Azure is very user-friendly and has plenty of documentation that users can read and understand very easily. As an administrator, you might find ample knowledge to handle the situations that can disturb the live systems at times. There are clear guidelines for troubleshooting most of the issues that come in. You have proper UI, if not logs that can be accessed via scripts.
But after all, cloud is someone else's computer. In Azure's case, it is Microsoft's. So there can be situations where all those lengthy detailed documentations that are provided by Microsoft can also not be enough to handle some situations. But these instances are very rare.
So, what can you do? Call a human? May be a super human, likely come in as a Microsoft Support Engineer.
A Microsoft Support Engineer might need to access your portal content, may be data to resolve the issue.
The Support Engineer will make a request to access data in your subscription. When they do, they will appear in the Customer LockBox. They do not need to access all the services on your subscription to fix that issue. Also this does not mean you need to share the subscription access for days and forget to revoke the access once the engineer task is completed.
Customer Lockbox allows setting access that is time-bound and limited to the particular service. For example, you may allow an Azure WebApp to be accessed by the support engineer between 7pm to 9pm your local time for resolving an issue. How easy is that? If the time is not enough, the engineer can make another request.
|Source: Azure Blog|
The whole process is audited and the customer has visibility over the process to best possible extent. It works like an activity log. The entire Customer Lockbox activity will be available in Azure Portal.
The full article including how to enable the Customer Lockbox with commands is Microsoft Azure blog can be found here.