M365 Customer Lockbox licensing

Senior Member

Can someone explain us how customer lockbox works under mixed licensing? For example: We have 99 M365 E3 licences and one M365 E5 license. In this situation there will be only one user/admin (which have M365 E5 license) able to turn on and off lockbox feature and also approve requests? Others users with E3 licence can´t turn lockbox feature on or off or approve requests despite they are global admins?

4 Replies
best response confirmed by Mi1anovic (Senior Member)



Take a look at this - - it explains the tenant level feature guidance in relation to licensing.


Global Administrators and Customer Lockbox Access Approvers can approve Customer Lockbox access requests from Microsoft.


Tenant level services can be very tricky when it comes to licensing.  By the letter of the law, you probably should have an M365 E5 licence for every user in your tenant if you are using this feature.  It will work if you only have one though.  


A very dangerous grey area in my opinion.  Same issue occurs with the features of O365 ATP.  They are activated at a tenant level, but all users should be appropriately licensed to benefit from the features.

Okay I got it. This is same situation as Premium AAD licenses. If AAD is Azure AD for Office 365 and we want to AAD Premium we need buy at least one license for user/admin but others users will not be able benefit from that. We will need premium aad licence for every user. So this lockbox feature is working on same license idea as AAD premium right?



Yes that's correct.

@PeterRising Thank you. You helped me a lot.