Office 365 Customer Lockbox
Configure Customer Lockbox
- Assiging the Customer Lockbox access approver role
- Enable Customer Lockbox
Approve or Deny Requests
Useful Links

Office 365 Customer Lockbox

Summary: How to configure Customer Lockbox in Office 365.
Date: Around 2018
Refactor: 8 March 2025: Checked links and formatting.

o365

Customer Lockbox requests allows you to control how a Microsoft support engineer accesses your data. Usually the following workflow takes place when a Microsoft Engineer wants to access your data:

With customer lockbox the workflow changes as you as a customer gets an active part in the process:

See here for more information on how this workflow takes place.

Configure Customer Lockbox

Configuring Customer Lockbox is a two step implementation:

Assiging the Customer Lockbox access approver role

By default only global administrators can approve access requests. You can however give the “Customer Lockbox access approver” role to members of, for example, your SOC team. As these are Office 365 roles it's not possible to assign them to an AD security group and you need to assign them manually to individual users:

In the Office 365 Admin portal go to Users → Active users and select the user you want to assign the role to
On the new blade click edit next to the Roles part
Set the role to Customized administrator and select “Customer Lockbox access approver”
Click on Save

Enable Customer Lockbox

Now there are users who can approve a request you can enable Customer Lockbox:

In the Office 365 Admin portal go to Settings → Security & Privacy
Click on Edit in the Customer Lockbox block
Set “Require approval for all data access requests” to On
Click on Save

Approve or Deny Requests

After a Microsoft Engineer / manager enables a request a email is sent out to the global admins (won't be delivered with an invalid email address) and the users with the “Customer Lockbox access approver” role. The email will hold no link due to security reasons. After receiving the mail follow these steps to approve or deny the request:

Go to the Office 365 Admin Portal: https://portal.office.com
In the Office 365 Admin portal go to Support → Customer Lockbox Requests
Select a Customer Lockbox request, and then select Approve or Reject.

All the requests are saved here for historical reasons.

Useful Links

https://docs.microsoft.com/en-us/office365/admin/manage/customer-lockbox-requests?view=o365-worldwide
https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Customer-Lockbox-Approver-Role-Now-Available/ba-p/223393
https://www.c-sharpcorner.com/article/what-is-customer-lockbox-in-office-365/

Table of Contents