Moving data to the cloud is, for many people, still a big deal. One of the most common concerns is over who has access to your data when it’s in the cloud. In this post, I’ll explain what Office 365 Customer Lockbox is, and how it can help address that concern.

Office 365 Security

Your data is in very safe hands in Office 365. Microsoft prides itself on its industry accreditations, leading position on cloud security and protecting customer data, and invests heavily in R&D to ensure it is staying one step ahead in keeping your data safe online.

It’s not unrealistic to say that for small businesses and their technology partners achieving this level of investment, security, and scale by building these services themselves is all but impossible. If nothing else, it’s too expensive.


Having a solid process for managing access to customer data is essential when you’re running a cloud service. For this reason, Microsoft adopts a lockbox method to restrict access to customer data for engineers. This access is just in time, and just enough.


An engineer must submit a request along with a clear justification to the Lockbox system at which point a Microsoft manager must approve or reject access before any further action can be taken. It means that nobody - not even Microsoft - gets unfettered access without audit or accountability.

If Office 365 is so secure, why do I need Customer Lockbox?

I speak to lots of customers and partners. I’m always amazed at the variation in understanding there is about Customer Lockbox and what it does. Usually, the conversation starts off trying to evaluate it against the security of the service and that’s where it all goes wrong… Customer Lockbox doesn’t make Office 365 more secure. Instead, it helps to think about some common pain points…


Generally, customers want to ensure that there’s as much transparency over access to their data. Privacy is a huge concern in all our lives and anything we can do to limit unnecessary access to data is only a good thing.


When you are using a cloud service there’s an implication that at some point someone other than you is going to need access to your data. Most likely, this will be to address a support request. There’s already no standing access to customer data in Office 365, but wouldn’t it be great if you could ensure that even when you need help from a support engineer there’s no access without your explicit approval?


In the case of a support request, customers want to ensure that any access to their data is logged and audited.

Office 365 Customer Lockbox

Office 365 Customer Lockbox introduces an additional step in the process of providing access to your data to those who have a legitimate request.


This flow shows how it works from creating a support request, to an engineer being granted access to a customer’s data. Now there are two stages of approval that must be completed: first from a Microsoft manager, and then from the customer. If the customer doesn’t respond, respond in time, or declines the request then no access is granted. It’s this customer approval step that is what we refer to as Office 365 Customer Lockbox.

By approving access, you are granting an engineer just enough access, just in time to support you.

All access is audited and available via the Office 365 Management Activity logs.

Video Overview of Office 365 Customer Lockbox

Take a look at this video from the Microsoft Mechanics team that covers an overview of how Customer Lockbox works, and how to activate it.


Office 365 is a very secure productivity platform, and privacy is foremost in the minds of many customers. Office 365 Customer Lockbox introduces a step in the approval process beyond the regular Lockbox process to gain access to a customer’s data that requires the customer to explicitly approve or reject access on a case by case basis. It is available as part of Office 365 Enterprise E5, and supplements the existing rigorous processes that Microsoft adheres to when providing cloud services.