When you submit a support request for Microsoft Copilot, Microsoft engineers may need to access your tenant data to diagnose and resolve the issue. Without explicit controls, this access could raise data governance and compliance concerns for your organization. Customer Lockbox for Microsoft 365 provides a workflow that requires your explicit approval before a Microsoft support engineer can access your Copilot data. This article explains the Customer Lockbox workflow for Copilot support access, including how to enable it, how to approve or reject requests, and what happens at each stage.
Key Takeaways: Copilot Customer Lockbox Workflow
- Microsoft 365 admin center > Settings > Org Settings > Security & Privacy > Customer Lockbox: Enable the service and configure approval notifications.
- Support request escalation process: A Microsoft engineer requests Lockbox access only after standard troubleshooting fails and the case is escalated.
- Approval or rejection within 12 hours: You must respond within 12 hours or the request expires; the engineer cannot access data without approval.
What Is Customer Lockbox for Copilot Support Access
Customer Lockbox is a Microsoft 365 compliance feature that gives you explicit control over when Microsoft support engineers can access your tenant data. For Copilot, this includes content from prompts, generated responses, and grounded data from Microsoft Graph such as emails, documents, and calendar entries. The Lockbox workflow ensures that no engineer can view your Copilot data without your organization’s explicit approval.
The workflow is triggered only when a support case requires direct data access to resolve a problem. Standard support troubleshooting that uses logs and telemetry does not require Lockbox. The feature is part of the Microsoft 365 compliance center and is available in specific licensing tiers.
Prerequisites for Customer Lockbox
To use Customer Lockbox for Copilot, your organization must meet these requirements:
- An eligible Microsoft 365 subscription: E5, A5, G5, or add-on licenses for E3 or E1 tenants.
- Global admin or Compliance admin role to enable and manage Customer Lockbox.
- An active Microsoft support plan that includes support case creation.
Steps to Enable and Configure Customer Lockbox for Copilot
Before the Lockbox workflow can work for Copilot support requests, you must enable the service in the Microsoft 365 admin center. Follow these steps:
- Sign in to the Microsoft 365 admin center: Go to admin.microsoft.com and sign in with an account that has Global admin or Compliance admin permissions.
- Navigate to Customer Lockbox settings: Select Settings > Org Settings > Security & Privacy. Under the list of services, find and select Customer Lockbox.
- Enable Customer Lockbox: Toggle the setting to On. You can also configure notification preferences here. Choose to send approval requests to up to 10 email addresses. These recipients will receive requests when a Microsoft engineer needs data access.
- Assign approval roles: By default, Global admins and Compliance admins can approve Lockbox requests. To delegate approval to other users, assign the Customer Lockbox access approver role in the Microsoft 365 admin center under Roles > Role assignments.
- Confirm the configuration: After saving, verify that Customer Lockbox is active by checking the status indicator in the same settings pane. The status should show Enabled.
The Customer Lockbox Workflow for Copilot Support
Once Customer Lockbox is enabled, the following workflow applies when a Microsoft support engineer needs access to your Copilot data:
- Support case escalation: You submit a support request through the Microsoft 365 admin center or the Microsoft 365 admin app. The support engineer first attempts to resolve the issue using logs and telemetry. If this is insufficient, the engineer escalates the case to a senior engineer who may request data access.
- Engineer submits a Lockbox request: The senior engineer creates a Customer Lockbox request through an internal Microsoft portal. The request specifies the tenant ID, the support case number, the data scope, and the estimated duration of access.
- Notification sent to approvers: Microsoft sends an email notification to the recipients configured in the Customer Lockbox settings. The email includes a link to the Microsoft 365 admin center where you can review and act on the request.
- Approver reviews and acts: You or another designated approver signs in to the Microsoft 365 admin center and navigates to Support > Customer Lockbox Requests. Here you can see the request details: case number, engineer name, data scope, and duration. You have three options: Approve, Reject, or Request more info.
- Time window for response: You must respond within 12 hours. If you do not act, the request expires automatically. The engineer cannot access data until you approve.
- Access granted and logged: If you approve, the engineer gains access to the specified Copilot data for the duration stated. All access events are logged in the Microsoft 365 audit log and the Customer Lockbox audit log. You can review these logs at any time.
- Access revoked: After the approved duration ends, Microsoft automatically revokes the engineer’s access. No further action is needed from you.
Common Issues and Limitations of Customer Lockbox for Copilot
Customer Lockbox Is Not Enabled by Default
Many organizations assume Customer Lockbox is active after purchasing an eligible license. You must manually enable it in the admin center. Until you do, support engineers can access data without your approval in certain escalation scenarios.
Lockbox Requests Are Only for Specific Escalations
Not every support request triggers a Lockbox request. Only cases where standard troubleshooting fails and a senior engineer determines that direct data access is necessary will initiate the workflow. Routine support cases do not use Lockbox.
Notification Emails May Be Missed
If your notification recipients have strict spam filters or do not check email frequently, the 12-hour approval window may expire. Assign at least two approvers and verify that notification emails from Microsoft are not blocked.
Copilot Data Access Scope Is Broad
When an engineer requests Lockbox access, the scope typically includes all Copilot-related data in your tenant. You cannot restrict access to specific users, prompts, or responses. The request description includes the approximate scope, but the actual access may cover more data than you expect.
Audit Logs Require Separate Configuration
Lockbox access events are recorded in the Microsoft 365 audit log, but audit logging must be enabled separately. Go to Microsoft 365 admin center > Security & Compliance > Audit and turn on audit log recording. Without this, you cannot review who accessed your data.
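The two settings that are off by default (Customer Lockbox itself and audit log recording) can be checked from Exchange Online PowerShell, and the same session can pull the records for a monthly review. This is an added example, not part of the original article. The operation name `Set-AccessToCustomerDataRequest` and the user ID `Microsoft Operator` are assumptions taken from Microsoft's general Customer Lockbox auditing guidance rather than from this page, and Copilot-specific access may be recorded under other operations.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module
# and a role that can read organization and audit configuration.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Configuration checks for the two settings that are not on by default.
$org   = Get-OrganizationConfig
$audit = Get-AdminAuditLogConfig

[pscustomobject]@{
    CustomerLockboxEnabled = [bool]$org.CustomerLockBoxEnabled
    AuditRecordingEnabled  = [bool]$audit.UnifiedAuditLogIngestionEnabled
} | Format-List

if (-not $org.CustomerLockBoxEnabled) {
    Write-Warning 'Customer Lockbox is off: support data access will not wait for your approval.'
}
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Audit log recording is off: Lockbox decisions and access cannot be reviewed.'
}

# 2. Monthly review window (UTC).
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-30)

# Approve/deny decisions made by your approvers.
# Assumption: operation name taken from Microsoft's Customer Lockbox auditing guidance.
$decisions = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 1000

# Actions performed by a Microsoft engineer after approval.
# Assumption: such records carry the user ID "Microsoft Operator".
$operatorActions = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds 'Microsoft Operator' -ResultSize 1000

# 3. One chronological list so each engineer action can be matched to a decision.
@($decisions) + @($operatorActions) |
    Where-Object { $_ } |
    Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Format-Table -Wrap

if ($operatorActions -and -not $decisions) {
    Write-Warning 'Microsoft Operator activity found with no Lockbox decision in this window; review it.'
}
```

A decision made just before the 30-day window can legitimately precede operator activity inside it, so widen the window before treating the final warning as a finding.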
Customer Lockbox vs Standard Support Access for Copilot
| Item | Customer Lockbox | Standard Support Access |
|---|---|---|
| Approval required | Yes, explicit approval from your organization | No, engineer accesses data based on internal policy |
| Data scope | Copilot data including prompts, responses, and grounded data | Logs and telemetry only, no direct data access |
| Notification | Email sent to designated approvers | No notification |
| Response window | 12 hours to approve or reject | Not applicable |
| Audit trail | Logged in audit log and Lockbox audit log | Logged in standard support case history |
| License required | E5, A5, G5, or add-on license | Any Microsoft 365 subscription with support plan |
The table above shows that Customer Lockbox adds a layer of consent and auditability that standard support access lacks. For organizations with strict compliance requirements, Lockbox is the recommended method for managing support access to Copilot data.
You can now enable Customer Lockbox, configure notification recipients, and manage approval workflows for Copilot support requests. To verify your setup, create a test support case and confirm that the Lockbox request appears in the admin center. For ongoing compliance, review the Customer Lockbox audit log monthly and ensure at least two approvers are configured to avoid missed notifications.