1.3.6 Ensure the customer lockbox feature is enabled

Information

Customer Lockbox is a security feature that provides an additional layer of control and transparency over customer data in Microsoft 365. It requires Microsoft support personnel to obtain explicit approval before accessing organization data and creates an audit trail of those requests to meet compliance requirements.

Rationale:

Enabling this feature protects organizational data against data spillage and exfiltration.

Impact:

Administrators will need to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting.

Solution

To enable the Customer Lockbox feature:

Navigate to Microsoft 365 admin center https://admin.microsoft.com.

Click to expand Settings, then select Org settings.

Select the Security & privacy tab.

Click Customer lockbox.

Check the box Require approval for all data access requests.

Click Save.

To set the Customer Lockbox feature to enabled using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

Set-OrganizationConfig -CustomerLockBoxEnabled $true
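The following PowerShell function is an added example, not part of the benchmark or Tenable audit text: it reads the current CustomerLockBoxEnabled value with Get-OrganizationConfig, reports PASS/FAIL for this control, and applies the Set-OrganizationConfig remediation above only when asked. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Administrator role.

```powershell
# Added example (not from the CIS benchmark or Tenable): audit, and optionally
# remediate, the Customer Lockbox setting through Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the caller has
# Exchange Administrator (or Global Administrator) rights in the tenant.
function Test-CustomerLockbox {
    [CmdletBinding()]
    param(
        # When set, enables Customer Lockbox if the audit finds it disabled.
        [switch]$Remediate
    )

    # Interactive sign-in; -ShowBanner:$false keeps scripted output clean.
    Connect-ExchangeOnline -ShowBanner:$false

    try {
        $config  = Get-OrganizationConfig
        $enabled = [bool]$config.CustomerLockBoxEnabled

        if (-not $enabled -and $Remediate) {
            # Same remediation command as in the Solution section.
            Set-OrganizationConfig -CustomerLockBoxEnabled $true
            # Re-read so the report reflects the post-change state.
            $enabled = [bool](Get-OrganizationConfig).CustomerLockBoxEnabled
        }

        # Emit an object so the result can be exported or piped elsewhere.
        [pscustomobject]@{
            Control   = '1.3.6 Ensure the customer lockbox feature is enabled'
            Tenant    = $config.Name
            Enabled   = $enabled
            Status    = if ($enabled) { 'PASS' } else { 'FAIL' }
            CheckedAt = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Audit only:
Test-CustomerLockbox
# Audit and enable the feature if it is disabled:
# Test-CustomerLockbox -Remediate
```

Run the audit-only form first and keep the emitted object as evidence; a FAIL after -Remediate means the Set-OrganizationConfig call did not take effect and should be investigated before the control is marked compliant.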

Default Value:

Require approval for all data access requests - Unchecked

CustomerLockboxEnabled - False

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: d74672d149b6e0a55ce1b72f092b8cddf41937d0fa6f5a11a8b5fc05a65d749b