Here we will learn & understand the concept of Customer Lockbox in Power Platform Admin Center.
The majority of tasks conducted by Microsoft personnel, including support and troubleshooting, do not necessitate access to customer data. However, with the Power Platform Customer Lockbox, Microsoft offers its customers an interface to assess and authorize (or decline) requests for data access in the uncommon event that it becomes necessary. This feature is employed when a Microsoft engineer requires access to customer data, such as in response to a customer-generated support ticket or a Microsoft-identified issue.
This blog provides details of activating Customer Lockbox and outlines the initiation, tracking, and storage processes of lockbox requests for subsequent reviews and audits.
Why do we need Customer Lockbox in Power Platform?
Imagine your organization encounters an issue with the Microsoft Power Platform and submits a support request to Microsoft Support. Alternatively, Microsoft may proactively detect a problem, such as through a triggered proactive notification, leading to the initiation of a Microsoft-led event to investigate, mitigate, or address the underlying issue.
A Microsoft operator examines the support request or event and tries to troubleshoot the problem using standard tools and telemetry. If access to customer data is required for additional troubleshooting, the Microsoft engineer initiates an internal approval process for accessing customer data, regardless of whether the lockbox policy is enabled or not.
Furthermore, a lockbox request is generated when the respective data store is linked to an environment that is protected by an enabled lockbox policy. An email notification is dispatched to the assigned approvers, including Global administrators and Power Platform administrators, informing them of the pending data access request from Microsoft.
The Microsoft engineer cannot advance with their investigation until the customer approves the lockbox request. This may lead to delays in resolving the support ticket or extended periods of service disruption. It is essential to regularly check email notifications and/or lockbox requests in the Power Platform admin center and respond promptly to prevent any interruptions in service.
Below is the sample email generated by Power Platform Customer Lockbox for user approval.
Now, the designated approver logs in to the Power Platform admin center and gives approval to the request. If the request is declined or not approved within a four-day period, it expires, resulting in no access being provided to the Microsoft engineer.
Once the designated approver from your organization grants approval to the request, the Microsoft engineer acquires the elevated permissions requested initially and resolves your issue. Microsoft engineers are allotted a specific timeframe—8 hours—to address the problem, after which access is automatically revoked.
How to enable Customer Lockbox for your Platform?
Global administrators or Power Platform administrators can establish or modify the lockbox policy within the Power Platform admin center. Activating the tenant-level policy only affects environments that are activated for Managed Environments. The implementation of Customer Lockbox across all data sources and environments may require up to 24 hours.
- Log in to the Power Platform admin center with a Global admin or Power Platform admin role.
- Under the menu bar, navigate to Policies >> Customer Lockbox.
- Click on the button ‘Configure Customer Lockbox’ and enable the lockbox.
Review your Customer Lockbox request
You can find all of your Customer Lockbox requests on the same Policy page as shown above. Below are the details shown for each Customer Lockbox request, which is raised whenever Microsoft tries to access data from a data source.
|Support request ID|The ID of the support ticket associated with the lockbox request. If the request is a result of Microsoft-initiated internal alert, the value will be “Microsoft initiated”.|
| |The display name of the environment in which data access is being requested.|
| |The status of the lockbox request. Action needed: Pending approval from the customer. Expired: No approval received from the customer. Approved: Approved by the customer. Denied: Denied by the customer.|
| |The time at which the Microsoft engineer requested access to customer data in customer’s environment.|
| |The time by which the customer needs to approve the lockbox request. The status of the request will change to Expired if no approval is given by this time.|
| |The length of time the requestor wants to access customer data. This value is by default 8 hours and can’t be changed.|
| |If access is granted, this is the time until which the Microsoft engineer has access to customer data.|
After reviewing the details, you can either approve or deny the lockbox request as shown below.
It is important to note that Customer Lockbox requests raised in the past 28 days are displayed in the recent requests table above. Once a request is approved, it cannot be revoked for the entire duration of the access period of 8 hours.
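The request lifecycle described above (four-day approval window, fixed 8-hour access period, the four status values) can be modelled to triage requests before they lapse. This is an added example, not code from the original post or from Microsoft; the record fields, the 24-hour warning threshold and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

APPROVAL_WINDOW = timedelta(days=4)  # page: unanswered requests expire after four days
ACCESS_PERIOD = timedelta(hours=8)   # page: fixed access period, revoked automatically

@dataclass
class LockboxRequest:
    # Hypothetical record; field names are assumptions, not a Microsoft export schema.
    support_request_id: str
    environment: str
    requested: datetime
    decision: Optional[str] = None      # None, "approved" or "denied"
    decided: Optional[datetime] = None  # when the approver acted

def evaluate(req, now):
    """Return (status, deadline): approval deadline if pending, access expiry if approved."""
    request_expiration = req.requested + APPROVAL_WINDOW
    # A decision only counts if it was recorded before the request expired.
    in_time = req.decided is not None and req.decided <= request_expiration
    if req.decision == "denied" and in_time:
        return "Denied", None
    if req.decision == "approved" and in_time:
        return "Approved", req.decided + ACCESS_PERIOD
    if now > request_expiration:
        return "Expired", None
    return "Action needed", request_expiration

def triage(requests, now, warn_within=timedelta(hours=24)):
    """List pending requests close to expiry and approvals whose access is still open."""
    findings = []
    for req in requests:
        status, deadline = evaluate(req, now)
        if status == "Action needed" and deadline - now <= warn_within:
            findings.append((req.support_request_id, "approval deadline near", deadline))
        elif status == "Approved" and now < deadline:
            findings.append((req.support_request_id, "engineer access open", deadline))
    return findings

# Constructed sample data, not real tickets.
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE = [
    LockboxRequest("SR-0001", "Contoso Prod", datetime(2024, 3, 6, 18, 0)),
    LockboxRequest("Microsoft initiated", "Contoso Test", datetime(2024, 3, 10, 6, 0),
                   "approved", datetime(2024, 3, 10, 7, 0)),
    LockboxRequest("SR-0002", "Contoso Dev", datetime(2024, 3, 5, 9, 0)),
]
```

Calling `triage(SAMPLE, NOW)` reports the pending request that expires within a day and the approved request whose 8-hour access window is still open; the third request has already expired and is not listed.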
What are the licensing requirements for Customer Lockbox?
The enforcement of the Customer Lockbox policy is limited to environments activated for Managed Environments. Managed Environments are covered as an entitlement in standalone licenses for Power Apps, Power Automate, Power Virtual Agents, Power Pages, and Dynamics 365, providing premium usage rights.
Moreover, to access Customer Lockbox for Microsoft Power Platform and Dynamics 365, users in the environments where the Lockbox policy is applied must possess any of the following subscriptions.
- Microsoft 365 A5/E5/F5/G5 Information Protection and Governance
- Microsoft 365 or Office 365 A5/E5/G5
- Microsoft 365 A5/E5/F5/G5 Insider Risk Management
- Microsoft 365 A5/E5/F5/G5 Compliance
- Microsoft 365 F5 Security & Compliance
What are the scenarios when lockbox requests are excluded by Microsoft?
Customer Lockbox requests are not executed in the following scenarios.
- A Microsoft engineer accesses the underlying platform during troubleshooting and may inadvertently come into contact with customer data. Instances where this leads to access to substantial amounts of customer data are infrequent.
- Unforeseen situations that deviate from regular operating procedures, like a significant service disruption demanding prompt attention for recovery or restoration in unforeseen or unpredictable circumstances.
- Customer Lockbox requests are also not executed or triggered by external legal demands for data such as government requests.
In conclusion, the Power Platform Customer Lockbox serves as a robust safeguard mechanism, ensuring a heightened level of security and control over access to customer data within the Microsoft Power Platform and Dynamics 365 environments. By providing customers with the authority to review and approve data access requests, the lockbox feature empowers organizations to maintain a vigilant stance over their sensitive information. Although such access requests are rare, the lockbox policy offers an additional layer of protection, even in emergency scenarios. This proactive approach to data access not only aligns with stringent privacy standards but also underscores Microsoft’s commitment to fostering trust and transparency in its services.