Microsoft 365 Lighthouse is a solution designed to simplify and optimize security and compliance management for managed service providers (MSPs) and organizations that use Microsoft 365. This tool allows you to centralize the monitoring, automation, and control of security configurations in multi-tenant environments, offering greater visibility over managed resources. In this article, we take a closer look at what it is, what its features are, and the requirements for its use.
Managed Service Providers often reach a point where switching from one tenant to another for each customer becomes impractical and time-consuming. In addition, there are several settings common to all customers, such as security baselines and endpoint configurations.
Several solutions can assist with this task, including Remote Monitoring and Management (RMM) tools. However, if the goal is to have a highly consolidated Microsoft ecosystem, Microsoft offers its own alternative to using another provider for infrastructure management: Microsoft 365 Lighthouse.
Lighthouse is a unified portal created to aggregate all managed tenants in a single console and combine them with the telemetry data that has already been collected. It helps managed service providers protect devices, data and users at scale for small and medium-sized business customers that use Microsoft 365 Business Premium.
Before we start talking about Lighthouse's features, let's take a second for a brief review.
What is an RMM? An acronym for Remote Monitoring and Management, an RMM is a platform or software used primarily by IT service providers (MSPs) to remotely monitor and manage their customers' devices and networks. With an RMM, technicians can control computers, servers, and other connected devices without having to be physically present.
Microsoft 365 Lighthouse helps managed service providers (MSPs) grow their business and provide services to customers at scale through a single RMM portal. With it, they can standardize configurations, manage risks and interact with their tenants quickly and efficiently, anticipating customers' needs and maximizing their investment in Microsoft 365.
The portal not only simplifies tenant on-boarding, but it also helps MSPs by recommending security configurations optimized for SMEs and providing cross-management overviews of their customers' environments, as well as allowing partners to quickly identify and act on threats, abnormal accesses and device compliance alerts.
You can configure a series of action-oriented dashboards on the homepage that allow you to identify and focus on priority customers and also provide quick contextual links to configuration, settings and documentation pages that would otherwise take a long time to navigate.
For MSPs with delegated administrative privileges (DAP), Lighthouse simplifies the integration of customer tenants by recommending customized basic security configurations for small and medium-sized businesses (SMBs) and providing a multi-tenant view of all customer environments. With Lighthouse, service engineers can scale their customer management, focus on what's most important, quickly identify risks, and take action to bring customers to a state of security and stability.
Lighthouse also offers functionality for account managers. With the information generated by AI, Lighthouse provides proactive, practical, and personalized recommendations to help acquire new customers, improve loyalty, and expand business with premium offers.
Lighthouse helps MSPs grow securely and manage Microsoft 365 services and connected endpoints at scale through:
Now that we have a better idea of what Microsoft 365 Lighthouse is and what its features are, it's time to discuss requirements.
In fact, there are some requirements that need to be met in order to adopt it and take full advantage of it.
The last three points on the list of requirements will not prevent the use of Microsoft 365 Lighthouse, but they could significantly limit its functionality, such as user management, device monitoring, threat management, etc.
Microsoft 365 Lighthouse is free for Microsoft partners using Microsoft 365.
It has no direct additional costs for use, as it is included for partners who have customers with Microsoft 365 Business Premium, Microsoft 365 E3 or higher licenses. However, partners must be enrolled in the Cloud Solution Provider (CSP) program in order to use Lighthouse, so the costs depend on the type of Microsoft 365 licenses used by customers.
Lighthouse is free to use because it is part of Microsoft's strategy to support partners who manage multi-tenant environments for small and medium-sized businesses. As a tool intended for managed service providers (MSPs) that use Microsoft 365, Microsoft's goal is to encourage the adoption of Microsoft 365 Business Premium and E3 licenses, creating value for partners at no additional cost.
Microsoft offers Lighthouse for free to encourage the adoption of Microsoft 365 among SMEs, making managing security, policies, and users easier for MSPs. This allows Microsoft to expand its customer base through partners, who benefit from efficient and integrated tools.
After features and requirements, it is time to move forward in our overview of Microsoft 365 Lighthouse with a short guided exploration of the portal, in order to better understand its structure and functionality.
So let's head to https://lighthouse.microsoft.com and log in with an account in our MSP tenant that has Global Admin credentials and MFA enabled. If your account doesn't have MFA enabled, you'll need to enable it before you can log in.
If you find all this a bit cumbersome, consider that with Lighthouse you are accessing all your tenants in one place, so enforcing MFA is essential. The suggestion in this case is also to limit access to Lighthouse to approved, locked-down administrative workstations, something that can be done using the Conditional Access functions in Azure AD (AAD).
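An added example, not part of the original article or of Microsoft's tooling: one way to check that sign-ins to Lighthouse actually meet the MFA and approved-workstation rules described above, run over constructed records shaped like Microsoft Graph sign-in log entries. The app display name, users and device names are assumptions, and "approved workstation" is modelled here as a managed, compliant device.

```python
LIGHTHOUSE_APP = "Microsoft 365 Lighthouse"  # assumed appDisplayName value

# Constructed sample records, shaped like Microsoft Graph signIn objects
# (only the fields read below). Users and device names are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@msp.example", "appDisplayName": LIGHTHOUSE_APP,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"displayName": "PAW-01", "isCompliant": True, "isManaged": True}},
    {"userPrincipalName": "bob@msp.example", "appDisplayName": LIGHTHOUSE_APP,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"displayName": "", "isCompliant": None, "isManaged": None}},
    {"userPrincipalName": "carol@msp.example", "appDisplayName": LIGHTHOUSE_APP,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"displayName": "HOME-LAPTOP", "isCompliant": False, "isManaged": False}},
    {"userPrincipalName": "bob@msp.example", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {}},
]


def audit_signin(record):
    """Return the list of rule violations for one sign-in record."""
    findings = []
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        findings.append("no MFA requirement")
    if record.get("conditionalAccessStatus") != "success":
        findings.append("no Conditional Access policy enforced")
    device = record.get("deviceDetail") or {}
    # Missing or null device fields are treated as non-compliant (fail closed).
    if not (device.get("isManaged") is True and device.get("isCompliant") is True):
        findings.append("device not managed and compliant")
    return findings


def audit_lighthouse(signins, app_name=LIGHTHOUSE_APP):
    """Map user -> sorted violations, for sign-ins to the Lighthouse app only."""
    report = {}
    for rec in signins:
        findings = audit_signin(rec) if rec.get("appDisplayName") == app_name else []
        if findings:
            report.setdefault(rec["userPrincipalName"], set()).update(findings)
    return {user: sorted(problems) for user, problems in report.items()}


if __name__ == "__main__":
    print(audit_lighthouse(SAMPLE_SIGNINS))
```

A user who appears in the report reached Lighthouse at least once outside the intended policy, which usually means the Conditional Access policy does not cover that account or that app.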
According to Microsoft, the process of entering tenants could take up to 48 hours before customer data starts to appear in the portal but, generally, the average time does not exceed two hours.
On the Home page there is an overview of your customers, with panels for threats (Defender Antivirus), devices with Defender installed, users at risk and device compliance. You can filter this overview with the Tenant button at the top left.
The User Management section allows administrators to monitor and manage user accounts across tenants.
When you access the risk users panel, you are redirected to the Lighthouse Users section, where four tabs show the accounts marked as risky and their current status (At risk or resolved).
By clicking on View Risk Detections for an individual account, you are redirected to the AAD portal for that tenant to investigate the risk. The Multi-Factor Authentication tab shows the status of the tenant for enabling MFA and users not registered for MFA.
In contrast, the Password Reset tab shows the status of the tenants and accounts for self-resetting the password (SSPR). You can also search through all the usernames and, when you find a specific user, reset their password or block access.
Resetting a password is a very common action for MSP support staff. Instead of logging into a customer's tenant, finding the user and then resetting the password, you can do it here for any user.
Clicking on one of the Threat or Antivirus panels takes you to the threat management area, where an overview tab shows the threats (active, mitigated or resolved), the devices without Defender AV and the devices that are overdue for a scan.
The Threats tab shows a list of active, mitigated, resolved, and allowed threats, while the Antivirus Protection tab shows a list of devices, their status, whether the AV is up to date, the status of real-time protection, and whether quick or full scans are due.
If you see orange warning signs next to the items on the list, it means that the particular item requires a scan or is currently affected by a threat.
Note that it is also possible to select multiple devices at the same time and start scans on all of them or even restart them all at once. You can also filter the display of devices based on device status, threat protection, update status, and any overdue scans.
The Devices area has four tabs: Overview shows the devices managed by compliance policies in MEM (Microsoft Endpoint Manager), while the Devices tab shows the compliance status for each device, with the possibility of filtering the view based on whether the device is corporate or personal, the operating system used and its status. The Policies tab synchronizes from MEM, while the Settings tab shows non-compliant settings across tenants.
You can also click on an individual device to view details and follow a link to see it in the full Endpoint Manager console.
The Tenant section shows, as you can easily guess from the name, tenants, including those that are not eligible for Lighthouse (for example, because they are not licensed for Microsoft 365 Business Premium) or those that have not yet granted delegated admin privileges. You can create and assign tags to various tenants as a way to organize them.
There are two specific role-based access control (RBAC) roles associated with Microsoft 365 Lighthouse: Administrator and Helpdesk Agent. The former has permission to change most of the settings, while the latter can view everything, but can only reset passwords, block access and update customer contact/website details.
Microsoft recommends using Privileged Identity Management (PIM), a feature of Microsoft Entra ID, to enforce the principle of least privilege. In this way, a Helpdesk Agent may be eligible to become an Admin Agent, but must go through a PIM workflow, which may include entering a service ticket, approval by a supervisor, and completing MFA to temporarily obtain that permission, for a limited period of a few hours.
In the Baselines area, you can see the default baseline and apply it to customer groups.
Security baselines are a key feature in Lighthouse and are, in a nutshell, recommendations developed by Microsoft to configure security settings, in order to protect Microsoft 365 environments. There are six predefined baselines:
There are two other areas in Microsoft 365 Lighthouse: Windows 365 provides an overview of the Cloud PCs in your customers' tenants and their network connections to on-premises infrastructures.
The final area is Service Health, which shows alerts and incidents related to Teams, Microsoft 365, Exchange Online, and 20 other services. It is the same view present in the Microsoft 365 Administrative Center, but having it available here is extremely convenient and fits the idea of a single portal that centralizes all the functionality an MSP needs.
If you are an MSP, you fully understand how having a centralized solution for managing your tenants is now much more than a convenience, but a real necessity if you want them to operate in secure and uniform environments, without wasting incredible amounts of time and resources to make everything work.
Microsoft 365 Lighthouse, after its counterpart Azure Lighthouse (dedicated to the Redmond giant's cloud platform environments), is proposed to providers as the ideal answer to their needs, providing through its portal all the management and monitoring functions that an RMM should have.
With Lighthouse, providers can not only standardize configurations and manage risks, but also significantly improve the interactions with and management of their customers' tenants, allowing them to anticipate customers' needs and make the most of their investment in Microsoft 365 licenses.
The constant updates of the service by Microsoft will only expand and improve the functionality of the platform in the near future and the fact that it is also free no longer leaves any excuse not to try it and see if it can also meet your needs and those of your customers. So what are you waiting for?
Microsoft 365 Lighthouse is a free platform offered by Microsoft for managed service providers (MSPs), designed to simplify security and compliance management in customers' Microsoft 365 tenants. It allows monitoring, automating and intervening from a single centralized interface, facilitating the work of MSPs in multi-tenant environments.
It is designed specifically for Managed Service Providers who operate in the Cloud Solution Provider program and who manage customers with Microsoft 365 Business Premium or higher licenses. The platform is ideal for those who offer services to small and medium-sized businesses and who need to monitor multiple tenants at the same time.
No, Microsoft 365 Lighthouse is free for qualified Microsoft partners. Its use does not involve additional costs, provided that end customers use the expected Microsoft 365 licenses, such as Business Premium, E3 or E5. Access is included as part of Microsoft's strategy to encourage the adoption of its solutions among SMEs.
To use Lighthouse, the MSP must be enrolled in the CSP program as an indirect reseller or direct billing partner. Customer tenants must assign delegated administrative privileges (DAP or GDAP) and have at least one compatible license. Adopting advanced features such as device management, threat monitoring or risk analysis also requires Microsoft Defender Antivirus, Microsoft Endpoint Manager and Entra ID Premium P1. If these are not present, Lighthouse will still work but with limited functionality.
It does not completely replace them, but it represents a valid alternative integrated into the Microsoft ecosystem for those who prefer not to rely on external tools. It allows for an RMM-like experience when it comes to managing users, devices, and security configurations.
Generally, the data starts to appear in the portal within two hours of integrating a tenant, although Microsoft reports that in some cases it could take up to forty-eight hours.
Yes, to log in to Lighthouse it is required that the Global Admin account has MFA enabled. This requirement serves to ensure secure access, considering that the platform allows the direct management of multiple tenants.
Yes, it is advisable to configure conditional access in Azure AD to allow the use of the platform only from approved administrative locations, thus increasing the security of operations carried out by MSPs.
The portal includes a homepage with a summary of risks, devices, users, and compliance; a user management section with tools for MFA, license management, and password reset; a threat monitoring dashboard integrated with Microsoft Defender; a device area synchronized with Endpoint Manager; a section for viewing and organizing tenants; tools for applying security baselines recommended by Microsoft; and a centralized view of the status of Microsoft 365 services, such as Teams or Exchange Online.