Microsoft 365 Lighthouse Preview
‘Azure Lighthouse changed the game for managed service providers for Azure, and I believe this new service will do the same for M365.’
Calling Managed Service Providers (MSPs) all around the world: There is a new tool coming to your toolbelt — Microsoft 365 Lighthouse, currently in public preview. This is not the same technology as Azure Lighthouse, where a service provider can manage a client’s Azure resources using delegated permissions. Microsoft 365 Lighthouse is conceptually similar though, providing the ability for an MSP to manage clients’ Office/Microsoft 365 (M365) tenants with delegated permissions.
Azure Lighthouse changed the game for managed service providers for Azure, and I believe this new service will do the same for M365.
Getting Started
If you’re an MSP and you’d like to kick the tires (it’s free), the first step is to add the service to your management tenant. Go to admin.microsoft.com and expand Billing, Purchase services, Other services and search for Lighthouse. “Buy” one license of the Microsoft 365 Lighthouse public preview. It can take up to 24 hours to be activated in your tenant, but in my case it only took a few hours before I received the notification email.
The public preview has no additional cost, and Azure Lighthouse also doesn’t cost anything, so I suspect the General Availability (GA) release also won’t cost anything.
Requirements for Microsoft 365 Lighthouse
As per usual for such a fundamental shift in a platform, there are a few prerequisites for M365 Lighthouse.
Your MSP must be enrolled in Microsoft’s Cloud Solution Provider (CSP) program, either as an Indirect Reseller or Direct Bill partner. Given that the CSP program has been around for quite a few years now and has been expanded to include not only cloud licensing but also on-premises perpetual licenses, I presume most Microsoft partners are already on board.
For each customer that you want to manage, you must have Delegated Admin Privileges (DAP) granted to you. I suspect many small businesses simply allow their MSP to create one or more Global Admin accounts in their tenants for management, but DAP is the “official way” to have a service provider manage your tenant for you.
There are a few other restrictions that I suspect will be changed at or after GA, such as each customer tenant having at least one Microsoft 365 Business Premium license and having no more than 500 licensed users. Since Microsoft 365 Business tops out at 300 licenses, I believe these are preview restrictions only.
It makes sense to focus on the SMB market to start with, and requiring M365 Business Premium ensures a baseline of security features. In my testing I found that tenants with other licensing SKUs did show up in the portal, but of course the available management options vary based on the features enabled for each user/device account.
The ability to manage devices in each tenant depends on them being enrolled in Microsoft Endpoint Manager (MEM), previously known as Intune. User data visibility in reports requires at least Azure Active Directory Premium P1, which is included in Microsoft 365 Business Premium. To see threat information, Windows devices must have Microsoft Defender Antivirus enabled.
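As an added example (not from the original article or from Microsoft), the prerequisites above can be turned into a pre-onboarding triage that separates hard blockers from per-feature visibility gaps. The data shape, field names and sample tenants are constructed for illustration; in practice the inputs would come from your own license and device inventory.

```python
from dataclasses import dataclass, field

MAX_LICENSED_USERS = 500  # preview limit quoted in the article
BUSINESS_PREMIUM = "Microsoft 365 Business Premium"
AAD_P1 = "Azure AD Premium P1"

@dataclass
class Device:
    name: str
    mem_enrolled: bool
    windows: bool
    defender_av: bool

@dataclass
class Tenant:
    name: str
    dap_granted: bool
    licenses: dict        # product name -> seats (constructed shape)
    licensed_users: int
    devices: list = field(default_factory=list)

def assess(t):
    """Return documented-prerequisite blockers and per-feature visibility gaps."""
    blockers = []
    if not t.dap_granted:
        blockers.append("DAP not granted")
    if t.licenses.get(BUSINESS_PREMIUM, 0) < 1:
        blockers.append("no Business Premium license")
    if t.licensed_users > MAX_LICENSED_USERS:
        blockers.append("over 500 licensed users")
    # Business Premium includes Azure AD Premium P1, so either one unlocks user report data.
    user_reports = any(t.licenses.get(p, 0) > 0 for p in (BUSINESS_PREMIUM, AAD_P1))
    return {
        "meets_prereqs": not blockers,
        "blockers": blockers,
        "user_reports": user_reports,
        "not_manageable": [d.name for d in t.devices if not d.mem_enrolled],
        "no_threat_data": [d.name for d in t.devices if d.windows and not d.defender_av],
    }

# Constructed sample tenants.
CONTOSO = Tenant("contoso", True, {BUSINESS_PREMIUM: 40}, 40, [
    Device("pc-01", True, True, True), Device("pc-02", False, True, False),
    Device("mac-01", True, False, False)])
FABRIKAM = Tenant("fabrikam", False, {AAD_P1: 620}, 620)

if __name__ == "__main__":
    for tenant in (CONTOSO, FABRIKAM):
        print(tenant.name, assess(tenant))
```

A tenant that fails `meets_prereqs` may still appear in the portal, as noted above, so treat the blockers as the documented preview requirements rather than a prediction of portal behaviour.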
Completing the Prerequisites
Here’s the official documentation for becoming a CSP reseller, either as an indirect reseller (you buy Microsoft 365/Azure through a distributor and then bill your clients) or a direct bill partner. To be a direct bill partner you’ve got to generate at least 300,000 USD revenue in cloud sales in a 12-month period, as well as manage customer billing, provisioning, and tier 1 support.
The Partner Center has a CSP area where you can manage customers, administer their cloud estates (for each client individually) and send Delegated Admin Privileges invitations.
Whoever you send the link to must be a global admin for the client’s tenant. When they click the link, they’re asked to sign in to their tenant and then accept the relationship by clicking Authorize.
Once that’s done, they show up as a customer in your CSP portal and you can see their devices, analytics for their subscription, their license allotments, open service requests and account details, and administer their services.
Microsoft 365 Lighthouse Portal
Partner Center only allows a limited view of each customer, and only on a single-customer basis. The power of Microsoft 365 Lighthouse is that you can see all your clients’ user and device accounts in one place. Go to https://lighthouse.microsoft.com with your MFA-enabled Global Admin account for your MSP’s tenant. The Lighthouse portal enforces MFA, but I recommend that access should also be restricted to specific administrative workstations.
The Home blade provides tiles with summaries across all tenants for security threats detected, Defender Antivirus status, users flagged as risky and device compliance.
The Tenants blade gives you a filterable view of your tenants and their status, whereas the Users blade has four tabs — including a Search tab where you can quickly find a user and reset their password or block their sign-ins. This might seem like a small improvement, but resetting passwords by logging in individually to each tenant’s admin console and finding the user is far more time consuming, so I can see a lot of saved time across a large user population.
The second tab lists Risky users (from Azure AD Premium P1 data), the third the Azure MFA status for each tenant and the fourth shows the Self-Service Password Reset (SSPR) status for each tenant.
The Devices blade has an overview of all devices and their compliance with your MEM policies, a tab with a list of Devices, a tab with the individual MEM policies in each tenant, and a Settings tab that lists non-compliant settings across your clients’ device fleets.
The Threat management blade has an overview tab and a Threats tab that shows Active, Mitigated, Resolved or Allowed threats, while the Antivirus protection tab covers Defender AV status on all devices.
Clicking an individual device lets you run quick or full scans on it, or reboot it. You can also select multiple devices and run these tasks on all of them.
Baselines and Role Based Access Control
Microsoft 365 Lighthouse has two RBAC roles, Admin Agent and Helpdesk Agent. The Admin Agent can change most settings, whereas the Helpdesk Agent can block sign-ins, reset passwords and update customer website and contact details.