Skip to main content

Announcing Customer Lockbox for Office 365

Editor’s note 10/7/2015
The FAQs have been updated to provide more clarification.

Editor’s note 8/5/2015
The FAQs have been updated with Customer Lockbox purchase information.

This post was written by Vijay Kumar, senior product marketing manager, and Raji Dani, principal program manager for the Office 365 Security team.

As a cloud services provider, we recognize that organizations understandably want to have full control over access to their content stored in cloud services. Today at RSA, we announced Customer Lockbox for Office 365, a new capability designed to provide customers with unprecedented control over their content in the service. Customer Lockbox gives customers explicit control in the very rare instances when a Microsoft engineer may need access to customer content to resolve a customer issue.

In our efforts to maximize data security and privacy for Office 365 customers, we have engineered the service to require nearly zero interaction with customer content by Microsoft employees.  Nearly all service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content. As a result, only in rare cases—such as when troubleshooting a customer issue with mailbox or document contents—does a Microsoft engineer have any reason to access customer content in Office 365.

Microsoft Engineers do not have standing access to any service operation.  All access is obtained through a rigorous access control technology called Lockbox. Today, Lockbox enforces access control through multiple levels of approval within Microsoft, providing just-in-time access with  limited and time-bound authorization. In addition, all access control activities in the service are logged and audited.

With today’s announcement, we are bringing customers into the Lockbox approval process for instances involving access to customer content. Use of the Customer Lockbox feature ensures that Microsoft engineer does not get access to the customer’s content without customer’s explicit approval. When the customer gets the request for access, they can scrutinize the request and either approve or reject it. Until the request is approved, the Microsoft engineer will not be granted access.

Announcing Customer Lockbox for Office 365 1

Of course transparency and control are important in achieving trust, and all Customer Lockbox activity will be available to customers via the Office 365 Management Activity logs for easy integration into customer security monitoring and reporting systems.

Customer Lockbox will be available for Exchange Online by the end of 2015, and for SharePoint Online by the first quarter of 2016.

For more information about our trust principles and how we manage security, privacy and compliance, please visit the Office 365 trust center.

Frequently asked questions

Q. Who is notified when there is a request to access a customer’s content?

A. Administrators in the customer’s Office 365 environment are notified via email that there is a request for access. The Office 365 Admin Center portal will also display requests that have been submitted to the customer for approval.

Q. Who can approve or reject these requests in a customer’s organization?

A. Administrators in the customer’s Office 365 environment can approve or reject Customer Lockbox requests.

Q. Under what circumstances do Microsoft engineers need access to customer’s content?

A. No one at Microsoft has standing access to customer content in Office 365. Furthermore, Office 365 services are being engineered so that people performing service operations never have access to customer content. Therefore, we believe that the only scenario where a Microsoft engineer will need to access customer content is when the customer asks us to do so.

Q. What happens if a customer rejects the Microsoft engineer’s access to content?

A. Microsoft can only proceed following approval of a Customer Lockbox request. If a customer rejects a Customer Lockbox request, no access to customer content will occur. If a user was experiencing a service issue that required Microsoft to access customer content in order to resolve (though such circumstances are expected to be extremely rare), then the service issue might simply persist. Microsoft would inform the customer of this outcome.

Q. What happens to a Customer Lockbox request that was not acted upon by the customer in a timely manner?

A. Customer Lockbox requests have a default lifetime of 12 hours, after which they expire. Expired requests do not result in access to customer content.

Q. How do I purchase Customer Lockbox for Office 365?

A. Customer Lockbox for Office 365 will be available as part of a new premium Office 365 Enterprise Suite called E5. More information on E5 can be found here.

You may also like these articles

Image for: Manufacturing business owner wearing a mask and reviewing schedule in Shifts within Microsoft Teams.

Upcoming commercial preview of Microsoft Office LTSC

At Microsoft, we believe that the cloud will power the work of the future. Overwhelmingly, our customers are choosing the cloud to empower their people—from frontline workers on the shop floor, to on-the-go sales teams, to remote employees connecting from home. We’ve seen incredible cloud adoption across every industry, and we will continue to invest…

Image for: Female enterprise employee working remotely from her home office, chatting with a headset on.

How partners are fueling growth and innovation on Microsoft Teams

Teams not only enables you to meet, chat, call, and collaborate with your team, but it also serves as a platform that brings together the apps and workflows that help you get your work done.

Image for: image of a woman standing over a desk at home, looking down at her laptop

The evolution of mobile productivity, even when we’re a little less mobile

What’s the one essential you’d go back home for if forgotten? Maybe it’s your mask. But also, your mobile phone, right? Your personal organizer, your digital wallet, your instant camera—your mobile device has become the most essential tool you use to stay connected to the people and things that are important at home, at the office,…