Note
To use this feature, your organization must have an Azure support plan with a minimum level of Developer.
The alternate email notification feature lets customers use alternate email IDs to receive Customer Lockbox notifications. With it, Customer Lockbox for Microsoft Azure customers can receive notifications when their Azure account isn't email enabled or when a service principal is defined as the tenant admin or subscription owner.
Important
This feature only enables Customer Lockbox notifications to be sent to alternate email IDs. It does not enable alternate users to act as approvers for Customer Lockbox requests.
For example, Alice has the subscription owner role for subscription X, and she adds Bob's email address as an alternate email in her user profile. Bob has a reader role. When a Customer Lockbox request is created for a resource scoped to subscription 'X', Bob receives the email notification, but he can't approve or reject the Customer Lockbox request because he doesn't have the required privileges (subscription owner role).
Prerequisites
To take advantage of the Customer Lockbox for Microsoft Azure alternate email feature, you must have:
- A Microsoft Entra ID tenant that has Customer Lockbox for Microsoft Azure enabled on it.
- A Developer or above Azure support plan.
- Role assignments:
  - A user account with the Tenant admin, privileged authentication administrator, or User administrator role to update user settings.
  - [Optional] Subscription owner or the new Azure Customer Lockbox Approver for Subscription role if you want to approve or reject Customer Lockbox requests.
Set up Customer Lockbox for Microsoft Azure alternate email feature
Here are the steps to set up the Customer Lockbox for Microsoft Azure alternate email feature.
Access the Azure portal.
Sign in with a user account that has Tenant admin, privileged authentication administrator, or User administrator role privileges.
Search for the user to add an alternate email address.
Note
The user must have tenant admin/subscription owner/Azure Customer Lockbox Approver for Subscription role privileges to act on Lockbox requests.
Select Add email under the 'Other emails' category, then select Add.
Enter the alternate email address in the text field, then select Save.
Select the "Save" button in the Contact Information tab to save the updates.
The Contact information tab now shows the updated information with the alternate email:
If the primary 'Email' field has a value, emails are sent only to that address. To send Lockbox email notifications to 'Other emails', clear the primary 'Email' field.
When a Lockbox request is triggered and the user is identified as a Lockbox approver, the email notification is sent to the primary email if it has a value. If the primary email is empty, the notification is sent to other email addresses. These emails notify the approver that Microsoft Support is trying to access a resource in their tenant, and they need to sign in to the Azure portal to approve or reject the request. Here is an example screenshot:
Known Issues
These are the known issues with this feature:
- Duplicate emails are sent if the value for the primary email and other email is the same.
- Notifications are sent only to the first email address in 'Other emails', even when multiple email IDs are configured in that field.
- If the primary email is not set, and the other email is set, two emails are sent to the alternate email address.
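The routing rule and the known issues above can be checked across all approver accounts before relying on the feature. The following is an added example, not Microsoft code: it assumes each record mirrors a Microsoft Graph user object, with the portal 'Email' field in `mail` and 'Other emails' in `otherMails`, and it runs on constructed sample data. The function names and the case-insensitive address comparison are also assumptions.

```python
# Added example, not Microsoft code. Assumption: each record mirrors a Microsoft Graph
# user object, with the portal 'Email' field in "mail" and 'Other emails' in "otherMails".

def lockbox_recipient(user):
    """Return (recipient, findings) per the routing rule and known issues on this page."""
    primary = (user.get("mail") or "").strip()
    others = [e.strip() for e in user.get("otherMails") or [] if e and e.strip()]
    findings = []
    if primary:
        # A populated primary 'Email' wins; 'Other emails' are not used for routing.
        # Addresses are compared case-insensitively (assumption).
        if any(e.lower() == primary.lower() for e in others):
            findings.append("duplicate emails: primary and other email are the same")
        if any(e.lower() != primary.lower() for e in others):
            findings.append("other emails ignored while primary 'Email' has a value")
        return primary, findings
    if others:
        findings.append("two emails are sent to the alternate address")
        if len(others) > 1:
            findings.append(f"only the first of {len(others)} other emails is notified")
        return others[0], findings
    # Not stated on the page: with neither field set there is no address to route to.
    return None, ["no primary or other email set: nothing to route a notification to"]


def audit(users):
    """Map userPrincipalName -> (recipient, findings) for every approver record."""
    return {u["userPrincipalName"]: lockbox_recipient(u) for u in users}


# Constructed sample approvers (example.com addresses are placeholders).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "otherMails": ["soc@example.com"]},
    {"userPrincipalName": "svc-owner@example.com", "mail": None,
     "otherMails": ["soc@example.com", "oncall@example.com"]},
    {"userPrincipalName": "carol@example.com", "mail": "carol@example.com",
     "otherMails": ["Carol@example.com"]},
    {"userPrincipalName": "dave@example.com", "mail": "", "otherMails": []},
]

if __name__ == "__main__":
    for upn, (recipient, findings) in audit(SAMPLE_USERS).items():
        print(f"{upn}: notify={recipient} findings={findings}")
```

Feed it an export of the accounts that hold the approver roles listed under Prerequisites; any account whose recipient is not the mailbox your team monitors needs its contact information corrected.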