Joins Exchange, SharePoint, and OneDrive
Message center notification MC346909 (March 25) announces the general availability of an update to enable Teams support for the customer lockbox feature (Microsoft 365 roadmap item 86190). Microsoft expects full deployment to complete in late April with GCC availability in June and GCC-High/DOD in September.
Tenants need Office 365 or Microsoft 365 licenses or a Microsoft 365 information protection or compliance add-on to use customer lockbox. If the tenant has already enabled customer lockbox through the Org settings section of the Microsoft 365 admin center (Figure 1), no further action is necessary to add Teams to the set of covered services.
What is Customer Lockbox?
Customer lockbox is a mechanism to control access to user content when Microsoft engineers believe they require access to resolve support incidents. Without customer lockbox (for instance, in an Office 365 E3 tenant), it’s sufficient for Microsoft support to ask the tenant administrator if they can access content like a Word document in a SharePoint Online document library or messages in an Exchange mailbox (see this list of user content). When customer lockbox is enabled, it becomes mandatory for Microsoft to seek approval prior to any access to user content.
Access to user content should not be necessary very often. Most support incidents involve system components or are instances where a feature doesn’t work as it should. In these circumstances, it’s usually possible to replicate the problem and give the reproduction steps to the support engineers to verify and test. Indeed, experienced tenant administrators often attempt to replicate a problem in a development tenant to understand if the issue is specific to a tenant or more general.
Access to user content is problematic. Although tenant configuration and settings are confidential, user content like the documents in a library or conversations in a team channel are much more confidential. They expose the inner workings of an organization and could even reveal secrets that should not out outside the organization.
No one likes the idea of a stranger poking around in their content. Customer lockbox provides reassurance to customers that Microsoft engineers can only do this after tenant administrators give explicit approval for the action. Microsoft must raise a request for approval by the tenant administrators (users assigned the Customer Lockbox Access Approver administrative role can also approve these requests). Each request states a reason why access to user content is necessary and the duration of the requested access (usually four hours). This article explains how to report the membership of Microsoft 365 role groups, including the accounts holding the customer lockbox access approver role.
Figure 2 shows an example of the message sent to seek administrator approval. Customer lockbox is active in my tenant for the last four years. I have never had to report a problem which involved user content access, so I had to copy the example from Microsoft documentation. However, my experience is not typical because I don’t have to deal with many users likely to report problems requiring lockbox access.
Approval occurs through the Microsoft 365 admin center and must be received within 12 hours if the request is not to expire. If granted, Microsoft receives access to the customer content for the requested duration.
Customer Lockbox Doesn’t Cover All Support Data
As I note above, enabling customer lockbox doesn’t mean that every interaction with Microsoft support creates additional paperwork that slows down their ability to resolve problems. Customer lockbox is only involved with incidents where access to user content is absolutely necessary. For example, a sensitivity label protects an Office document, and the user cannot open the document even though the rights assignments inherited from the label should allow this. Hopefully, an administrator might be able to resolve the issue, but if they can’t, Microsoft support should be able to help.
Non-user tenant content required by Microsoft support is not covered by customer lockbox. For instance, last week I used PowerShell to run a message trace for Microsoft support and shared the output with a support engineer. Even though a message trace reveals email subjects, it’s not the same as when an support engineer wants to access user content.
Microsoft Should Make Customer Lockbox Available to More Tenants
It’s nice that Teams user content is now covered by customer lockbox. However, on a more fundamental note, my view is that this should not be an E5 feature. Although valuable, customer lockbox is probably not the kind of feature that convinces an organization to move from E3 to E5 or even purchase an information protection or compliance add-on. It seems like a fundamental protection which Microsoft should extend to tenants at a lower licensing point (E3 at the very least). I hope Microsoft will move to make customer lockbox available to more tenants, but I am not holding my breath.
Learn about protecting Microsoft 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s importance and how best to protect your tenant.