Configure Customer Lockbox
To use Customer Lockbox, you need to enable and configure it in your Microsoft 365 tenant. This ensures that all access requests from Microsoft engineers follow your organization's approval process, giving you greater control and transparency over your data.
Prerequisites
Before enabling Customer Lockbox, ensure that:
You have the global administrator or Customer Lockbox access approver role.
Your organization is licensed for Microsoft 365 E5 or equivalent. For details, see Microsoft 365 licensing guidance.
Audit logging is enabled to track all actions related to Customer Lockbox. For details, see Get started with auditing solutions.
Enable Customer Lockbox
Follow these steps to turn on Customer Lockbox in the Microsoft 365 admin center:
Sign in to the Microsoft 365 admin center using an account with the global administrator role.
Navigate to Settings > Org settings > Security & Privacy.
Select Customer Lockbox from the left column.
Check the box labeled Require approval for all data access requests.
Select Save to enable the feature.
Best practices for configuration
Limit access with least privilege: Assign the Customer Lockbox access approver role only to individuals who require it, minimizing unnecessary access to sensitive approval workflows.
Coordinate with compliance teams: Work with your compliance and security teams to ensure Customer Lockbox supports your organization's regulatory requirements, such as HIPAA or FedRAMP.
Monitor settings periodically: Regularly verify that Customer Lockbox remains enabled so the tenant stays aligned with your organization's security policies.
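One way to automate the periodic check, together with the audit-logging prerequisite and the least-privilege review of approvers, is the PowerShell sketch below. It is an added example, not a script from Microsoft or from this page. It assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell modules are installed; the $MaxApprovers and $LookbackDays thresholds are hypothetical local policy values.

```powershell
# Added example: periodic Customer Lockbox posture check (not Microsoft's own script).
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and
# the signed-in account can read organization config, directory roles and the audit log.
$MaxApprovers = 5     # assumed local policy limit; set your own
$LookbackDays = 30    # assumed review window for approval decisions

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

$findings = [System.Collections.Generic.List[string]]::new()

# 1. The tenant-wide setting must still be on.
if (-not (Get-OrganizationConfig).CustomerLockBoxEnabled) {
    $findings.Add('Customer Lockbox is not enabled for the tenant.')
}

# 2. Prerequisite: audit logging must be recording events.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log ingestion is turned off.')
}

# 3. Least privilege: list current holders of the approver role.
#    Get-MgDirectoryRole returns only activated roles, and PIM-eligible
#    assignments do not appear in this membership list.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Customer LockBox Access Approver'"
$approvers = @()
if ($role) {
    $approvers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
}
if ($approvers.Count -gt $MaxApprovers) {
    $findings.Add("$($approvers.Count) approvers assigned; policy limit is $MaxApprovers.")
}

# 4. Pull recent approve/deny decisions so a reviewer can confirm each was expected.
$decisions = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) `
    -EndDate (Get-Date) -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 1000)

[pscustomobject]@{
    CheckedAt       = (Get-Date).ToUniversalTime()
    Approvers       = $approvers
    RecentDecisions = $decisions | Select-Object CreationDate, UserIds, Operations
    Findings        = $findings
}

# A non-zero exit code lets a scheduler or pipeline raise an alert.
if ($findings.Count -gt 0) { exit 1 }
```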