Configure Microsoft 365 Lighthouse portal security

Protecting access to customer data when a Managed Service Provider (MSP) has delegated access permissions to its tenants is a cybersecurity priority. Microsoft 365 Lighthouse comes with both required and optional capabilities to help you configure Lighthouse portal security. You must set up specific roles with multifactor authentication (MFA) enabled before you can access Lighthouse. You can optionally set up Microsoft Entra Privileged Identity Management (PIM) and Conditional Access.

Set up multifactor authentication (MFA)

As mentioned in the blog post Your Pa$$word doesn't matter:

"Your password doesn't matter, but MFA does. Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."

When users access Lighthouse for the first time, they'll be prompted to set up MFA if their Microsoft 365 account doesn't already have it configured. Users won't be able to access Lighthouse until the required MFA setup step is completed. To learn more about authentication methods, see Set up your Microsoft 365 sign-in for multifactor authentication.

Set up role-based access control

Role-based access control (RBAC) grants access to resources or information based on user roles. Access to customer tenant data and settings in Lighthouse is restricted to specific roles from the Cloud Solution Provider (CSP) program. To set up RBAC roles in Lighthouse, we recommend using granular delegated admin privileges (GDAP) to implement granular assignments for users. Delegated admin privileges (DAP) is still required for the tenant to onboard successfully, but GDAP-only customers will soon be able to onboard without a dependency on DAP. GDAP permissions take precedence when DAP and GDAP coexist for a customer.

To set up a GDAP relationship, see Obtain granular admin permissions to manage a customer's service. For more information on which roles we recommend use Lighthouse, see Overview of permissions in Microsoft 365 Lighthouse.

MSP technicians may also access Lighthouse by using Admin Agent or Helpdesk Agent roles via delegated admin privileges (DAP).

For non-customer tenant-related actions in Lighthouse (for example, onboarding, customer deactivating/reactivating, managing tags, reviewing logs), MSP technicians must have an assigned role in the partner tenant. See Overview of permissions in Microsoft 365 Lighthouse for more details on partner tenant roles.

Set up Microsoft Entra Privileged Identity Management (PIM)

MSPs can minimize the number of people who have high-privilege role access to secure information or resources by using PIM. PIM reduces the chance of a malicious person gaining access to resources or authorized users inadvertently impacting a sensitive resource. MSPs can also grant users just-in-time high privilege roles to access resources, make broad changes, and monitor what the designated users are doing with their privileged access.


Using Microsoft Entra PIM requires a Microsoft Entra ID P2 license in the partner tenant.

The following steps elevate partner tenant users to time-scoped higher privilege roles by using PIM:

  1. Create a role-assignable group as described in the article Create a group for assigning roles in Microsoft Entra ID.

  2. Go to Microsoft Entra ID – All Groups and add the new group as a member of a security group for high-privilege roles (for example, Admin Agents security group for DAP or a similarly respective security group for GDAP roles).

  3. Set up privileged access to the new group as described in the article Assign eligible owners and members for privileged access groups.

To learn more about PIM, see What is Privileged Identity Management?

Set up risk-based Microsoft Entra Conditional Access

MSPs may use risk-based Conditional Access to make sure their staff members prove their identity by using MFA and by changing their password when detected as a risky user (with leaked credentials or per Microsoft Entra threat intelligence). Users must also sign in from a familiar location or registered device when detected as a risky sign-in. Other risky behaviors include signing in from a malicious or anonymous IP address or from an atypical or impossible travel location, using an anomalous token, using a password from a password spray, or exhibiting other unusual sign-in behavior. Depending on a user's risk level, MSPs may also choose to block access upon sign-in. To learn more about risks, see What is risk?


Conditional Access requires a Microsoft Entra ID P2 license in the partner tenant. To set up Conditional Access, see Configuring Microsoft Entra Conditional Access.

Password reset permissions (article)
Overview of permissions in Microsoft 365 Lighthouse (article)
View your Microsoft Entra roles in Microsoft 365 Lighthouse (article)
Requirements for Microsoft 365 Lighthouse (article)
Overview of Microsoft 365 Lighthouse (article)
Sign up for Microsoft 365 Lighthouse (article)
Microsoft 365 Lighthouse FAQ (article)