For those who already work with Office 365, you may be aware of the Customer Lockbox capability. In a nutshell, this feature (available with E5 or as an add-on) allows Office 365 administrators to control how Microsoft engineers access your data – particularly during support cases, where each access request must be explicitly approved by you.
Now, you can take advantage of it also with Azure.
To enable Customer Lockbox for Azure VMs, you need Azure PowerShell (AzureRM module version 6.10 or later). The 64-bit installer is available at https://github.com/Azure/azure-powershell/releases/download/v6.10.0-October2018/Azure-Cmdlets-6.10.0.23377-x64.msi and the 32-bit installer at https://github.com/Azure/azure-powershell/releases/download/v6.10.0-October2018/Azure-Cmdlets-6.10.0.23377-x86.msi
- Connect to your Azure tenant
Connect-AzureRmAccount
- Gather your tenant ID and subscription ID, either from the Azure administration portal or from the output of Connect-AzureRmAccount
- If you want to work in a different subscription, select it with the command
Select-AzureRmSubscription -TenantId "<your tenant ID>" -SubscriptionId "<subscription ID to use>"
- Create two new Azure AD service principals (one for each of the two Microsoft first-party applications below) to enable Customer Lockbox
New-AzureRmADServicePrincipal -ApplicationId a0551534-cfc9-4e1f-9a7a-65093b32bb38
New-AzureRmADServicePrincipal -ApplicationId 01fc33a7-78ba-4d2f-a4b7-768e336e890e
NOTE: these commands may return the error "Another object with the same value for property servicePrincipalNames already exists". This is fine; it means the service principals were already present in your tenant.
- You can check whether the creation succeeded (or whether the principals already existed) using the commands
Get-AzureRmADServicePrincipal | ? { $_.ApplicationId -match "a0551534-cfc9-4e1f-9a7a-65093b32bb38" }
Get-AzureRmADServicePrincipal | ? { $_.ApplicationId -match "01fc33a7-78ba-4d2f-a4b7-768e336e890e" }
- The checks should return the following
ApplicationId : a0551534-cfc9-4e1f-9a7a-65093b32bb38
DisplayName : AzureLockbox
ApplicationId : 01fc33a7-78ba-4d2f-a4b7-768e336e890e
DisplayName : MS-PIM
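The steps above, put together as one script that connects, selects the subscription, registers both service principals while treating the "already exists" error as success, and then verifies that both principals are present before declaring Lockbox enabled. This is an added example and not the original post's code; it assumes the AzureRM module (6.10 or later) is installed and that the tenant and subscription IDs are replaced with your own values. The two application IDs and display names are the ones given in the post.

```powershell
# Added example (not from the original post): enable Customer Lockbox for Azure
# by registering the two Microsoft first-party applications as service principals
# in your tenant, then verifying the result. Requires the AzureRM module (6.10+)
# and an account with rights to create service principals (e.g. Global Administrator).

# Placeholders: replace with your own tenant and subscription IDs
$tenantId       = "<your tenant ID>"
$subscriptionId = "<subscription ID to use>"

# Application IDs of the two first-party apps named in the post
$lockboxApps = @{
    "AzureLockbox" = "a0551534-cfc9-4e1f-9a7a-65093b32bb38"
    "MS-PIM"       = "01fc33a7-78ba-4d2f-a4b7-768e336e890e"
}

Connect-AzureRmAccount -TenantId $tenantId | Out-Null
Select-AzureRmSubscription -TenantId $tenantId -SubscriptionId $subscriptionId | Out-Null

foreach ($name in $lockboxApps.Keys) {
    $appId = $lockboxApps[$name]
    try {
        New-AzureRmADServicePrincipal -ApplicationId $appId -ErrorAction Stop | Out-Null
        Write-Host "Created service principal for $name ($appId)"
    }
    catch {
        # The post notes this error is expected when the principal already exists
        if ($_.Exception.Message -match "servicePrincipalNames already exists") {
            Write-Host "Service principal for $name already exists, skipping"
        }
        else {
            # Any other failure (permissions, connectivity) should stop the script
            throw
        }
    }
}

# Verify: both principals must be present before Lockbox requests can reach you
$present = Get-AzureRmADServicePrincipal |
    Where-Object { $lockboxApps.Values -contains $_.ApplicationId }
$present | Select-Object ApplicationId, DisplayName | Format-Table -AutoSize

$missing = $lockboxApps.Values | Where-Object { $_ -notin $present.ApplicationId }
if ($missing) {
    Write-Warning "Customer Lockbox is NOT fully enabled; missing principal(s): $($missing -join ', ')"
}
else {
    Write-Host "Customer Lockbox for Azure is enabled in tenant $tenantId"
}
```

The verification step matters: if only one of the two principals exists, the portal blade may appear but requests will not be routed for your approval, so the script treats a partial result as a failure rather than printing the table and stopping. If you are on the newer Az module instead of AzureRM, the equivalent cmdlets are Connect-AzAccount, Select-AzSubscription, New-AzADServicePrincipal and Get-AzADServicePrincipal with the same -ApplicationId values.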
That's it: Customer Lockbox for Azure VMs is now enabled.
You can now use the Azure portal to review (and approve or deny) access requests by searching for "Customer Lockbox for Microsoft Azure".
Of course, you do not need to continuously check the portal. Global Administrator accounts are notified by email each time a request is made.