Hello Partners!
My name is Lauren and I'm the new Microsoft Modern Workplace BDM at Dicker Data!
Previously I was the Modern Workplace Consultant for a Microsoft partner, where I led the implementation of Modern Work & Security solutions for a wide range of NZ-based customers. I have a good understanding of the challenges partners face and I'm looking forward to bringing this along with my technical experience to help support Dicker Data's partners in growing their M365 services.
I'm super excited to meet more partners over the next few weeks and will hopefully see you at TechX later this month.
In this blog, I'm going to do a deep dive into Microsoft 365 Lighthouse, which I have personally found to be very valuable for its multi-tenant management features.
Let's start with a recap on M365 Lighthouse. Announced at Inspire 2021 and made generally available in March this year, M365 Lighthouse aggregates user, device and other data from all qualifying tenants into a single, unified portal to help MSPs manage and secure their customers.
The key benefits of M365 Lighthouse are:
- Managing customers at scale
- Proactive risk management
- Improved security
- Standardised configuration
As indirect resellers, all Dicker Data Microsoft partners can access the M365 Lighthouse portal. Customer tenants that meet the below requirements qualify for Lighthouse and can be managed in the Lighthouse portal:
- Delegated access set up for the MSP (DAP or GDAP)
- Have at least one of the following licenses:
  - M365 Business Premium
  - M365 E3
  - M365 E5
  - Windows 365 Business
  - Microsoft Defender for Business
- Have fewer than 2,500 licensed users (the limit increased from 1,000 users in June)
- The device compliance and threat management capabilities are visible for devices enrolled in Microsoft Intune
Tenants
The Tenants window lists all your customer tenants and their Lighthouse onboarding status.
I recommend tagging your tenants based on their priority or support agreement. For example, if you have different levels of managed service plans, such as bronze, silver, and gold, you may include things like managing device compliance, inactive user audits, or managing risk detections in some of your managed service offerings. By creating tags that reflect your managed service plans, such as "Gold level" or "Unmanaged", your team will know which tenants to prioritise.
Risky Users
In M365 Lighthouse you can view all risky users from qualifying tenants in a single list, making it easier to proactively respond to risk events. While you can configure risky user email notifications in Azure AD, it requires Azure Active Directory P2, so Lighthouse provides MSPs a tool to detect and act on suspicious activity early, without the license uplift. I have previously stopped account breaches in the very early stages of the attack by proactively monitoring the risky sign-ins in M365 Lighthouse and taking immediate action on risky user detections to remediate the incident before further impact is caused.
Password Reset
In M365 Lighthouse you can perform password resets for all users in qualifying tenants, without the need to log in/log out of individual tenants. You can also see a list of your customer tenants and see how many users are enabled and registered for self-service password reset (SSPR).
Multifactor Authentication
In the multifactor authentication window, you can see which MFA method is enabled for each customer (Security Defaults or Conditional Access), or whether MFA is enabled via a method that isn't recommended (e.g. per-user MFA) or not enabled at all. This can help you keep track of the MFA deployment across the tenants you manage and identify which customers to work with to roll out MFA or move them to a recommended method.
For each tenant, you can also see a list of users who are not capable of MFA. You can select one or multiple users from this list and select the "Create email" button to pull up your default email client to send a pre-generated message to all selected users, reminding them to register for MFA.
Baselines
In M365 Lighthouse you can deploy standard baseline configurations in a repeatable and scalable way, to secure your customers' tenants with the core security policies. The following configurations are included in the default baseline:
- Require MFA for admins (conditional access policy)
- Require MFA for end users (conditional access policy)
- Block legacy authentication (conditional access policy)
- Set up device enrolment
- Set up Microsoft Defender for Business
- Set up Exchange Online Protection and Microsoft Defender for Office 365
- Configure Microsoft Defender Firewall for Windows 10 and later
- Configure Microsoft Edge
There is a deployment plan for every active tenant, which has a status for each of the deployment steps (e.g., Fully applied, To address) so you can track progress towards completing deployment of the M365 Lighthouse baseline.
You can also manage exclusions from the deployment plan. When you click on one of the deployment steps and select "Review and deploy", you can modify which users, groups, roles, applications, locations, or platforms are excluded or included in the policy before you deploy it.
Devices
In the Device Compliance section of M365 Lighthouse, you can view the device compliance policies assigned to your tenants and the compliance statuses for the tenant devices: Compliant, Not Compliant, In grace period, and Not evaluated. You can also see a list of all non-compliant settings across your tenants and drill into them to see the specific devices that have the non-compliant setting.
The Threat management section allows you to view and manage active threats affecting your customers' environments. The overview tab reports the number of threats mitigated by Microsoft Defender, active and suspicious threats, and the number of devices needing Antivirus protection or an Antivirus scan. In the Threats tab, you can see the list of threats and their status: Active, Mitigated, Resolved, or Allowed. In the Antivirus protection tab, you have options to update Antivirus and run scans on vulnerable devices.
Recent Updates
Microsoft Defender for Business integration
You can now see a list of customer devices onboarded to Microsoft Defender for Business, and a list of incidents and alerts from these devices in the Device Security section of M365 Lighthouse (Devices > Device Security > Incidents and alerts tab).
Microsoft has also since added "Set up Microsoft Defender for Business" as a new step to the baseline which, when deployed, will automatically provision Microsoft Defender for Business for the tenant and automatically onboard Intune-enrolled devices.
Multifactor authentication list filtering
I was very glad when this update was released as I previously found it pretty frustrating to work with the "Users not registered for MFA" list when it only included all account types (admins, members, and guests). You can now filter this list by account type and exclude service and break-glass accounts, so you can focus on which "real" people still need to register.
View and manage inactive users
Inactive user accounts represent a security risk, as they could be used by an external attacker or former employee to attack the organisation if they are not deleted or disabled when no longer required. M365 Lighthouse now provides visibility of user accounts across your tenants that have been inactive for at least 6 months. I recommend using this feature in Lighthouse to keep on top of inactive user accounts in your customers' tenants and perform regular clean-ups. In M365 Lighthouse you can view up to 500 inactive users per tenant and can delete or disable the inactive account directly from the portal.
View quarantined email messages
A new Data Protection section has been added to M365 Lighthouse where you can see the status of quarantined messages for active tenants. You can see data from the last 30 days for the total number of messages in quarantine, the number of messages awaiting review, messages approaching the quarantine limit, released messages, and the number of impacted mailboxes across all active tenants. You can see information about the policy type (e.g., Anti-phishing, Anti-spam) and the reason why the email was quarantined (e.g., Phishing, Malware).
The previously mentioned features, plus many more, are available in M365 Lighthouse to help partners manage their customer tenants at scale. If you are interested in learning more about Lighthouse or activating it for your partner tenant, please feel free to reach out to me.