Microsoft Copilot and Customer Lockbox: How It Affects Access

Microsoft Copilot integrates deeply with Microsoft 365 services, which means it can process data from Exchange Online, SharePoint, and Teams. Customer Lockbox is a compliance feature that controls Microsoft engineer access to your tenant data during support requests. When both features are enabled together, confusion arises about whether Copilot can operate normally or if its data access is blocked. This article explains how Customer Lockbox interacts with Copilot, what data access is affected, and how to configure both tools to work together without compliance gaps.

Key Takeaways: Copilot and Customer Lockbox — What You Need to Know

  • Customer Lockbox approvals: Copilot does not trigger a Lockbox request because Copilot operates under your tenant’s existing data access policies.
  • Microsoft engineer access: Lockbox controls only human engineer access, not automated service operations like Copilot queries.
  • Copilot data sources: Copilot uses Microsoft Graph data from your tenant; Lockbox does not block this automated access.

What Customer Lockbox Controls — and What It Does Not

Customer Lockbox is a compliance tool in Microsoft 365 that requires explicit approval before a Microsoft engineer can access your tenant data for support or troubleshooting. It applies only to scenarios where a human engineer needs to view content in Exchange Online, SharePoint Online, or OneDrive for Business. The Lockbox request is sent to a designated approver in your organization, and the engineer is denied access until approval is granted.

Copilot does not use human engineers to process data. When you ask Copilot a question in Word, Outlook, or Teams, the response is generated by AI models running in Microsoft’s cloud infrastructure. These models query the Microsoft Graph, which indexes your tenant’s data. This automated data retrieval is not subject to Customer Lockbox because no human engineer is involved. The Lockbox policy applies only to manual access by Microsoft support staff, not to automated service operations.

Why Administrators Sometimes Confuse the Two

The confusion arises because both features involve data access. Customer Lockbox controls who can look at your files. Copilot reads your files to generate answers. An administrator might see Copilot accessing SharePoint documents and assume that a Lockbox request should be generated. In reality, Copilot is a service that runs under your tenant’s data access permissions, which are granted by the user who asks the question. No Microsoft engineer sees the data during a Copilot query.

How Copilot Accesses Tenant Data Without Triggering Lockbox

When a user sends a prompt to Copilot, the request goes through the Microsoft Graph. The Graph checks the user’s permissions and returns only the data that user is authorized to see. This process is automated and runs on Microsoft’s server infrastructure. The data is processed in memory, used to generate the response, and then discarded. No human engineer views the data at any point.

Customer Lockbox applies only to cases where a Microsoft engineer initiates a support session and requests access to a specific mailbox, site, or file. This is a manual action that requires an explicit approval workflow. Copilot never initiates a support session, and it never requests engineer-level access. Therefore, Copilot queries do not generate Lockbox requests and are not blocked by Lockbox policies.

What Happens If Lockbox Is Enabled and Copilot Is Also Enabled

Both features can run simultaneously without interference. Lockbox remains active for support scenarios. Copilot continues to operate normally for all authorized users. The only scenario where Lockbox might appear to affect Copilot is if an administrator mistakenly believes that Copilot is blocked and disables the Copilot service. This is not necessary and can be avoided by understanding the separation between automated service access and human engineer access.

Configuring Customer Lockbox for Copilot Environments

No special configuration is required to make Copilot work with Customer Lockbox. However, administrators should verify that their Lockbox approval process is not overly restrictive. If your organization requires Lockbox approval for every support case, you can continue using that process. Copilot will not be affected. The only change you might consider is creating a clear internal policy that explains when Lockbox applies and when it does not.

  1. Open the Microsoft 365 admin center
    Go to Settings > Org settings > Security & privacy > Customer Lockbox. Verify that the Lockbox feature is enabled if you want to control engineer access.
  2. Review Lockbox approvers
    Under the Customer Lockbox settings, check the list of approved users who can grant or deny access requests. Add or remove users as needed.
  3. Test Copilot with a standard user
    Sign in as a user who has a Copilot license and the appropriate Microsoft 365 permissions. Ask Copilot a question about a document in SharePoint. Confirm that the response is generated without any Lockbox notification.
  4. Review audit logs
    In the Microsoft 365 compliance portal, go to Audit > Search. Look for events related to Copilot queries. You will see that no Lockbox approval events are generated for Copilot activity.
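
The same verification can be run from Exchange Online PowerShell. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module is installed and the signed-in account can search the audit log, and the 30-day window and variable names are arbitrary choices.

```powershell
# Added example: compare Copilot audit activity with Customer Lockbox audit activity.
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-30)   # assumed review window

# Step 1 of the procedure: is Customer Lockbox enabled for the tenant?
$lockboxEnabled = (Get-OrganizationConfig).CustomerLockBoxEnabled

# Copilot prompts and responses are audited under the CopilotInteraction operation.
# -ResultSize caps one call at 5000 rows; narrow the window if the count hits the cap.
$copilot = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'CopilotInteraction' -ResultSize 5000)

# Approve/deny decisions on Lockbox requests are audited under this operation.
$lockbox = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 5000)

# Actions taken by a Microsoft engineer after an approved request are logged
# under the user name "Microsoft Operator".
$operator = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds 'Microsoft Operator' -ResultSize 5000)

# Copilot events attributed to the engineer identity; the article's claim is
# that this set is empty because Copilot runs under the prompting user.
$copilotAsOperator = @($copilot | Where-Object { $_.UserIds -eq 'Microsoft Operator' })

[pscustomobject]@{
    WindowStart              = $start
    WindowEnd                = $end
    LockboxEnabled           = $lockboxEnabled
    CopilotInteractions      = $copilot.Count
    LockboxDecisions         = $lockbox.Count
    MicrosoftOperatorActions = $operator.Count
    CopilotAsOperator        = $copilotAsOperator.Count
} | Format-List

# Which tenant users generated the Copilot activity (top 10 by event count).
$copilot | Group-Object UserIds | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# Lockbox decisions, for matching against open support cases.
$lockbox | Select-Object CreationDate, UserIds, Operations | Sort-Object CreationDate
```

A window with many Copilot interactions and zero Lockbox decisions is the expected result when no support case needed engineer access; any Lockbox decision that does appear should map to a support case, not to Copilot usage.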

If Copilot and Lockbox Appear to Conflict

Copilot Returns an Error About Data Access Being Blocked

If a user receives an error that Copilot cannot access data, the cause is almost always a permissions issue, not a Lockbox block. Check the user’s SharePoint or Exchange permissions. The user must have at least read access to the content they are querying. Customer Lockbox does not block automated access, so a permissions audit is the correct first step.

An Administrator Receives a Lockbox Request for Copilot Activity

This scenario cannot occur because Copilot never triggers a Lockbox request. If you receive a Lockbox request, it is from a support case opened by a user or an automatic request from Microsoft support. Review the support case details to confirm that the request is legitimate. Cancel any Lockbox request that is unrelated to an active support case.

Compliance Auditors Ask About Copilot and Lockbox

Prepare a written policy that states Copilot operates under the user’s existing permissions and does not require Lockbox approval. Document that Lockbox is used only for human engineer access during support cases. This policy satisfies most compliance requirements and shows that both features are correctly managed.

Copilot and Customer Lockbox: Feature Comparison

| Item | Copilot | Customer Lockbox |
|---|---|---|
| Purpose | Generate AI responses from tenant data | Control Microsoft engineer access to tenant data |
| Access type | Automated service queries via Microsoft Graph | Manual human engineer support sessions |
| Does it require approval? | No — uses user permissions | Yes — explicit approver must grant access |
| Triggers Lockbox request? | No | Yes — only for engineer access |
| Affected by Lockbox policy? | No | Yes — Lockbox blocks engineer access until approved |

Copilot and Customer Lockbox serve different compliance purposes. Copilot handles automated data retrieval. Lockbox handles manual engineer access. They do not conflict when configured correctly.

You can now manage both Copilot and Customer Lockbox in your Microsoft 365 tenant without worrying about unintended data access blocks. The key is to remember that Lockbox controls only human support access. Copilot does not use human access. If you need to audit Copilot activity, use the compliance portal audit logs instead of Lockbox reports. For deeper compliance control, consider using Microsoft Purview data loss prevention policies to restrict which data Copilot can index.