Overview of permissions in Microsoft 365 Lighthouse

Microsoft 365 Lighthouse permissions are primarily managed by the following:

  • Lighthouse role-based access control (RBAC) in the partner tenant
  • Granular delegated administrative privileges (GDAP) in the customer tenant

To use Lighthouse, you need a combination of roles assigned via RBAC and GDAP.

Manage Lighthouse RBAC permissions in the partner tenant

Lighthouse permissions in the partner tenant are managed by assigning RBAC roles in Lighthouse. Each role has a set of permissions that determines which data users can access and change within the partner tenant. Lighthouse RBAC roles don't provide access to customer data. Access to customer data is governed by a Lighthouse user's GDAP permissions (see Manage GDAP in the customer tenant).

RBAC roles are managed from the Lighthouse permissions page in Lighthouse. To access the Lighthouse permissions page and manage permissions, you must hold one of the following roles:

  • Privileged Role Administrator in Microsoft Entra ID
  • Administrator in Lighthouse

To learn more, see Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse.

The following table provides an overview of each Lighthouse RBAC role. For a list of actions each role can perform in the partner tenant, see Lighthouse RBAC roles and capabilities.

| Lighthouse RBAC role | Overview |
|---|---|
| Account Manager | Account Managers have full access to Sales Advisor pages and data across the entire partner tenant. Account Managers can export Sales Advisor data. |
| Administrator | Administrators have full administrative permissions in Lighthouse. Administrators can manage RBAC and GDAP permissions, view audit logs, and create baselines, tags, and alerts. Administrators are automatically assigned the Privileged Role Administrator, User Administrator, and Group Administrator roles in Microsoft Entra ID and the Admin Agent role in Partner Center. |
| Author | Authors can manage tenants, tags, alert rules, and baselines to deploy tenant configurations. |
| Operator | Operators manage customer tenants in Lighthouse based on the GDAP permissions assigned to them for each customer tenant that they manage. Operators can view high-level customer tenant status and manage alerts. Lighthouse users who hold at least one Microsoft Entra role are automatically assigned the Operator role. Note: Lighthouse Administrators can use templates on the Delegated access page to assign GDAP permissions to Lighthouse users. |
| Reader | Readers have read-only access to data in Lighthouse. Lighthouse Readers can view high-level customer tenant status and alerts. |

Lighthouse RBAC roles and capabilities

The following table describes the actions that each Lighthouse RBAC role can perform in Lighthouse. For some actions, you need to hold a Microsoft Entra role in addition to a Lighthouse RBAC role. For other actions, only a Microsoft Entra role is required. Microsoft Entra role requirements are indicated in the last column of the table. For a complete list of Microsoft Entra roles and the actions they can perform, see Microsoft Entra built-in roles.

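| Area | Actions | Account Manager | Administrator | Author | Operator | Reader | Need Microsoft Entra role? |
|---|---|---|---|---|---|---|---|
| Home page | View data on cards | | | | | | Yes |
| Home page | Add users | | | | | | Yes |
| Home page | Reset password | | | | | | Yes |
| Home page | Offboard users | | | | | | Yes |
| Alerts | View alerts and alert rules | | | | | | No |
| Alerts | Manage alerts (change severity, status, or assignment) | | | | | | No |
| Alerts | Create, edit, and delete alert rules | | | | | | No |
| Copilot insights | View opportunities and adoption data | | | | | | Yes |
| Tenants | View the Tenants page | | | | | | No |
| Tenants | View tenant details | | | | | | Yes |
| Tenants | Export data | | | | | | No |
| Tenants | View tags | | | | | | No |
| Tenants | Create, update, and delete tags in Lighthouse | | | | | | No |
| Tenants | Assign and remove tags from tenants | | | | | | No |
| Tenants | Activate and inactivate a tenant | | | | | | No |
| Tenants | View delegated access status | | | | | | No |
| Tenants | View Microsoft Secure Score | | | | | | Yes |
| Tenants | View baseline assignments | | | | | | No |
| Tenants | View deployment status | | | | | | Yes |
| Tenants | View apps and services usage | | | | | | Yes |
| Tenants | View and edit customer contact and website info | | | | | | No |
| Users | Search for users | | | | | | Yes |
| Users | View user metrics | | | | | | Yes |
| Users | Onboard new users | | | | | | Yes |
| Users | Offboard users | | | | | | Yes |
| Users | View inactive users | | | | | | Yes |
| Users | View shared mailboxes | | | | | | Yes |
| Users | View and manage risky users | | | | | | Yes |
| Users | View and manage multifactor authentication | | | | | | Yes |
| Users | View and manage self-service password reset | | | | | | Yes |
| Devices | View device security data | | | | | | Yes |
| Devices | View vulnerability management data | | | | | | Yes |
| Devices | View device compliance data | | | | | | Yes |
| Devices | View threat management data | | | | | | Yes |
| Devices | View device health data | | | | | | Yes |
| Devices | View Windows 365 data | | | | | | Yes |
| Devices | View Windows event logs | | | | | | Yes |
| Apps | View app performance and app management data | | | | | | Yes |
| Quarantined messages | View and manage quarantined messages | | | | | | Yes |
| Baselines | View baselines (default, custom) and task details | | | | | | No |
| Baselines | Create, clone, edit, and assign baselines | | | | | | No |
| Baselines | Extract a task from a tenant to add to a baseline | | | | | | Yes |
| Baselines | View deployment insights | | | | | | Yes |
| Service health | Monitor service health¹ | | | | | | No |
| Support | Create and manage service requests² | | | | | | No |
| Audit logs | View audit logs | | | | | | Yes |
| Permissions | View the Lighthouse Permissions page | | | | | | No |
| Permissions | Set up and manage Lighthouse permissions | | | | | | No |
| Permissions | View, set up, and manage GDAP on the Delegated access page | | | | | | No |
| Sales Advisor | View opportunities | | | | | | No |
| Sales Advisor | View subscription renewals | | | | | | No |
| Sales Advisor | View license requests | | | | | | No |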

1 To monitor service health, Lighthouse users must hold at least one Microsoft Entra role in the partner tenant with the following property set: microsoft.office365.serviceHealth/allEntities/allTasks. The users must also have at least the Admin Agent role or Helpdesk Agent role assigned to them in Partner Center.

2 To create and manage service requests, Lighthouse users must hold at least one Microsoft Entra role in the partner tenant with the following property set: microsoft.office365.supportTickets/allEntities/allTasks.
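
The two footnote requirements above can be checked during an access review of partner-tenant accounts. The following is an added example, not code from the Lighthouse documentation: it assumes each user's Microsoft Entra role definitions were exported in the Microsoft Graph unifiedRoleDefinition shape (rolePermissions / allowedResourceActions), and the users, role names, and helper names (role, audit_user, audit_all) are constructed for illustration.

```python
# Added example. All users and role names below are constructed sample data.
SERVICE_HEALTH = "microsoft.office365.serviceHealth/allEntities/allTasks"
SUPPORT_TICKETS = "microsoft.office365.supportTickets/allEntities/allTasks"
PARTNER_CENTER_ROLES = {"admin agent", "helpdesk agent"}  # footnote 1

def allowed_actions(role_definitions):
    """Union of allowedResourceActions across a user's Entra role definitions."""
    actions = set()
    for definition in role_definitions:
        for permission in definition.get("rolePermissions", []):
            for action in permission.get("allowedResourceActions", []):
                actions.add(action.lower())
    return actions

def audit_user(user):
    """Return the unmet requirements per capability (empty list = requirement met)."""
    actions = allowed_actions(user["entra_roles"])
    pc_roles = {name.lower() for name in user["partner_center_roles"]}
    gaps = {"service_health": [], "service_requests": []}
    if SERVICE_HEALTH.lower() not in actions:
        gaps["service_health"].append("no Entra role grants " + SERVICE_HEALTH)
    if not pc_roles & PARTNER_CENTER_ROLES:
        gaps["service_health"].append(
            "no Admin Agent or Helpdesk Agent role in Partner Center")
    if SUPPORT_TICKETS.lower() not in actions:
        gaps["service_requests"].append("no Entra role grants " + SUPPORT_TICKETS)
    return gaps

def role(name, *actions):
    """Build a constructed role definition in the unifiedRoleDefinition shape."""
    return {"displayName": name,
            "rolePermissions": [{"allowedResourceActions": list(actions)}]}

USERS = [  # constructed accounts, hypothetical role names
    {"upn": "alice@partner.example", "partner_center_roles": ["Admin Agent"],
     "entra_roles": [role("Sample support role", SERVICE_HEALTH, SUPPORT_TICKETS)]},
    {"upn": "bob@partner.example", "partner_center_roles": [],
     "entra_roles": [role("Sample health role", SERVICE_HEALTH)]},
    {"upn": "carol@partner.example", "partner_center_roles": ["Helpdesk Agent"],
     "entra_roles": [role("Sample reader role",
                          "microsoft.directory/users/standard/read")]},
]

def audit_all(users):
    """Map each user principal name to its unmet requirements."""
    return {user["upn"]: audit_user(user) for user in users}

if __name__ == "__main__":
    for upn, gaps in audit_all(USERS).items():
        print(upn, gaps)
```

The second account shows the case that is easy to miss: the Entra permission is present, but service health monitoring is still unavailable because the Partner Center role is absent.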

Manage GDAP in the customer tenant

Just as Lighthouse RBAC roles manage permissions in the partner tenant, GDAP manages permissions in the customer tenants. GDAP gives you a high level of control and flexibility by providing access to customer tenants through Microsoft Entra built-in roles. Assigning the least-privileged roles by task to MSP technicians through GDAP reduces security risk for both MSPs and customers. We recommend that you use GDAP reader roles across customer tenants to give Lighthouse users an aggregate view across all customer tenants.

For more information about setting up a GDAP relationship with a customer tenant in Lighthouse, see Obtain granular admin permissions to manage a customer's service - Partner Center.

For more information about least-privileged roles by task, see Least-privileged roles - Partner Center and Least privileged roles by task in Microsoft Entra ID.

For more information about GDAP or delegated administrative privileges (DAP) deprecation, see GDAP frequently asked questions - Partner Center, or search the Partner Center announcements for dates and timelines.

For a complete list of Microsoft Entra roles and the actions they can perform, see Microsoft Entra built-in roles. For information on how to assign roles, see Assign Microsoft Entra roles to users.
