Customer Lockbox for partners


Hi 

 

Does anyone know if the Customer Lockbox functionality is possible to apply to partners/users and not just MS - so it applies to B2B? - so the partner can't access the customer's data (files, emails, etc.)?

The partner has (global) admin rights, so how does one prevent access to the data or at least log it?

Otherwise, if someone could point to another solution, where GA is blocked? 

3 Replies

@Taen keren 

 

Hi, Customer Lockbox is only for Microsoft support I'm afraid.

 

You can control access to the data using Conditional Access Policies, and / or Privileged Identity Management as per https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-...

 

@PeterRising - hmmm... If I could combine the CA with the actual Classification label - it would be great

e.g.

If a document is labeled 'Highly confidential' - then no global admin, compliance admin or other privileged role had access to the document - only the end-users or the group specified in the label had access.

I'm not aware if this can be achieved now?

 

I can see this one at the uservoice:  https://office365.uservoice.com/forums/928576-microsoft-information-protection-mip/suggestions/19602...

@Taen keren 

 

No, there is nothing that will work quite like that just yet I'm afraid. One for the roadmap hopefully.