Microsoft Entra ID · Security & Compliance
Customer LockBox Access Approver
Can approve Microsoft support requests to access customer organizational data. Critical for controlling Microsoft engineer access.
Scope: Control over Microsoft support engineer access to tenant data
Permissions
- Approve Customer Lockbox requests
- Deny Customer Lockbox requests
- View pending Lockbox requests
- Turn Customer Lockbox feature on/off
- Receive Lockbox request notifications
Common use cases
- Approving Microsoft support access
- Reviewing support request justifications
- Maintaining audit trail of access approvals
- Controlling data sovereignty
- Compliance with data access policies
Best practices
- Review each request carefully
- Verify support case context
- Document approval decisions
- Set up notification alerts
- Have backup approvers available
Security considerations
- This is a PRIVILEGED role - controls external access
- Microsoft engineers cannot access data without approval
- Audit all approval decisions
- Critical for regulated industries
- Consider 24/7 approver availability
Common questions
When should I assign the Customer LockBox Access Approver role?
Assign Customer LockBox Access Approver when you need to: Approving Microsoft support access; Reviewing support request justifications; Maintaining audit trail of access approvals; Controlling data sovereignty; and Compliance with data access policies. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Customer LockBox Access Approver role do?
The Customer LockBox Access Approver role grants permissions including: Approve Customer Lockbox requests; Deny Customer Lockbox requests; View pending Lockbox requests; Turn Customer Lockbox feature on/off; and Receive Lockbox request notifications. See the Permissions section above for the full list.
What are the security risks of the Customer LockBox Access Approver role?
Key considerations when assigning Customer LockBox Access Approver: This is a PRIVILEGED role - controls external access; Microsoft engineers cannot access data without approval; Audit all approval decisions; and Critical for regulated industries. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.