Locking down your Microsoft 365 tenant from Microsoft engineers
Personally, I've never had any issues with Microsoft engineers accessing my data or changing my tenant without my explicit approval. Nevertheless, Microsoft has developed a way to lock out Microsoft engineers from your tenant. If you open a support ticket with Microsoft and they require access to your tenant they will need to send you an explicit request. Microsoft calls this feature Customer Lockbox.
Lockbox workflow
With Lockbox enabled the following will take place:
1. You open a support request with Microsoft.
2. Microsoft views the request and verifies they need to access your tenant.
3. The Microsoft engineer and their manager will send the Lockbox request to you and your admins.
4. You or another admin in your organization will approve the request.
5. The Microsoft engineer will review your tenant.
License requirements
Your users will need one of the following licenses to enable the Customer Lockbox feature:
• Office 365 E5
• Microsoft 365 E5
• Microsoft 365 E5 Compliance
• Office 365 Advanced Compliance
Enable Customer Lockbox
1. Log in to the Microsoft 365 admin center > Settings > Org settings > Security & privacy > Customer Lockbox.
2. Click Require approval for all data access requests. Click Save.

Approving Customer Lockbox requests
So now you have Customer Lockbox enabled and you’ve opened a ticket with Microsoft. How do you know if they have a request and how do you approve it once the request is opened?
In short, you'll receive an email that looks like the following:

1. Log in to the Microsoft 365 admin center > Support > Customer Lockbox Requests.
2. Click the request you wish to approve.

3. Click Approve.