Customer Lockbox Enabled

💼 Management Summary

Customer Lockbox requires your explicit approval before Microsoft engineers can access your data during a support case.

Recommendation
IMPLEMENT
Risk without
Medium
Risk Score
5/10
Implementation
3h (technical: 1h)
Applies to:
✓ M365

Microsoft support may need access to your data to troubleshoot a case. Without Lockbox, Microsoft decides when that access happens. With Lockbox, you approve (or deny) every access request, which gives you data sovereignty control.

PowerShell Modules Required
Primary API: M365 Admin Center
Connection: N/A (the script below connects via Connect-ExchangeOnline)
Required Modules: ExchangeOnlineManagement (used by the script below)

Implementation

Enable Customer Lockbox. Microsoft engineers must then request approval before accessing your data, and you approve or deny each request. Requires an M365 E5 (or equivalent) license.

Prerequisites

  1. M365 E5 or equivalent
  2. Global Administrator rights

Implementation steps

  1. M365 Admin Center → Settings → Security & privacy → Customer Lockbox
  2. Enable Customer Lockbox
  3. Designate approvers
  4. Monitor requests in the Admin Center

Compliance and Auditing

  1. CIS M365 control 1.2.1
  2. BIO 15.01
  3. ISO 27001 A.15.1.2
  4. GDPR (AVG) Article 28

Monitoring

Use the PowerShell script customer-lockbox-enabled.ps1 (function Invoke-Monitoring) to check whether the setting is enabled.
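The baseline script only verifies that the setting is on; it does not show whether requests are actually being reviewed (step 4 of the implementation). The following added example (not part of the baseline's script) pulls Lockbox approval decisions from the unified audit log. The operation name `Set-AccessToCustomerDataRequest` and the `ApprovalDecision` / `RequestId` parameter names are taken from Microsoft's Customer Lockbox auditing documentation rather than from this page, so treat them as assumptions and verify against your tenant's own records; the sample record is constructed so the parser can be exercised offline.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not the baseline's own script. ASSUMED names (from Microsoft's
# Lockbox auditing docs, not from this page): operation 'Set-AccessToCustomerDataRequest'
# and AuditData parameters 'ApprovalDecision' and 'RequestId'.

function ConvertFrom-LockboxAuditRecord {
    # Flattens one Search-UnifiedAuditLog result (AuditData is a JSON string)
    # into the fields an approver or auditor cares about.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        # Exchange admin audit records carry cmdlet parameters as Name/Value pairs
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
        [pscustomobject]@{
            Time      = [datetime]$data.CreationTime
            Operation = $data.Operation
            Approver  = $data.UserId
            Decision  = $params['ApprovalDecision']   # assumed parameter name
            RequestId = $params['RequestId']          # assumed parameter name
        }
    }
}

function Get-LockboxDecisions {
    # Live query over the last $Days days. Needs an existing Exchange Online
    # session (Connect-ExchangeOnline) with permission to search the audit log.
    param([int]$Days = 90)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'Set-AccessToCustomerDataRequest' -ResultSize 5000 |
        ConvertFrom-LockboxAuditRecord
}

# Constructed sample record (not real tenant data) to exercise the parser offline.
$sample = [pscustomobject]@{
    AuditData = @'
{"CreationTime":"2024-03-01T10:15:00","Operation":"Set-AccessToCustomerDataRequest",
 "UserId":"approver@contoso.example","Parameters":[
   {"Name":"RequestId","Value":"REQ-0001"},{"Name":"ApprovalDecision","Value":"Deny"}]}
'@
}
$sample | ConvertFrom-LockboxAuditRecord | Format-Table -AutoSize

# Against a real tenant, after Connect-ExchangeOnline -ShowBanner:$false:
# Get-LockboxDecisions -Days 90 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run the live query on the same schedule as Invoke-Monitoring: a tenant where Lockbox is enabled but no decisions ever appear while support cases are open is worth a look, because it usually means approvers are not seeing the requests (they expire if nobody acts on them).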

Remediation

Use the PowerShell script customer-lockbox-enabled.ps1 (function Invoke-Remediation) to enable the setting.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation), plus -Revert to switch the setting back off.

PowerShell
<#
.SYNOPSIS
    Customer Lockbox Enabled
.DESCRIPTION
    Ensures Customer Lockbox is enabled (Microsoft support access requires approval)
.NOTES
    NL Baseline v2.0
    Requires: E5 or Advanced Compliance license
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Customer Lockbox" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    # Read-only check. Exit codes: 0 = compliant, 1 = non-compliant, 2 = error
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $orgConfig = Get-OrganizationConfig
        if ($orgConfig.CustomerLockBoxEnabled) {
            Write-Host " [OK] Customer Lockbox: ENABLED" -ForegroundColor Green
            Write-Host "      Microsoft support requests require your approval" -ForegroundColor Cyan
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
            exit 0
        }
        else {
            Write-Host " [FAIL] Customer Lockbox: DISABLED" -ForegroundColor Red
            Write-Host "        Microsoft can access data without approval" -ForegroundColor Red
            Write-Host "`n ⚠️ Note: Requires E5 or Advanced Compliance license" -ForegroundColor Yellow
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
            exit 1
        }
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    # Enables the tenant-wide setting. -WhatIf is passed through to the cmdlet
    # so a dry run reports the change without applying it.
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Set-OrganizationConfig -CustomerLockBoxEnabled $true -WhatIf:$WhatIf -ErrorAction Stop
        if (-not $WhatIf) {
            Write-Host "`n[OK] Customer Lockbox enabled" -ForegroundColor Green
            Write-Host "Support requests now require approval" -ForegroundColor Cyan
        }
        exit 0
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        Write-Host "Ensure E5 or Advanced Compliance license" -ForegroundColor Yellow
        exit 2
    }
}

function Invoke-Revert {
    # Disables the setting again (for rollback only; this lowers your control).
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Set-OrganizationConfig -CustomerLockBoxEnabled $false -WhatIf:$WhatIf -ErrorAction Stop
        if (-not $WhatIf) {
            Write-Host " ⚠️ Customer Lockbox disabled" -ForegroundColor Yellow
        }
        exit 0
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert)          { Invoke-Revert }
    elseif ($Monitoring)  { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else {
        Write-Host "Use: -Monitoring | -Remediation | -Revert [-WhatIf]" -ForegroundColor Yellow
    }
}
catch {
    throw
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Medium: Microsoft support can access your data without your approval, which is a data sovereignty concern.

Management Summary

Customer Lockbox lets you approve or deny Microsoft engineers' access to your data. Requires E5. Satisfies CIS 1.2.1 (L2) and GDPR Article 28. Technical setup: 1h.