3.1 Ensure the customer lockbox feature is enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

You should enable the Customer Lockbox feature. It requires Microsoft to obtain your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer Lockbox requests also have an expiration time, and content access is removed after the support engineer has fixed the issue.

Rationale:

Enabling this feature protects your data against data spillage and exfiltration.

Impact:

With this setting enabled, an administrator must explicitly grant Microsoft access to the tenant environment before a Microsoft engineer can access it for support or troubleshooting.

Solution

To enable the Customer Lockbox feature, use the Microsoft 365 Admin Portal:

1. Browse to the Microsoft 365 admin center.

2. Expand Settings, then select Org settings.

3. Choose Security & privacy in the right pane.

4. Click Customer Lockbox.

5. Check the box Require approval for all data access requests.

6. Click Save.

To set the Customer Lockbox feature to enabled, use the Exchange Online PowerShell Module:

1. Run the Exchange Online PowerShell Module.

2. Connect using Connect-ExchangeOnline.

3. Run the following PowerShell command:

Set-OrganizationConfig -CustomerLockBoxEnabled $true
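The following script, added here as an example and not part of the CIS benchmark text, carries the PowerShell procedure above through as an idempotent audit-and-remediate run: it reads the current CustomerLockBoxEnabled value with Get-OrganizationConfig, applies Set-OrganizationConfig only when the feature is disabled, and re-reads the value afterwards so a silent failure is reported rather than assumed fixed. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role permitted to change the organization configuration; $AdminUpn is a placeholder parameter, not a value from the page.

```powershell
# Added example (not from the CIS benchmark page): audit, enable and verify
# Customer Lockbox through Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the caller may run
# Set-OrganizationConfig. $AdminUpn is a placeholder for the administrator UPN.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Audit step: capture the current state before changing anything.
    $before = (Get-OrganizationConfig).CustomerLockBoxEnabled
    Write-Host "CustomerLockBoxEnabled before: $before"

    if (-not $before) {
        # Remediation step from the benchmark; skipped when already compliant.
        Set-OrganizationConfig -CustomerLockBoxEnabled $true
    }

    # Verification step: re-read the setting and fail loudly if it did not stick.
    $after = (Get-OrganizationConfig).CustomerLockBoxEnabled
    if (-not $after) {
        throw "Customer Lockbox is still disabled after Set-OrganizationConfig."
    }
    Write-Host "CustomerLockBoxEnabled after: $after (compliant)"
}
finally {
    # Always close the session, even when the remediation throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it as `.\Enable-CustomerLockbox.ps1 -AdminUpn admin@example.onmicrosoft.com` (file name and UPN are placeholders). The same Get-OrganizationConfig read is what an automated audit of this control would use, so the verification step doubles as the compliance check.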

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/files/3729