Understanding Office 365 Customer Lockbox

What is Office 365 Customer Lockbox?

In the Office 365 service, no one at Microsoft has access to customers’ data. In the extremely rare event that a problem requires a Microsoft support engineer to access your data for troubleshooting, Microsoft has a highly supervised process called Lockbox, which uses elevated permissions to allow just-in-time access to fix the issue.
With the Office 365 Customer Lockbox feature, you can approve or deny access by a Microsoft engineer to perform such service operations. Customer Lockbox requests let you control whether to give the support engineer access to your data. Each request also has an expiration time, and content access is removed after the support engineer has fixed the issue.

Customer Lockbox is included in the Office 365 E5 plan. If you don’t have an Office 365 E5 plan, you can buy a separate Customer Lockbox subscription with any Office 365 Enterprise plan.

How does Office 365 Customer Lockbox work?

The Microsoft support engineer logs in to the Customer Lockbox request tool and sends you an email letting you know there’s a pending Customer Lockbox request. All requests are reviewed and approved by Microsoft support managers before you get the request.

Customer Lockbox request notifications are received by all admins in your Office 365 tenant.

The Customer Lockbox request tool sends you an email letting you know there’s a pending lockbox request. If you reject or don’t approve the request within 12 hours, access is automatically revoked.

Once the request is approved, the Microsoft support engineer receives the approval message and proceeds to log in to address the specified issue. The Customer Lockbox request is closed once the issue is fixed, and access is then revoked.


Why do we need to enable Office 365 Customer Lockbox?

Customers that want complete control of their data in Office 365 for security and compliance reasons can enable Customer Lockbox to ensure their data integrity.

  • Customer Lockbox eliminates unnecessary data access. Microsoft engineers do not have standing access to your data in Office 365.
  • Customer Lockbox grants limited access. Access is provided on a just-in-time basis and documented.
  • Full auditing of access is available via the Office 365 management activity logs.

Use of the Customer Lockbox feature ensures that a Microsoft engineer does not get access to the customer’s content without the customer’s explicit approval. When the customer gets the request for access, they can scrutinize the request and either approve or reject it. Until the request is approved, the Microsoft engineer will not be granted access.

Enabling Office 365 Customer Lockbox

Enabling Office 365 customer lockbox requests requires you to perform the following steps:

  • Sign in to Office 365 with your admin credentials.
  • Navigate to Office 365 Admin Center > Settings > Security and Privacy.
  • Locate Customer Lockbox. Click Edit, move the toggle to On or Off to turn lockbox requests on or off, and click Save.

Once Customer Lockbox is enabled, you can navigate to Settings > Support > Service Request to approve or reject a Customer Lockbox request in Office 365.