Overview of permissions in Microsoft 365 Lighthouse
Microsoft 365 Lighthouse permissions are primarily managed by the following:
- Lighthouse role-based access control (RBAC) in the partner tenant
- Granular delegated administrative privileges (GDAP) in the customer tenant
To use Lighthouse, you need a combination of roles assigned via RBAC and GDAP.
Global Administrator permissions in the partner tenant
Partner tenant users assigned the Global Administrator role in Microsoft Entra ID can do the following:
- Sign up for Lighthouse in the Microsoft 365 admin center.
- Activate and inactivate a tenant.
- Create, update, and delete tags.
- Assign tags to and remove tags from a customer tenant.
- Review audit logs.
- Create, edit, and view alert rules.
Managing Lighthouse RBAC permissions in the partner tenant
Lighthouse permissions in the partner tenant are managed by assigning RBAC roles. Each role has a set of permissions that determines which data users can access and change within the partner tenant.
RBAC roles are managed from the Lighthouse permissions page in Lighthouse. To access the Lighthouse permissions page and manage permissions, you must be a Global Administrator in Microsoft Entra ID. To learn more, see Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse.
There's currently only one Lighthouse RBAC role: Lighthouse Account Manager. The following table describes the Lighthouse Account Manager role.
Lighthouse RBAC role | Description |
---|---|
Lighthouse Account Manager | Provides full access to Sales Advisor pages and data across the entire partner tenant. Lighthouse Account Managers can export Sales Advisor data. |
Lighthouse RBAC roles and capabilities
The following table describes the actions that Lighthouse Account Managers can perform in Lighthouse.
Area | Actions | Lighthouse Account Manager |
---|---|---|
Tenants | View the Tenants page | ✓ |
Tenants | Manage tags | |
Tenants | Activate and inactivate a tenant | |
Tenants | View delegated status | ✓ |
Tenants | View baseline assignment | |
Tenants | View deployment status | ✓ |
Tenants | View and edit customer contact information and website | ✓ |
Baselines | View baselines (default, custom) | |
Baselines | Create, edit, and assign baselines | |
Alerts | View alerts | ✓ |
Alerts | Manage alerts (change severity, status, or assignment) | |
Alerts | Create, edit, and delete alert rules | |
Permissions | Set up and manage Lighthouse permissions | |
Permissions | Set up and manage GDAP | |
Permissions | View GDAP status detail | |
Audit logs | View audit logs | |
Sales Advisor | View Sales Advisor reports and manage data | ✓ |
Support | Open and manage service requests | |
Service health | Monitor service health | |
Managing GDAP in the customer tenant
GDAP gives you a high level of control and flexibility by providing access to customer tenants through Microsoft Entra built-in roles. Assigning the least-privileged roles by task through GDAP to MSP technicians reduces security risk for both MSPs and customers.
For more information about setting up a GDAP relationship with a customer tenant in Lighthouse, see Obtain granular admin permissions to manage a customer's service - Partner Center.
For more information about least-privileged roles by task, see Least-privileged roles - Partner Center and Least privileged roles by task in Microsoft Entra ID.
For more information about GDAP or delegated administrative privileges (DAP) deprecation, see GDAP frequently asked questions - Partner Center, or search the Partner Center announcements for dates and timelines.
The following tasks in Lighthouse have specific Microsoft Entra role requirements:
- To create and manage service requests, Lighthouse users must have at least one Microsoft Entra role assigned to them with the following property set: microsoft.office365.supportTickets/allEntities/allTasks.
- To monitor service health, Lighthouse users must have at least one Microsoft Entra role assigned to them with the following property set: microsoft.office365.serviceHealth/allEntities/allTasks.
For a complete list of Microsoft Entra roles, see Microsoft Entra built-in roles. For information on how to assign roles, see Assign Microsoft Entra roles to users.
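The following is an added example, not part of the original article and not Microsoft code. It checks a technician's assigned roles against the two property sets above and lists the granting roles narrowest first, to support least-privilege GDAP assignment. It assumes the role definitions are in the shape Microsoft Graph returns for unifiedRoleDefinition objects (displayName, rolePermissions, allowedResourceActions, excludedResourceActions); the role names and sample data are constructed.

```python
# Required resource actions, copied from the two requirements above.
LIGHTHOUSE_TASKS = {
    "Create and manage service requests":
        "microsoft.office365.supportTickets/allEntities/allTasks",
    "Monitor service health":
        "microsoft.office365.serviceHealth/allEntities/allTasks",
}

def effective_actions(role):
    """Allowed resource actions of a role definition, minus excluded ones."""
    allowed, excluded = set(), set()
    for perm in role.get("rolePermissions", []):
        allowed.update(a.strip() for a in perm.get("allowedResourceActions", []))
        excluded.update(a.strip() for a in perm.get("excludedResourceActions") or [])
    return allowed - excluded

def lighthouse_task_coverage(assigned_roles):
    """Map each Lighthouse task to the assigned roles that grant it,
    narrowest role (fewest effective actions) first."""
    coverage = {}
    for task, needed in LIGHTHOUSE_TASKS.items():
        granting = [r for r in assigned_roles if needed in effective_actions(r)]
        granting.sort(key=lambda r: len(effective_actions(r)))
        coverage[task] = [r["displayName"] for r in granting]
    return coverage

def missing_tasks(assigned_roles):
    """Lighthouse tasks that none of the assigned roles enable."""
    coverage = lighthouse_task_coverage(assigned_roles)
    return [task for task, roles in coverage.items() if not roles]

# Constructed sample data (hypothetical role names, Graph-like shape).
SAMPLE_ROLES = [
    {"displayName": "Example Support Role", "rolePermissions": [
        {"allowedResourceActions": [
            "microsoft.office365.supportTickets/allEntities/allTasks",
            "microsoft.office365.serviceHealth/allEntities/allTasks"]}]},
    {"displayName": "Example Broad Admin Role", "rolePermissions": [
        {"allowedResourceActions": [
            "microsoft.office365.supportTickets/allEntities/allTasks",
            "microsoft.directory/users/basic/update",
            "microsoft.directory/groups/members/update"]}]},
    {"displayName": "Example Reader Role", "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/users/standard/read"]}]},
]

if __name__ == "__main__":
    for task, roles in lighthouse_task_coverage(SAMPLE_ROLES).items():
        print(f"{task}: {roles or 'NOT GRANTED'}")
```

When a task is granted by more than one role, the first name in the list is the narrowest and is the candidate to keep.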
Related content
Requirements for Microsoft 365 Lighthouse (article)
View your Microsoft Entra roles in Microsoft 365 Lighthouse (article)
Assign roles and permissions to users - Partner Center (article)
Overview of Microsoft 365 Lighthouse (article)
Sign up for Microsoft 365 Lighthouse (article)
Microsoft 365 Lighthouse FAQ (article)