MicrosoftDocs
diff --git a/‎articles/security/fundamentals/TOC.yml
Lines changed: 10 additions & 4 deletions b/‎articles/security/fundamentals/TOC.yml
Lines changed: 10 additions & 4 deletions
diff --git a/‎articles/security/fundamentals/customer-lockbox-alternative-email.md
Lines changed: 73 additions & 0 deletions b/‎articles/security/fundamentals/customer-lockbox-alternative-email.md
Lines changed: 73 additions & 0 deletions
diff --git a/‎articles/security/fundamentals/customer-lockbox-faq.yml
Lines changed: 77 additions & 0 deletions b/‎articles/security/fundamentals/customer-lockbox-faq.yml
Lines changed: 77 additions & 0 deletions
@@ -177,10 +177,16 @@
       href: database-security-checklist.md
   - name: Storage security guide
     href: ../../storage/blobs/security-recommendations.md?toc=/azure/security/fundamentals/toc.json&bc=/azure/security/breadcrumb/toc.json
-  - name: Customer Lockbox
-    href: customer-lockbox-overview.md
-  - name: Security baseline for Customer Lockbox
-    href: /security/benchmark/azure/baselines/lockbox-security-baseline?toc=/azure/security/fundamentals/TOC.json
+  - name: Customer Lockbox for Microsoft Azure
+    items:
+    - name: Overview
+      href: customer-lockbox-overview.md
+    - name: Alternate email notifications
+      href: customer-lockbox-alternative-email.md
+    - name: FAQ
+      href: customer-lockbox-faq.yml
+    - name: Security baseline for Customer Lockbox
+      href: /security/benchmark/azure/baselines/lockbox-security-baseline?toc=/azure/security/fundamentals/TOC.json
   - name: Trusted Hardware Identity Management
     href: trusted-hardware-identity-management.md
 
 
@@ -0,0 +1,73 @@
+---
+title: Customer Lockbox for Microsoft Azure alternate email feature
+description: Customer Lockbox for Microsoft Azure alternate email feature
+author: msmbaldwin
+ms.service: information-protection
+ms.topic: article
+ms.author: mbaldwin
+ms.date: 03/15/2024
+---
+
+# Customer Lockbox for Microsoft Azure alternate email notifications (public preview)
+
+> [!NOTE]
+> To use this feature, your organization must have an [Azure support plan](https://azure.microsoft.com/support/plans/) with a minimal level of **Developer**.
+
+Customer Lockbox for Microsoft Azure is launching a new feature that enables customers to use alternate email IDs for getting Customer Lockbox notifications. This enables Customer Lockbox for Microsoft Azure customers to receive notifications in scenarios where their Azure account is not email enabled or if they have a service principal defined as the tenant admin or subscription owner.
+
+> [!IMPORTANT]
+> This feature only enables Customer Lockbox notifications to be sent to alternate email IDs. It does not enable alternate users to act as approvers for Customer Lockbox requests.
+>
+> For example, Alice has the subscription owner role for subscription X and she adds Bob's email address as alternate email/other email in her user profile who has a reader role. When a Customer Lockbox request is created for a resource scoped to subscription 'X', Bob will receive the email notification, but he'll not be able to approve/reject the Customer Lockbox request as he does not have the required privileges for it (subscription owner role).
+
+## Prerequisites
+
+To take advantage of the Customer Lockbox for Microsoft Azure alternate email feature, you must have:
+
+- A Microsoft Entra ID tenant that has Customer Lockbox for Microsoft Azure enabled on it.
+- A Developer or above Azure support plan.
+- Role Assignments:
+    - A user account with Tenant admin/privileged authentication administrator/User administrator role to update user settings.
+    - [Optional] Subscription owner or the new Azure Customer Lockbox Approver for Subscription role if you’d like to approve/reject Customer Lockbox requests.
+
+## Set up
+
+Here are the steps to set up the Customer Lockbox for Microsoft Azure alternate email feature.
+
+1. Access the [Azure portal](https://portal.azure.com/).
+1. Sign in with the user account with tenant/privileged authentication administrator/User administrator role privileges.
+1. Search for Users at the home page:
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-home.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-home.png" alt-text="A screenshot of the home screen.":::
+1. Search for the user for whom you want to add alternate email address.
+  
+    > [!NOTE]
+    > The user must have tenant admin/subscription owner/Azure Customer Lockbox Approver for Subscription role privileges to act on Lockbox requests.
+
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-user-search.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-user-search.png" alt-text="A screenshot of the search for users interface.":::
+1. Select the user and select on edit properties.
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-edit-properties.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-edit-properties.png" alt-text="A screenshot of the edit properties interface.":::
+1. Navigate to Contact Information tab.
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-contact-information.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-contact-information.png" alt-text="A screenshot of the Contact Information tab.":::
+1. Select Add email under 'Other emails' category and then select Add.
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-add-email.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-add-email.png" alt-text="A screenshot of the Other emails add interface.":::
+1. Add alternate email address in the text field and select save.
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-other-email.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-other-email.png" alt-text="A screenshot of the alternative email input interface.":::
+1. Select the save button in the Contact Information tab to save the updates.
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-save.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-save.png" alt-text="A screenshot of the Contact Information table, emphasizing the save interface.":::
+1. The contact information tab for this user should now show updated information with alternate email:
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-contact-information-updated.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-contact-information-updated.png" alt-text="A screenshot of the updated information.":::
+1. Anytime a lockbox request is triggered and if the above user is identified as a Lockbox approver, the Lockbox email notification is sent to both primary and other email addresses, notifying that the Microsoft Support is trying to access a resource within their tenant, and they should take an action by logging into Azure portal to approve/reject the request. Here is an example screenshot:
+    :::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-alternative-email-notification.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-alternative-email-notification.png" alt-text="A screenshot of the email notification.":::
+
+## Known Issues
+
+Here are the known issues with this feature:
+
+- Duplicate emails are sent if the value for primary and other email is same.
