Power Platform Customer Lockbox
Query
PowerPlatformAdminActivity
| where EventOriginalType == "TenantLockboxOperation"
| where EventResult == "Succeeded"
| where Properties.["powerplatform.analytics.activity.name"] == "TenantLockboxOperation"
| extend LockBoxEnabled = tostring(Properties.["powerplatform.analytics.resource.tenant.is_lockbox_enabled"])
| project TimeGenerated, ActorName, ActorUserId, LockBoxEnabledAbout this query
Power Platform - Customer Lockbox
Query Information
Description
This query retrieves events for enabling or disabling Power Platform Customer Lockbox.
References
Author
- Alex Verboon
Defender XDR
CloudAppEvents
| where ActionType == "TenantLockboxOperation"
| where parse_json(tostring(RawEventData.JsonPropertiesCollection)).["powerplatform.analytics.activity.name"] == "TenantLockboxOperation"
| extend LockBoxEnabled = tostring(parse_json(tostring(RawEventData.JsonPropertiesCollection)).["powerplatform.analytics.resource.tenant.is_lockbox_enabled"])
| project TimeGenerated, AccountDisplayName, LockBoxEnabled
Explanation
This KQL query is designed to track events related to the enabling or disabling of the Customer Lockbox feature in Power Platform. Here's a simplified breakdown of what the query does:
-
Data Source: The query pulls data from two sources:
PowerPlatformAdminActivityandCloudAppEvents. -
Event Filtering:
- It specifically looks for events where the type is "TenantLockboxOperation" and the result is "Succeeded". This means it only considers successful operations related to the Customer Lockbox.
- For
CloudAppEvents, it parses the JSON data to filter events with the same "TenantLockboxOperation" activity name.
-
Data Extraction:
- It extracts the status of the Customer Lockbox (whether it is enabled or not) from the event properties.
- It also retrieves the time the event was generated and the name or ID of the user who performed the action.
-
Output:
- The query outputs a list of events showing when the Customer Lockbox was enabled or disabled, who performed the action, and whether the lockbox is currently enabled.
This query is useful for administrators who want to monitor changes to the Customer Lockbox settings in their Power Platform environment, ensuring that only authorized changes are made and tracking who made those changes.
Details

Alex Verboon
Released: April 20, 2026
Tables
PowerPlatformAdminActivityCloudAppEvents
Keywords
PowerPlatformAdminActivityCloudAppEventsEventOriginalTypeEventResultPropertiesTimeGeneratedActorNameActorUserIdLockBoxEnabledActionTypeRawEventDataJsonPropertiesCollectionAccountDisplayName
Operators
where==extendtostringprojectparse_json