Here are some related docs. Quick summary:
Lighthouse works using a small ARM template. Security groups in the managing tenant (or provider) are linked to the GUIDs of one or more built-in Azure RBAC roles. The managed tenant (or customer) deploys the template, granting access. There are many advantages of this method over user accounts or guest accounts. One benefit is that the provider can add and remove users to the group(s) without needing to bother the customer admin. Lighthouse users can also manage multiple tenants from the same logon and browser. Limitations include that this only works with built-in RBAC roles, and there are some tenant-level admin tasks that cannot be performed over Lighthouse. Both the provider and customer have a management portal and auditing to track Lighthouse activity down to the user level, and either side can terminate the agreement at any time. From the customer's perspective, they can grant access to an MSP without managing accounts, track the provider's user activity, and evict the MSP in one click if needed.
https://learn.microsoft.com/en-us/azure/lighthouse/overview
Azure Sentinel’s Technical Playbook for MSSPs: https://lnkd.in/emsR5Rz
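As an added illustration of the delegation template described above (not taken from the post or from Microsoft's sample repo): a minimal subscription-scope ARM template that maps two provider security groups to the built-in Reader and Contributor role GUIDs. The tenant ID and group object IDs are labelled placeholders; the offer name and display names are made up.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "mspOfferName": "Example MSP managed services (constructed)",
    "mspRegistrationName": "[guid(variables('mspOfferName'))]",
    "mspAssignmentName": "[guid(variables('mspOfferName'), 'assignment')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[variables('mspOfferName')]",
        "description": "Delegated access for the provider's monitoring and operations groups",
        "managedByTenantId": "PLACEHOLDER-PROVIDER-TENANT-ID",
        "authorizations": [
          {
            "principalId": "PLACEHOLDER-PROVIDER-SOC-GROUP-OBJECT-ID",
            "principalIdDisplayName": "MSP SOC Analysts (read-only)",
            "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
          },
          {
            "principalId": "PLACEHOLDER-PROVIDER-OPS-GROUP-OBJECT-ID",
            "principalIdDisplayName": "MSP Operations Engineers",
            "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      }
    }
  ]
}
```

The customer deploys this in their own subscription (for example with `az deployment sub create --location <region> --template-file lighthouse.json`); the `registrationDefinitions` resource is the offer and `registrationAssignments` is the customer's acceptance, which is why removing the assignment is all it takes to evict the provider.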