Overview of permissions in Microsoft 365 Lighthouse
Microsoft 365 Lighthouse permissions are primarily managed by the following:
- Lighthouse role-based access control (RBAC) in the partner tenant
- Granular delegated administrative privileges (GDAP) in the customer tenant
To use Lighthouse, you need a combination of roles assigned via RBAC and GDAP.
Manage Lighthouse RBAC permissions in the partner tenant
Lighthouse permissions in the partner tenant are managed by assigning RBAC roles in Lighthouse. Each role has a set of permissions that determines which data users can access and change within the partner tenant. Lighthouse RBAC roles don't provide access to customer data. Access to customer data is governed by a Lighthouse user's GDAP permissions (see Manage GDAP in the customer tenant).
RBAC roles are managed from the Lighthouse permissions page in Lighthouse. To access the Lighthouse permissions page and manage permissions, you must hold one of the following roles:
- Privileged Role Administrator in Microsoft Entra ID
- Administrator in Lighthouse
To learn more, see Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse.
The following table provides an overview of each Lighthouse RBAC role. For a list of actions each role can perform in the partner tenant, see Lighthouse RBAC roles and capabilities.
Lighthouse RBAC role | Overview |
---|---|
Account Manager | Account Managers have full access to Sales Advisor pages and data across the entire partner tenant. Account Managers can export Sales Advisor data. |
Administrator | Administrators have full administrative permissions in Lighthouse. Administrators can manage RBAC and GDAP permissions and can create baselines, tags, and alerts. Lighthouse users who hold the Privileged Role Administrator, User Administrator, or Group Administrator role in Microsoft Entra ID, or the Admin Agent role in Partner Center, are automatically assigned the Administrator role. Lighthouse RBAC assignments never grant Microsoft Entra or Partner Center roles; the mapping only runs from those roles into Lighthouse. |
Operator | Operators manage customer tenants in Lighthouse based on the GDAP permissions assigned to them for each customer tenant that they manage. Operators can view high-level customer tenant status and manage alerts. Lighthouse users who hold at least one Microsoft Entra role are automatically assigned the Operator role. Note: Lighthouse Administrators can use templates on the Delegated access page to assign GDAP permissions to Lighthouse users. |
Reader | Readers have read-only access to data in Lighthouse. Lighthouse Readers can view high-level customer tenant status and alerts. |
Lighthouse RBAC roles and capabilities
The following table describes the actions that each Lighthouse RBAC role can perform in Lighthouse. For some actions, you need to hold a Microsoft Entra role in addition to a Lighthouse RBAC role. For other actions, only a Microsoft Entra role is required. Microsoft Entra role requirements are indicated in the last column of the table. For a complete list of Microsoft Entra roles and the actions they can perform, see Microsoft Entra built-in roles.
Area | Actions | Account Manager | Administrator | Operator | Reader | Need Microsoft Entra role? |
---|---|---|---|---|---|---|
Home page | View data on cards | | | | | Yes |
Home page | Add users | | | | | Yes |
Home page | Reset password | | | | | Yes |
Home page | Offboard users | | | | | Yes |
Alerts | View alerts and alert rules | | ✓ | ✓ | ✓ | No |
Alerts | Manage alerts (change severity, status, or assignment) | | ✓ | | | No |
Alerts | Create, edit, and delete alert rules | | ✓ | | | No |
Copilot insights | View opportunities and adoption data | | | | | Yes |
Tenants | View the Tenants page | ✓ | ✓ | ✓ | ✓ | No |
Tenants | View tenant details | | | | | Yes |
Tenants | Export data | ✓ | ✓ | ✓ | ✓ | No |
Tenants | View tags | ✓ | ✓ | ✓ | ✓ | No |
Tenants | Create, update, and delete tags in Lighthouse | | ✓ | | | No |
Tenants | Assign and remove tags from tenants | | ✓ | | | No |
Tenants | Activate and inactivate a tenant | | ✓ | | | No |
Tenants | View delegated access status | ✓ | ✓ | ✓ | ✓ | No |
Tenants | View Microsoft Secure Score | | | | | Yes |
Tenants | View baseline assignments | ✓ | ✓ | ✓ | ✓ | No |
Tenants | View deployment status | | ✓ | | | Yes |
Tenants | View apps and services usage | | ✓ | | | Yes |
Tenants | View and edit customer contact and website info | ✓ | ✓ | ✓ | ✓ | No |
Users | Search for users | | | | | Yes |
Users | View user metrics | | | | | Yes |
Users | Onboard new users | | | | | Yes |
Users | Offboard users | | | | | Yes |
Users | View inactive users | | | | | Yes |
Users | View shared mailboxes | | | | | Yes |
Users | View and manage risky users | | | | | Yes |
Users | View and manage multifactor authentication | | | | | Yes |
Users | View and manage self-service password reset | | | | | Yes |
Devices | View device security data | | | | | Yes |
Devices | View vulnerability management data | | | | | Yes |
Devices | View device compliance data | | | | | Yes |
Devices | View threat management data | | | | | Yes |
Devices | View device health data | | | | | Yes |
Devices | View Windows 365 data | | | | | Yes |
Devices | View Windows event logs | | | | | Yes |
Apps | View app performance and app management data | | | | | Yes |
Quarantined messages | View and manage quarantined messages | | | | | Yes |
Baselines | View baselines (default, custom) and task details | | ✓ | ✓ | ✓ | No |
Baselines | Create, clone, edit, and assign baselines | | ✓ | | | No |
Baselines | View deployment insights | | | | | Yes |
Service health | Monitor service health¹ | | | | | No |
Support | Create and manage service requests² | | | | | No |
Audit logs | View audit logs | | ✓ | | | Yes |
Permissions | View the Lighthouse Permissions page | | ✓ | | | No |
Permissions | Set up and manage Lighthouse permissions | | ✓ | | | No |
Permissions | View, set up, and manage GDAP on the Delegated access page | | ✓ | | | No |
Sales Advisor | View opportunities | ✓ | ✓ | | | No |
Sales Advisor | View subscription renewals | ✓ | ✓ | | | No |
Sales Advisor | View license requests | ✓ | ✓ | | | No |
¹ To monitor service health, Lighthouse users must hold at least one Microsoft Entra role in the partner tenant whose permissions include the resource action `microsoft.office365.serviceHealth/allEntities/allTasks`. The users must also hold either the Admin Agent or the Helpdesk Agent role in Partner Center.
² To create and manage service requests, Lighthouse users must hold at least one Microsoft Entra role in the partner tenant whose permissions include the resource action `microsoft.office365.supportTickets/allEntities/allTasks`.
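The two footnotes above state a requirement in terms of Microsoft Entra resource actions rather than role names, so the practical question for an MSP is "which roles in our partner tenant carry this action, and does this technician hold one?" The following script answers both questions for a single user. It is an added example, not code from the Lighthouse documentation: it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may read role definitions and role assignments, and that `tech@partner.example` is a placeholder user principal name.

```powershell
# Added example (not from the Lighthouse documentation): for one partner-tenant user, find every
# Microsoft Entra role definition whose permissions include the resource actions named in the
# footnotes, and check whether the user holds one of those roles through an active, direct
# directory role assignment.
# Assumptions: Microsoft.Graph PowerShell SDK installed; signed-in account can read role
# definitions and assignments; 'tech@partner.example' is a placeholder UPN.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$UserPrincipalName = 'tech@partner.example'      # placeholder: the Lighthouse user to check
$RequiredActions = @(
    'microsoft.office365.serviceHealth/allEntities/allTasks'    # footnote 1: monitor service health
    'microsoft.office365.supportTickets/allEntities/allTasks'   # footnote 2: manage service requests
)

# All role definitions (built-in and custom). Each carries RolePermissions[].AllowedResourceActions.
$AllRoles = Get-MgRoleManagementDirectoryRoleDefinition -All

# Direct, active assignments for the user. PIM-eligible assignments and roles inherited through
# role-assignable groups are not returned by this filter and have to be checked separately.
$User        = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$Assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$($User.Id)'"
$HeldRoleIds = @($Assignments.RoleDefinitionId)

foreach ($action in $RequiredActions) {
    # Roles whose permission set lists the action exactly as the footnote spells it.
    $RolesWithAction = $AllRoles | Where-Object {
        $_.RolePermissions.AllowedResourceActions -contains $action
    }
    # Intersection with what the user actually holds.
    $HeldRolesWithAction = $RolesWithAction | Where-Object { $HeldRoleIds -contains $_.Id }

    [pscustomobject]@{
        User          = $User.UserPrincipalName
        Action        = $action
        RolesGranting = ($RolesWithAction.DisplayName | Sort-Object) -join ', '
        UserHolds     = ($HeldRolesWithAction.DisplayName | Sort-Object) -join ', '
        Satisfied     = [bool]$HeldRolesWithAction
    }
}
```

`Satisfied` is false for the service-health action even when the user holds a qualifying Entra role if the second half of footnote 1 is not met; the Partner Center Admin Agent and Helpdesk Agent memberships are not directory role assignments and are not covered by this query. The `RolesGranting` column is also useful on its own: it shows the least-privileged built-in role that satisfies each footnote, which is usually a better choice than handing out a broad role just to light up one Lighthouse page.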
Manage GDAP in the customer tenant
Just as Lighthouse RBAC roles govern permissions in the partner tenant, GDAP governs permissions in the customer tenants. GDAP gives you fine-grained control by granting access to each customer tenant through Microsoft Entra built-in roles, scoped to that customer relationship. Assigning the least-privileged roles for each task to MSP technicians through GDAP reduces security risk for both MSPs and customers. We recommend that you use GDAP reader roles across customer tenants to give Lighthouse users an aggregate, read-only view across all customer tenants, and reserve write roles for the technicians and tasks that need them.
For more information about setting up a GDAP relationship with a customer tenant in Lighthouse, see Obtain granular admin permissions to manage a customer's service - Partner Center.
For more information about least-privileged roles by task, see Least-privileged roles - Partner Center and Least privileged roles by task in Microsoft Entra ID.
For more information about GDAP or delegated administrative privileges (DAP) deprecation, see GDAP frequently asked questions - Partner Center, or search the Partner Center announcements for dates and timelines.
For a complete list of Microsoft Entra roles and the actions they can perform, see Microsoft Entra built-in roles. For information on how to assign roles, see Assign Microsoft Entra roles to users.
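The least-privilege recommendation above is only verifiable if you can see which roles each GDAP relationship actually grants. The following script inventories the partner tenant's active GDAP relationships and flags those that hand out Global Administrator or Privileged Role Administrator, or that are not limited to reader roles. It is an added example, not code from the Lighthouse documentation: it assumes the Microsoft Graph PowerShell SDK (including the Identity.Partner module) is installed, that the signed-in partner account may read delegated admin relationships and role definitions, and it relies on the well-known Microsoft Entra role template IDs for Global Administrator, Privileged Role Administrator, and Global Reader.

```powershell
# Added example (not from the Lighthouse documentation): audit the partner tenant's GDAP
# relationships for least privilege. Lists each active relationship, the Entra roles it grants
# in the customer tenant, when it expires, and flags relationships that include highly privileged
# roles or that are not limited to reader roles.
# Assumptions: Microsoft.Graph PowerShell SDK with the Identity.Partner module; the signed-in
# partner account may read delegated admin relationships and directory role definitions.

Connect-MgGraph -Scopes 'DelegatedAdminRelationship.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Well-known Microsoft Entra role template IDs. GDAP references roles by these IDs.
$HighlyPrivileged = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
}
$ReaderRoles = @{
    'f2ef992c-3afb-46b9-b7cf-a126ee74c451' = 'Global Reader'
}

# Resolve role IDs to display names using the partner tenant's built-in role definitions
# (built-in unifiedRoleDefinition IDs equal the role template IDs that GDAP uses).
$RoleName = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $RoleName[$_.Id] = $_.DisplayName }

$Report = Get-MgTenantRelationshipDelegatedAdminRelationship -All |
    Where-Object { $_.Status -eq 'active' } |
    ForEach-Object {
        $roleIds = @($_.AccessDetails.UnifiedRoles.RoleDefinitionId)
        [pscustomobject]@{
            Customer         = $_.Customer.DisplayName
            CustomerTenantId = $_.Customer.TenantId
            Relationship     = $_.DisplayName
            ExpiresUtc       = $_.EndDateTime
            Roles            = ($roleIds | ForEach-Object { if ($RoleName[$_]) { $RoleName[$_] } else { $_ } }) -join ', '
            HighlyPrivileged = ($roleIds | Where-Object { $HighlyPrivileged.ContainsKey($_) } |
                                ForEach-Object { $HighlyPrivileged[$_] }) -join ', '
            # True only when the relationship grants at least one role and every role is a reader role.
            ReaderOnly       = ($roleIds.Count -gt 0) -and
                               @($roleIds | Where-Object { -not $ReaderRoles.ContainsKey($_) }).Count -eq 0
        }
    }

# Relationships that grant Global Administrator or Privileged Role Administrator come first.
$Report |
    Sort-Object @{ Expression = { $_.HighlyPrivileged -ne '' }; Descending = $true }, Customer |
    Format-Table Customer, Relationship, ExpiresUtc, ReaderOnly, HighlyPrivileged, Roles -AutoSize -Wrap
```

A relationship with `HighlyPrivileged` populated is the first thing to renegotiate with the customer: Lighthouse's aggregate views only need reader roles, and anything broader should be a separate, task-scoped relationship. `ExpiresUtc` matters for the same reason as the DAP deprecation the section mentions: an expired relationship silently drops that customer out of Lighthouse, so track it rather than discover it from a blank tenant page.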
Related content
- View your Microsoft Entra roles in Microsoft 365 Lighthouse
- Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse
- Set up GDAP in Microsoft 365 Lighthouse
- Overview of the Delegated access page in Microsoft 365 Lighthouse
- Assign roles and permissions to users - Partner Center
- GDAP frequently asked questions - Partner Center
- Microsoft 365 Lighthouse frequently asked questions (FAQs)