Use Customer Lockbox for Azure Data Box (Preview)

Azure Data Box is used to transfer customer data to and from Azure. There are instances where Microsoft Support may need to access customer data during a Support request. You can use Customer Lockbox as an interface to review and approve or reject these data access requests.

This article covers how Customer Lockbox requests are initiated and tracked for Data Box import as well as export orders. The article applies to both Azure Data Box devices and Azure Data Box Heavy devices.

DevOps workflow for data access

The Support and Data Box Operations team at Microsoft typically does not access customer data. They try to resolve issues by using standard tools and telemetry.

If the issues can’t be resolved and require Microsoft Support to investigate or repair data, they request elevated access via Just in Time (JIT) portal. The JIP portal validates permission level, provides multi-factor authentication and also includes an approval from the Internal Microsoft Approvers. For example, the approver could be DevOps Manager.

After your request for elevated access is approved via the JIT portal, if you have enabled Lockbox, Microsoft will also require your explicit consent to access the data. The access is requested and tracked via the Customer Lockbox service in the portal.

If you have not enabled Lockbox, then your consent is not needed to access the data.

Prerequisites for access request

Before you begin, make sure:

1. You have created an Azure Data Box order as per the instructions in:

   1. Tutorial: Order Azure Data Box for import orders.
   2. Tutorial: Order Azure Data Box for export orders.

2. You have configured Customer Lockbox for Data Box. This is an opt-in service.

   1. Customer Lockbox is currently in preview for Data Box service. To enable Customer Lockbox for Data Box for your organization, sign up for Customer Lockbox for Azure Public Preview.
   2. Customer Lockbox is automatically available for all customers who have an Azure support plan with a minimal level of Developer.

3. A service request or a Support ticket is already opened for this issue. For information on support ticket, see File a service request for Data Box.

Track, approve request via Lockbox

To track and approve a request to access customer data, follow these steps:

1. Microsoft detects that there is an issue during the upload or download of the data at Azure datacenter. For example, the Data Box order is halted during the Data Copy stage.

   The support engineer connects to Data Box via Support session and tries to troubleshoot the issue by using standard tools and telemetry. If the Data Box disks are locked and shares are not accessible, then the Support engineer creates a Lockbox request.

2. When the request is created, usually the notification goes to subscription administrator but you can also configure a group for notifications.

3. You can see the lockbox request in the Azure portal for your approval.

   

   To approve the lockbox request from portal, you can select Approve.

   

   Once the request is approved, the device disks are unlocked and shares are accessible in the support session.

4. The support engineer resolves the upload issue and then disables the support session.

After the issue is resolved, the data copy job will progress to completion.

Next steps

• Customer Lockbox for Microsoft Azure