Creating a Customer Lockbox Request
Start course

In this course, you will gain an understanding of what Customer Lockbox is, what it offers, and how it’s used.  

Learning Objectives

  • What Customer Lockbox is and what it’s used for as well as what licensing is required for using Lockbox
  • How to enable Customer Lockbox, how to create Customer Lockbox requests, and how to manage those requests
  • What goes into auditing Customer Lockbox requests

Intended Audience

This course is intended for those who wish to learn about Customer Lockbox. 


A general familiarity with the Microsoft 365 Admin Portal.



Welcome to Creating a Customer Lockbox Request. In this lesson, I’ll walk you through the steps in the typical workflow that occurs when a Microsoft engineer is troubleshooting an issue that involves a Customer Lockbox request.

The workflow begins when someone in the organizations experiences an issue with a Microsoft 365 service. For example, let’s assume Sue experiences an issue with a Microsoft 365 mailbox. Typically, Sue would perform some of her own basic troubleshooting. If Sue can’t fix the issue, she opens a support request with Microsoft Support.

At this point, a Microsoft support engineer reviews the support request details and decides that they need to access the organization's tenant to fix whatever the issue is in Exchange Online.

So, in the next step in the workflow, the support engineer logs into the Customer Lockbox request tool, on the Microsoft side of things, and makes a data access request. This data access request includes the organization's tenant name, the service request number, and the estimated time the engineer will need access to the data.

Once the data access request is submitted, a Microsoft Support manager reviews the request and approves it. Once the Microsoft Support manager approves the request, Customer Lockbox sends an email notification to the designated approver at the organization:

At this point, the approver in the organization can sign into the Microsoft 365 admin center and approve the request. I should mention that anyone that is assigned the Customer Lockbox access approver admin role in Microsoft 365 can approve Customer Lockbox requests.

Once the request is approved by the organization’s approver, an audit record is created in the Microsoft 365 audit log. The Microsoft engineer then receives the approval message, logs into the tenant, and fixes whatever needs to be fixed. It should be noted that access is automatically revoked after the time frame that was approved in the request, whether the issue was fixed or not, so that’s something to keep an eye on.

I should also mention that if a request is rejected by the approver in the organization, or if the request isn’t approved within 12 hours, the request expires, and no access is granted to the Microsoft engineer.

So, that’s workflow process. To recap, the customer experiences a problem, and does a bit of their own troubleshooting. They then open a ticket with Microsoft. The responding engineer makes a data access request using the Customer Lockbox tool, and then a support manager at Microsoft approves it. The customer then receives an email and approves the request on their side. At this point, the engineer signs into the tenant, and fixes the problem. Access is then removed.


About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.