Welcome to Creating a Customer Lockbox Request. In this lesson, I’ll walk you through the steps in the typical workflow that occurs when a Microsoft engineer is troubleshooting an issue that involves a Customer Lockbox request.

The workflow begins when someone in the organizations experiences an issue with a Microsoft 365 service. For example, let’s assume Sue experiences an issue with a Microsoft 365 mailbox. Typically, Sue would perform some of her own basic troubleshooting. If Sue can’t fix the issue, she opens a support request with Microsoft Support.

At this point, a Microsoft support engineer reviews the support request details and decides that they need to access the organization's tenant to fix whatever the issue is in Exchange Online.

So, in the next step in the workflow, the support engineer logs into the Customer Lockbox request tool, on the Microsoft side of things, and makes a data access request. This data access request includes the organization's tenant name, the service request number, and the estimated time the engineer will need access to the data.

Once the data access request is submitted, a Microsoft Support manager reviews the request and approves it. Once the Microsoft Support manager approves the request, Customer Lockbox sends an email notification to the designated approver at the organization:

At this point, the approver in the organization can sign into the Microsoft 365 admin center and approve the request. I should mention that anyone that is assigned the Customer Lockbox access approver admin role in Microsoft 365 can approve Customer Lockbox requests.

Once the request is approved by the organization’s approver, an audit record is created in the Microsoft 365 audit log. The Microsoft engineer then receives the approval message, logs into the tenant, and fixes whatever needs to be fixed. It should be noted that access is automatically revoked after the time frame that was approved in the request, whether the issue was fixed or not, so that’s something to keep an eye on.

I should also mention that if a request is rejected by the approver in the organization, or if the request isn’t approved within 12 hours, the request expires, and no access is granted to the Microsoft engineer.

So, that’s workflow process. To recap, the customer experiences a problem, and does a bit of their own troubleshooting. They then open a ticket with Microsoft. The responding engineer makes a data access request using the Customer Lockbox tool, and then a support manager at Microsoft approves it. The customer then receives an email and approves the request on their side. At this point, the engineer signs into the tenant, and fixes the problem. Access is then removed.