Microsoft today announced Customer Lockbox, a new feature for several of its products that will give Office 365 commercial users more control over access to their content by Microsoft employees.

Microsoft also said it’s bringing more powerful encryption capability to portions of Office 365.

Customer Lockbox, for its part, could help Microsoft — one of several companies said to be participating in the PRISM program, according to documents leaked in 2013 — make customers feel better about using a cloud service.

Microsoft already has approval processes — under the name Lockbox — in place internally, and now customers are being brought into the loop.

“When the customer gets the request for access, they can scrutinize the request and either approve or reject it,” senior product marketing manager Vijay Kumar and Office 365 security team principal program manager Raji Dani wrote in a blog post today. “Until the request is approved, the Microsoft engineer will not be granted access.”

The new feature will become available for Exchange Online by the end of this year, and SharePoint Online will get it by the first quarter of next year, they wrote.

Requests through the new program will have a lifetime of 12 hours by default. After that, they’ll expire, and a Microsoft employee won’t be granted access to content they want to inspect. Customer Lockbox activity will be included in Office 365 Activity Logs, Dani and Kumar wrote.

The Customer Lockbox announcement was one of several Microsoft made today in conjunction with the RSA security conference happening in San Francisco this week.

Also announced today: new levels of encryption for email in Office 365, including giving users control over their own encryption keys for the suite of cloud software. In a separate blog post, Office 365 corporate vice president Rajesh Jha provides some detail on the upgrades:

Today, Office 365 encrypts customer content at rest and in transit. In addition, Office 365 has a number of customer-controlled encryption solutions such as Rights Management, S/MIME and Office 365 Message Encryption. In 2014, in addition to BitLocker for drive level encryption, we implemented content level encryption with per-file encryption for documents in SharePoint Online and OneDrive for Business.

In the next few months, we will add a similar content level encryption for email in Office 365. Implementing this feature will increase the separation of server administration from the data stored in Office 365, resulting in an added layer of security. This new layer of content level encryption uses keys that are protected using hardware security modules certified to FIPS 140-2 Level 2. This new advanced encryption for email will be provided in Office 365 by the end of 2015.