+- Notifications are sent to only the first email address in 'other emails' despite multiple email IDs configured in other email field.
+- If the primary email is not set, and the other email is set, two emails are sent to the alternate email address.
+
+## Next steps
+
+- [Customer Lockbox for Microsoft Azure](customer-lockbox-overview.md)
+- [Customer Lockbox for Microsoft Azure frequently asked questions](customer-lockbox-faq.yml)
@@ -0,0 +1,77 @@
+### YamlMime:FAQ
+metadata:
+  title: Customer Lockbox for Microsoft Azure frequently asked questions
+  description: Frequently asked questions about Customer Lockbox
+  services: information-protection
+  ms.service: information-protection
+  ms.topic: overview
+  ms.date: 03/15/2024
+  author: msmbaldwin
+  ms.author: mbaldwin
+title: Customer Lockbox for Microsoft Azure frequently asked questions
+summary: This article answers frequently asked questions about Customer Lockbox for Microsoft Azure.
+
+sections:
+  - name: General
+    questions:
+      - question: |
+          Can I enable Customer Lockbox for Microsoft Azure at management group or subscription level?
+        answer: |
+          No, Customer Lockbox for Microsoft Azure can only be enabled at tenant-level, and is applicable to all the subscriptions and resources under that tenant.
+      - question: |
+          What does Microsoft do when a customer rejects a Customer Lockbox request?
+        answer: |
+          If a customer rejects a Customer Lockbox request, no access to customer content occurs. If a user in your organization continues to experience a service issue requiring Microsoft to access customer content to resolve the issue, then the service issue might persist and Microsoft will inform the user.
+      - question: |
+          Can I assign the Customer Lockbox approver role at the management group level?
+        answer: |
+          No, role assignments scoped to management groups are not supported in Customer Lockbox for Microsoft Azure at this time.
+      - question: |
+          Can I use Privileged Identity Management (PIM) to activate the Customer Lockbox approver role after a Customer Lockbox request is initiated?
+        answer: |
+          Role assignments must be in place before Customer Lockbox for Microsoft Azure starts to process a request. Any role assignments made after Customer Lockbox for Microsoft Azure starts to process a given request will not be recognized. Using PIM eligible assignments for the Customer Lockbox approver role requires users to activate the role before the Customer Lockbox request is initiated.
+
+  - name: Customer Lockbox Approver Role for Subscriptions (public preview)
+    questions:
+      - question: |
+          Can I use the new Customer Lockbox approver role for tenant-scoped requests as well?
+        answer: |
+          No, Azure Customer Lockbox Approver for Subscription role works only for subscription-scoped requests. The Customer Lockbox for Microsoft Azure team will be creating a lesser privilege role for tenant-scoped requests in subsequent releases.
+      - question: |
+          Can I use the new Customer Lockbox approver role with Microsoft Purview Customer Lockbox or Customer Lockbox for Power Platform and Dynamics 365?
+        answer: |
+          No, the Azure Customer Lockbox Approver for Subscription role works only for subscription-scoped requests created by Customer Lockbox for Microsoft Azure.
+      - question: |
+          Can I use PIM to activate the new Customer Lockbox approver role after a Customer Lockbox request is initiated?
+        answer: |
+          Role assignments must be in place before Customer Lockbox starts to process a request. Any role assignments made after Customer Lockbox for Microsoft Azure starts to process a given request will not be recognized. Because of this, to use PIM eligible assignments for the Customer Lockbox approver role, users are required to activate the role before the Customer Lockbox request is initiated.
+
+  - name: Alternative email feature (public preview)
+    questions:
+      - question: |
+          Can I add a different user email address as an alternate email to another user's account?
+        answer: |
+          Yes, you can add any email address in the other emails field to be used as alternate email for receiving Customer Lockbox notifications.
+      - question: |
+          If I add a second user's email address as an alternate email to an existing Customer Lockbox approver user's account, will the second user be able to see and approve/reject Customer Lockbox requests?
+        answer: |
+          No, this feature only allows customers to receive Customer Lockbox request notifications on alternate email addresses, but it does not provide the ability to configure other users as Customer Lockbox approvers. For example, Alice has the subscription owner role for subscription X and she adds Bob's email address as alternate email/other email in her user profile who has a reader role. When a Customer Lockbox request is created for a resource scoped to subscription "X", Bob receives the email notification, but he'll not be able to approve/reject the Customer Lockbox request as he does not have the required privileges for it (subscription owner role).
+      - question: |
+          Can I add more than one alternate email address to a user account?
+        answer: |
+          You can add multiple email addresses in the other field but currently Customer Lockbox for Microsoft Azure supports sending notifications only to the first email address in "other emails" despite multiple email IDs configured.
+      - question: |
+          Can I use alternate email notification functionality with Microsoft Purview Customer Lockbox or Customer Lockbox for Power Platform and Dynamics 365?
+        answer: |
+          No, this feature is limited to Customer Lockbox for Microsoft Azure.
+      - question: |
+          Will the alternate email notification work for both tenant-scoped and subscription-scoped Customer Lockbox requests?
+        answer: |
+          Yes, alternate email notifications work for all Customer Lockbox requests.
+
+additionalContent: |
+
+  ## Next steps
+  
+  - [Customer Lockbox for Microsoft Azure overview](customer-lockbox-overview.md)
+  - [Customer Lockbox for Microsoft Azure alternate email notifications](customer-lockbox-overview.md)