Were you aware that administrators can create lockbox policies in the Power Platform admin center, enabling the restriction of data access for Microsoft support engineers?
What Lockbox is and how it protects the data:
Consider that your organization’s Power Platform or Dynamics 365 application is live. Let’s explore the following use case to understand the lockbox policy.
- Your organization has an issue with Power Platform and opens a support request with Microsoft Support.
- A Microsoft operator reviews the support request/event and attempts to troubleshoot the issue. If access to customer data is needed for further troubleshooting, a Microsoft engineer triggers an internal approval process for access to customer data, regardless of whether the lockbox policy is enabled.
- In addition, a lockbox request is generated if the respective data store is associated with an environment that is protected by the lockbox policy.
- An email notification is sent to the designated approvers (Global administrators and Power Platform administrators) about the pending data access request from Microsoft.
- If the lockbox policy is enabled, the Microsoft engineer won’t be able to proceed with their investigation until the lockbox request is approved by the customer.
Enable the lockbox policy:
Global administrators or Power Platform administrators can create or update the lockbox policy in the Power Platform admin center.
The tenant-level policy, once enabled, applies only to environments that are activated for Managed Environments.
- Sign in to the Power Platform admin center.
- Use the Tenant settings page to review and manage tenant-level settings. To view tenant-level settings, select the Gear icon in the upper-right corner of the Power Platform site and select Power Platform settings > Settings > Tenant settings in the left-side navigation pane.
- Set Customer Lockbox to Enable.

Review a lockbox request:
- Sign in to the Power Platform admin center.
- Select Policies > Customer Lockbox.
- Review the request details.
- Select a lockbox request, and then select Approve or Deny.

- The lockbox requests that have occurred in the past 28 days are displayed in the Recent table.
- Once a request is approved, it cannot be revoked for the entire duration of the access period of 8 hours.
Key Points:
- Customer Lockbox policy will be enforced only on environments that are activated for Managed Environments.
- Features powered by Azure OpenAI Service are excluded from Lockbox policy enforcement unless product documentation for a given feature states that Lockbox applies.
- If the lockbox request is rejected or not approved within four days, it expires, and no access is granted to the Microsoft engineer.
Refer to this docs page for more details.
🙂
