Overview of permissions in Microsoft 365 Lighthouse
Microsoft 365 Lighthouse permissions are primarily managed by the following:
- Lighthouse role-based access control (RBAC) in the partner tenant
- Granular Delegated Admin Privileges (GDAP) in the customer tenant
To use Lighthouse, you need a combination of roles assigned via RBAC and GDAP.
Managing Lighthouse RBAC permissions in the partner tenant
Lighthouse permissions in the partner tenant are managed by assigning RBAC roles. Each role has a set of permissions that determines which data users can access and change within the partner tenant.
RBAC roles are managed from the Lighthouse permissions page in Lighthouse. To access the Lighthouse permissions page and manage permissions, you must be a Global Administrator in Microsoft Entra ID. To learn more, see Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse.
There's currently only one Lighthouse RBAC role: Lighthouse Account Manager. The following table describes the Lighthouse Account Manager role.
| Lighthouse RBAC role | Description |
|---|---|
| Lighthouse Account Manager | Provides full access to Sales Advisor pages and data across the entire partner tenant. Lighthouse Account Managers can export Sales Advisor data. |
Lighthouse RBAC roles and capabilities
The following table describes the actions that Lighthouse Account Managers can perform in Lighthouse.
| Area | Actions | Lighthouse Account Manager |
|---|---|---|
| Tenants | View the Tenants page | ✓ |
| Manage tags | ||
| Activate and inactivate a tenant | ||
| View delegated status | ✓ | |
| View baseline assignment | ||
| View deployment status | ✓ | |
| View and edit customer contact information and website | ✓ | |
| Baselines | View baselines (default, custom) | |
| Create, edit, and assign baselines | ||
| Alerts | View alerts | ✓ |
| Manage alerts (change severity, status, or assignment) | ||
| Create, edit, and delete alert rules | ||
| Permissions | Set up and manage Lighthouse permissions | |
| Set up and manage GDAP | ||
| View GDAP status detail | ||
| Audit logs | View audit logs | |
| Sales Advisor | View Sales Advisor reports and manage data | ✓ |
| Support | Open and manage service requests | |
| Service health | Monitor service health |
Managing GDAP in the customer tenant
GDAP gives you a high level of control and flexibility by providing access to customer tenants through Microsoft Entra built-in roles. Assigning the least-privileged roles by task through GDAP to MSP technicians reduces security risk for both MSPs and customers.
For more information about setting up a GDAP relationship with a customer tenant in Lighthouse, see Obtain granular admin permissions to manage a customer's service - Partner Center.
For more information about least-privileged roles by task, see Least-privileged roles - Partner Center and Least privileged roles by task in Microsoft Entra ID.
For more information about GDAP or Delegated Admin Privileges (DAP) deprecation, see GDAP frequently asked questions - Partner Center, Delegated administration privileges (DAP) FAQ - Partner Center, or search the Partner Center announcements for dates and timelines.
Related content
Requirements for Microsoft 365 Lighthouse (article)
Delegated administration privileges (DAP) FAQ (article)
View your Microsoft Entra roles in Microsoft 365 Lighthouse (article)
Assign roles and permissions to users (article)
Overview of Microsoft 365 Lighthouse (article)
Sign up for Microsoft 365 Lighthouse (article)
Microsoft 365 Lighthouse FAQ (article)
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for