockbox.
- Click on the Customer Lockbox option and turn it on.
- Review the activation terms and click on Accept.
Once Customer Lockbox is activated, you can configure access policies, time-bound access, and other settings to customize the feature for your organization.
It’s important to note that Customer Lockbox is only available for certain Microsoft 365 services, such as Exchange Online and SharePoint Online, and not all Microsoft 365 services support by this feature.
How to use it?
After activating Customer Lockbox in Microsoft 365, here are the steps to use it:
- When a Microsoft engineer needs to access your data in the cloud etc. Exchange Online, they will submit a request through the standard support process.
- You will receive a notification that a request has been made, and you will need to review and approve the request before the engineer can access your data.
You can see requests in your Microsoft 365 Admin portal under Support > Data access requests. A direct link is here.
- To review the request, go to the Microsoft 365 admin center and select Customer Lockbox from the left navigation pane.
- Review the details of the request, including the reason for the request and the data that will be accessed.
- If you approve the request, the engineer will be granted access to the data for the specified time period. If you deny the request, the engineer will not be able to access your data.
- Once the request is approved or denied, the action is logged and audited for compliance and regulatory purposes.
It’s important to note that the process of approving a request may take some time, so it’s recommended that you plan accordingly when requesting support from Microsoft. Additionally, not all Microsoft 365 services support Customer Lockbox, so be sure to check the list of supported services before relying on this feature.
Read more about this feature here