Locking down your Microsoft 365 tenant from Microsoft engineers

Personally, I've never had any issues with Microsoft engineers accessing my data or changing my tenant without my explicit approval. Nevertheless, Microsoft has developed a way to lock out Microsoft engineers from your tenant. If you open a support ticket with Microsoft and they require access to your tenant they will need to send you an explicit request. Microsoft calls this feature Customer Lockbox.

Lockbox workflow

With Lockbox enabled the following will take place:

1. You open a support request with Microsoft.

2. Microsoft views the request and verifies they need to access your tenant.

3. The Microsoft engineer and their manager will send the Lockbox request to you and your admins.

4. You or another admin in your organization will approve the request.

5. The Microsoft engineer will review your tenant.

License requirements

Your users will need one of the following licenses to enable the Customer Lockbox feature:

• Office 365 E5

• Microsoft 365 E5

• Microsoft 365 E5 Compliance

• Office 365 Advanced Compliance

Enable Customer Lockbox

1. Log in to the Microsoft 365 admin center > Settings > Org settings > Security & privacy > Customer Lockbox.

2. Click Require approval for all data access requests. Click Save.

Enable customer lockbox

Approving Customer Lockbox requests

So now you have Customer Lockbox enabled and you’ve opened a ticket with Microsoft. How do you know if they have a request and how do you approve it once the request is opened?

In short, you'll receive an email that looks like the following:

Customer Lockbox request email

1. Log in to the Microsoft 365 admin center > Support > Customer Lockbox Requests.

2. Click the request you wish to approve.

Customer Lockbox data access requests

3. Click Approve.