Microsoft Copilot Customer Lockbox vs Service Lockbox: Differences

Microsoft 365 administrators often need to decide between Customer Lockbox and Service Lockbox when managing data access for Copilot. Both features control how Microsoft engineers can access tenant data, but they serve different purposes and apply to different scenarios. Customer Lockbox gives you explicit approval control over any engineer access to your content. Service Lockbox restricts access during automated support operations. This article explains the functional differences, configuration steps, and when to use each lockbox type.

Key Takeaways: Customer Lockbox vs Service Lockbox for Copilot

  • Microsoft 365 admin center > Settings > Org Settings > Customer Lockbox: Use this to require administrator approval before Microsoft engineers access tenant data for support cases.
  • Microsoft 365 admin center > Settings > Org Settings > Service Lockbox: Use this to block Microsoft from accessing tenant data during automated diagnostic or maintenance operations.
  • Copilot data processing scope: Customer Lockbox covers all Copilot-related content stored in Exchange Online, SharePoint Online, and OneDrive for Business. Service Lockbox covers Copilot metadata and logs.

Customer Lockbox and Service Lockbox: Core Concepts

Both lockbox features are part of Microsoft’s data protection suite for Microsoft 365. They control when and how Microsoft engineers can access tenant data. The key difference lies in the trigger for access.

Customer Lockbox

Customer Lockbox applies when a Microsoft support engineer needs to access your tenant content to resolve a support ticket. The engineer submits an access request through the Microsoft 365 admin center. A designated approver in your organization must approve the request within 12 hours. If no approval is given, access is denied. This feature covers content in Exchange Online, SharePoint Online, OneDrive for Business, and Teams, including all data that Copilot processes through Microsoft Graph.

Service Lockbox

Service Lockbox applies when automated Microsoft systems need to access tenant data for diagnostic or maintenance operations. These operations include log collection, performance monitoring, and system updates. Service Lockbox blocks the automated access until an administrator in your tenant explicitly approves it. This feature covers metadata, diagnostic logs, and system-generated data related to Copilot operations.

Steps to Configure Customer Lockbox and Service Lockbox

Configuration requires Global Administrator permissions in Microsoft 365. Each lockbox is enabled separately, using the steps below.

Enable Customer Lockbox

  1. Open the Microsoft 365 admin center
    Go to https://admin.microsoft.com and sign in with a Global Administrator account.
  2. Navigate to Org Settings
    Select Settings in the left navigation, then choose Org Settings.
  3. Select Customer Lockbox
    In the Services tab, locate and select Customer Lockbox. If you do not see it, your license may not include this feature.
  4. Enable Customer Lockbox
    Toggle the switch to On. Optionally, you can add up to 10 approvers by entering their email addresses in the designated field.
  5. Confirm the setting
    Select Save to apply the change. The setting takes effect immediately.

Enable Service Lockbox

  1. Open the Microsoft 365 admin center
    Go to https://admin.microsoft.com and sign in with a Global Administrator account.
  2. Navigate to Org Settings
    Select Settings in the left navigation, then choose Org Settings.
  3. Select Service Lockbox
    In the Services tab, locate and select Service Lockbox. This option appears only if your tenant has the appropriate license.
  4. Enable Service Lockbox
    Toggle the switch to On. No additional approver configuration is needed because Service Lockbox uses the same approval process as Customer Lockbox.
  5. Confirm the setting
    Select Save to apply the change. The setting takes effect immediately.

Common Misconceptions and Limitations

Customer Lockbox does not cover all Copilot data

Customer Lockbox covers only user-generated content stored in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. Copilot interaction logs, prompt history, and AI-generated drafts stored outside these workloads are not covered. For full coverage, enable Service Lockbox as well.

Service Lockbox does not block all automated access

Service Lockbox blocks automated access only for diagnostic and maintenance operations initiated by Microsoft systems. It does not block access required for security incidents, legal compliance, or emergency fixes. Microsoft may override Service Lockbox in those cases with internal approval.

Both lockboxes require specific licenses

Customer Lockbox is available in Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Information Protection and Governance. Service Lockbox is available in Microsoft 365 E5 and Microsoft 365 E5 Compliance. Copilot Pro users do not have access to either lockbox.

Approval timeouts can cause service delays

If an approver does not respond within 12 hours for Customer Lockbox or 8 hours for Service Lockbox, the access request expires and the engineer or system cannot proceed. This can delay support ticket resolution or system updates. Assign multiple approvers to reduce the risk of timeout.

| Item | Customer Lockbox | Service Lockbox |
|---|---|---|
| Description | Controls engineer access for support tickets | Controls automated system access for diagnostics |
| Trigger | Microsoft support engineer submits a request | Automated system initiates diagnostic or maintenance operation |
| Approval required | Yes, by designated approver within 12 hours | Yes, by designated approver within 8 hours |
| Data covered | User content in Exchange, SharePoint, OneDrive, Teams | Metadata, diagnostic logs, system-generated data |
| License required | Microsoft 365 E5, E5 Compliance, E5 Information Protection | Microsoft 365 E5, E5 Compliance |
| Override capability | No override by Microsoft | Microsoft can override for security or legal reasons |

Both lockbox features provide a clear audit trail in the Microsoft 365 compliance portal. You can review access requests, approvals, and denials in the Audit log. Enable both lockboxes to achieve the strongest data access control for Copilot in your tenant.
