One of the worries that keeps many companies from adopting cloud services for e-mail and other collaboration services is the question of who has control over the security of the content. Microsoft has addressed this concern by introducing a new feature, Customer Lockbox requests, in its E5 license.
Customer Lockbox requests in Office 365 allow you to control how a Microsoft support engineer accesses your data. Sometimes, if you run into an issue, you might need a Microsoft support engineer to help you fix it. In some cases, the support engineer will require access to your Office 365 content to troubleshoot and fix the issue. Customer Lockbox requests allow you to control whether to give the support engineer access to your data. There's also an expiration time on the request, and content access is removed after the support engineer has fixed the issue.
Maximizing Security for Customers
To maximize data security and privacy for Microsoft 365 customers, Microsoft engineered the service to require zero interaction with customer content by employees. All service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content. Only in some cases - such as when troubleshooting a customer issue with a mailbox - does a Microsoft engineer have any reason to access customer content in Microsoft 365. And even in such a scenario customer approval is necessary.
Customer Lockbox is included in the Office 365 E5 plan. If you don't have an Office 365 E5 plan, you can buy a separate Customer Lockbox subscription with any of the Office 365 Enterprise plans. Customer Lockbox works with Exchange Online, SharePoint Online, and OneDrive for Business.
How does the Customer Lockbox work?
Office 365 Customer Lockbox brings an additional layer of protection to Microsoft's already rigorous access control policies, to maximize data security and privacy for Office 365 customers.
It gives customers unique control over their data by eliminating unnecessary access by Microsoft. This means that Microsoft needs your permission to access your data. For example, if your business is experiencing a service issue that requires Microsoft to access your systems to resolve, then you need to provide explicit permission for them to do so. You, or your Office 365 administrator, will be notified via email that there is a request for access. You can then approve or reject the Customer Lockbox request. This means you know about each occasion on which a Microsoft engineer needs to gain access to your company information and content. Until the access request is explicitly approved, the Microsoft engineer will not be able to view any data.
The Customer Lockbox Workflow
Turning Customer Lockbox requests on or off
You can turn on Customer Lockbox controls in the Microsoft 365 admin center. When you turn on Customer Lockbox, Microsoft must obtain your organization's approval before accessing any of your tenant's content.
- Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
- Choose Settings > Org Settings.
- Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
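The same tenant setting can also be checked and set from Exchange Online PowerShell, which is useful when you want to confirm the toggle as part of a configuration review. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account may read and change the organization configuration, and the function name `Set-LockboxState` is hypothetical.

```powershell
# Added example: report and, if needed, change the Customer Lockbox setting.
# Assumption: ExchangeOnlineManagement module is installed and the account
# used to sign in is permitted to run Get/Set-OrganizationConfig.
function Set-LockboxState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [bool] $Enabled
    )

    # Read the current tenant-wide value before changing anything.
    $current = (Get-OrganizationConfig).CustomerLockBoxEnabled
    if ($current -eq $Enabled) {
        Write-Output "Customer Lockbox is already set to $Enabled; no change made."
        return
    }

    # ShouldProcess lets the caller preview the change with -WhatIf.
    if ($PSCmdlet.ShouldProcess('organization configuration',
            "Set CustomerLockBoxEnabled from $current to $Enabled")) {
        Set-OrganizationConfig -CustomerLockBoxEnabled $Enabled

        # Re-read the value so the result is verified, not assumed.
        $after = (Get-OrganizationConfig).CustomerLockBoxEnabled
        if ($after -ne $Enabled) {
            Write-Warning "Setting still reads $after; re-check after a few minutes."
        }
        else {
            Write-Output "Customer Lockbox changed from $current to $after."
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false
try {
    # -WhatIf previews the change; remove it to apply.
    Set-LockboxState -Enabled $true -WhatIf
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```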
Frequently asked questions
1. Who is notified when there is a request to access a customer’s content?
Admins in the customer’s Office 365 environment are notified via email that there is a request for access. The Office 365 Admin Center portal will also display requests that have been submitted to the customer for approval.
2. Who can approve or reject these requests in a customer’s organization?
Administrators in the customer’s Office 365 environment can approve or reject Customer Lockbox requests using their admin credentials.
3. Under what circumstances do Microsoft engineers need access to customer’s content?
No one at Microsoft has standing access to customer content in Office 365. Furthermore, Office 365 services are being engineered so that people performing service operations never have access to customer content. Therefore, we believe that the only scenario where a Microsoft manager will need to access customer content is when the customer asks us to do so.
4. What happens if a customer rejects the Microsoft engineer’s access to content?
Microsoft can only proceed following approval of a Customer Lockbox Office 365 request. If a customer rejects a Customer Lockbox request, no access to customer content will occur. If a user was experiencing a service issue that required Microsoft to access customer content to resolve (though such circumstances are expected to be extremely rare), then the service issue might simply persist. Microsoft would inform the customer of this action.
Last Updated 8 months ago