Microsoft Entra ID · Security & Compliance

Customer LockBox Access Approver

Can approve Microsoft support requests to access customer organizational data. Critical for controlling Microsoft engineer access.

Scope: Control over Microsoft support engineer access to tenant data

Permissions

  • Approve Customer Lockbox requests
  • Deny Customer Lockbox requests
  • View pending Lockbox requests
  • Turn Customer Lockbox feature on/off
  • Receive Lockbox request notifications

Common use cases

  • Approving Microsoft support access
  • Reviewing support request justifications
  • Maintaining audit trail of access approvals
  • Controlling data sovereignty
  • Compliance with data access policies

Best practices

  • Review each request carefully
  • Verify support case context
  • Document approval decisions
  • Set up notification alerts
  • Have backup approvers available

Security considerations

  • This is a PRIVILEGED role - controls external access
  • Microsoft engineers cannot access data without approval
  • Audit all approval decisions
  • Critical for regulated industries
  • Consider 24/7 approver availability

Common questions

When should I assign the Customer LockBox Access Approver role?

Assign Customer LockBox Access Approver when you need to: Approving Microsoft support access; Reviewing support request justifications; Maintaining audit trail of access approvals; Controlling data sovereignty; and Compliance with data access policies. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Customer LockBox Access Approver role do?

The Customer LockBox Access Approver role grants permissions including: Approve Customer Lockbox requests; Deny Customer Lockbox requests; View pending Lockbox requests; Turn Customer Lockbox feature on/off; and Receive Lockbox request notifications. See the Permissions section above for the full list.

What are the security risks of the Customer LockBox Access Approver role?

Key considerations when assigning Customer LockBox Access Approver: This is a PRIVILEGED role - controls external access; Microsoft engineers cannot access data without approval; Audit all approval decisions; and Critical for regulated industries. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →