
Despite assurances, some customers are worried that Microsoft support engineers or operators might have unfettered access to their data in the cloud. We can use bring-your-own-key encryption, such as BitLocker inside of Azure virtual machines, but that extreme action can have negative side effects.
Office 365 has an opt-in feature called Customer Lockbox. This lockbox concept is not new – some of you working in controlled environments probably experience something like this:
The Lockbox concept in Office 365 works as follows:
This feature is being brought to Azure, starting with a preview for Azure virtual machines:
Granting Microsoft access via the Customer Lockbox for Azure [Image Credit: Microsoft]
Customer Lockbox is disabled by default and you must opt into this lockdown feature. Enablement is done on a per-tenant basis using AzureRM PowerShell cmdlets. If you have access to multiple tenants then you will need to identify the Tenant ID of the required Azure AD domain. You can select the correct tenant by doing the following:
Tip: Make sure you have updated to the latest version of the AzureRM PowerShell modules first!
Log into Azure using PowerShell:
Login-AzureRmAccount
Choose the correct tenant and subscription ID:
Select-AzureRmSubscription -TenantID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -SubscriptionID "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Now you will create two Service Principals (SPN) in Azure AD; the first is the Customer Lockbox Service Principal – type it exactly as shown:
New-AzureRmADServicePrincipal -ApplicationID a0551534-cfc9-4e1f-9a7a-65093b32bb38
The second SPN is for PIM:
New-AzureRmADServicePrincipal -ApplicationID 01fc33a7-78ba-4d2f-a4b7-768e336e890e
Note that if PIM was previously enabled in the tenant then you might get this error, so don’t worry about it:
New-AzureRmADServicePrincipal : Another object with the same value for property servicePrincipalNames already exists.
Now you can verify the SPNs:
Get-AzureRmADServicePrincipal | ? { $_.applicationID -match "a0551534-cfc9-4e1f-9a7a-65093b32bb38"}
That should return something like:
ServicePrincipalNames : {a0551534-cfc9-4e1f-9a7a-65093b32bb38}
ApplicationId : a0551534-cfc9-4e1f-9a7a-65093b32bb38
DisplayName : AzureLockbox
Id : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AdfsId :
Type : ServicePrincipal
Get-AzureRmADServicePrincipal | ? { $_.applicationID -match "01fc33a7-78ba-4d2f-a4b7-768e336e890e"}
And that should return something like:
ServicePrincipalNames : {01fc33a7-78ba-4d2f-a4b7-768e336e890e, https://api.aadr.mspim.azure.com/, https://api.azrbac.mspim.azure.com/, https://mspim.onmicrosoft.com/}
ApplicationId : 01fc33a7-78ba-4d2f-a4b7-768e336e890e
DisplayName : MS-PIM
Id : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AdfsId :
Type : ServicePrincipal
With the above confirmed, you have enabled the preview of Customer Lockbox for Azure virtual machines.
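As an added example (not the article's own script), the steps above combined into one idempotent PowerShell run: it skips service principals that already exist, treats the "already exists" error for the PIM SPN as benign as the article describes, and fails loudly if either SPN is still missing at the end. The tenant and subscription IDs are placeholders you must replace.

```powershell
# Added example, not from the original article: idempotent enablement of the
# Customer Lockbox for Azure preview using the AzureRM cmdlets shown above.
$TenantId       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder: your Azure AD tenant
$SubscriptionId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder: your subscription

# Application IDs taken from the article: Customer Lockbox and MS-PIM.
$RequiredSpns = @{
    "AzureLockbox" = "a0551534-cfc9-4e1f-9a7a-65093b32bb38"
    "MS-PIM"       = "01fc33a7-78ba-4d2f-a4b7-768e336e890e"
}

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -TenantId $TenantId -SubscriptionId $SubscriptionId | Out-Null

# Snapshot existing service principals once; the loop filters locally.
$existing = Get-AzureRmADServicePrincipal

foreach ($name in $RequiredSpns.Keys) {
    $appId = $RequiredSpns[$name]
    $found = $existing | Where-Object { $_.ApplicationId -eq $appId }
    if ($found) {
        Write-Host "$name SPN already present (object id $($found.Id)); skipping."
        continue
    }
    try {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $appId -ErrorAction Stop
        Write-Host "Created $name SPN with object id $($sp.Id)"
    }
    catch {
        # The PIM SPN raises this when PIM was enabled earlier; the article
        # says this is expected, so only rethrow any other failure.
        if ($_.Exception.Message -match 'servicePrincipalNames already exists') {
            Write-Host "$name SPN already registered in Azure AD; continuing."
        } else { throw }
    }
}

# Final verification: both application IDs must now resolve to an SPN.
$missing = foreach ($name in $RequiredSpns.Keys) {
    $appId = $RequiredSpns[$name]
    if (-not (Get-AzureRmADServicePrincipal | Where-Object { $_.ApplicationId -eq $appId })) { $name }
}
if ($missing) { throw "Lockbox enablement incomplete; missing SPN(s): $($missing -join ', ')" }
Write-Host "Customer Lockbox for Azure VM preview prerequisites are in place."
```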
More from Aidan Finn
Copyright ©2019 BWW Media Group