Microsoft 365 Lighthouse Preview
Calling Managed Service Providers (MSPs) around the world: there's a new tool coming to your toolbelt -- Microsoft 365 Lighthouse, currently in public preview. This is not the same technology as Azure Lighthouse, where a service provider can manage clients' Azure resources using delegated permissions. Microsoft 365 Lighthouse is conceptually similar, however, providing the ability for an MSP to manage clients' Office/Microsoft 365 (M365) tenants with delegated permissions.
Azure Lighthouse changed the game for managed service offers for Azure, and I think this new service will do the same for M365.
Getting Started
If you're an MSP and you'd like to kick the tires (it's free), the first step is to add the service to your management tenant. Go to admin.microsoft.com and expand Billing, Purchase services, Other services and search for Lighthouse. "Purchase" a single license of the Microsoft 365 Lighthouse public preview. It can take up to 24 hours to be activated in your tenant, but in my case it only took a few hours before I received the notification email.
The public preview has no additional cost, and Azure Lighthouse also doesn't cost anything, so I suspect the General Availability (GA) release also won't cost anything.
Requirements for Microsoft 365 Lighthouse
As per usual for such a fundamental shift in a platform, there are a few prerequisites for M365 Lighthouse.
Your MSP must be enrolled in Microsoft's Cloud Solution Provider (CSP) program, either as an Indirect Reseller or Direct Bill partner. Given that the CSP program has been around for quite a few years now and has been expanded to include not only cloud licensing but also on-premises perpetual licenses, I assume most Microsoft partners are already on board.
For each client that you want to manage, you must have Delegated Admin Privileges (DAP) authorized to you. I suspect many small businesses simply allow their MSP to create one or more Global Admin accounts in their tenants for management, but DAP is the "official way" to have a service provider manage your tenant for you.
There are a few other limitations that I suspect will be changed at or after GA, such as each client tenant having at least one Microsoft 365 Business Premium license and having no more than 500 licensed users. Since Microsoft 365 Business tops out at 300 licenses, I think these are preview limitations only.
It makes sense to focus on the SMB market to start with, and requiring M365 Business Premium ensures a baseline of security features. In my testing I found that tenants with other licensing SKUs did show up in the portal, but of course the available management options vary based on the features enabled for each user/device account.
The ability to manage devices in each tenant relies on them being enrolled in Microsoft Endpoint Manager (MEM), formerly known as Intune. User data visibility in reports requires at least Azure Active Directory Premium P1, which is included in Microsoft 365 Business Premium. To see Threat information, Windows devices must have Microsoft Defender Antivirus enabled.
Completing the Prerequisites
Here's the official documentation for becoming a CSP reseller, either as an indirect reseller (you buy Microsoft 365/Azure through a distributor and then bill your clients) or a direct bill partner. To be a direct bill partner you've got to generate at least 300,000 USD revenue in cloud sales in a 12-month period, as well as manage customer billing, provisioning, and tier 1 support.
The Partner Center has a CSP area where you can manage clients, administer their cloud estates (for each client individually) and send Delegated Admin Privileges invitations.
Whoever you send the link to should be a Global Admin in the client's tenant; when they click the link, they're asked to sign in to their tenant and then accept the relationship by clicking Authorize.
Once that's completed, they show up as a client in your CSP portal and you can see their devices, analytics for their subscription, their license allotments, open service requests, account information and administer their services.
Microsoft 365 Lighthouse Portal
Partner Center only allows a limited view of each client, and only on a single-client basis. The power of Microsoft 365 Lighthouse is that you can see all your clients' user and device accounts in one place. Go to https://lighthouse.microsoft.com with your MFA-enabled Global Admin account for your MSP's tenant. The Lighthouse portal enforces MFA, but I suggest that access should also be limited to specified administrative workstations.
The Home blade gives tiles with summaries across all tenants for security threats found, Defender for Antivirus status, users flagged as risky and device compliance.
The Tenants blade gives you a filterable view of your tenants and their status, whereas the Users blade has four tabs -- including a Search tab where you can quickly find a user and reset their password or block their sign-ins. This might seem like a small improvement, but resetting passwords by logging in individually to each tenant's admin console and finding the user is far more time consuming, so I can see a lot of saved time across a large user population.
The second tab lists Risky users (from Azure AD Premium P1 data), the third the Azure MFA status for each tenant and the fourth shows the Self-Service Password Reset (SSPR) status for each tenant.
The Devices blade has an overview of all devices and their compliance with your MEM policies, a tab with a list of Devices, a tab with the individual MEM policies in each tenant, and a Settings tab that lists non-compliant settings across your clients' device fleets.
The Threat management blade has an overview tab, a Threats tab that shows Active, Mitigated, Resolved or Allowed threats whereas the Antivirus protection tab covers Defender AV status on all devices.
Clicking an individual device lets you run quick or full scans on it, or reboot it; you can also select multiple devices and run these tasks on all of them.
Baselines and Role Based Access Control
Microsoft 365 Lighthouse has two RBAC roles, Admin Agent and Helpdesk Agent. The Admin Agent can change most settings, whereas the Helpdesk Agent can block sign-ins, reset passwords and update client website and contact details.
There are also Security baselines, which are another value proposition of M365 Lighthouse; in the current preview you can't create your own, but that's coming. The ability to easily establish a set of default security settings and then apply them across all your tenants is going to be powerful. The policies are:
- Require MFA for admins (CA report only policy)
- Require MFA for end users (CA report only policy)
- Block legacy authentication (CA report only policy)
- Enroll devices in MEM & Azure AD Join
- Antivirus policy -- a Device Configuration profile
- Windows 10 Compliance policy
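To show what a "report only" Conditional Access (CA) baseline like the legacy-authentication one above amounts to, here is an added example written for this article, not Lighthouse's own baseline definition (the exact settings Microsoft ships may differ). It assumes the Microsoft.Graph PowerShell SDK and an account with the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All scopes.

```powershell
# Added example (not Lighthouse's baseline): a report-only CA policy that
# blocks legacy authentication, then a check of what it would have blocked.
# Assumes Microsoft.Graph SDK modules are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName   = "Baseline - Block legacy authentication (report-only)"
    # Report-only: every sign-in is evaluated and logged, nothing is blocked yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        # Legacy protocols appear to CA as Exchange ActiveSync and "other clients"
        # (IMAP, POP, SMTP AUTH, older Office clients that can't do modern auth).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Before flipping state to "enabled", review the sign-ins the policy WOULD have
# blocked (result 'reportOnlyFailure' in the sign-in log). Filtering is done
# client-side here, so keep -Top modest in a large tenant.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Format-Table -AutoSize
```

Each hit in the final table is a user or service account that still depends on a legacy protocol and would break the moment the baseline is enforced, which is exactly the list you want to work through before moving the policy out of report-only.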
The next blade is Windows 365, which gives you a list of Cloud PCs in your clients' tenants and their network connections to on-premises. The final blade is Service health; it shows the same data as the Microsoft 365 Admin Centre, with advisories and incidents across Teams/Microsoft 365/Exchange Online and another 20 services.
Conclusion
This public preview is limited in both functionality and its strict requirements; I think this will change as feedback flows back to Microsoft during the public preview. Microsoft 365 Lighthouse has its own UserVoice page here.
Microsoft 365 Lighthouse isn't a replacement (today) for a third-party Remote Management and Monitoring (RMM) tool, but given recent security issues with Solarwinds and Kaseya I think it'll find a home at most MSPs: first as a complement to third-party offerings, but gradually, as functionality increases, as a replacement. I have two facts to support that assertion. First, I would trust Microsoft's developers to get security right over nearly any other software vendor. Secondly, the bundled security tools are getting so good that third-party tools may not be required. Many MSPs, for instance, use their favorite antivirus/endpoint detection and response (AV/EDR) tool (or the one that comes bundled with their RMM tool), but Microsoft 365 Defender for Endpoint is a top-notch EDR tool for Windows, macOS, Linux, Android and iOS. MSPs that understand that security must be baked into everything they deliver to their clients are starting to require those clients to have the full M365 E5 suite, and M365 Lighthouse will fit right into that suite of tools.
If you're an MSP, give the public preview a whirl. Or if you're an Office/Microsoft 365 client that relies on an MSP to manage your tenant for you -- ask them if they're using M365 Lighthouse yet.