Microsoft 365 Lighthouse for MSPs

Microsoft 365 Lighthouse is the multi-tenant management portal for managed service providers running many SMB tenants.

Microsoft 365 Lighthouse is the multi-tenant management portal designed for Managed Service Providers (MSPs) running Microsoft 365 for many small and mid-size customers. It gives a single pane of glass across all the tenants an MSP manages, surfaces deviation from security baselines, and supports standardised remediation at scale.

What Lighthouse provides

For an MSP managing dozens or hundreds of SMB tenants:

  • Unified tenant list with health, alerts, security posture, and deployment status per tenant.
  • Baselines — standard configurations the MSP wants applied across all customers (MFA enforced, Conditional Access policies, Intune compliance, etc.). Lighthouse flags deviations.
  • Cross-tenant alerts — Defender XDR-style incident view across the entire customer base.
  • Bulk actions — apply a configuration change across many tenants with one click.
  • Tenant onboarding wizard — standardised setup for new tenant additions.
  • User insights at a tenant level — risky users, sign-in failures, anomalies.
  • Reporting suitable for monthly customer business reviews.

Who Lighthouse is for

  • CSP partners (Cloud Solution Provider) — Microsoft's reseller channel.
  • MSPs managing Microsoft 365 for many SMB customers.
  • Internal IT in conglomerates running many tenants (less common, but works).

Lighthouse is not for enterprise IT managing a single large tenant — for that use case, the standard admin centers are richer. Lighthouse trades depth for breadth.

Tenant requirements

For Lighthouse to manage a customer tenant, the customer needs:

  • Microsoft 365 Business Premium or higher (lower SKUs don't qualify).
  • Or specific Microsoft 365 E3 / E5 SKUs.
  • A CSP relationship with the MSP, or appropriate GDAP (Granular Delegated Admin Privileges) roles.

GDAP replaced the older DAP (Delegated Admin Privileges) model, which gave partners broad Global Admin rights across customer tenants. GDAP scopes the partner's access to specific Entra ID roles and makes it time-bound, which is much safer.
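
One way to check the scoped, time-bound properties described above across a partner's relationships, as an added example that is not from the original page or from Microsoft. It assumes records shaped like Microsoft Graph's delegatedAdminRelationship resource; the sample customers, the placeholder role ID and the 180-day threshold are constructed assumptions.

```python
import re

# Entra ID role template ID for Global Administrator.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SCOPED_ROLE = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
MAX_DAYS = 180  # hypothetical MSP policy threshold, not a Microsoft limit

def rel(customer, status, duration, roles, auto_extend="PT0S"):
    """Build a constructed record using delegatedAdminRelationship field names."""
    return {
        "customer": {"displayName": customer},
        "status": status,
        "duration": duration,               # ISO 8601, e.g. "P90D"
        "autoExtendDuration": auto_extend,  # "PT0S" means no auto-extend
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]},
    }

# Constructed sample data; the customer names are not real tenants.
SAMPLE = [
    rel("Contoso", "active", "P90D", [SCOPED_ROLE]),
    rel("Fabrikam", "active", "P730D", [GLOBAL_ADMIN, SCOPED_ROLE]),
    rel("Northwind", "active", "P180D", [SCOPED_ROLE], auto_extend="P180D"),
    rel("Tailspin", "terminated", "P730D", [GLOBAL_ADMIN]),
]

def audit(relationships, max_days=MAX_DAYS):
    """Return (customer, finding) pairs for active relationships outside policy."""
    findings = []
    for r in relationships:
        if r["status"] != "active":
            continue  # ended relationships grant no access
        name = r["customer"]["displayName"]
        roles = {x["roleDefinitionId"] for x in r["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            findings.append((name, "global-admin"))  # DAP-style broad access
        days = re.fullmatch(r"P(\d+)D", r["duration"])
        if days is None:
            findings.append((name, "unparsed-duration"))  # review by hand
        elif int(days.group(1)) > max_days:
            findings.append((name, "long-duration"))
        if r.get("autoExtendDuration", "PT0S") != "PT0S":
            findings.append((name, "auto-extend"))  # renews without review
    return findings

if __name__ == "__main__":
    for customer, finding in audit(SAMPLE):
        print(f"{customer}: {finding}")
```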

Operational model

An MSP running Lighthouse typically:

  1. Defines a baseline — what every managed tenant should have configured (MFA, CA policies, Intune compliance, Defender baselines).
  2. Onboards tenants through the wizard, with the baseline applied automatically.
  3. Monitors daily for deviations and alerts.
  4. Remediates from Lighthouse when possible, or pivots into the specific tenant's admin center for deeper work.
  5. Reviews monthly with customers using Lighthouse reports.

This standardisation is the main value: instead of managing each customer's tenant in isolation, the MSP runs the fleet with consistent practices.

What Lighthouse doesn't do

  • It's not a SIEM — security signals exist, but they don't support analyst-grade hunting.
  • It's not a full admin replacement — for deep configuration, you still go into the tenant's admin centers.
  • It's not for end-user activities — it's for the MSP's IT operations team.

Cost

Lighthouse is free for partners — no per-tenant or per-user cost. The qualifying customer SKU is the constraint.

For MSPs serious about Microsoft 365 as a managed service, Lighthouse is essentially mandatory. Operating dozens of tenants without it isn't a sustainable model.