CIS.M365.1.3.6 - (L2) Ensure the customer lockbox feature is enabled
Overview
1.3.6 (L2) Ensure the customer lockbox feature is enabled
Customer Lockbox is a security feature that provides an additional layer of control and transparency to customer data in Microsoft 365. It offers an approval process for Microsoft support personnel to access organization data and creates an audited trail to meet compliance requirements.
Rationale
Enabling this feature protects organizational data against data spillage and exfiltration.
Impact
Administrators will need to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting.
Remediation action:
To enable the Customer Lockbox feature:
- Navigate to Microsoft 365 admin center https://admin.microsoft.com.
- Click to expand Settings then select Org settings.
- Select Security & privacy tab.
- Click Customer lockbox.
- Check the box Require approval for all data access requests.
- Click Save.
PowerShell
- Connect to Exchange Online using `Connect-ExchangeOnline`.
- Run the following PowerShell command:

```powershell
Set-OrganizationConfig -CustomerLockBoxEnabled $true
```
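The remediation above flips one organization-level property; the helper below, added here as an example and not part of the Maester project or the CIS benchmark, audits that property with `Get-OrganizationConfig`, optionally applies the fix, and re-reads the value afterwards. It assumes an Exchange Online session already opened with `Connect-ExchangeOnline`; the function name `Test-CustomerLockboxSetting` is made up.

```powershell
# Added example: audit (and optionally fix) the Customer Lockbox setting.
# Assumes Connect-ExchangeOnline has already been run in this session.
function Test-CustomerLockboxSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, enable the feature if the audit fails.
        [switch]$Remediate
    )

    # CustomerLockBoxEnabled is the property behind the admin-center checkbox
    # "Require approval for all data access requests".
    $config  = Get-OrganizationConfig
    $enabled = [bool]$config.CustomerLockBoxEnabled

    if (-not $enabled -and $Remediate) {
        if ($PSCmdlet.ShouldProcess($config.Name, 'Enable Customer Lockbox')) {
            Set-OrganizationConfig -CustomerLockBoxEnabled $true
            # Re-read the setting instead of trusting that the Set call took effect.
            $enabled = [bool](Get-OrganizationConfig).CustomerLockBoxEnabled
        }
    }

    [pscustomobject]@{
        TestId  = 'CIS.M365.1.3.6'
        Tenant  = $config.Name
        Enabled = $enabled
        Result  = $(if ($enabled) { 'Pass' } else { 'Fail' })
    }
}

# Audit only:
Test-CustomerLockboxSetting
# Preview the remediation without changing anything, then apply it for real:
Test-CustomerLockboxSetting -Remediate -WhatIf
Test-CustomerLockboxSetting -Remediate
```

Because `Set-OrganizationConfig` changes tenant-wide configuration, the `-WhatIf` dry run is worth keeping in any change-management workflow built on this.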
Related links
- Microsoft 365 Admin Center
- Turn Customer Lockbox requests on or off
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 61
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.1.3.6 |
| Severity | High |
| Suite | CIS |
| Category | CIS E5 Level 2 |
| PowerShell test | Test-MtCisCustomerLockBox |
| Tags | CIS, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.1.3.6, L2 |
Source
- Pester test: tests/cis/Test-MtCisCustomerLockBox.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisCustomerLockBox.ps1