Data Management - Ensure the Customer Lockbox Feature is Enabled
Summary
The Customer Lockbox feature should be enabled. With it, Microsoft requires your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer Lockbox requests also have an expiration time, and content access is removed after the support engineer has fixed the issue.
Reason
When enabled, this feature can protect data against spillage and exfiltration.
What If?
With this setting enabled, Microsoft must be granted access to the tenant environment before a Microsoft engineer can access the environment for support or troubleshooting.
How to?
To enable the Customer Lockbox feature, use the Microsoft 365 Admin Portal:
- Browse to the Microsoft 365 admin center.
- Expand Settings then select Org settings.
- Choose Security & privacy in the right pane.
- Click Customer Lockbox.
- Check the box Require approval for all data access requests.
- Click Save.
To set the Customer Lockbox feature to enabled, use the Exchange Online PowerShell Module:
- Run the Exchange Online PowerShell Module.
- Connect using Connect-ExchangeOnline.
- Run the following PowerShell command:
Set-OrganizationConfig -CustomerLockboxEnabled $true
Monitor:
To verify the Customer Lockbox feature is enabled, use the Microsoft 365 Admin Portal:
- Browse to the Microsoft 365 admin center.
- Expand Settings then select Org settings.
- Choose Security & privacy in the right pane.
- Click Customer Lockbox.
- Ensure the box labeled Require approval for all data access requests is checked.
To verify the Customer Lockbox feature is enabled, use the Microsoft 365 SecureScore Portal:
- Log in to the Microsoft 365 SecureScore portal (https://securescore.microsoft.com) using admin permissions (global admin or a custom admin role) for an Office 365 Enterprise, Microsoft 365 Business, or Office 365 Business Premium subscription.
- Search for Turn on customer lockbox feature under Improvement actions.
To verify the Customer Lockbox feature is enabled, use the Exchange Online PowerShell Module:
- Run the Exchange Online PowerShell Module.
- Connect using Connect-ExchangeOnline.
- Run the following PowerShell command:
Get-OrganizationConfig | Select-Object CustomerLockboxEnabled
- Verify the value is set to True.
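The PowerShell check and the enable command above, combined into one repeatable audit. This is an added example, not part of the original page: the function name Test-CustomerLockbox and its -Remediate switch are hypothetical, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account may read and change the organization config.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: audit the Customer Lockbox setting and optionally remediate it.
# Test-CustomerLockbox and -Remediate are hypothetical names used for illustration.
function Test-CustomerLockbox {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # enable the setting when it is found disabled
    )

    # Assumes Connect-ExchangeOnline has already been run in this session.
    $before = [bool](Get-OrganizationConfig).CustomerLockboxEnabled
    $after  = $before

    if (-not $before -and $Remediate) {
        # ShouldProcess makes -WhatIf and -Confirm work, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess('OrganizationConfig', 'Set CustomerLockboxEnabled to $true')) {
            Set-OrganizationConfig -CustomerLockboxEnabled $true
            # Re-read the value instead of assuming the write took effect.
            $after = [bool](Get-OrganizationConfig).CustomerLockboxEnabled
        }
    }

    # One record per run, suitable for logging or export to CSV/JSON.
    [pscustomobject]@{
        CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        Control      = 'Customer Lockbox enabled'
        ValueBefore  = $before
        ValueNow     = $after
        Compliant    = $after
        Remediated   = ($after -and -not $before)
    }
}

Connect-ExchangeOnline
$result = Test-CustomerLockbox      # audit only; use -Remediate -WhatIf to preview the fix
$result | Format-List
Disconnect-ExchangeOnline -Confirm:$false

# A non-zero exit code lets a scheduled job or pipeline flag configuration drift.
if (-not $result.Compliant) { exit 1 }
```

Running it on a schedule and alerting on a non-zero exit catches the case where the setting is later switched off.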