Posey's Tips & Tricks

Microsoft Teams' Upcoming Lockbox Feature Is Big News

The new security benefits will be much appreciated for us who live in Microsoft's communication platform more and more these days.

Over the last two years Microsoft Teams has seen an enormous gain in popularity. Even before the pandemic began, Microsoft was hard at work trying to make Teams the go to platform for collaboration. Ever since 2020 however, Microsoft Teams has become an indispensable tool for countless businesses. As such, it is hardly surprising that Microsoft is currently working to bring Teams in line with the rest of the Microsoft 365 suite with regard to security and compliance. One of the most underrated improvements that will be rolling out the spring is the introduction of a customer lockbox feature.

The customer lockbox is not unique to Teams. It has been a part of Exchange Online, SharePoint Online and OneDrive for Business for quite some time.

If you’re not familiar with the customer lockbox, it is safeguard mechanism that is meant to keep your data private during support calls.

Those who have worked in IT for a long time will no doubt remember the way that Microsoft support calls used to be handled. When an organization needed support with Exchange Server or another Microsoft server product, it would place a phone call to the Microsoft support department. A support engineer would then guide the organization’s IT staff through the troubleshooting process over the phone.

The thing that made this type of support so different from what we have today was that the Microsoft engineer didn't have the ability to access the system that they were troubleshooting. Typically, the engineer would tell the organization’s IT staff what to click or what to type, and then those people would have to tell the support engineer what they saw on screen.

As someone who worked through a large number of these types of support calls back in the day, I can tell you from firsthand experience that resolving a complex technical issue was a grueling process. It was not unusual for support calls to last for several hours, with some lasting even longer. As ponderous (and sometimes frustrating) as these calls might have been, there was an upside. Data privacy was never an issue because the support engineer was unable to see anything on your system.

Today, things are different. Microsoft engineers commonly use remote access as a troubleshooting tool. This means that anyone contacting Microsoft for support has to consider what might be revealed to the support engineer over the course of the troubleshooting process. Even if the IT staff assumes that the support engineer is trustworthy and won’t do anything nefarious with any data that they might have seen, organizations have to consider government regulations on data privacy. HIPAA regulations, for example, expressly prohibit the disclosure of electronic protected health information if that data is personally identifiable.

This is where the customer lockbox comes into play. The customer lockbox acts as a barrier that prevents a support engineer at Microsoft from being able to access any data during a support call. As previously noted, some of the other Microsoft 365 applications have included a customer lockbox for quite some time, but the customer lockbox will be new to Teams.

This raises the question of what happens if the support issue is directly related to data and the Microsoft engineer needs to be able to access data in order to complete the troubleshooting process?

In these types of situations, there is a way for a Microsoft engineer to gain limited access to an organization’s data. However, the customer lockbox ensures that data access is performed in a very limited and transparent way.

When the Microsoft support engineer realizes that they need access to data, then the support engineer must submit a request to their manager. This request specifies which tenant’s data needs to be accessed and how long the engineer expects to need that access. The support engineer must also presumably submit justification for the request.

At that point, the engineer's manager signs off on the request and that causes the customer lockbox to send the organization’s tenant administrator an e-mail containing a copy of the access request. The organization can then either grant or deny the access request. Requests that are not acted on within twelve hours are treated as denials, and automatically expire. In either case, the customer lockbox creates an audit log entry, which may be useful for compliance purposes. Assuming that the organization grants access to the support engineer, the engineer will have access to the data for the time period specified in the request, regardless of whether or not the issue is resolved within that time. After that, data access is automatically revoked. If additional access is needed then the support engineer will have to initiate a new request.

About the Author

Brien Posey is a 21-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus