Power Platform Customer Lockbox

# Power Platform - Customer Lockbox ![KQL](https://img.shields.io/badge/language-KQL-blue.svg) ![Status: Testing](https://img.shields.io/badge/status-testing-blue.svg) ## Query Information ### Description This query retrieves events for enabling or disabling Power Platform Customer Lockbox. #### References - [Securely access customer data by using Customer Lockbox in Power Platform and Dynamics 365](https://learn.microsoft.com/en-us/power-platform/admin/about-lockbox) ### Author - **Alex Verboon** ## Defender XDR ```kql PowerPlatformAdminActivity | where EventOriginalType == "TenantLockboxOperation" | where EventResult == "Succeeded" | where Properties.["powerplatform.analytics.activity.name"] == "TenantLockboxOperation" | extend LockBoxEnabled = tostring(Properties.["powerplatform.analytics.resource.tenant.is_lockbox_enabled"]) | project TimeGenerated, ActorName, ActorUserId, LockBoxEnabled ``` ```kql CloudAppEvents | where ActionType == "TenantLockboxOperation" | where parse_json(tostring(RawEventData.JsonPropertiesCollection)).["powerplatform.analytics.activity.name"] == "TenantLockboxOperation" | extend LockBoxEnabled = tostring(parse_json(tostring(RawEventData.JsonPropertiesCollection)).["powerplatform.analytics.resource.tenant.is_lockbox_enabled"]) | project TimeGenerated, AccountDisplayName, LockBoxEnabled ```

Explanation

This KQL query is designed to track events related to the enabling or disabling of the Customer Lockbox feature in Power Platform. Here's a simplified breakdown of what the query does:

Data Source: The query pulls data from two sources: PowerPlatformAdminActivity and CloudAppEvents.
Event Filtering:
- It specifically looks for events where the type is "TenantLockboxOperation" and the result is "Succeeded". This means it only considers successful operations related to the Customer Lockbox.
- For CloudAppEvents, it parses the JSON data to filter events with the same "TenantLockboxOperation" activity name.
Data Extraction:
- It extracts the status of the Customer Lockbox (whether it is enabled or not) from the event properties.
- It also retrieves the time the event was generated and the name or ID of the user who performed the action.
Output:
- The query outputs a list of events showing when the Customer Lockbox was enabled or disabled, who performed the action, and whether the lockbox is currently enabled.

This query is useful for administrators who want to monitor changes to the Customer Lockbox settings in their Power Platform environment, ensuring that only authorized changes are made and tracking who made those changes.

Details

Alex Verboon

Released: April 20, 2026

Tables

PowerPlatformAdminActivityCloudAppEvents

Keywords

PowerPlatformAdminActivityCloudAppEventsEventOriginalTypeEventResultPropertiesTimeGeneratedActorNameActorUserIdLockBoxEnabledActionTypeRawEventDataJsonPropertiesCollectionAccountDisplayName

Operators

where==extendtostringprojectparse_json

KQL Search