Event details
During Microsoft Secure you learned about the latest innovations around Microsoft's SIEM and XDR solution. Join this Ask Microsoft Anything (AMA) session to get your questions about Microsoft Sentine...
Trevor_Rusher
Updated Dec 27, 2024
TobyMcG
Mar 31, 2023
Copper Contributor
For when Microsoft Engineers access our tenant directly, when they've both separately been invited and when they haven't (for special troubleshooting and service restoration etc.):
Do we get alerted at any point in either event, that an MS Engineer is currently in our tenant? We understand Lockbox is applicable to some services such as VMs, but does not cover all of Azure.
We understand that when creating support tickets, we can opt out of having an Engineer enter our tenant for support. Does an option exist to stop engineers entering our tenant for all cases and not just support? This is beyond the scope of protecting "customer data" stored in any DBs or VMs, but all company data within the Azure tenant.
We've read that Microsoft Engineers can enter our tenant for special troubleshooting reasons. Is all access, for any reason, restricted to an approved elevation of privilege?
Does Microsoft have any written agreements detailing when this access will occur and after what checks?
Ed Fisher
Microsoft
Apr 13, 2023
This is much more complex than can be answered in this format. As I see in the below question that you have an NDA already in place, I expect that means you do have an Account Team who can discuss this with you. Customer data is yours, and Lockbox is an effective way to ensure that you are a part of the approval process for any access to your data. Access to the underlying SaaS infrastructures, which does NOT include any ability to see your data (blob, emails, docs in SharePoint, etc.) I may be reading between the lines here, but it sounds like you have some specific compliance or privacy concerns. While you can see what compliance standards we meet and which are audited in the Service Trust Portal (linked earlier), it does sound like an interactive discussion with your account team is the next best step, and can get you specific answers to your specific situation(s).