Defining Customer Lockbox
In this tutorial, we will learn about the concept of Customer Lockbox.
Occasionally, an organization might need a Microsoft engineer’s help to troubleshoot and fix reported issues. Usually, issues are fixed through the extensive telemetry and debugging tools Microsoft has in place for its services. However, some cases require a Microsoft engineer to access the organization’s content to determine the root cause and fix the issue.
Customer Lockbox ensures that Microsoft can’t access the content to perform a service operation without the organization’s explicit approval. It brings the organization into the approval workflow for requests to access their content. Customer Lockbox supports requests to access data in Exchange Online, OneDrive for Business, and SharePoint Online.
Customer Lockbox: Process
The process works as follows:
- Firstly, someone at an organization experiences an issue with their Microsoft 365 mailbox, for example. After the user troubleshoots the issue, but can’t fix it, they open a support request with Microsoft Support.
- Secondly, a Microsoft support engineer reviews the service request and determines a need to access the organization’s tenant to repair the issue in Exchange Online.
- Then, the Microsoft support engineer logs into the Customer Lockbox request tool and makes a data access request. This includes the organization’s tenant name, service request number, and the estimated time the engineer needs access to the data.
- After a Microsoft Support manager approves the request, Customer Lockbox sends the designated approver at the organization an email notification about the pending access request from Microsoft.
- Next, the approver signs in to the Microsoft 365 admin center and approves the request. This step also triggers the creation of an audit record, which is available by searching the audit log. However, if the customer rejects the request or doesn’t approve the request within 12 hours, the request expires and the Microsoft engineer gets no access.
- Lastly, after the approver from the organization approves the request, the Microsoft engineer receives the approval message, logs into the tenant in Exchange Online, and fixes the customer’s issue. Microsoft engineers have the requested duration to fix the issue, after which the access is automatically revoked.
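The rules in the process above (approval required, 12-hour expiry, access limited to the requested duration) can be checked against exported activity records. The following Python example is added here for illustration and is not Microsoft code; the record layout, field names and event types are assumptions rather than the real audit log schema. It also assumes the 12-hour clock starts at the request record and the access window starts at approval.

```python
from datetime import datetime, timedelta

APPROVAL_TIMEOUT = timedelta(hours=12)  # from the page: unapproved requests expire after 12 hours

# Constructed sample records; field names are assumptions, not the real audit schema.
SAMPLE_EVENTS = [
    {"request": "REQ-1", "type": "requested", "time": "2024-05-01T08:00", "hours": 4},
    {"request": "REQ-1", "type": "approved",  "time": "2024-05-01T09:00"},
    {"request": "REQ-1", "type": "access",    "time": "2024-05-01T10:30"},
    {"request": "REQ-1", "type": "access",    "time": "2024-05-01T14:00"},  # window ended 13:00
    {"request": "REQ-2", "type": "requested", "time": "2024-05-02T08:00", "hours": 2},
    {"request": "REQ-2", "type": "approved",  "time": "2024-05-02T21:00"},  # 13 h later: expired
    {"request": "REQ-2", "type": "access",    "time": "2024-05-02T21:30"},
    {"request": "REQ-3", "type": "requested", "time": "2024-05-03T08:00", "hours": 1},
    {"request": "REQ-3", "type": "denied",    "time": "2024-05-03T08:20"},
    {"request": "REQ-3", "type": "access",    "time": "2024-05-03T08:30"},
]

def review_lockbox(events):
    """Return (request, time, reason) for every access the workflow should not have allowed."""
    state, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        req = state.setdefault(ev["request"], {"requested": None, "window": None, "denied": False})
        if ev["type"] == "requested":
            req["requested"], req["duration"] = when, timedelta(hours=ev["hours"])
        elif ev["type"] == "denied":
            req["denied"] = True
        elif ev["type"] == "approved":
            # An approval only opens a window if it arrives before the request expires.
            if req["requested"] and when - req["requested"] <= APPROVAL_TIMEOUT:
                req["window"] = (when, when + req["duration"])
        elif ev["type"] == "access":
            if req["denied"]:
                reason = "request was denied"
            elif req["window"] is None:
                reason = "no valid approval (missing or after 12-hour expiry)"
            elif not req["window"][0] <= when <= req["window"][1]:
                reason = "outside approved access window"
            else:
                continue
            findings.append((ev["request"], ev["time"], reason))
    return findings

if __name__ == "__main__":
    for finding in review_lockbox(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```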
Reference: Microsoft Documentation