Blog Post

Security, Compliance, and Identity Blog
3 MIN READ

Customer Lockbox Approver Role Now Available

Caroline Shin's avatar
Caroline Shin
Icon for Microsoft rankMicrosoft
Aug 03, 2018

We are excited to share a new capability in Customer Lockbox that can provide more flexibility in who can approve Customer Lockbox requests. Read further to learn more. 

 

First, what is Customer Lockbox?

 

Many customers, and in particular regulated customers, have compliance obligations that require access control capabilities to be implemented or for procedures to be in place before privileged access is provided to sensitive data.

 

Customer Lockbox is part of the access control system in Office 365. It extends the default access control workflow so customers can review and approve (or deny) requests for service provider access during service operations. With Customer Lockbox, organizations can demonstrate that there are procedures in place for explicit data access authorization, which may help customers meet certain regulatory or internal compliance obligations. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and auditable. 

 

You can view this short video for a closer look at how Customer Lockbox works:

 

 

What’s new in Customer Lockbox?

 

Until recently, approving or denying Customer Lockbox requests was reserved to the Global Administrator. Today, we are announcing the availability of a new custom administrator role: Customer Lockbox access approver. This new custom role and the members of this role are now allowed to configure, approve and deny Customer Lockbox requests.  

 

This has been a key ask from customers who want to add, for example, non-IT roles such as a compliance officer, data protection officer or legal officer to approve privileged access to their Office 365 content by Microsoft personnel during support operations.

 

Here are a few examples of what the new capability looks like. 

 

Graphic 1: Add users to Customer Lockbox access approver roleGraphic 2: User with Customer Lockbox access approver role approving requests

 

Get started today!

 

The Customer Lockbox access approver role is now generally available. Customers who have purchased Office 365 E5 or the Advanced Compliance SKU, and have Customer Lockbox provisioned should be able to use the new capability today. 

 

You can find further documentation and resources below to help you get started!

 

 

Tell us what you think! If there are additional features that you would like to see in Customer Lockbox, we would love to hear from you on uservoice.

 

 

FAQ

Q: How do I turn on Customer Lockbox?

A: For licensed customers, the tenant administrator and Customer Lockbox access approver can enable and configure Customer Lockbox from the Admin Center. For detail on how to turn this on please go here.

 

Q: Which services are covered by Customer Lockbox?

A: Exchange Online, SharePoint Online and OneDrive for Business have complete coverage. Skype for Business coverage does not include Skype Meeting Broadcast recordings or Skype Meeting content uploads. 

 

Q: Who is notified when there is a request to access my content?

A: The Global Administrators and the Customer Lockbox access approver roles are notified via email and can approve or deny Customer Lockbox request via Microsoft 365 Admin Center portal or PowerShell.

 

Q: Who can approve or reject these requests in my organization?

A: Customers control membership of the groups that can approve or reject Customer Lockbox requests.

 

Q: Can a regular user admins reset the password for members of Customer Lockbox access approver role?

A: Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

 

Q: Is there a limit on the members who can be part of this role?

A: No, there is no limit on the number of members who can be part of this role. However, since this is a privileged role, our recommendation is to limit the members of the group to a smaller manageable size.

 

Q: When a Customer Lockbox request is approved, how long are the permissions valid?

A: The maximum period for permissions granted following a Customer Lockbox approval is currently 4 hours. The Microsoft engineer may request a shorter period as well.

 

Q: How can I get a history of all Customer Lockbox requests?

A: All Customer Lockbox requests can be viewed directly from the Microsoft 365 Admin Center.

Updated May 11, 2021
Version 10.0
  • I liked the line about controlling who can reset the passwords of people with this role. That's great evidence of thinking through consequences and implications carefully.

  • Rhys Paterson's avatar
    Rhys Paterson
    Copper Contributor

    Is there a way to programmatically enable the lockbox feature, say via Graph or otherwise? Same again for checking the status (enabled/disabled)?