Microsoft already has a very secure process about when and how support staff may access your Office 365 tenant data. Here’s a great video that explains this:
The recent addition of Customer Lockbox provides additional control for the customer.
Basically, once Customer Lockbox has been enabled the user has the final say over when and for how long Microsoft may access the tenant data to provide support.
To enable Customer Lockbox you’ll need to have the appropriate license (i.e. the new E5 SKU includes Customer Lockbox for example), then you’ll need to login as an administrator to the Office 365 admin center.
If you then locate and expand the Service Settings option on the left hand side of the screen, you should see the list shown above. In the list is the option Customer Lockbox, which you should select.
Now on the right you should see the above screen. To eanble Customer Lockbox simply change the switch to ON (i.e. move to right).
You’ll then receive the above warning. Select Yes to enable.
You should now see that Customer Lockbox is enabled as shown above.
To find out more about Customer Lockbox visit:
and note once Customer Lockbox has been enabled:
If a content access request is denied or isn't approved within 12 hours, the request expires. If this happens, you might continue to experience a specific service issue that could be resolved by allowing an engineer to access the content. We'll (Microsoft) let you know if this happens.
So in summary, Customer Lockbox is a feature you can add on to Office 365 to prevent Microsoft accessing your data with out your specific permission once enabled.
Here is also an overview video from Microsoft: