What is Microsoft 365 Lighthouse?
- A cloud-based service that helps MSPs deliver security and device management for SMBs using Microsoft 365.
- A single dashboard that provides visibility and control over multiple tenants and devices.
- A way to simplify and streamline the management of Microsoft 365 subscriptions.
Why is it important for MSPs and SMBs?
- MSPs face challenges in managing multiple clients, ensuring security and compliance, and delivering value-added services.
- SMBs need reliable and secure IT solutions that enable productivity, collaboration, and growth.
- Microsoft 365 Lighthouse helps MSPs and SMBs address these challenges and opportunities by providing:
  - A unified and consistent experience across tenants and devices.
  - A set of best practices and recommendations for security and device management.
  - A way to monitor and remediate issues, alerts, and policies.
  - A way to optimize costs and resources.
What are the benefits and features of Microsoft 365 Lighthouse?
- Improve operational efficiency and scalability.
- Enhance customer satisfaction and retention.
- Grow revenue and profitability.
- Improve security and compliance posture.
- Enhance productivity and collaboration.
- Reduce IT complexity and costs.
- Security posture management: View and manage the security posture of multiple tenants and devices, including security score, device compliance, and threat protection.
- Device management: View and manage the device inventory, configuration, and update status of multiple tenants and devices, including device actions, device health, and device compliance.
- User management: View and manage the user accounts, licenses, and groups of multiple tenants, including user actions, user roles, and user status.
- Alerts and remediation: View and manage the alerts and issues of multiple tenants and devices, including alert severity, alert status, and alert resolution.
- Policies and settings: View and manage the policies and settings of multiple tenants and devices, including device configuration policies, device compliance policies, and security policies.
Before you can use Microsoft 365 Lighthouse, you need to meet the following requirements:
- You must be a Microsoft partner with an active Microsoft Partner Network (MPN) ID and a valid Microsoft Cloud Agreement.
- You must have granular delegated admin privileges (GDAP) for the customer tenants that you want to manage through Microsoft 365 Lighthouse.
Microsoft 365 Lighthouse permissions are primarily managed by the following:
- Lighthouse role-based access control (RBAC) in the partner tenant
- Granular Delegated Admin Privileges (GDAP) in the customer tenant
IMPORTANT: To use Lighthouse, you need a combination of roles assigned via RBAC and GDAP, including the Global Reader role in the GDAP tenant. You also need to have a valid Microsoft 365 license assigned to your account. These permissions allow you to access the Microsoft 365 Lighthouse portal and perform actions such as assigning and removing baselines, viewing tenant health and security scores, and managing alerts and incidents. For more details on the required permissions and roles, please see https://learn.microsoft.com/en-us/microsoft-365/lighthouse/m365-lighthouse-overview-of-permissions?view=o365-worldwide
- You must register for Microsoft 365 Lighthouse and onboard your customer tenants using the Partner Center.
Implementing baselines across multiple tenants
One of the key features of Microsoft 365 Lighthouse is the ability to apply security and device management baselines to multiple customer tenants at once. Baselines are predefined sets of policies and settings that help you enforce best practices and compliance standards for your customers. You can use the default baselines provided by Microsoft or customize them to suit your needs.
To implement baselines across multiple tenants, you need to follow these steps:
- Log in to the Microsoft 365 Lighthouse portal with your MSP credentials.
- Select the Baselines tab from the left navigation pane.
- Choose the type of baseline you want to apply: Security baseline or Device management baseline.
- Select the baseline you want to use: Default or Custom.
- Select the tenants you want to apply the baseline to. You can filter by tenant name, status, or subscription.
- Review the baseline details and settings and click Apply.
You can monitor the progress and status of the baseline implementation from the Baselines tab. You can also view the baseline compliance and remediation reports for each tenant from the Customers tab.
Creating custom baselines
If the predefined baselines do not meet your needs, you can create your own custom baselines based on the best practices and standards of your industry or organization. To create a custom baseline, follow these steps:
- From the Baselines tab, click Create baseline.
- Enter a name and description for your custom baseline.
- Create a new task as part of the new baseline; use import from existing baseline.
- Choose the settings and policies you want to apply to your custom baseline. You can select from the available categories, such as security, identity, networking, storage, and so on. You can also customize the parameters and thresholds for each setting and policy.
- Review your custom baseline and click Save.
You can edit or delete your custom baselines at any time from the Baselines tab. You can also apply your custom baselines to new or existing tenants from the Customers tab.
Applying baselines to groups of tenants
If you want to apply the same baseline settings and policies to multiple tenants, you can create or use a group of tenants. A group of tenants is a collection of tenants that share some common characteristics, such as location, industry, size, or service level. You can create groups of tenants by tagging.
To apply a baseline to a group of tenants, follow these steps:
- Create a tag and then assign it to tenants.
- Click on the Baseline button and choose the baseline you want to apply from the drop-down menu. You can choose from the default baseline or any of your custom baselines.
- Confirm your selection and click Apply. The baseline settings and policies will be applied to all the tenants in the group. You can monitor the progress and status of the baseline application from the Baseline History tab.
- If you want to apply a different baseline to the group, you can go back to the Baseline button and choose Assign Baseline. You can also create your own custom baseline by clicking on the Create Baseline button.
Note: Microsoft 365 Lighthouse is still in development and some of the documentation may not reflect the current features or functionality. Always test and review the results of applying a baseline in your own Lighthouse environment, with demo tenants, before rolling out to production tenants. This blog was accurate at the time of writing, 24/5/24.