This chapter covers Customer Lockbox for Microsoft 365, a critical data privacy control that governs Microsoft support access to your tenant data. For the MS-102 exam, this topic falls under objective 3.4: Implement and manage data governance and compliance solutions. Expect 1–2 questions on Customer Lockbox, typically asking about prerequisites, the approval workflow, or how it integrates with eDiscovery and Privileged Access Management. You must understand the exact steps, default timers, and licensing requirements to answer correctly.
Customer Lockbox is like a hotel that places room service trays outside guest doors only after a guest explicitly approves the tray's delivery. In this hotel, engineers (Microsoft support staff) cannot bring a tray (access user data) to a guest's room without first sending a request to the guest's phone. The guest receives a notification: "Engineer Alice needs to place a tray at your door for 12 hours. Approve?" The guest can approve, deny, or set a shorter time. Once approved, the engineer gets a temporary key card that works only for that door and only during the approved window. The hotel logs every tray placement: who approved it, which engineer, and when. Without this system, engineers could theoretically access any room at any time—the hotel trusts its staff but wants guests to have visibility and control. The key difference: the tray is the data access request, the engineer is Microsoft support, the guest is the tenant admin, and the temporary key card is the just-in-time access granted via Privileged Identity Management (PIM). The hotel never allows engineers to bypass the approval—no backdoor keys exist. This mirrors Customer Lockbox's mechanism: Microsoft engineers cannot access customer content until the tenant admin explicitly approves each request via the Microsoft 365 admin center or an automated API. The approval is time-bound, audited, and revocable.
What Is Customer Lockbox?
Customer Lockbox is a Microsoft 365 compliance feature that provides an additional layer of control over how Microsoft support engineers access your data. When a support case requires access to customer content (e.g., Exchange Online mailboxes, SharePoint Online sites, or Teams chat data), the engineer must request explicit approval from your organization's designated approvers. The request is logged, time-bound, and audited. Without Lockbox, Microsoft engineers have a baseline level of access for troubleshooting, but with Lockbox, you can approve or deny each request, ensuring no data is accessed without your knowledge.
Why It Exists
Customer Lockbox addresses the need for data sovereignty and compliance in regulated industries (finance, healthcare, government). It is part of Microsoft's commitment to the Microsoft Trusted Cloud and helps customers meet regulatory requirements such as GDPR, HIPAA, and FedRAMP. It provides a clear audit trail of every access event, which is essential for compliance audits and internal security reviews.
How It Works – The Mechanics
Customer Lockbox operates through a workflow that integrates with the Microsoft 365 admin center, the Service Health Dashboard, and Privileged Identity Management (PIM). Here is the detailed step-by-step mechanism:
1. Support Case Initiation: A tenant admin submits a support request through the Microsoft 365 admin center. The support engineer (Microsoft employee) diagnoses the issue and determines that access to customer content is required.
2. Lockbox Request Creation: The engineer initiates a Lockbox request via the Microsoft internal tool. The request includes:
   - The specific support case ID
   - The scope of data needed (e.g., a specific mailbox, site, or user)
   - The duration of access (default is 12 hours, max is 12 hours)
   - The justification for access
3. Notification to Tenant Approvers: The request triggers an email notification to the designated approvers (up to 10 users can be configured). Approvers can also see pending requests in the Microsoft 365 admin center under Support > Customer Lockbox Requests.
4. Approval or Denial: An approver reviews the request and can:
   - Approve: Grants the engineer access for the requested duration. The engineer receives a token valid for that period.
   - Deny: The request is rejected, and the engineer cannot access the data. The support case may need alternative troubleshooting.
   - Set a shorter duration: The approver can reduce the access window (minimum 1 hour).
5. Just-In-Time Access: Upon approval, the engineer's account is granted temporary, scoped access via PIM. The access is logged in the Customer Lockbox audit logs and the Unified Audit Log.
6. Access Execution: The engineer performs the required actions (e.g., viewing mailbox content). All actions are logged.
7. Access Expiration: After the approved duration expires, the access is automatically revoked. The engineer cannot extend it without a new request.
8. Audit Trail: All events are recorded in the following logs:
   - Customer Lockbox logs: Available in the Microsoft 365 admin center under Support > Customer Lockbox Requests.
   - Unified Audit Log: Use Search-UnifiedAuditLog in Exchange Online PowerShell or the Microsoft 365 compliance center. The workload is CustomerLockbox. Record type is CustomerLockboxRequest.
Key Components, Values, and Defaults
Licensing: Customer Lockbox requires one of the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E5 Compliance
- Microsoft 365 E5 Information Protection and Governance
- Office 365 E5
- Microsoft 365 A5 (education)
- Microsoft 365 G5 (government)
- Add-on: Customer Lockbox is available as an add-on for E3 and other plans, but the exam focuses on E5.

Approvers: Up to 10 users can be designated as approvers. They must have the Global Admin role (a Customer Lockbox Access Approver role exists in some portals, but the exam answer is Global Admin).

Default Duration: 12 hours (max). An approver can shorten it to a minimum of 1 hour.

Request Frequency: There is no limit on the number of requests, but each request must be individually approved.

Retention: Lockbox requests are retained in the audit log for 90 days by default (can be extended with retention policies).
Configuration Steps
To enable Customer Lockbox:
1. Go to Microsoft 365 admin center > Settings > Org Settings > Security & Privacy > Customer Lockbox.
2. Toggle Require approval for all data access requests to On.
3. Add approvers (must be Global Admins).
4. (Optional) Configure automated notifications for pending requests.
Verification with PowerShell:

```powershell
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# Check Customer Lockbox settings
Get-CustomerLockboxSetting
# View pending requests
Get-CustomerLockboxRequest -Status Pending
# View completed requests
Get-CustomerLockboxRequest -Status Approved
```

Interaction with Related Technologies
Privileged Access Management (PAM): Customer Lockbox uses PAM under the hood to grant just-in-time access. PAM is a separate feature that controls administrative access within your tenant, but Lockbox uses the same PIM infrastructure.
eDiscovery: If a support engineer needs to access data for eDiscovery purposes, that does not go through Customer Lockbox. eDiscovery is a separate workflow managed by compliance administrators.
Microsoft Purview Compliance Portal: Lockbox logs are accessible in the Compliance Portal under Audit > Search audit log.
Service Health Dashboard: If a service incident requires data access, Microsoft may need to bypass Lockbox for emergency access. Such access is audited, and the tenant is notified within 48 hours.
Edge Cases and Exceptions
Emergency Access: In rare cases where service health is critically impacted, Microsoft may access data without prior approval. This is called a "break-glass" scenario. Microsoft will notify the tenant admin within 48 hours of the access.
Third-Party Support: Customer Lockbox only applies to Microsoft support engineers. Third-party support vendors (e.g., partners with delegated admin privileges) are not covered. You must use other controls like Privileged Identity Management (PIM) for partners.
Government Clouds: Customer Lockbox is available in GCC, GCC High, and DoD clouds, but with slight variations in approval workflows (e.g., additional approval levels in GCC High).
Exam-Relevant Numbers
Default access duration: 12 hours
Maximum approvers: 10
Minimum access duration: 1 hour
License requirement: Microsoft 365 E5 or equivalent
Audit log retention: 90 days (default)
Notification timeframe for emergency access: 48 hours
Support Case Initiation
A tenant admin opens a support case via the Microsoft 365 admin center. The case is assigned to a Microsoft support engineer. During troubleshooting, the engineer determines that access to customer content (e.g., a specific mailbox or SharePoint site) is necessary. The engineer cannot access the data directly; instead, they initiate a Customer Lockbox request from the internal Microsoft support tool. The request includes the case ID, the scope of data needed, the justification, and the desired duration (default 12 hours). This step triggers the entire Lockbox workflow.
Request Notification to Approvers
Once the Lockbox request is created, the system sends an email notification to all designated approvers (up to 10 users with Global Admin role). The email includes details of the request: support case ID, requesting engineer, scope of access, duration, and justification. Approvers can also view pending requests in the Microsoft 365 admin center under Support > Customer Lockbox Requests. The request appears with a status of 'Pending' and a timer showing the remaining time before automatic expiry (if not acted upon).
Approval or Denial by Tenant Admin
An approver reviews the request and can approve, deny, or modify the duration. If approved, the engineer is granted just-in-time access via Privileged Identity Management (PIM). The access is scoped to the specific data required and time-bound to the approved duration (minimum 1 hour, maximum 12 hours). If denied, the engineer cannot access the data, and the support case continues with alternative methods. The approver can also set a shorter duration than requested. All actions are logged in the Unified Audit Log.
Just-In-Time Access Grant
Upon approval, the Microsoft support engineer's account is granted temporary access through PIM. The access token is valid only for the approved duration and scope. The engineer can now perform the required troubleshooting actions (e.g., viewing mailbox content, inspecting site permissions). All activities performed during this access window are audited and logged. The engineer cannot extend the access without submitting a new Lockbox request. The access automatically expires after the approved duration.
Audit and Logging
All events related to the Lockbox request are recorded in two places: the Customer Lockbox logs in the admin center (Support > Customer Lockbox Requests) and the Unified Audit Log in the Microsoft 365 compliance center. The audit log includes details such as request creation, approval/denial, access start and end times, and the specific actions taken by the engineer. These logs are retained for 90 days by default. You can export them for compliance reporting. Use `Search-UnifiedAuditLog -RecordType CustomerLockboxRequest` to query via PowerShell.
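The following script is an added example for the Audit Trail step above and for this section; it is not code from the chapter or from Microsoft. It reads Customer Lockbox records from the Unified Audit Log with the `Search-UnifiedAuditLog -RecordType CustomerLockboxRequest` query the chapter gives, flattens each record's AuditData JSON, rebuilds one row per request, flags approvals above an internal ceiling and any access that has no approval event (the emergency case the chapter describes), and exports the result for a SIEM or audit team as in Scenario 2. The AuditData property names (RequestId, Operation, CaseId, Scope, DurationHours), the operation names (Create, Approve, Deny, AccessStart), the helper names, the 4-hour policy ceiling and the sample records are all constructed assumptions; map them to what your tenant's records actually contain.

```powershell
# Added example, not from the original chapter or from Microsoft.
# ASSUMPTIONS: AuditData field and operation names below are illustrative;
# RecordType CustomerLockboxRequest is the value the chapter gives.

$PolicyMaxHours = 4   # constructed internal ceiling (Scenario 1 approved 4-hour windows)

# Live query; needs Connect-ExchangeOnline first. Not called in the offline run below.
function Get-LockboxAuditRecords {
    param([datetime]$StartDate = (Get-Date).AddDays(-90), [datetime]$EndDate = (Get-Date))
    Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType CustomerLockboxRequest -ResultSize 5000
}

# Constructed sample records shaped like Search-UnifiedAuditLog output
# (CreationDate, UserIds, and a JSON string in AuditData).
$SampleRecords = @(
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-01T09:00:00Z'; UserIds = 'engineer.a@support.example'
        AuditData = '{"RequestId":"LB-1001","Operation":"Create","CaseId":"CASE-42","Scope":"mailbox:alice@contoso.com","DurationHours":12}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-01T09:20:00Z'; UserIds = 'admin@contoso.com'
        AuditData = '{"RequestId":"LB-1001","Operation":"Approve","DurationHours":4}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-02T14:00:00Z'; UserIds = 'engineer.b@support.example'
        AuditData = '{"RequestId":"LB-1002","Operation":"Create","CaseId":"CASE-57","Scope":"site:https://contoso.sharepoint.com/sites/hr","DurationHours":12}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-02T14:05:00Z'; UserIds = 'admin@contoso.com'
        AuditData = '{"RequestId":"LB-1002","Operation":"Approve","DurationHours":12}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-03T08:00:00Z'; UserIds = 'engineer.c@support.example'
        AuditData = '{"RequestId":"LB-1003","Operation":"Create","CaseId":"CASE-61","Scope":"mailbox:bob@contoso.com","DurationHours":12}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-03T08:30:00Z'; UserIds = 'admin@contoso.com'
        AuditData = '{"RequestId":"LB-1003","Operation":"Deny"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-03-04T01:00:00Z'; UserIds = 'engineer.d@support.example'
        AuditData = '{"RequestId":"LB-1004","Operation":"AccessStart","CaseId":"CASE-70","Scope":"mailbox:carol@contoso.com"}' }
)

# Flatten one audit record: parse the AuditData JSON into ordinary properties.
function ConvertFrom-LockboxRecord {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time          = $Record.CreationDate
            Actor         = $Record.UserIds
            RequestId     = $d.RequestId
            Operation     = $d.Operation
            CaseId        = $d.CaseId
            Scope         = $d.Scope
            DurationHours = $d.DurationHours
        }
    }
}

# One row per request, with a Finding column for anything a reviewer should look at.
function Get-LockboxFindings {
    param([Parameter(Mandatory)][object[]]$Events, [int]$MaxHours = 12)
    foreach ($group in ($Events | Sort-Object Time | Group-Object RequestId)) {
        $ops      = $group.Group
        $create   = $ops | Where-Object Operation -eq 'Create'  | Select-Object -First 1
        $approval = $ops | Where-Object Operation -eq 'Approve' | Select-Object -First 1
        $denied   = [bool]($ops | Where-Object Operation -eq 'Deny')
        $accessed = [bool]($ops | Where-Object Operation -eq 'AccessStart')

        $finding = $null
        if ($accessed -and -not $approval) {
            $finding = 'Access with no approval event: confirm it was an emergency (break-glass) access notified by Microsoft'
        } elseif ($approval -and $approval.DurationHours -gt $MaxHours) {
            $finding = "Approved for $($approval.DurationHours)h, above the internal ceiling of ${MaxHours}h"
        }

        [pscustomobject]@{
            RequestId = $group.Name
            CaseId    = ($ops | Where-Object CaseId | Select-Object -First 1).CaseId
            Scope     = ($ops | Where-Object Scope  | Select-Object -First 1).Scope
            Requested = $(if ($create) { $create.Time } else { $ops[0].Time })
            Approver  = $(if ($approval) { $approval.Actor } else { $null })
            Outcome   = $(if ($approval) { 'Approved' } elseif ($denied) { 'Denied' } elseif ($accessed) { 'Accessed without approval' } else { 'Pending' })
            Hours     = $(if ($approval) { $approval.DurationHours } else { $null })
            Finding   = $finding
        }
    }
}

# Offline run over the constructed sample. Against a real tenant, replace $SampleRecords
# with: Get-LockboxAuditRecords -StartDate (Get-Date).AddDays(-30)
$events = $SampleRecords | ConvertFrom-LockboxRecord
$report = Get-LockboxFindings -Events $events -MaxHours $PolicyMaxHours
$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\lockbox-report.csv' -NoTypeInformation   # hand-off to SIEM or audit team
```

On the sample data the report shows LB-1001 approved for 4 hours with no finding, LB-1002 flagged for a 12-hour approval above the 4-hour ceiling, LB-1003 denied, and LB-1004 flagged because access was recorded with no approval event. Because the chapter says Lockbox events are kept for only 90 days by default, the export step is what gives the audit team a record that outlives that window.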
Enterprise Scenario 1: Financial Services Compliance
A large bank uses Microsoft 365 E5 and must comply with SOX and GDPR. They enable Customer Lockbox for all support requests. When a critical issue arises with an Exchange Online mailbox, the support engineer requests access. The bank's compliance officer receives the notification and approves a 4-hour window. The engineer accesses the mailbox, and all actions are logged. The bank's audit team later reviews the logs to demonstrate that no unauthorized access occurred. Without Lockbox, the bank would have to trust that Microsoft engineers never access data without permission—a risk they cannot accept. The key configuration detail: the bank designates three Global Admins as approvers, ensuring 24/7 coverage. They also set up automated email alerts to a shared mailbox so no request is missed.
Scenario 2: Healthcare Provider with HIPAA
A hospital uses Microsoft 365 E5 and must comply with HIPAA. They have a strict policy that any access to patient health information (PHI) must be approved by the privacy officer. When a support case requires access to a SharePoint site containing patient records, the Lockbox request is sent to the privacy officer. She approves a 2-hour window. The engineer accesses the site, and the logs are later included in a HIPAA audit. The hospital also uses the emergency access notification—when Microsoft breaks glass for a critical outage, they receive an alert within 48 hours and document it for compliance. A common pitfall: the hospital initially forgot to enable auditing for Lockbox, so they had no logs. After enabling, they regularly export logs to their SIEM.
Scenario 3: Government Contractor with FedRAMP
A government contractor uses Microsoft 365 GCC High and must meet FedRAMP requirements. Customer Lockbox is enabled, but they also require additional approval from a security officer. They configure the approvers list with two Global Admins. In one instance, a support engineer requested access to a mailbox, but the request was denied because the justification was insufficient. The engineer had to provide more details and resubmit. This demonstrates the importance of clear justification. The contractor also uses the PowerShell cmdlet Get-CustomerLockboxRequest to periodically audit all requests. A performance consideration: in GCC High, Lockbox requests may take slightly longer due to additional security checks, but the default 12-hour window is usually sufficient.
What MS-102 Tests on Customer Lockbox
MS-102 objective 3.4 includes Customer Lockbox under "Implement data governance and compliance solutions." Exam questions typically focus on:
- Prerequisites: Which licenses are required? (E5 or equivalent)
- Approver role: Who can approve? (Global Admin only – a common trick is offering 'Compliance Admin' or 'Security Admin')
- Default duration: 12 hours
- Emergency access notification: 48 hours
- Audit log location: Unified Audit Log with RecordType CustomerLockboxRequest
Common Wrong Answers and Why Candidates Choose Them
"Customer Lockbox requires Microsoft 365 E3" – Wrong. E3 does not include Lockbox unless you purchase an add-on. The exam expects E5.
"Approvers can be any admin role" – Wrong. Only Global Admin can approve. Candidates often pick Security Admin because it seems related.
"Lockbox requests expire after 24 hours" – Wrong. Default is 12 hours. The exam tests the exact number.
"Lockbox applies to all Microsoft support access, including emergency" – Wrong. Emergency access is allowed without prior approval, but notified within 48 hours.
"Lockbox logs are only in the admin center" – Wrong. They are also in the Unified Audit Log.
Specific Numbers and Terms to Memorize
Default access duration: 12 hours
Minimum duration: 1 hour
Maximum approvers: 10
Emergency notification: 48 hours
License: Microsoft 365 E5 (or E5 Compliance, E5 Information Protection, Office 365 E5, A5, G5)
PowerShell cmdlet: Get-CustomerLockboxRequest
Audit record type: CustomerLockboxRequest
Edge Cases the Exam Loves
Emergency access: Microsoft can bypass Lockbox for service health emergencies. They will notify within 48 hours. The exam may ask: "When does Microsoft access data without approval?"
Third-party support: Lockbox does not cover partners or delegated admins. You need PIM for partners.
Government clouds: Lockbox is available in GCC/GCC High/DoD, but the exam focuses on commercial.
How to Eliminate Wrong Answers
If a question asks about the approver role, eliminate any answer that is not Global Admin. If it asks about duration, eliminate anything other than 12 hours. If it asks about licensing, eliminate E3 unless it mentions an add-on. Use the underlying mechanism: Lockbox is a just-in-time approval system, so any answer suggesting permanent access or no approval is wrong.
Customer Lockbox requires a Microsoft 365 E5 license (or equivalent) – not E3.
Only Global Admins can be designated as Customer Lockbox approvers (up to 10).
Default access duration for a Lockbox request is 12 hours; minimum is 1 hour.
Emergency access by Microsoft is allowed without prior approval, with notification within 48 hours.
Lockbox audit logs are retained for 90 days by default and are available in the Unified Audit Log with RecordType CustomerLockboxRequest.
Use Get-CustomerLockboxRequest in Exchange Online PowerShell to view requests.
Customer Lockbox does not apply to third-party support or delegated admin access.
These come up on the exam all the time. Here's how to tell them apart.
| | Customer Lockbox | Privileged Access Management (PAM) |
|---|---|---|
| What it controls | Microsoft support engineer access to customer data. | Administrative access within your own tenant (e.g., admins accessing mailboxes). |
| Who approves | Tenant Global Admin, for each request. | A separate approver group (can be non-Global Admins). |
| Default access duration | 12 hours. | Configurable, often 4 hours. |
| Licensing | Microsoft 365 E5 or equivalent. | Microsoft 365 E5 (included in the same suite). |
| Audit logs | Customer Lockbox logs and Unified Audit Log. | Privileged Access Management logs and Unified Audit Log. |
Mistake
Customer Lockbox requires Microsoft 365 E3 or higher.
Correct
Customer Lockbox requires Microsoft 365 E5 or equivalent (E5 Compliance, E5 Information Protection, Office 365 E5, A5, G5). E3 does not include it unless you purchase an add-on license.
Mistake
Any admin role can approve Customer Lockbox requests.
Correct
Only users with the Global Admin role can be designated as approvers. Even Security Admin or Compliance Admin cannot approve.
Mistake
The default access duration for a Lockbox request is 24 hours.
Correct
The default duration is 12 hours. The approver can set a shorter duration (minimum 1 hour), but the maximum is 12 hours.
Mistake
Customer Lockbox covers all Microsoft support access, including emergency break-glass scenarios.
Correct
In emergency scenarios (e.g., service outage), Microsoft may access data without prior approval. They will notify the tenant admin within 48 hours. Lockbox does not apply to such cases.
Mistake
Customer Lockbox audit logs are only available in the Microsoft 365 admin center.
Correct
Lockbox events are also recorded in the Unified Audit Log in the Microsoft 365 compliance center. You can query them with PowerShell using `Search-UnifiedAuditLog -RecordType CustomerLockboxRequest`.
Customer Lockbox requires Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft 365 E5 Information Protection and Governance, Office 365 E5, Microsoft 365 A5, or Microsoft 365 G5. It is not included in E3 unless you purchase an add-on. The exam expects E5 as the answer.
Only users with the Global Admin role can be designated as approvers. You can have up to 10 approvers. Other roles like Security Admin or Compliance Admin cannot approve. This is a common exam trap.
The default duration is 12 hours. An approver can shorten it to as little as 1 hour, but cannot extend beyond 12 hours. If no action is taken, the request expires after 12 hours (though the engineer can resubmit).
No. In emergency scenarios (e.g., service outage), Microsoft can access data without prior approval. They will notify the tenant admin within 48 hours. This is called a break-glass scenario. Lockbox is designed for non-emergency support cases.
Logs are available in two places: the Microsoft 365 admin center under Support > Customer Lockbox Requests, and the Unified Audit Log in the compliance center. Use PowerShell: `Search-UnifiedAuditLog -RecordType CustomerLockboxRequest`.
Yes. You can connect to Exchange Online PowerShell and use cmdlets like `Get-CustomerLockboxSetting`, `Get-CustomerLockboxRequest`, and `Set-CustomerLockboxSetting`. These are available in the EXO V2 module.
No. Customer Lockbox only applies to Microsoft support engineers. For third-party vendors with delegated admin privileges, you should use other controls like Privileged Identity Management (PIM) or Conditional Access.