We have a constant need to monitor current tenant configurations across all customers. Currently, we have a huge Excel-based spreadsheet that includes all customer tenants and all the configuration settings we see relevant to keep track on. The configuration settings are currently recorded on very general level. Updating this own "centralized monitoring tool" is manual, slow and all the changes may not end up to our spreadsheet. The settings we keep track on include for example:

• MFA status in organisation: yes/no


• MFA type, if enabled: per-user / Conditional Access


• Other Conditional Access rules in place (ie. block legacy auth, require device compliancy)


• is Intune deployed, MDM/MAM


• Autopilot configuration status: affects to process of ordering and delivering new computers


• Intune Device Compliancy policies


• Audit log activated: yes/no


• Blocked legacy auth protocols (default tenant settings): which protocols


• Self-Service Password Reset enabled: yes/no


• Password Expiration Policy


• O365 ATP configured: yes/no


• Message Encyption enabled: yes/no


• AIP enabled: yes/no


• Cloud app security enabled: yes/no


• AAD Security defaults enabled: yes/no


• AAD Company Branding: yes/no


• Teams guest access: yes/no


• Teams Live Events: yes/no


• license type: M365 Business Premium / lower / higher (to filter in spreadsheet which features are available, but not yet enabled)

We have used this report in account/IT management: roadmaps, current state reports, prioritization of new projects, evaluation of changes affecting to customers. Our technical department is also very eager for this information, especially when going onsite to give IT support and different kind of questions and issues arise.

It would be huge for us, if Lighthouse could have a centralized view to all customer tenants with features similar to our current solution. We wouldn't mind, if there is even more details of technical configuration per above listed setting or additional M365-settings, which could be monitored via Lighthouse.

Lighthouse portal could help us to monitor customer tenants more efficiently, if we could see a overall list of new detections and alerts per customer tenant. This could be a trigger for deeper analysis conducted inside the tenant. Below is a list of different Microsoft detections, alerts and user reported content, in which I would personally see this function helpful.

• AAD Risky users


• AAD Risky sign-ins


• AAD Risk detections


• Office 365 Alerts


• Cloud App Security Alerts


• User reported MFA Frauds

Currently, some of these alerts from customer tenants can be sent to email addresses of our choice, ie. Office 365 Alerts if configured right. The centralized view will decrease the amount of manual configurations across all customer tenants and provide a way for technical and management departments to monitor customer tenants. With knowledge of different events across customer tenants, we can provide better IT service more efficiently.

With Azure Lighthouse, we can setup RBAC permissions based on the specific needs and roles our internal MSP employees need to perform their job functions.

As regulatory compliance and security frameworks (including Zero Trust) continue to evolve and MSPs are required to adhere to those same standards, having a capability to define AAD administrative roles to internal AAD SGs that allow very specific levels of access consistently into multiple customer environments.

Microsoft Partner Center (MPC) only allows for Global Administrator (which is way too much) and then Helpdesk Administrator (which is too low) through Delegated Administration without any flexibility to create custom roles that meet partners' unique needs based on their business processes.

This is a huge gap and I hope this can be figured out within this program!

Here are some requests that we as a CSP would be happy to see in the future. Some are just good to have, but most of them are to get ROI on invested time. Also, this is from a view where many customers are outsourcing their IT to our company and we want to take full responsibility for support and drive our customers towards a secure and effective IT.

1. The ability to see alert policies tenant wide – Today we can forward these alerts and react, but we would want to have a central area for this and skip the external forwarding.




2. The ability to see and release quarantined messages. A great responsibility but also a great opportunity.




3. See customers licensed for Defender for Office that is not using our standard recommendation.




4. Global “restricted users”. This would be a great trigger that something happened and we need to react and inform the customer. As today, we need to “wait” for a support ticket before we react.




5. The ability to filter customers scores (security, compliance, productivity). This would place the customer on a road map and we can take action to get them to a more comfortable score.




6. Central deployment / gallery for apps. Would be nice to compare customer tenants apps compared to what we recommend. With this we ensure that all customers possible leverage intune and our custom made app for support and license ordering.




7. An aggregated message trace that is tenant wide. As today if a user get a phishing mail etc we can manually check the message trace to see if more of the domain users got the message and warn them. If we could leverage a tenant wide message trace we could get higher ROI on every search and more secure customers. Same function could be used on content search if we are searching for a malicious file.




8. Something that I would call “hidden attributes” or tags that only we as CSP can see. These attributes should be able to be placed on customers and users for filtering. Tags like “Important account”, branch standard, priority etc would be great.




9. I would like to be able to create templates with all available settings, from AAD, EOP to sharing policies. In the best scenario the different, 1. Default. 2. Our company standard and 3. Strict.

From these templates I would have the possibility to compare against customer tenant settings. With this feature we can make sure that all customers are up our company standards and be secure and productive.

1. A function for customers to create a support ticket / get in contact with us. This would make lighthouse the central place to be proactive and to support on requests.

We need to be able to select customers to be included in our lighthouse view, and deselect others We need to filter those clients that have a security agreement with us and those that do not.

There are a number of court cases where a MSP has access tot eh data or has received the alert, and did not act on it, and the MSP is liable for the data breach. With the change in the cyber laws, we need to explicitly not view clients information if we have do not have a security agreement with them. The legal community can take a position that if we see the information then we are responsible. We only want to look at those clients that we have a security agreement .

We have noticed a need for a log, that lists changes made to M365 services/tenant configuration across all customers. This feature would support MS Partner's internal operations, when the amount of technicians making configuration changes is high, number of customer tenants is high and IT/account management is trying to keep track of activities regarding project management.

This unified change log would include an event, tenant name and time about a change that was made. Eg. to Endpoint Manager device configuration policies, Conditional access rules, Sharepoint sharing settings, Office 365 Alert policies. The scope is wide and in the beginning the log could include only the blueprints.

Use cases for the log:
- Daily monitoring regarding projects and scheduled changes by IT management.
- With filtering option by customer tenant, a list of recent config changes -> information for different roles eg. IT Management, SysAdmins, end user support
* example: 1st line support receives a call from end user, who is having a problem. IT staff can check the config change log to see if configurations have changes recently or not
* The log supports internal communication and documentation of changes