New admin role in Microsoft Entra: Entra Customer Lockbox Approver

Microsoft is preparing a new admin role in Entra: Entra Customer Lockbox Approver. This role is related to Customer Lockbox for Microsoft Azure.

Most operations and support performed by Microsoft personnel and subprocessors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data, whether in response to a customer-initiated support ticket or a problem identified by Microsoft.


The new role includes one lockbox permission, expected to cover the approval or rejection of lockbox requests. Currently, 42 Azure services support such requests.

Updated:
The documentation notes that the Global Administrator role is currently required for tenant scope requests (requests to access the Microsoft Entra tenant). The new role should provide a least-privileged option for these requests.

One or more approvers at the customer organization for a given Customer Lockbox request are determined as follows:

  • For Subscription scoped requests (requests to access specific resources contained within a subscription), users with the Owner role or the Azure Customer Lockbox Approver for Subscription role on the associated subscription.
  • For Tenant scope requests (requests to access the Microsoft Entra tenant), users with the Global Administrator role on the Tenant.

Organizations need at least a Developer Azure Support plan to use Customer Lockbox for Microsoft Azure.

New admin role: Entra Customer Lockbox Approver (for Azure lockbox)

Role Template ID: d35481f7-cda1-4fa2-8344-5a21f7f3724d
Role permission: microsoft.directory/lockbox/requests/update
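
To see who can approve tenant scope lockbox requests today and whether the new role is already in use, the following added example (not from Microsoft's documentation or the original post) lists active assignments for both roles with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and that the signed-in account can read role assignments; the Global Administrator template ID is the documented built-in value and does not come from this page.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Built-in roles use their template ID as the role definition ID.
$roles = [ordered]@{
    # Template ID and permission as listed on this page
    'Entra Customer Lockbox Approver' = 'd35481f7-cda1-4fa2-8344-5a21f7f3724d'
    # Documented built-in template ID (not from this page)
    'Global Administrator'            = '62e90394-69f5-4237-9190-012177145e10'
}
$expectedAction = 'microsoft.directory/lockbox/requests/update'

$report = foreach ($role in $roles.GetEnumerator()) {
    # The new role may not be rolled out to the tenant yet; skip it instead of failing.
    $definition = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $role.Value -ErrorAction SilentlyContinue
    if (-not $definition) {
        Write-Warning "Role '$($role.Key)' ($($role.Value)) is not available in this tenant yet."
        continue
    }

    # For the new role, flag any drift from the single permission listed on this page.
    $actions = @($definition.RolePermissions.AllowedResourceActions)
    if ($role.Key -eq 'Entra Customer Lockbox Approver' -and
        ($actions.Count -ne 1 -or $actions[0] -ne $expectedAction)) {
        Write-Warning "Unexpected permissions on '$($role.Key)': $($actions -join ', ')"
    }

    # Active assignments only; PIM-eligible assignments are not included.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Value)'" -ExpandProperty 'principal'

    foreach ($assignment in $assignments) {
        $principal = $assignment.Principal.AdditionalProperties
        [pscustomobject]@{
            Role          = $definition.DisplayName
            Principal     = $principal['displayName']
            PrincipalType = ($principal['@odata.type'] -replace '^#microsoft\.graph\.', '')
            PrincipalId   = $assignment.PrincipalId
            Scope         = $assignment.DirectoryScopeId
        }
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize
# Per-role count: the Global Administrator figure is the current tenant scope approver pool.
$report | Group-Object Role | Select-Object Name, Count
```

A PrincipalType of group means the role is held through a role-assignable group, whose members are not expanded in this output.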

Customer Lockbox in Microsoft Purview

As a reminder, Entra now provides two Lockbox approver roles.

  • For Customer Lockbox in Azure (NEW): Entra Customer Lockbox Approver
  • For Customer Lockbox in Microsoft Purview: Customer LockBox Access Approver

Customer LockBox Access Approver (for Purview lockbox)

Customer Lockbox in Microsoft Purview supports requests to access data in Exchange Online, SharePoint, OneDrive, Teams, and Windows 365. Additionally, all Microsoft 365 Copilot interactions are covered by Customer Lockbox through the support available for Exchange Online.

Organizations need one of the following licenses for Customer Lockbox in Microsoft Purview:

  • Microsoft 365 E7/E5/A5/G5
  • Office 365 E5/A5/G5
  • Microsoft Purview Suite
  • Microsoft Defender + Purview Suite FLW
  • Microsoft 365 E5/A5/F5/G5 Insider Risk Management

Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
