Most operations, support, and troubleshooting performed by Microsoft personnel (including subprocessors) don't require access to customer data. With Power Platform Customer Lockbox, we provide an interface for customers to review and approve (or reject) data access requests on the rare occasion when access to customer data is needed. It's used in cases where a Microsoft engineer needs to access customer data, whether in response to a customer-initiated support ticket or a problem identified by Microsoft.
This article covers how to enable Customer Lockbox and how lockbox requests are initiated, tracked, and stored for later reviews and audits.
Note
Customer Lockbox is available in public clouds and US Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) regions.
You can enable Customer Lockbox for your data sources within your tenant. Enabling Customer Lockbox will enforce the policy only for environments that are activated for Managed Environments. Power Platform administrators can enable the lockbox policy.
For more information, go to Enable the lockbox policy.
On the rare occasion when Microsoft attempts to access customer data that's stored within Power Platform (for example, Dataverse), a lockbox request is sent to the Power Platform administrators for approval. For more information, go to Review a lockbox request.
All updates to a lockbox request are recorded and made available to your organization as audit logs. For more information, go to Audit lockbox requests.
Power Platform and Dynamics 365 applications and services store customer data in several Azure storage technologies. When you turn on Customer Lockbox for an environment, customer data associated with the respective environment is protected by the lockbox policy, irrespective of the storage type.
Note
Your organization has an issue with Microsoft Power Platform and opens a support request with Microsoft Support. Alternatively, Microsoft proactively identifies a problem (for example, a proactive notification is triggered), and a Microsoft-initiated event is opened to investigate and mitigate or fix the root cause.
A Microsoft operator reviews the support request/event and attempts to troubleshoot the issue by using standard tools and telemetry. If access to customer data is needed for further troubleshooting, a Microsoft engineer triggers an internal approval process for access to customer data, irrespective of lockbox policy being enabled or not.
In addition, a lockbox request is generated if the respective data store is associated with an environment that is protected by the lockbox policy. An email notification about the pending data access request from Microsoft is sent to the designated approvers (Power Platform administrators).
Important
The Microsoft engineer won’t be able to proceed with their investigation until the lockbox request is approved by the customer. This could cause delays in addressing the support ticket or prolonged outages. Make sure you monitor email notifications and/or lockbox requests in the Power Platform admin center and respond in a timely manner to avoid service interruptions.
The approver signs into the Power Platform admin center and approves the request. If the request is rejected or not approved within four days, it expires, and no access is granted to the Microsoft engineer.
After the approver from your organization approves the request, the Microsoft engineer obtains the elevated permissions that were initially requested and fixes your issue. Microsoft engineers have a set amount of time (8 hours) to fix the issue, after which access is automatically revoked.
Power Platform administrators can create or update the lockbox policy in the Power Platform admin center. Enabling the tenant level policy will apply only to environments that are activated for Managed Environments. It may take up to 24 hours for all data sources and all environments to be implemented with Customer Lockbox.
Sign in to the Power Platform admin center.
Use the Tenant settings page to review and manage tenant-level settings. To view tenant-level settings, select the Gear icon in the upper-right corner of the Microsoft Power Platform site and select Power Platform settings > Settings > Tenant settings in the left-side navigation pane.
Set Customer Lockbox to Enable.
Sign in to the Power Platform admin center.
Select Policies > Customer Lockbox.
Review the request details.
Field | Description |
---|---|
Support request ID | The ID of the support ticket associated with the lockbox request. If the request is a result of Microsoft-initiated internal alert, the value will be “Microsoft initiated”. |
Environment | The display name of the environment in which data access is being requested. |
Status | The status of the lockbox request. |
Requested | The time at which the Microsoft engineer requested access to customer data in the customer's environment. |
Request expiration | The time by which the customer needs to approve the lockbox request. The status of the request will change to Expired if no approval is given by this time. |
Access period | The length of time the requestor wants to access customer data. This value is by default 8 hours and can't be changed. |
Access expiration | If access is granted, this is the time until which the Microsoft engineer has access to customer data. |
Select a lockbox request, and then select Approve or Deny.
Note
The lockbox requests that have occurred in the past 28 days are displayed in the Recent table.
Once a request is approved, it cannot be revoked for the entire duration of the access period of 8 hours.
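A triage sketch for the request list described above, added here as an example and not Microsoft's code: it orders pending requests by the time left before the four-day expiry and lists approved requests whose 8-hour access window is still open. The record keys reuse the request-detail field names; the `Pending`/`Approved` status strings, the `Approved at` key, the sample values, and counting the access period from the approval time are assumptions.

```python
from datetime import datetime, timedelta, timezone

APPROVAL_WINDOW = timedelta(days=4)   # page: unapproved requests expire after four days
ACCESS_PERIOD = timedelta(hours=8)    # page: fixed access period, not revocable once approved

# Constructed sample records. Keys follow the request-detail fields above; the
# "Pending"/"Approved" status strings and the "Approved at" key are assumptions.
SAMPLE_REQUESTS = [
    {"Support request ID": "EXAMPLE-0001", "Environment": "Contoso Prod",
     "Status": "Pending", "Requested": "2024-03-01T09:00:00+00:00"},
    {"Support request ID": "Microsoft initiated", "Environment": "Contoso Test",
     "Status": "Pending", "Requested": "2024-03-04T06:00:00+00:00"},
    {"Support request ID": "EXAMPLE-0002", "Environment": "Contoso Prod",
     "Status": "Approved", "Requested": "2024-03-03T10:00:00+00:00",
     "Approved at": "2024-03-04T12:00:00+00:00"},
]

def triage(requests, now, warn_within=timedelta(hours=24)):
    """Return (pending, open_access): pending requests ordered by time left to
    decide, and approved requests whose 8-hour access window is still open."""
    pending, open_access = [], []
    for req in requests:
        requested = datetime.fromisoformat(req["Requested"])
        if req["Status"] == "Pending":
            remaining = requested + APPROVAL_WINDOW - now
            if remaining > timedelta(0):          # already-lapsed requests are dropped
                pending.append({"id": req["Support request ID"],
                                "environment": req["Environment"],
                                "hours_left": round(remaining.total_seconds() / 3600, 1),
                                "urgent": remaining <= warn_within})
        elif req["Status"] == "Approved":
            # Assumption: the access period is counted from the approval time.
            access_ends = datetime.fromisoformat(req["Approved at"]) + ACCESS_PERIOD
            if now < access_ends:
                open_access.append({"id": req["Support request ID"],
                                    "environment": req["Environment"],
                                    "access_ends": access_ends.isoformat()})
    pending.sort(key=lambda r: r["hours_left"])
    return pending, open_access

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 15, 0, tzinfo=timezone.utc)   # fixed clock for the sample
    for group in triage(SAMPLE_REQUESTS, now):
        for row in group:
            print(row)
```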
Warning
The schema documented in this section for the lockbox audit events is deprecated and won't be available starting in July 2024. You can audit Customer Lockbox events using the new schema available at Activity category: Lockbox operations.
Actions related to accepting, denying, or expiration of a lockbox request are recorded automatically in Microsoft 365 Defender.
Audit traces include these and other fields for each lockbox request:
The Microsoft 365 Audit tab allows admins to search for events associated with lockbox sessions. View the Power Platform Lockbox category for Power Platform related lockbox events.
Admins can directly export the result set based on the filter criteria.
Customer Lockbox produces two types of audit logs:
By default, the audit logs are preserved for a duration of one year. You need a 10-Year Audit Log Retention add-on license to retain audit records for 10 years. See Audit (Premium) for more details on audit log retention.
Customer Lockbox policy will be enforced only on environments that are activated for Managed Environments. Managed Environments is included as an entitlement in standalone Power Apps, Power Automate, Microsoft Copilot Studio, Power Pages, and Dynamics 365 licenses that give premium usage rights. To learn more about Managed Environment licensing, see Licensing and Licensing overview for Microsoft Power Platform.
In addition, access to Customer Lockbox for Microsoft Power Platform and Dynamics 365 requires users in the environments where the Lockbox policy is enforced to have any of these subscriptions:
Lockbox requests aren't triggered in the following engineering support scenarios:
Emergency scenarios that fall outside of standard operating procedures, such as a major service outage that requires immediate attention to recover or restore services in unexpected or unpredictable cases. These “break glass” events are rare and, in most instances, don't require any access to customer data to resolve.
A Microsoft engineer accesses the underlying platform as part of troubleshooting and is inadvertently exposed to customer data. It's rare that such scenarios would result in access to meaningful quantities of customer data.
Customer Lockbox requests are also not triggered by external legal demands for data. For details, refer to the discussion of government requests for data in the Microsoft Trust Center.
Customer Lockbox won't apply to the access and manual review of customer data shared for Copilot AI features. Customer Lockbox will remain enabled for all in-scope data.