articles/security/fundamentals/customer-lockbox-overview.md
27 additions & 5 deletions
@@ -84,18 +84,17 @@ The following steps outline a typical workflow for a Customer Lockbox for Micros
84
84
- Permissions levels.
85
85
Based on the JIT rule, this request might also include an approval from Internal Microsoft Approvers. For example, the approver might be the Customer support lead or the DevOps Manager.
86
86
1. When the request requires direct access to customer data, a Customer Lockbox request is initiated. For example, remote desktop access to a customer's virtual machine.
87
-
87
+
88
88
The request is now in a **Customer Notified** state, waiting for the customer's approval before granting access.
89
89
1. One or more approvers at the customer organization for a given Customer Lockbox request are determined as follows:
90
90
- For Subscription scoped requests (requests to access specific resources contained within a subscription), users with the Owner role or the Azure Customer Lockbox Approver for Subscription role (currently in public preview) on the associated subscription.
91
91
- For Tenant scope requests (requests to access the Microsoft Entra tenant), users with the Global Administrator role on the Tenant.
92
92
> [!NOTE]
93
93
> Role assignments must be in place before Customer Lockbox for Microsoft Azure starts to process a request. Any role assignments made after Customer Lockbox for Microsoft Azure starts to process a given request will not be recognized. Because of this, to use PIM eligible assignments for the Subscription Owner role, users are required to activate the role before the Customer Lockbox request is initiated. Refer to [Activate Microsoft Entra roles in PIM](../../active-directory/privileged-identity-management/pim-how-to-activate-role.md) / [Activate Azure resource roles in PIM](../../active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md#activate-a-role) for more information on activating PIM eligible roles.
94
-
>
94
+
>
95
95
> **Role assignments scoped to management groups are not supported in Customer Lockbox for Microsoft Azure at this time.**
96
96
1. At the customer organization, designated lockbox approvers ([Azure Subscription Owner](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles)/[Microsoft Entra Global admin](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-ad-roles)/Azure Customer Lockbox Approver for Subscription receive an email from Microsoft to notify them about the pending access request. You can also use the [Azure Lockbox alternate email notifications](customer-lockbox-alternative-email.md) feature (currently in public preview) to configure an alternate email address to receive lockbox notifications in scenarios where Azure account is not email enabled or if a service principal is defined as the lockbox approver.
97
97
98
-
99
98
Example email:
100
99
:::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-email-notification.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-email-notification.png" alt-text="A screenshot of the email notification.":::
101
100
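Review bot: the approver list in the context line that begins "At the customer organization, designated lockbox approvers (" opens a parenthesis that is never closed, so the rendered sentence reads "...Approver for Subscription receive an email"; since this hunk is already touching whitespace in this region, close it after the third role, e.g. "/Azure Customer Lockbox Approver for Subscription) receive an email from Microsoft". In the same sentence, "in scenarios where Azure account is not email enabled" needs "the Azure account". The two -/+ pairs on the blank line and on the ">" line inside the NOTE are identical apart from trailing whitespace, which is fine as a cleanup but worth a one-line explanation so a reviewer does not hunt for a content change there.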
@@ -111,12 +110,17 @@ The following steps outline a typical workflow for a Customer Lockbox for Micros
111
110
As a result of the selection:
112
111
-**Approve**: Access is granted to the Microsoft engineer for the duration specified in the request details, which is shown in the email notification and in the Azure portal.
113
112
-**Deny**: The elevated access request by the Microsoft engineer is rejected and no further action is taken.
114
-
113
+
115
114
For auditing purposes, the actions taken in this workflow are logged in [Customer Lockbox request logs](#auditing-logs).
116
115
117
116
## Auditing logs
118
117
119
-
Customer Lockbox logs are stored in activity logs. In the Azure portal, select **Activity Logs** to view auditing information related to Customer Lockbox requests. You can filter for specific actions, such as:
118
+
The auditing logs for Customer Lockbox for Azure are written to the activity logs for subscription-scoped requests and to the [Entra Audit Log](/entra/identity/monitoring-health/concept-audit-logs) for tenant-scoped requests.
119
+
120
+
### Subscription-scoped requests - Activity Logs
121
+
122
+
In the Azure portal, Customer Lockbox for Microsoft Azure blade, select **Activity Logs** to view auditing information related to Customer Lockbox requests. You can also view the **Activity Logs** in the subscription details blade for the subscription in question. In both cases, you can filter for specific operations, such as:
123
+
120
124
-**Deny Lockbox Request**
121
125
-**Create Lockbox Request**
122
126
-**Approve Lockbox Request**
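Review bot: the new intro line names the product "Customer Lockbox for Azure" while every other line in the file says "Customer Lockbox for Microsoft Azure"; use the full name. In that same line the Entra Audit Log gets a link but the activity log does not, so add a link to the activity log documentation as well. The added sentence "In the Azure portal, Customer Lockbox for Microsoft Azure blade, select **Activity Logs**" is missing a preposition ("on the Customer Lockbox for Microsoft Azure blade"). The unchanged list items that follow ("-**Deny Lockbox Request**", "-**Create Lockbox Request**", "-**Approve Lockbox Request**") have no space after the hyphen and so will not render as a bulleted list; since this hunk rewrites the sentence that introduces them ("you can filter for specific operations, such as:"), fix the markers here too ("- **Deny Lockbox Request**").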
@@ -126,6 +130,24 @@ As an example:
126
130
127
131
:::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-activitylogs.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-activitylogs.png" alt-text="A screenshot of the activity logs.":::
128
132
133
+
### Tenant-Scoped requests - Audit Log
134
+
135
+
For tenant-scoped Customer Lockbox requests, log entries are wrriten to the [Entra Audit Log](/entra/identity/monitoring-health/concept-audit-logs). These Log entries are created by the Access Reviews service with activities such as:
136
+
137
+
-**Create request**
138
+
-**Request approved**
139
+
-**Request denied**
140
+
141
+
You can fiiter for ```Service = Access Reviews``` and ```Activity = one of the above activities```.
142
+
143
+
As an example:
144
+
145
+
:::image type="content" source="./media/customer-lockbox-overview/customer-lockbox-entra-audit-logs.png" lightbox="./media/customer-lockbox-overview/customer-lockbox-entra-audit-logs.png" alt-text="A screenshot of the audit log.":::
146
+
147
+
> [!NOTE]
148
+
> The History tab in the Azure Lockbox portal has been removed due to existing technical limitations. To see
149
+
Customer Lockbox request history, please use the Activity Log for subscription-scoped requests and the [Entra Audit Log](/entra/identity/monitoring-health/concept-audit-logs) for tenant-scoped requests.
150
+
129
151
## Customer Lockbox for Microsoft Azure integration with the Microsoft cloud security benchmark
130
152
131
153
We introduced a new baseline control ([PA-8: Determine access process for cloud provider support](/security/benchmark/azure/mcsb-privileged-access#pa-8-determine-access-process-for-cloud-provider-support)) in the Microsoft cloud security benchmark that covers Customer Lockbox applicability. Customers can now use the benchmark to review Customer Lockbox applicability for a service.
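Review bot: two typos in the added text: "wrriten" should be "written" and "fiiter" should be "filter". The NOTE at the end is split mid-sentence ("... To see" / "Customer Lockbox request history, ...") and the continuation line has no leading ">", so either join the alert body into one line or prefix every continuation line with ">" so the whole text stays inside the [!NOTE] block. Heading consistency: the new heading is "Tenant-Scoped requests - Audit Log" while its sibling is "Subscription-scoped requests - Activity Logs"; use the same casing ("Tenant-scoped"). "These Log entries" should be "These log entries", and "Azure Lockbox portal" should use the product name used elsewhere in the file. The filter guidance ```Activity = one of the above activities``` puts prose inside code formatting; write it as "Service = Access Reviews with Activity set to one of the activities listed above". Since the NOTE states the History tab was removed and these logs are now the only request history, state how long each log store retains entries and how to export them, because that determines whether past approvals can be reconstructed during an investigation.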