This chapter covers Microsoft 365 Lighthouse, a multi-tenant management tool for Managed Service Providers (MSPs) to monitor and secure customer tenants at scale. For the MS-102 exam, Lighthouse appears under Tenant Management objective 1.2, typically accounting for 5-10% of questions. You must understand its licensing requirements, architecture, role delegation via GDAP, baseline management, and how it differs from other Microsoft portals like Azure Lighthouse or Microsoft 365 admin center. We will dive deep into its mechanism, configuration steps, and exam focus areas.
Imagine an MSP managing 50 different office buildings (tenants), each with its own security guard (admin). Each guard checks IDs manually and logs entries in a local book. When a new security policy comes (e.g., enforce MFA), the MSP must send a memo to all 50 guards, then visit each building to verify compliance. This is slow and error-prone. Microsoft 365 Lighthouse is like installing a centralized control tower with a giant dashboard. Each building's guard now reports real-time data to the tower: number of users, devices, MFA status, risky sign-ins, etc. The tower displays all 50 buildings on one screen with color-coded statuses (green = compliant, red = issue). The MSP can deploy policies (like baseline security standards) with a single click, and the tower pushes them to each building automatically. If a building falls out of compliance, the tower flashes an alert. The MSP can also drill down into a specific building to see exactly which user didn't enable MFA, then take remote action—like locking that user's door remotely. The tower never stores user passwords; it only monitors and manages. This mirrors Lighthouse: it aggregates data from all managed tenants using delegated admin privileges (GDAP), displays cross-tenant insights, and allows policy deployment via baseline templates.
What is Microsoft 365 Lighthouse?
Microsoft 365 Lighthouse is a multi-tenant administration portal provided within the Microsoft 365 admin center, designed specifically for Managed Service Providers (MSPs) who manage multiple customer tenants. Launched in July 2021, it centralizes security, compliance, and device management across tenants, offering a unified view of customer environments. The primary goal is to reduce the operational overhead of managing disparate tenants by providing cross-tenant insights, baseline policy deployment, and incident response capabilities.
Licensing Requirements
Lighthouse has strict licensing prerequisites. The MSP partner tenant must have at least one of the following licenses: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F5 Security add-on. Each customer tenant being managed must also have at least one paid license from the same set. Additionally, the customer tenant must have at least 10 active users to appear in Lighthouse. Note: Government clouds (GCC, GCC High, DoD) are not supported. The exam often tests these numbers: minimum 10 users per customer, and specific SKUs.
Architecture and Data Flow
Lighthouse uses delegated administration via Granular Delegated Admin Privileges (GDAP). The MSP must establish a GDAP relationship with each customer tenant. Once set up, Lighthouse reads data from customer tenants using read-only roles (e.g., Global Reader, Security Reader, Reports Reader). Data flows one-way: from customer tenant to Lighthouse. Lighthouse does not store customer data permanently; it caches aggregated data for up to 48 hours. The data includes user risk, device compliance, MFA status, and threat detections. The MSP can view this data in the Lighthouse dashboard but cannot modify customer data directly unless they have write permissions via GDAP (e.g., Security Administrator).
Key Components and Defaults
Dashboard: Displays overall tenant health with tiles for Users, Devices, Threat Management, and Baselines. Each tile shows counts and status bars (compliant, non-compliant, not applicable).
Tenant list: Lists all managed tenants with columns for tenant name, number of users, MFA status, device compliance, etc. Default sorting by tenant name.
User page: Detailed view of users across all tenants, including risk level (low, medium, high), MFA registration status, and passwordless status. The exam may test that Lighthouse shows users from all tenants in a single list.
Device page: Shows device compliance (Intune), OS versions, and antivirus status. Devices are grouped by tenant.
Baselines: Pre-defined security configurations (e.g., MFA baseline, device compliance baseline) that can be deployed to multiple tenants simultaneously. Baselines are based on Microsoft's recommended security settings. There are four default baselines: MFA, Device Compliance, Threat Protection, and Identity Protection.
Deployment plans: When deploying a baseline, you create a deployment plan that tracks progress per tenant. The plan shows which settings have been applied and which remain.
Incidents: List of active incidents from Microsoft 365 Defender across tenants, allowing cross-tenant triage.
How Lighthouse Works Internally
When an MSP logs into the Microsoft 365 admin center (admin.microsoft.com) and selects Lighthouse, the backend authenticates the partner's GDAP tokens. For each customer tenant with an active GDAP relationship, Lighthouse queries the following endpoints:
Azure AD (Entra ID): User risk detections, MFA registration status, sign-in logs.
Microsoft 365 Defender: Alerts and incidents.
Intune: Device compliance policies, device health.
Exchange Online: Mailbox audit logs (limited).
The data is aggregated and presented in the Lighthouse UI. The aggregation process runs every 4 hours for most data, but some real-time data (like incidents) may update faster. The cache duration is 48 hours; if a customer tenant becomes unreachable, Lighthouse will show stale data for up to 48 hours before marking it as unavailable.
Configuration and Verification
To set up Lighthouse, an MSP must first establish GDAP with each customer. This is done via the Microsoft Partner Center. Steps:
In Partner Center, create a GDAP relationship with the customer tenant, specifying the required roles (e.g., Global Reader, Security Reader).
The customer must approve the relationship in their tenant.
Once approved, the customer tenant appears in Lighthouse automatically (may take up to 24 hours).
To verify Lighthouse is working:
Open Lighthouse from the Microsoft 365 admin center (left nav under Admin centers).
Check the Tenant list for the expected customers.
Drill into a tenant's User page to see MFA status.
Using PowerShell:
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Partner module)
# Scope needed to read GDAP relationships from the partner tenant
Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All"
# List customer tenants that have a GDAP relationship with this partner
Get-MgTenantRelationshipDelegatedAdminCustomer
Interaction with Related Technologies
Azure Lighthouse: Azure Lighthouse manages Azure resources across tenants (VMs, subscriptions). Microsoft 365 Lighthouse manages Microsoft 365 workloads (Entra ID, Intune, Defender). They are separate but complementary. The exam may contrast them: Azure Lighthouse uses Azure delegated resource management, while M365 Lighthouse uses GDAP.
Microsoft 365 admin center: The admin center is the overarching portal; Lighthouse is a section within it. The admin center shows a single tenant; Lighthouse shows multiple.
Microsoft 365 Defender: Incidents in Defender are surfaced in Lighthouse's Threat Management section, allowing cross-tenant incident response.
Entra ID Identity Protection: User risk data comes from Identity Protection. Lighthouse displays risk levels but cannot modify risk policies unless the MSP has write permissions.
Limitations
Lighthouse does not support managing security defaults; it uses Conditional Access policies for MFA baselines.
Lighthouse cannot manage Exchange Online or SharePoint settings directly.
Customer tenants with fewer than 10 users are hidden from the tenant list.
Lighthouse is not available in sovereign clouds (GCC, GCC High, DoD).
GDAP roles must be assigned with care; excessive permissions can be a security risk.
Exam-Relevant Numbers
Minimum 10 users per customer tenant to appear in Lighthouse.
Data cache duration: up to 48 hours.
Default baselines: 4 (MFA, Device Compliance, Threat Protection, Identity Protection).
Supported licenses: Business Premium, E3, E5, F5 Security.
Roles required: Global Reader (minimum) for read-only access; Security Reader for security data; Security Administrator for baseline deployment.
Common Misconfigurations
Not establishing GDAP correctly: if GDAP is not set up or is expired, the tenant will not appear.
Using Azure Lighthouse instead of GDAP: Azure Lighthouse does not grant access to Microsoft 365 workloads.
Assigning too few roles: e.g., only Global Reader may prevent deployment of baselines.
Ignoring the 10-user threshold: small tenants are invisible.
Summary
Microsoft 365 Lighthouse is a powerful tool for MSPs to gain visibility and control across customer tenants. The exam focuses on its architecture, licensing, GDAP dependency, baseline management, and comparison with Azure Lighthouse. Understanding the data flow and limitations is critical for answering scenario-based questions.
Establish GDAP Relationship
In Partner Center, create a GDAP relationship with each customer tenant. Specify the roles needed: at minimum Global Reader for visibility, Security Reader for threat data, and Security Administrator for baseline deployment. The customer must approve the request in their tenant. Without GDAP, Lighthouse cannot access the customer's data. GDAP replaces the older DAP (Delegated Admin Privileges) with granular, time-limited permissions. The relationship can be set to auto-renew or expire after a set period (default 1 year). Once approved, the customer tenant will appear in Lighthouse within 24 hours.
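The following Microsoft Graph PowerShell script is an added example, not part of this chapter or of Microsoft's own tooling, that audits the partner tenant's GDAP relationships against the points above: it flags relationships that are not active, relationships that expire soon without auto-extend, relationships that grant Global Administrator (the least-privilege problem described later in Scenario 2), and relationships that lack the Security Administrator role that baseline deployment needs. It assumes the Microsoft.Graph.Identity.Partner module and the DelegatedAdminRelationship.Read.All scope; the role GUIDs are the well-known Entra built-in role template IDs, and the 30-day warning window is an arbitrary choice.

```powershell
# Added example: audit GDAP relationships from the partner tenant.
# Assumes Microsoft.Graph.Identity.Partner is installed (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Identity.Partner
Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All" -NoWelcome

# Well-known Entra built-in role template IDs (roleDefinitionId values in GDAP access details)
$RoleNames = @{
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451" = "Global Reader"
    "5d6b6bb7-de71-4623-b4af-96380a352509" = "Security Reader"
    "194ae4cb-b126-40b2-bd5b-6091b380977d" = "Security Administrator"
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"
}
$SecurityAdminId = "194ae4cb-b126-40b2-bd5b-6091b380977d"
$GlobalAdminId   = "62e90394-69f5-4237-9190-012177145e10"
$WarnWithinDays  = 30   # arbitrary window for "expiring soon"

function Get-GdapAuditReport {
    param([int]$WarnDays = $WarnWithinDays)
    $now = Get-Date
    foreach ($rel in Get-MgTenantRelationshipDelegatedAdminRelationship -All) {
        $roleIds  = @($rel.AccessDetails.UnifiedRoles | ForEach-Object { $_.RoleDefinitionId })
        $findings = @()

        # Only "active" relationships feed Lighthouse; pending, expired or terminated ones do not.
        if ($rel.Status -ne "active") { $findings += "status is '$($rel.Status)'" }

        # "PT0S" / "00:00:00" / empty all mean the relationship will not auto-extend.
        $autoExtend    = [string]$rel.AutoExtendDuration
        $hasAutoExtend = $autoExtend -and ($autoExtend -notin @("PT0S", "00:00:00"))
        if ($rel.EndDateTime -and ($rel.EndDateTime -lt $now.AddDays($WarnDays)) -and -not $hasAutoExtend) {
            $findings += "expires $($rel.EndDateTime.ToString('yyyy-MM-dd')) without auto-extend"
        }

        # Least privilege: Global Administrator is far more than Lighthouse needs.
        if ($roleIds -contains $GlobalAdminId) { $findings += "grants Global Administrator" }
        # Baseline deployment needs Security Administrator; read-only roles are not enough.
        if ($roleIds -notcontains $SecurityAdminId) { $findings += "no Security Administrator (cannot deploy baselines)" }

        [pscustomobject]@{
            Customer     = $rel.Customer.DisplayName
            CustomerId   = $rel.Customer.TenantId
            Relationship = $rel.DisplayName
            Status       = $rel.Status
            EndDate      = $rel.EndDateTime
            Roles        = ($roleIds | ForEach-Object { if ($RoleNames[$_]) { $RoleNames[$_] } else { $_ } }) -join ", "
            Findings     = ($findings -join "; ")
        }
    }
}

Get-GdapAuditReport | Sort-Object Customer | Format-Table -AutoSize -Wrap
```

Run it from the partner tenant with an account that can read GDAP relationships; a customer that is missing from the Lighthouse tenant list will usually show up here with a non-active status, an expired end date, or no relationship at all, which separates the GDAP cause from the 10-user threshold.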
Access Lighthouse Portal
Navigate to admin.microsoft.com, then under Admin centers, select Microsoft 365 Lighthouse. The dashboard loads aggregated data from all tenants with active GDAP. The first load may take several minutes as Lighthouse queries each customer tenant. The dashboard shows tiles for Users, Devices, Threat Management, and Baselines. Each tile displays summary counts and status breakdowns. The Tenant list tab shows all managed tenants with key metrics. If a tenant is missing, check GDAP status and the 10-user minimum.
Review Tenant Health
Use the Tenant list to quickly identify tenants with issues. Columns include MFA status (registered, not registered), device compliance (compliant, non-compliant), and user risk (low, medium, high). Click on a tenant name to drill into its details. The tenant details page shows user-specific data: each user's MFA registration, risk level, and passwordless status. This allows the MSP to pinpoint which users need attention. Data is cached for up to 48 hours, so recent changes may not appear immediately.
Deploy Baseline Policies
Select Baselines from the left menu. Choose a baseline (e.g., MFA baseline). Review the baseline settings, which include Conditional Access policies requiring MFA for all users. Click 'Create deployment plan' to start deploying to one or more tenants. The deployment plan tracks progress: pending, in progress, applied, or failed. You can monitor the plan from the Deployment plans tab. Baselines can be customized, but deviations from Microsoft's recommended settings may reduce security posture. The exam may test that baselines are deployed via deployment plans, not directly.
Monitor and Respond to Incidents
The Threat Management tab lists active incidents from Microsoft 365 Defender across all tenants. Each incident shows severity, status, and affected users. You can click an incident to view details and link to Defender for deeper investigation. If you have Security Administrator role, you can take actions like closing incidents or initiating automated investigations. This cross-tenant view is unique to Lighthouse; in the standard admin center, you can only see incidents for one tenant at a time.
Enterprise Scenario 1: MSP with 200 SMB Customers
A Managed Service Provider manages 200 small businesses, each with 10-50 users. Before Lighthouse, the MSP had to log into each tenant's admin center individually to check MFA compliance, device health, and security alerts. This took hours daily. With Lighthouse, the MSP's helpdesk team uses the dashboard to quickly identify tenants with low MFA registration rates. They deploy the MFA baseline to 50 tenants simultaneously, reducing manual effort by 80%. The deployment plan shows exactly which tenants succeeded and which failed (e.g., due to existing Conditional Access policies). The MSP also uses the user risk view to spot compromised accounts across tenants and take immediate action via GDAP. Performance is generally smooth, but the 48-hour cache can cause delays in seeing changes. The MSP learned to wait at least 48 hours before escalating if a tenant doesn't appear after GDAP approval.
Enterprise Scenario 2: Large MSP with Complex GDAP Hierarchy
A large MSP with 500+ customers uses Lighthouse for cross-tenant monitoring but also needs to delegate management to different teams (e.g., Level 1 support, Level 2 security). They create multiple GDAP relationships per customer with different role sets: Level 1 gets Global Reader, Level 2 gets Security Administrator. Lighthouse respects these roles; a Level 1 technician cannot deploy baselines. The MSP also uses Azure Lighthouse for Azure resource management, but they keep Microsoft 365 Lighthouse separate for M365 workloads. A common misconfiguration they encountered: assigning Global Administrator role via GDAP, which gave too much power and violated least privilege. They now use only the roles required. Additionally, they found that customers with fewer than 10 users are invisible, so they use alternative tools (e.g., custom scripts) for those small tenants.
Scenario 3: Incident Response Across Tenants
A security incident (e.g., a phishing campaign) affects multiple customer tenants simultaneously. The MSP uses Lighthouse's Threat Management tab to see all incidents in one place. They filter by severity and identify three tenants with critical incidents. They drill into each incident, link to Defender, and initiate automated investigation. Without Lighthouse, they would have to switch between tenant portals, missing the big picture. The cross-tenant view is crucial for identifying patterns (e.g., same attacker targeting multiple tenants). The MSP also uses Lighthouse to check if any users are marked as high risk across tenants, then force password reset via GDAP with Security Administrator role. One pitfall: if GDAP roles are too restrictive (e.g., no Security Administrator), they cannot take action; they must request elevation from the customer.
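As an added example that is not part of this chapter or of Lighthouse itself, the script below performs the cross-tenant check from this scenario directly against each customer tenant over GDAP, which is useful when the Lighthouse view may be up to 48 hours stale: for every customer it lists users that Identity Protection currently marks as high risk and incidents Defender reports as high severity and active, then groups incident titles that recur across tenants. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Security modules, GDAP relationships that grant at least Security Reader, and Identity Protection licensing in the customer tenants; the tenant names and IDs are constructed placeholders.

```powershell
# Added example: cross-tenant triage of high-risk users and high-severity incidents
# from the partner identity over GDAP. Assumes Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Security are installed and that GDAP grants at least Security Reader.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Security

# Constructed placeholders; replace with the customer tenant IDs from Partner Center.
$CustomerTenants = @(
    @{ Name = "Contoso (placeholder)";  TenantId = "00000000-0000-0000-0000-000000000001" }
    @{ Name = "Fabrikam (placeholder)"; TenantId = "00000000-0000-0000-0000-000000000002" }
)
$Scopes = @("IdentityRiskyUser.Read.All", "SecurityIncident.Read.All")

function Get-CustomerTriage {
    param([hashtable[]]$Tenants)
    foreach ($t in $Tenants) {
        try {
            # One sign-in per customer; the partner account is authorized through GDAP.
            Connect-MgGraph -TenantId $t.TenantId -Scopes $Scopes -NoWelcome -ErrorAction Stop | Out-Null
        } catch {
            # Typical causes: no GDAP relationship, expired relationship, or a missing role.
            [pscustomobject]@{ Customer = $t.Name; Kind = "error"; Item = $_.Exception.Message; Detail = "" }
            continue
        }

        # Users Identity Protection currently flags as high risk (not yet remediated or dismissed).
        Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All |
            ForEach-Object {
                [pscustomobject]@{ Customer = $t.Name; Kind = "riskyUser"
                                   Item = $_.UserPrincipalName; Detail = "risk updated $($_.RiskLastUpdatedDateTime)" }
            }

        # Open high-severity incidents from Microsoft 365 Defender in this tenant.
        Get-MgSecurityIncident -Filter "severity eq 'high' and status eq 'active'" -All |
            ForEach-Object {
                [pscustomobject]@{ Customer = $t.Name; Kind = "incident"
                                   Item = $_.DisplayName; Detail = "created $($_.CreatedDateTime)" }
            }

        Disconnect-MgGraph | Out-Null
    }
}

$triage = Get-CustomerTriage -Tenants $CustomerTenants
$triage | Sort-Object Kind, Customer | Format-Table -AutoSize -Wrap

# Pattern spotting: the same incident title in several tenants suggests one campaign.
$triage | Where-Object Kind -eq "incident" | Group-Object Item |
    Where-Object Count -gt 1 | Select-Object Name, Count
```

Any "error" rows are the same failure mode the scenario describes: the partner identity is not authorized in that tenant, so the fix is on the GDAP side (relationship or role) rather than in Lighthouse. Taking action on a flagged user, such as the password reset mentioned above, needs a write role (Security Administrator) in the customer tenant; this script only reads.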
The MS-102 exam tests Microsoft 365 Lighthouse under objective 1.2 (Manage tenants). Expect 2-4 questions, often scenario-based. Key areas:
Licensing and minimums: You must know that each customer tenant needs at least 10 active users and a license from the set {Business Premium, E3, E5, F5 Security}. The MSP tenant must also have one of these licenses. The exam loves to ask: 'A customer has 8 users with E3 licenses. Will they appear in Lighthouse?' The answer is no (minimum 10 users). Another trap: 'Can you use Lighthouse with Government clouds?' No.
GDAP vs DAP: GDAP is required; DAP (older delegated admin) is not sufficient. The exam may ask: 'You have DAP with a customer. Can you see them in Lighthouse?' No, you need GDAP.
Baselines and deployment plans: Know the four default baselines: MFA, Device Compliance, Threat Protection, Identity Protection. Understand that baselines are deployed via deployment plans, not directly applied. The exam may ask: 'What is the first step to enforce MFA across tenants?' Answer: Create a deployment plan for the MFA baseline.
Roles: Minimum role to view Lighthouse data is Global Reader. To deploy baselines, you need Security Administrator. The exam may present a scenario where an MSP can see tenants but cannot deploy baselines; answer: assign Security Administrator role via GDAP.
Data freshness: Data is cached for up to 48 hours. A question might say: 'You enabled MFA for a user 2 hours ago, but Lighthouse still shows not registered. Why?' Answer: Data may take up to 48 hours to update.
Common wrong answers:
Choosing Azure Lighthouse instead of Microsoft 365 Lighthouse for M365 management.
Thinking that any M365 license works (e.g., F1 or Business Basic).
Assuming that all customers with GDAP appear (forgetting the 10-user minimum).
Believing that baselines are applied immediately (they go through deployment plans).
Edge cases: If a customer tenant has more than 10 users but no paid license (e.g., trial), it may not appear. Also, if the GDAP relationship expires, the tenant disappears from Lighthouse. The exam may test that GDAP can be set to auto-renew.
How to eliminate wrong answers: Focus on the mechanism. If a question involves cross-tenant M365 management, the answer is Lighthouse. If it involves Azure VMs, it's Azure Lighthouse. If it involves a single tenant, it's the Microsoft 365 admin center. Always check licensing and user count requirements.
Trap pattern: A question might say: 'You need to configure security settings across 50 tenants. What should you use?' Options: a) Azure Lighthouse, b) Microsoft 365 Lighthouse, c) Microsoft 365 admin center, d) Partner Center. The correct answer is b. Some candidates choose Azure Lighthouse because they confuse the names. Remember: Azure Lighthouse is for Azure resources; Microsoft 365 Lighthouse is for M365 workloads.
Numbers to memorize: 10 users, 48 hours, 4 baselines, GDAP (not DAP), roles: Global Reader (read), Security Administrator (write).
Microsoft 365 Lighthouse is for MSPs to manage multiple customer tenants' M365 workloads from a single pane of glass.
Lighthouse requires GDAP (Granular Delegated Admin Privileges) — DAP is not sufficient.
Each customer tenant must have at least 10 active licensed users (Business Premium, E3, E5, or F5 Security).
Data in Lighthouse is cached for up to 48 hours; changes are not reflected in real time.
There are four default baselines: MFA, Device Compliance, Threat Protection, and Identity Protection.
Baselines are deployed via deployment plans, not directly applied.
Minimum role to view Lighthouse data: Global Reader. To deploy baselines: Security Administrator.
Lighthouse is not available in sovereign clouds (GCC, GCC High, DoD).
Azure Lighthouse is for Azure resources; Microsoft 365 Lighthouse is for M365 workloads — they are complementary, not interchangeable.
The 10-user minimum is per customer tenant; tenants with fewer users are hidden.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft 365 Lighthouse
Manages Microsoft 365 workloads (Entra ID, Intune, Defender, Exchange Online).
Uses Granular Delegated Admin Privileges (GDAP) for tenant access.
Requires each customer tenant to have at least 10 licensed users.
Provides cross-tenant dashboards for user risk, device compliance, MFA status, and incidents.
Available within the Microsoft 365 admin center (admin.microsoft.com).
Azure Lighthouse
Manages Azure resources (VMs, subscriptions, Azure Policy, etc.).
Uses Azure delegated resource management via ARM and Azure Lighthouse onboarding.
No minimum user count; works with any Azure subscription.
Provides cross-tenant management of Azure infrastructure, including Azure Policy and Blueprints.
Available via Azure portal (portal.azure.com) under Service Providers.
Mistake
Microsoft 365 Lighthouse can manage any customer tenant regardless of user count.
Correct
Customer tenants must have at least 10 active licensed users to appear in Lighthouse. Tenants with fewer than 10 users are hidden from the dashboard, even if GDAP is established.
Mistake
Azure Lighthouse and Microsoft 365 Lighthouse are the same tool.
Correct
Azure Lighthouse manages Azure resources (VMs, subscriptions) across tenants using Azure delegated resource management. Microsoft 365 Lighthouse manages Microsoft 365 workloads (Entra ID, Intune, Defender) using GDAP. They are separate portals and solve different problems.
Mistake
You can deploy baselines directly to tenants without a deployment plan.
Correct
Baselines must be deployed via deployment plans. The plan tracks progress and allows monitoring. Direct application is not supported; the deployment plan is a required step.
Mistake
Lighthouse data is real-time and updates instantly.
Correct
Data is cached for up to 48 hours. Changes like MFA registration or device compliance may take up to 48 hours to reflect in Lighthouse. Some data, like incidents, may update more frequently but still not real-time.
Mistake
Any Microsoft 365 license allows a tenant to be managed via Lighthouse.
Correct
Only specific licenses are supported: Microsoft 365 Business Premium, E3, E5, or F5 Security add-on. Tenants with only F1, E1, or Business Basic licenses will not appear even if they have 10+ users.
The minimum is 10 active licensed users. If a customer has fewer than 10 users, the tenant will not appear in Lighthouse even if GDAP is established. This is a common exam trap: always check the user count. For example, a customer with 8 users will not be visible.
No. Azure Lighthouse is designed for Azure resource management (VMs, subscriptions, etc.). For Microsoft 365 workloads like Entra ID, Intune, and Defender, you must use Microsoft 365 Lighthouse with GDAP. The exam often presents a scenario where you need to manage M365 settings across tenants; the correct answer is Microsoft 365 Lighthouse.
Data is cached for up to 48 hours. For example, if you enable MFA for a user, it may take up to 48 hours for Lighthouse to reflect the change. Some data like incidents may update more frequently, but you should not rely on real-time updates. The exam may test this by asking why a recent change is not visible.
To deploy baselines, you need the Security Administrator role assigned via GDAP. The minimum read-only role is Global Reader. If you can see tenants but cannot deploy baselines, you likely lack Security Administrator. The exam may ask you to assign the appropriate role.
No. Microsoft 365 Lighthouse is not supported in sovereign clouds (GCC, GCC High, DoD). It is only available in commercial cloud environments. If a question involves a government tenant, Lighthouse is not an option.
GDAP (Granular Delegated Admin Privileges) is required for Lighthouse. DAP (Delegated Admin Privileges) is an older, less granular delegation method that does not work with Lighthouse. You must establish GDAP relationships with customers. The exam may ask: 'You have DAP with a customer. Can you see them in Lighthouse?' The answer is no.
You create a deployment plan for a baseline (e.g., MFA baseline) and select the target tenants. The plan tracks progress. You cannot apply a baseline directly; the deployment plan is mandatory. The exam may ask about the first step: 'Create a deployment plan.'