--- Sjoerd Hooft's InFormation Technology ---

WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.



Customer Lockbox

Customer Lockbox requests allow you to control how a Microsoft support engineer accesses your data. Usually the following workflow takes place when a Microsoft engineer wants to access your data:


With Customer Lockbox the workflow changes, as you as a customer get an active part in the process:


See here for more information on how this workflow takes place.

Configure Customer Lockbox

Configuring Customer Lockbox is a two-step implementation:

Assigning the Customer Lockbox access approver role

By default, only global administrators can approve access requests. You can, however, give the “Customer Lockbox access approver” role to members of, for example, your SOC team. As these are Office 365 roles, it's not possible to assign them to an AD security group, so you need to assign them manually to individual users:

  • In the Office 365 Admin portal go to Users → Active users and select the user you want to assign the role to
  • On the new blade click edit next to the Roles part
  • Set the role to Customized administrator and select “Customer Lockbox access approver”
  • Click on Save

Enable Customer Lockbox

Now that there are users who can approve a request, you can enable Customer Lockbox:

  • In the Office 365 Admin portal go to Settings → Security & Privacy
  • Click on Edit in the Customer Lockbox block
  • Set “Require approval for all data access requests” to On
  • Click on Save

Approve or Deny Requests

After a Microsoft Engineer / manager enables a request, an email is sent to the global admins (it won't be delivered if the email address is invalid) and to the users with the “Customer Lockbox access approver” role. For security reasons the email contains no link. After receiving the mail, follow these steps to approve or deny the request:

  • Go to the Office 365 Admin Portal: https://portal.office.com
  • In the Office 365 Admin portal go to Support → Customer Lockbox Requests
  • Select a Customer Lockbox request, and then select Approve or Reject.

All the requests are saved here for historical reasons.
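
The portal steps above can be checked afterwards from PowerShell. The script below is an added example, not part of the original page: a read-only audit that confirms the setting is on, lists who can approve, flags approvers without a mail address, and pulls past decisions from the audit log. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that unified audit logging is enabled, and that the account running it may read these settings; the 30-day window is an arbitrary choice.

```powershell
# Added example (not from the original page): read-only audit of the Customer Lockbox setup.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# 1. Is "Require approval for all data access requests" switched on?
$enabled = (Get-OrganizationConfig).CustomerLockBoxEnabled
Write-Output "Customer Lockbox enabled: $enabled"

# 2. Who can approve requests: global admins plus the approver role.
#    Get-MgDirectoryRole only returns roles that are activated in the tenant,
#    so a role that was never assigned does not show up here.
$roleNames   = 'Global Administrator', 'Customer LockBox Access Approver'
$activeRoles = Get-MgDirectoryRole -All
$approvers = foreach ($name in $roleNames) {
    $role = $activeRoles | Where-Object DisplayName -eq $name
    if (-not $role) {
        Write-Warning "Role '$name' is not activated in this tenant (no members)."
        continue
    }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role = $name
            UPN  = $_.AdditionalProperties['userPrincipalName']
            Mail = $_.AdditionalProperties['mail']
        }
    }
}
$approvers | Sort-Object Role, UPN | Format-Table -AutoSize

# 3. Approvers without a mail address may not receive the request notification.
$approvers | Where-Object { -not $_.Mail } | ForEach-Object {
    Write-Warning "$($_.UPN) ($($_.Role)) has no mail address; request emails may not arrive."
}

# 4. Approve/deny decisions recorded in the unified audit log (last 30 days).
$decisions = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 1000
$decisions | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```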

o365customerlockbox.txt · Last modified: 2021/09/24 00:25 (external edit)