Microsoft has recently released a multi-tenant management platform for Managed Service Providers called Microsoft 365 Lighthouse. As an Indirect Reseller with Microsoft, you can utilize Lighthouse at no additional cost. The platform provides you aggregate reporting across customers and limited write capabilities (for now). In this article, I will show you how to obtain Lighthouse and walk you through the main features/functionality.
Setting Up Lighthouse
Lighthouse is free to use for Indirect Resellers. In order to utilize the service, you need to order it from your internal office admin portal. If you are signed in as a global admin, you can go to Billing > Purchase Services > Other Services.
Scroll down until you see See all Other service products. Here you will find Microsoft 365 Lighthouse.
If you click into Details, you will be able to check out this $0 line item. If you were to go immediately to lighthouse.microsoft.com after checkout, you may see this message:
After the data ingestion period mentioned above is complete, you will see a dashboard on the home page when navigating to lighthouse.microsoft.com
The dashboard is comprised of various widgets that report on the telemetry collected across the customers under management. These widgets will bring you to other locations in Lighthouse with the ultimate goal of providing key insights you would want to investigate or take action on.
One cool feature allows you to drill into specific tenants which automatically updates all of the widgets with just that customer data:
The tenants tab shows all eligible tenants. Microsoft 365 Lighthouse requires a Microsoft 365 Business Premium subscription in customer tenants for them to be eligible for the service. Here are some other basic requirements:
- Delegated Administrative Privileges (as an indirect reseller, you are listed under partner relationships for the customer)
- User count restriction: Microsoft caps the service to customers with fewer than 500 licensed users
Tags can be created and applied to one or many customers for management and filtering across the service.
Users can be searched for across all tenants. You are able to reset users' passwords or block users directly from within Lighthouse.
The remaining tabs on the users page all require that a customer have Azure AD P1 licensing. The risky users tab utilizes the identity protection feature within Azure AD to classify whether users are at risk based on suspicious or malicious activity. These could be things such as:
- Impossible location sign-in
- Malicious IP sign-in
- Sign-in from an infrequent location
The MFA tab displays all users who are “registered” for MFA. The platform encompasses per-user MFA (enabled, enforced, or disabled through the MFA portal), Conditional Access policies, and Security Defaults. The good news is that the reporting updates instantly once a user has enrolled, so there is no delay in reporting back. The bad news is that the “non-registered” MFA users include external accounts and shared mailboxes, which leads to somewhat inaccurate data. Additionally, there is no support for third-party MFA reporting, such as DUO.
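Because the MFA tab counts external accounts and shared mailboxes as "non-registered", the raw percentage understates real coverage. The following added example (not part of the original article or of Lighthouse itself) recomputes the registration rate over interactive member accounts only and produces the list of users who actually need follow-up; the field names are assumptions modeled loosely on Azure AD's userType and Exchange's recipient type, and the sample users are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    upn: str
    user_type: str        # "Member" or "Guest" (modeled on Azure AD userType; assumed field)
    recipient_type: str   # "UserMailbox" or "SharedMailbox" (modeled on Exchange; assumed field)
    mfa_registered: bool  # what the Lighthouse MFA tab reports for this account


def is_interactive_user(u: UserRecord) -> bool:
    """Only internal members with a normal mailbox are expected to register for MFA."""
    return u.user_type == "Member" and u.recipient_type != "SharedMailbox"


def mfa_registration_summary(users):
    """Return the raw rate Lighthouse would show next to a scoped rate that
    excludes guests and shared mailboxes, plus the accounts to chase."""
    raw_total = len(users)
    raw_registered = sum(u.mfa_registered for u in users)
    scoped = [u for u in users if is_interactive_user(u)]
    scoped_registered = sum(u.mfa_registered for u in scoped)
    return {
        "raw_rate": raw_registered / raw_total if raw_total else 0.0,
        "scoped_rate": scoped_registered / len(scoped) if scoped else 0.0,
        "excluded": raw_total - len(scoped),
        # Interactive accounts still lacking MFA: the real remediation list.
        "action_list": sorted(u.upn for u in scoped if not u.mfa_registered),
    }


# Constructed sample tenant: 4 members, 1 guest, 1 shared mailbox.
SAMPLE_USERS = [
    UserRecord("alice@contoso.example", "Member", "UserMailbox", True),
    UserRecord("bob@contoso.example", "Member", "UserMailbox", True),
    UserRecord("carol@contoso.example", "Member", "UserMailbox", True),
    UserRecord("dana@contoso.example", "Member", "UserMailbox", False),
    UserRecord("vendor_ext@partner.example", "Guest", "UserMailbox", False),
    UserRecord("helpdesk@contoso.example", "Member", "SharedMailbox", False),
]

if __name__ == "__main__":
    summary = mfa_registration_summary(SAMPLE_USERS)
    print(f"Lighthouse-style rate: {summary['raw_rate']:.0%}")
    print(f"Scoped rate:           {summary['scoped_rate']:.0%}")
    print("Needs MFA:", summary["action_list"])
```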
The password reset tab displays relevant stats about who has registered for Self-Service Password Reset.
Device management primarily consists of read-only tabs that display things like compliance status, compliance policies, and configuration settings across all tenants. Beyond this visibility, you are taken to individual client Endpoint Manager admin portals if you want to dive further or perform any write actions, such as changing policies or creating new ones.
The threat management section is useful if you are leveraging Microsoft Defender for your antivirus solution. This section displays active threats and can show devices overdue for a scan.
The threat management solution does include the ability to perform full scans, quick scans, reboot devices, and update the antivirus software across all tenants.
Microsoft has added 6 baseline security configuration settings for devices and identities. These baselines provide you with best practices for adopting more of the M365 BP solution if it detects that a tenant does not have these settings configured. The settings include details and end user impact.
Configuring baselines for a customer can be done from the Tenants section by clicking into an active customer. When you create these policies, they are often put in report-only mode, and you still need to go into the customer's AAD environment to scope them to users or groups.
The service health tab shows you incidents and advisories across the Microsoft suite. The key benefit here is seeing how many of your customer tenants are affected. This should allow for more proactive communications to reduce support tickets across customers.
I think it is great that Microsoft is listening to the MSP space and building a tool specifically for multi-tenant management. I feel like Lighthouse is still going to be underutilized today until more customers start adopting Microsoft 365 Business Premium. Additionally, I think Microsoft needs to develop more write capabilities across tenants for the service to truly be useful. As an indirect reseller, you should at least test out the solution, as it is no additional charge. Over time, you may see significant savings in operational cost.