Customer Lockbox for Microsoft Fabric: A New Way to Control Your Data

Microsoft Fabric is a new cloud platform that enables you to build, deploy, and manage distributed applications across multiple regions and zones. Microsoft Fabric provides a rich set of services and tools to help you create scalable, reliable, and secure applications. However, as with any cloud service, you may have concerns about how Microsoft accesses your data and content when you use Microsoft Fabric.

That’s why Microsoft has introduced Customer Lockbox for Microsoft Fabric, a feature that gives you more control and visibility over how Microsoft engineers access your data. Customer Lockbox for Microsoft Fabric is based on the same technology that powers Customer Lockbox for Microsoft Azure, which is already available for other Microsoft 365 services such as Exchange Online, SharePoint Online, OneDrive for Business, and Teams.

In this blog post, we will explain what Customer Lockbox for Microsoft Fabric is, how it works, and how you can enable it for your organization. We will also answer some frequently asked questions about Customer Lockbox for Microsoft Fabric.

What is Customer Lockbox for Microsoft Fabric?

Customer Lockbox for Microsoft Fabric is a feature that ensures that Microsoft can’t access your data and content to do service operations without your explicit approval. Customer Lockbox for Microsoft Fabric brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your data.

Occasionally, Microsoft engineers may need to access your data and content to troubleshoot and fix issues that arise with the service. Usually, engineers can fix issues using the extensive telemetry and debugging tools that Microsoft has in place for its services. However, some cases may require a Microsoft engineer to access your data and content to determine the root cause and fix the issue, for example when remote desktop access to a customer’s virtual machine is needed.

Customer Lockbox for Microsoft Fabric requires the engineer to request access from you as a final step in the approval workflow. This gives you the option to approve or deny the request for your organization, and provides direct-access control over your data and content.

How does Customer Lockbox for Microsoft Fabric work?

Customer Lockbox for Microsoft Fabric works as follows:

  • When a Microsoft engineer needs to access your data and content to troubleshoot a Microsoft Fabric service support request, they submit a request using the Just-In-Time (JIT) access service. The request includes the following information:
    • The scope of the resource
    • The service request number
    • The expected start time of access
    • The estimated amount of time the engineer needs access to the data
    • The service the request is for
  • The request is then evaluated by the JIT service, considering factors such as:
    • Whether the requester is an isolated identity or using multi-factor authentication
    • The permissions levels
  • Based on the JIT role, the request may also include an approval from internal Microsoft approvers, such as the customer support lead or the DevOps manager.
  • When the request requires direct access to customer data and content, a Customer Lockbox request is initiated and sent to the designated approver at your organization. The designated approver is the Azure AD Global Administrator by default, but you can change it to another role or user.
  • The designated approver receives an email notification about the pending access request from Microsoft. The email provides a link to Customer Lockbox in the Azure Administration module.
  • Using the link, the designated approver signs in to the Azure portal to view any pending Customer Lockbox requests. The request remains in the customer queue for four days. After that, the access request automatically expires and no access is granted to Microsoft engineers.
  • To get the details of the pending request, the designated approver can select the Customer Lockbox request from the Pending Requests menu option. After reviewing the request, the designated approver enters a justification and selects one of the options below:
    • Approve: The Microsoft engineer is granted access to the data and content for the specified duration and scope. The access is logged and audited for later reviews.
    • Deny: The Microsoft engineer is denied access to the data and content. The access is logged and audited for later reviews.
    • Escalate: The designated approver can escalate the request to another user or role in the organization for further review and action.
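The workflow above can be turned into a review check on the customer side. The following is an added example, not Microsoft code or a real Lockbox export format: it models a request with the scope, start time and duration fields listed above, applies the four-day queue expiry, and flags access records that no approved request covers. The record layout, field names, the coverage rule and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

QUEUE_LIFETIME = timedelta(days=4)  # pending requests expire after four days

@dataclass
class LockboxRequest:  # hypothetical record; fields follow the request list above
    request_id: str
    scope: str
    expected_start: datetime
    duration: timedelta
    submitted: datetime
    decision: Optional[str] = None      # "approve", "deny" or None (undecided)
    decided_at: Optional[datetime] = None

def state(req, now):
    """Effective state of a request at time `now`."""
    deadline = req.submitted + QUEUE_LIFETIME
    if req.decision and req.decided_at <= deadline:
        return "approved" if req.decision == "approve" else "denied"
    return "expired" if now > deadline else "pending"

def covered(req, scope, when, now):
    """Assumed rule: same scope, after the approval, inside start..start+duration."""
    if req is None or state(req, now) != "approved":
        return False
    end = req.expected_start + req.duration
    return scope == req.scope and req.decided_at <= when and req.expected_start <= when <= end

def uncovered_access(log, requests, now):
    """Return access-log entries that no approved request covers."""
    by_id = {r.request_id: r for r in requests}
    return [e for e in log if not covered(by_id.get(e["id"]), e["scope"], e["time"], now)]

# Constructed sample data (not real Lockbox output).
T0, H = datetime(2024, 1, 8, 9, 0), timedelta(hours=1)
REQUESTS = [
    LockboxRequest("R1", "workspace/sales", T0 + 2*H, 4*H, T0, "approve", T0 + H),
    LockboxRequest("R2", "workspace/hr", T0 + 2*H, 4*H, T0, "deny", T0 + H),
    LockboxRequest("R3", "workspace/ops", T0 + 2*H, 4*H, T0),
]
LOG = [
    {"id": "R1", "scope": "workspace/sales", "time": T0 + 3*H},  # covered
    {"id": "R1", "scope": "workspace/sales", "time": T0 + 7*H},  # past the window
    {"id": "R1", "scope": "workspace/hr", "time": T0 + 3*H},     # wrong scope
    {"id": "R3", "scope": "workspace/ops", "time": T0 + 3*H},    # never approved
]
NOW = T0 + timedelta(days=5)
```

Calling `uncovered_access(LOG, REQUESTS, NOW)` returns the three entries that fall outside an approval; an entry that references an unknown request ID is flagged as well.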

How to enable Customer Lockbox for Microsoft Fabric?

To enable Customer Lockbox for Microsoft Fabric, you must be an Azure AD Global Administrator or have the Customer Lockbox Approver role. To assign roles in Azure AD, see Assign Azure AD roles to users.

To enable Customer Lockbox for Microsoft Fabric, follow these steps:

  • Open the Azure portal.
  • Go to Customer Lockbox for Microsoft Azure.
  • In the Administration tab, select Enabled.

Frequently Asked Questions

Here are some common questions and answers about Customer Lockbox for Microsoft Fabric:

  • Q: What are the benefits of Customer Lockbox for Microsoft Fabric?
  • A: Customer Lockbox for Microsoft Fabric provides you with the following benefits:
    • Increased control and visibility over how Microsoft accesses your data and content
    • Enhanced security and compliance for your data and content
    • Reduced risk of unauthorized or malicious access to your data and content
  • Q: What are the prerequisites for Customer Lockbox for Microsoft Fabric?
  • A: Customer Lockbox for Microsoft Fabric requires the following prerequisites:
    • A Microsoft Fabric subscription
    • A Microsoft 365 E5 or Microsoft 365 E5 Compliance license
    • An Azure AD Global Administrator or Customer Lockbox Approver role
  • Q: How can I change the designated approver for Customer Lockbox requests?
  • A: You can change the designated approver for Customer Lockbox requests by following these steps:
    • Open the Azure portal.
    • Go to Customer Lockbox for Microsoft Azure.
    • In the Administration tab, select Change approver.
    • Select the user or role you want to assign as the designated approver.
  • Q: How can I view the logs and audits of Customer Lockbox requests?
  • A: You can view the logs and audits of Customer Lockbox requests by following these steps:
    • Open the Azure portal.
    • Go to Customer Lockbox for Microsoft Azure.
    • In the Logs tab, select the time range and filter options you want to apply.
    • View the details of the Customer Lockbox requests, such as the request ID, status, requester, approver, justification, and actions.

Conclusion

Customer Lockbox for Microsoft Fabric is a new feature that gives you more control and visibility over how Microsoft engineers access your data and content when you use Microsoft Fabric. Customer Lockbox for Microsoft Fabric ensures that Microsoft can’t access your data and content to do service operations without your explicit approval. Customer Lockbox for Microsoft Fabric also provides you with enhanced security and compliance for your data and content, and reduces the risk of unauthorized or malicious access to your data and content.

If you want to learn more about Customer Lockbox for Microsoft Fabric, you can check out the following resources: