Overview of permissions in Microsoft 365 Lighthouse

Delegated access to customer tenants is required for Managed Service Providers (MSPs) to use Microsoft 365 Lighthouse. Granular Delegated Admin Privileges (GDAP) give MSPs a high level of control and flexibility by providing customer access through Azure Active Directory (Azure AD) built-in roles. Assigning the least privileged roles by task through GDAP to MSP technicians reduces security risk for both MSPs and customers. For more information on least privileged roles by task, see Least-privileged roles - Partner Center and Least privileged roles by task in Azure Active Directory. For more information on setting up a GDAP relationship with a customer tenant, see Obtain granular admin permissions to manage a customer's service - Partner Center.

We recommend assigning roles to groups of MSP technicians based on the tasks each group needs to perform on behalf of the customer. For example, Service Desk Technicians may just need to read customer tenant data or reset user passwords. In contrast, Escalation Engineers may need to take more corrective actions to update customer tenant security settings. It's a best practice to assign the least permissive role required to complete a task so that customer and partner data is kept secure. We recommend using Privileged Identity Management (PIM) to enable time-scoped access to the Global Administrator role, if needed. Giving too many users global access is a security risk, and we recommend limiting it as much as possible. For more information on how to enable PIM, see Set up Azure AD PIM.

The tables in the next section describe which GDAP roles grant permission to read customer data and take action on customer tenants in Lighthouse. See Permissions in the partner tenant in this article for additional roles required to manage Lighthouse entities (for example, tags and Lighthouse service requests).

The following table lists the recommended GDAP roles for some example MSP service tiers.

MSP service tier            Recommended GDAP roles
Account Managers            Helpdesk Administrator + Security Reader
Service Desk Technicians    Helpdesk Administrator + Global Reader
System Administrators       User Administrator + Authentication Administrator + Global Reader
Escalation Engineers        User Administrator + Intune Administrator + Security Administrator

The following table lists the actions that the example MSP service tiers can perform on the different Lighthouse pages as determined by their assigned GDAP roles (which are indicated in the previous table).

Home
  • All four tiers: View all data
Tenants
  • Account Managers: View tenants list; Update customer contacts and website; View deployment plans
  • Service Desk Technicians: View tenants list; Update customer contacts and website; View deployment plans
  • System Administrators: View tenants list; Update customer contacts and website; View deployment plans; View Microsoft 365 services usage
  • Escalation Engineers: View tenants list; Update customer contacts and website; View deployment plans; View Microsoft 365 services usage
Users
  • Account Managers: View tenant level (non-user specific) data; Search user accounts across tenants; Reset password for non-administrators*
  • Service Desk Technicians: View all user-specific data; Search user accounts across tenants; Reset password for non-administrators*
  • System Administrators: View all user-specific data; Search user accounts across tenants; Reset password for non-administrators*; Block sign-in
  • Escalation Engineers: View all user-specific data; Search user accounts across tenants; Reset password for non-administrators*; Block sign-in; Confirm compromised users; Dismiss risk for users
Devices
  • Account Managers, Service Desk Technicians, System Administrators: View all data
  • Escalation Engineers: View all data; Sync device; Restart device; Collect diagnostics
Threat management
  • Account Managers, Service Desk Technicians, System Administrators: View all data
  • Escalation Engineers: View all data; Run full scan; Run quick scan; Update antivirus protection; Reboot device
Baselines
  • All four tiers: View all data
Windows 365
  • All four tiers: View all data
Service health**
  • All four tiers: N/A
Audit logs**
  • All four tiers: N/A

*See Password reset permissions for a table that lists which roles are required to reset passwords for customer tenant administrators.

**Different roles and permissions are required to view Service health and Audit logs. For more information, see Permissions in the partner tenant.

Note

If you get a message in Lighthouse saying that you don't have permission to view or edit information, you're assigned a role that doesn't have the appropriate permissions to perform the action. You'll need to reach out to an admin in your partner tenant who can assign you the appropriate role for the action you're trying to perform.

Delegated Admin Privileges (DAP) in Lighthouse

GDAP will eventually replace DAP as the primary method to configure delegated access for customer tenants. However, if GDAP hasn't been set up, MSP technicians may still access Lighthouse by using the Helpdesk Agent or Admin Agent roles granted through DAP. For customers where GDAP and DAP coexist, roles granted to MSP technicians through GDAP take precedence. For more information on GDAP or DAP deprecation, see GDAP frequently asked questions or the Partner Center announcements for dates and timelines.

For customers with DAP and no GDAP, the Admin Agent role grants permissions to view all tenant data and take any action in Lighthouse (see Permissions in the partner tenant below for actions that also require a role in the partner tenant).

The Helpdesk Agent role grants permissions to view all tenant data and take limited action in Lighthouse, such as resetting user passwords, blocking user sign-ins, and updating customer contact information and websites.

Given the broad permissions granted to partner users with DAP roles, we recommend adopting GDAP as soon as possible.

Permissions in the partner tenant

For certain actions in Lighthouse, role assignments in the partner tenant are required. The following table lists partner tenant roles and their associated permissions.

Global Administrator of partner tenant
  • Sign up for Lighthouse in the Microsoft 365 admin center.
  • Accept partner contract amendments during the first-run experience.
  • Activate and inactivate a tenant.
  • Create, update, and delete tags.
  • Assign and remove tags from a customer tenant.
  • Review audit logs.
Partner tenant member with at least one Azure AD role assigned with the following property set: microsoft.office365.supportTickets/allEntities/allTasks (for a complete list of Azure AD roles, see Azure AD built-in roles)
  • Create Lighthouse service requests.
Partner tenant member who meets both of the following requirements: has at least one Azure AD role assigned with the following property set: microsoft.office365.serviceHealth/allEntities/allTasks (for a complete list of Azure AD roles, see Azure AD built-in roles), and has at least one DAP delegated role assigned (Admin Agent or Helpdesk Agent)
  • View service health information.
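The two "partner tenant member" rows above are requirements on the resource actions contained in a member's assigned Azure AD roles, which is something you can check directly rather than by reading through the built-in roles list. The following script is an added example, not code from this article or from Microsoft. It assumes the object shape of Microsoft Graph directory role definitions (rolePermissions[].allowedResourceActions) and role assignments (principalId, roleDefinitionId); the role definitions, assignments, and DAP role holdings in it are constructed samples, and the action lists are illustrative rather than the real built-in role contents. It matches action strings exactly and does not expand wildcards.

```python
"""Evaluate the partner-tenant requirements for Lighthouse service requests
and service health from role definitions and role assignments.

All data below is CONSTRUCTED for this example.  It mirrors the shape of
Microsoft Graph directoryRoleDefinition / unifiedRoleAssignment objects but is
not real tenant data, and the action lists are not the real built-in roles."""

SUPPORT_TICKETS_ACTION = "microsoft.office365.supportTickets/allEntities/allTasks"
SERVICE_HEALTH_ACTION = "microsoft.office365.serviceHealth/allEntities/allTasks"
DAP_ROLES = {"Admin Agent", "Helpdesk Agent"}  # the two DAP delegated roles named in the article

# Constructed subset of what GET /roleManagement/directory/roleDefinitions returns.
ROLE_DEFINITIONS = [
    {"id": "def-helpdesk", "displayName": "Helpdesk Administrator",
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/users/password/update",
         SUPPORT_TICKETS_ACTION,
         SERVICE_HEALTH_ACTION]}]},
    {"id": "def-secreader", "displayName": "Security Reader",
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/auditLogs/allProperties/read"]}]},
    {"id": "def-svcsupport", "displayName": "Service Support Administrator",
     "rolePermissions": [{"allowedResourceActions": [
         SUPPORT_TICKETS_ACTION,
         SERVICE_HEALTH_ACTION]}]},
]

# Constructed subset of GET /roleManagement/directory/roleAssignments.
ROLE_ASSIGNMENTS = [
    {"principalId": "user-ana", "roleDefinitionId": "def-helpdesk"},
    {"principalId": "user-ben", "roleDefinitionId": "def-secreader"},
    {"principalId": "user-cho", "roleDefinitionId": "def-svcsupport"},
]

# Constructed: DAP delegated roles each member holds (these live in the
# partner/customer relationship, not in the Graph role assignments above).
DAP_ROLES_BY_USER = {
    "user-ana": {"Helpdesk Agent"},
    "user-ben": {"Admin Agent"},
    "user-cho": set(),
}


def roles_granting(action, role_definitions=ROLE_DEFINITIONS):
    """Display names of role definitions whose allowedResourceActions
    contain `action` (exact string match, no wildcard expansion)."""
    return sorted(
        d["displayName"]
        for d in role_definitions
        if any(action in p.get("allowedResourceActions", [])
               for p in d.get("rolePermissions", []))
    )


def actions_for_user(principal_id, assignments=ROLE_ASSIGNMENTS,
                     role_definitions=ROLE_DEFINITIONS):
    """Union of the resource actions granted by every role assigned to the principal."""
    defs_by_id = {d["id"]: d for d in role_definitions}
    actions = set()
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        definition = defs_by_id.get(a["roleDefinitionId"])
        if definition is None:
            continue  # assignment to an unknown definition grants nothing we can reason about
        for p in definition.get("rolePermissions", []):
            actions.update(p.get("allowedResourceActions", []))
    return actions


def can_create_service_requests(principal_id, **kw):
    """First requirement: a role that carries the supportTickets action."""
    return SUPPORT_TICKETS_ACTION in actions_for_user(principal_id, **kw)


def can_view_service_health(principal_id, dap_roles=DAP_ROLES_BY_USER, **kw):
    """Second requirement: BOTH the serviceHealth action AND a DAP delegated role."""
    has_action = SERVICE_HEALTH_ACTION in actions_for_user(principal_id, **kw)
    has_dap = bool(DAP_ROLES & dap_roles.get(principal_id, set()))
    return has_action and has_dap


def partner_permissions_report(principal_id):
    """Summarise which of the article's partner-tenant actions a member can perform."""
    return {
        "create_service_requests": can_create_service_requests(principal_id),
        "view_service_health": can_view_service_health(principal_id),
    }


if __name__ == "__main__":
    print("Roles granting service requests:", roles_granting(SUPPORT_TICKETS_ACTION))
    for user in DAP_ROLES_BY_USER:
        print(user, partner_permissions_report(user))
```

Against the constructed data, user-ana passes both checks, user-ben fails both (Security Reader carries neither action, so the Admin Agent DAP role alone is not enough), and user-cho can create service requests but cannot view service health because no DAP role is held, which is the "both of the following requirements" condition in the table.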

Related content

  • Requirements for Microsoft 365 Lighthouse (article)
  • Delegated administration privileges (DAP) FAQ (article)
  • View your Azure Active Directory roles in Microsoft 365 Lighthouse (article)
  • Assign roles and permissions to users (article)
  • Overview of Microsoft 365 Lighthouse (article)
  • Sign up for Microsoft 365 Lighthouse (article)
  • Microsoft 365 Lighthouse FAQ (article)