If you already work with Office 365, you may be aware of the Customer Lockbox capability. In a nutshell, this feature (available with the E5 plan or as an add-on) lets Office 365 administrators control how Microsoft engineers access their data, particularly during support cases: every access request has to be reviewed and approved by the customer before the engineer gets in.

Now you can take advantage of it with Azure as well.

To enable Customer Lockbox for Azure VM you need Azure PowerShell (the AzureRM module, at least version 6.10), available here for 64-bit https://github.com/Azure/azure-powershell/releases/download/v6.10.0-October2018/Azure-Cmdlets-6.10.0.23377-x64.msi or here for 32-bit https://github.com/Azure/azure-powershell/releases/download/v6.10.0-October2018/Azure-Cmdlets-6.10.0.23377-x86.msi

  • Connect to your Azure tenant

Connect-AzureRmAccount


  • Gather your tenant ID and subscription ID, either from the Azure administration portal or from the output of Connect-AzureRmAccount


    • If you want to work in a different subscription, switch the context to it (the tenant ID matters here: the service principals are created in the directory the context points at)

Select-AzureRmSubscription -TenantId "<your tenant ID>" -SubscriptionId "<subscription ID to use>"

  • Create the two Azure AD service principals that enable Customer Lockbox (the first is the Azure Lockbox application, the second is the MS-PIM application, identified by their well-known application IDs)

New-AzureRmADServicePrincipal -ApplicationId a0551534-cfc9-4e1f-9a7a-65093b32bb38

New-AzureRmADServicePrincipal -ApplicationId 01fc33a7-78ba-4d2f-a4b7-768e336e890e

NOTE: you may get the error "Another object with the same value for property servicePrincipalNames already exists". This is fine; it means the service principals were already present in your directory.

  • You can check whether the creation succeeded (or whether the principals already existed) with the following commands

Get-AzureRmADServicePrincipal | ? { $_.ApplicationId -match "a0551534-cfc9-4e1f-9a7a-65093b32bb38" }

Get-AzureRmADServicePrincipal | ? { $_.ApplicationId -match "01fc33a7-78ba-4d2f-a4b7-768e336e890e" }

  • The checks should return the two principals below

ApplicationId         : a0551534-cfc9-4e1f-9a7a-65093b32bb38
DisplayName           : AzureLockbox

ApplicationId         : 01fc33a7-78ba-4d2f-a4b7-768e336e890e
DisplayName           : MS-PIM


That's it: Customer Lockbox for Azure VM is now enabled.
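The whole procedure above, as an added example that is not part of the original post: an idempotent script that signs in, pins the context to the intended tenant and subscription, creates each of the two service principals only when it is missing, tolerates the "already exists" error the post mentions, and fails if the verification step does not find both principals. It uses the same AzureRM cmdlets and the two application IDs listed in the post; the tenant and subscription IDs are parameters you supply.

```powershell
# Added example, not from the original post. Assumes AzureRM 6.10+ is installed
# and that the account used can create service principals in the tenant.
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,        # placeholder, supply your own
    [Parameter(Mandatory = $true)] [string] $SubscriptionId   # placeholder, supply your own
)

# Well-known application IDs from the post: Azure Lockbox and MS-PIM.
$lockboxApps = @{
    'a0551534-cfc9-4e1f-9a7a-65093b32bb38' = 'AzureLockbox'
    '01fc33a7-78ba-4d2f-a4b7-768e336e890e' = 'MS-PIM'
}

# Steps 1 and 2: sign in and pin the context, so the service principals are
# created in the directory you intend and not in a default one.
Connect-AzureRmAccount -TenantId $TenantId | Out-Null
Select-AzureRmSubscription -TenantId $TenantId -SubscriptionId $SubscriptionId | Out-Null

# Step 3: create each service principal only if it is not already present.
# Listing all principals once (this can be slow in a large tenant) and checking
# first makes the script safe to re-run instead of relying on the error path.
$existing = Get-AzureRmADServicePrincipal
foreach ($appId in $lockboxApps.Keys) {
    $found = $existing | Where-Object { $_.ApplicationId -eq $appId }
    if ($found) {
        Write-Host "Already present: $($found.DisplayName) ($appId)"
        continue
    }
    try {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $appId -ErrorAction Stop
        Write-Host "Created: $($sp.DisplayName) ($appId)"
    } catch {
        # The error the post describes; the object exists, so treat it as success.
        if ($_.Exception.Message -match 'servicePrincipalNames already exists') {
            Write-Host "Already present (reported by the directory): $appId"
        } else {
            throw
        }
    }
}

# Step 4: verify, and stop with a clear error if either principal is missing.
$verified = Get-AzureRmADServicePrincipal |
    Where-Object { $lockboxApps.ContainsKey([string]$_.ApplicationId) } |
    Select-Object ApplicationId, DisplayName
$verified | Format-Table -AutoSize

$presentIds = [string[]]$verified.ApplicationId
$missing = $lockboxApps.Keys | Where-Object { $presentIds -notcontains $_ }
if ($missing) {
    throw "Customer Lockbox service principal(s) missing: $($missing -join ', ')"
}
Write-Host 'Customer Lockbox for Azure service principals are in place.'
```

Run it as `.\Enable-CustomerLockbox.ps1 -TenantId <tenant ID> -SubscriptionId <subscription ID>` (the file name is an assumption). Creating these service principals does not by itself grant anyone access to your resources; it only registers the applications so that Lockbox requests can be raised and routed to you for approval, which is why a second run is harmless.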

You can now use your Azure portal to check (and approve or deny) requests by searching for “Customer Lockbox for Microsoft Azure”


Of course, you do not need to check the portal continuously: Global Administrator accounts are notified by email each time a request is made.