Digital transformation has changed the way we think about enterprise security. With more information stored online, locked filing cabinets aren’t enough to keep your corporate data safe, and security concerns are much bigger than misplaced keys. We now face an abundance of new risks like cybercrime, compromised credentials, and over-privileged users, to name a few.
With so many security concerns to consider, there’s one threat you shouldn’t have to be worried about: IT support staff. Experiencing tech problems with collaboration platforms like Microsoft 365 (M365) or Google Workspace could lead to major issues like downtime or even revenue loss; no one wants to deal with cybersecurity risks on top of that.
While your IT support might need access to your tenant to fix whatever problem you’re experiencing, this access should be authorized, controlled, and tracked to ensure the safety of your information. That’s why Microsoft offers Customer Lockbox for Microsoft 365 to keep you in control of access to your most important data.
What is Customer Lockbox?
While incredibly rare thanks to Microsoft’s efforts to limit the necessity for their employees to interact with customer content, there are times when a Microsoft support engineer may need access to your Microsoft 365 tenant. This is primarily when an engineer needs to troubleshoot in the application or library itself to solve an issue. In this case, they might need access to your mailbox, SharePoint library, Teams chats or channels, or other types of content.
Customer Lockbox is a feature that allows you to control a Microsoft support engineer’s access to your tenant. Before an engineer can access your content to perform IT support or services, a Microsoft employee must submit a request for your explicit approval to access your content.
Currently, Microsoft supports Customer Lockbox for requesting access to your Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. The feature comes with a Microsoft 365 E5 license and can be added to other enterprise plans.
Note: While Customer Lockbox is also available for Microsoft Azure, we will not be covering the approval workflow or set-up of that feature in this article.
Looking to ramp up your cybersecurity? Discover how AvePoint can help you level up your data protection.
How does Customer Lockbox work?
Once enabled, Customer Lockbox automatically adds your organization and designated approver(s) – also called access approver admins – to Microsoft’s access approval workflow.
While working on a support ticket, a Microsoft support engineer may determine they need access to your tenant to solve the issue. To gain access, they will submit a request via the Customer Lockbox request tool. The request will include the estimated duration of time the engineer will need access to your content to fix the problem.
After the request is submitted, it will be reviewed and approved by the engineer’s support manager. Once this level of approval is cleared, your organization’s designated approver(s) will receive an email notification with the request for access from the support engineer. Requests are also viewable in the Admin Center.
Your approver has 12 hours to review and verify the request before approving or rejecting it. Your global admins will also have the ability to approve or reject requests. If a decision is not made within 12 hours, the request will expire.
Once the request is approved, the engineer will be granted limited and time-bound access to your content. Once the requested duration is up, access is automatically revoked.
In addition to authorizing a support engineer’s access to your data, approving a request will create an audit record, which includes information about the requester like IP address, user, and activity.
These records are stored in the Microsoft 365 audit log and are accessible with the audit log search tool in with Microsoft Purview compliance portal. You can view your Customer Lockbox request history via the M365 admin center.
How do I enable Customer Lockbox?
If you’re a global admin or a designated approver, enabling Customer Lockbox in your tenant is easy.
- Login to your admin account at admin.microsoft.com and open the M365 Admin Center.
- Navigate to Settings > Org Settings.
- Choose the second tab, Security & Privacy
- Under this tab, select Customer Lockbox. Check the “Require approval for all data access requests” checkbox to turn on the feature.
- Be sure to save changes before exiting.
Do I need Customer Lockbox?
This answer really depends on your security team and the protocols and mandates they have in place.
For organizations following modern security architectures like Zero Trust, which encourage you to “never trust, always verify,” it’s common practice to not trust anyone no matter what – including IT support staff. That’s because insider threats are real; according to IBM, nearly one in 10 data breaches are caused by malicious insiders.
Microsoft has safeguards in place to ensure their engineers do not pose a risk to your tenant, like requiring multi-factor authentication, background checks, and hierarchical approvals. Yet some organizations still require more granular access management, which Customer Lockbox offers. It can also help organizations mandated to meet certain regulatory obligations, such as HIPAA and FEDRAMP, stay compliant.
No matter your reason, enabling Customer Lockbox helps your security team better control access to your Microsoft 365 tenant and offers peace of mind that your data is protected and secure.
Have any questions? Check out Microsoft’s Customer Lockbox FAQ or drop them in the comments below!