Customer Lockbox
This section describes the design decisions associated with Customer Lockbox for system(s) built using ASD's Blueprint for Secure Cloud.
Estimated reading time: 2 minutes
Customer Lockbox is a means to ensure Microsoft is restricted from accessing an organisation’s content without explicit approval from an authorised organisation representative. The service is used to address situations where Microsoft Engineers require access to client data within Microsoft 365 to resolve an incident. Similar to PIM role activations, Customer Lockbox requests are time-boxed with all actions performed by the Microsoft engineer logged in the audit log, which organisations can review within their audit records. The audit logs contain the following information:
| Audit record property | Description |
|---|---|
| Date | Date and time when the action was performed. The action will be performed within 4 hours of the Customer Lockbox request approval time. |
| IP address | The IP Address of the machine Microsoft engineer used. |
| User | Microsoft Operator; this value indicates the record is related to a Customer Lockbox request. |
| Activity | Name of the activity performed by the Microsoft engineer. |
Per the support agreement terms and conditions, when organisations have not enabled Customer Lockbox, Microsoft support engineers will use an internal Microsoft approval process, but will be able to access content without an organisation’s approval. Enabling the Customer Lockbox provides the ability to deny access requests, providing additional security.
Design Decisions
| Decision Point | Design Decision | Justification |
|---|---|---|
| Customer Lockbox | Enabled | This is to ensure that Microsoft support engineers cannot access the organisation’s content to perform a service operation without the organisation’s explicit approval. |
Related information
Security & Governance
- None identified
Design
- None identified
Configuration
- None identified