Microsoft 365 Lighthouse: MSP Multi-Tenant Management Complete Guide
Why This Is Happening
I've worked with dozens of MSPs who open Microsoft 365 Lighthouse for the first time, and the reaction is almost always the same: there's a brief moment of optimism ("finally, one dashboard for all my customers") followed quickly by confusion. Deployment plans showing "Not compliant." Roles that don't seem to do anything. Sales Advisor features that exist in the docs but aren't showing up on screen. Tenants that refuse to onboard cleanly. I get it. The product is genuinely powerful, but the gap between "it's available" and "it's working correctly" is wider than Microsoft's getting-started wizard would have you believe.
Microsoft 365 Lighthouse is a Microsoft partner portal built specifically for Managed Service Providers who handle multiple customer tenants under the Cloud Solution Provider (CSP) program. The core promise is centralized visibility: security posture, device compliance, subscription renewals, and deployment plans, all in one place, across every customer you manage. That's real value when it works.
But here's what the official overview glosses over: Lighthouse is deeply dependent on your Granular Delegated Administrative Privileges (GDAP) relationships being configured correctly for each customer tenant before anything meaningful lights up. If your GDAP relationships are missing, expired, or don't include the right Microsoft Entra roles, you'll see tenants that appear onboarded but refuse to surface real data. You'll see deployment sub-tasks stuck in "Not compliant" with no clear explanation. You'll open the Assigned roles page and wonder why certain actions are grayed out even though you're a global admin on your own partner tenant.
The other big source of confusion: Lighthouse has two distinct role layers that interact in non-obvious ways. Lighthouse RBAC roles control what data you can see and change inside your own partner tenant; they do not grant access to customer data. Microsoft Entra roles, granted through GDAP, are what actually let you reach into a customer's environment. Mix these up and you'll spend hours troubleshooting permissions that were never the problem in the first place.
Feature rollout timing is another real frustration. Microsoft 365 Lighthouse rolls out new features gradually, which means your partner tenant might not have access to a feature that the documentation already describes in detail. The pinned subscription renewals feature, the updated Assigned roles page, and the Executive Summary report generator all arrived in waves across 2024 and 2025, and not every tenant got them on day one.
If any of this sounds familiar, you're in the right place. This Microsoft 365 Lighthouse MSP multi-tenant management guide walks through the exact steps to get things working correctly, from GDAP setup and role assignment through deployment plan compliance, subscription management, and the newer Sales Advisor capabilities.
The Quick Fix: Try This First
If Lighthouse is showing "Not compliant" on a deployment sub-task and you're not sure why, nine times out of ten the fastest resolution path is to simply re-deploy the sub-task rather than diagnose it. Microsoft updates sub-tasks periodically, adding new underlying settings, and when that happens, previously compliant sub-tasks flip to "Not compliant" automatically. This is by design, not a bug.
The most common recent example: the "Configure Microsoft Edge profile for Windows 10 and later" sub-task. In May 2025, Microsoft added two new underlying settings, AutoFill Credit Card and Enhance Security, to this sub-task. Any tenant where this sub-task was previously deployed and marked compliant would have flipped to "Not compliant" after the update. The fix is straightforward:
- In Lighthouse, go to Tenants in the left navigation pane.
- Find the affected tenant showing "Not compliant" and select it to open the tenant details page.
- Select the Deployment plan tab.
- Locate the Configure Microsoft Edge task and expand it.
- Select the Configure Microsoft Edge profile for Windows 10 and later sub-task.
- Select Deploy.
That pushes the updated Intune device configuration profile, now including the AutoFill Credit Card and Enhance Security settings, out to the tenant's devices. Once devices check in and report compliance against the new profile, the sub-task status will update back to compliant.
One thing to check before you do this across all your tenants: if you previously cloned the "Configure Microsoft Edge" deployment task as part of a custom baseline, that cloned version is now out of date. You'll need to go back to the default baseline, re-clone the updated task, and apply it to each custom baseline that included the original. The cloned copy does not auto-update when Microsoft changes the source task.
Before you troubleshoot anything else in Microsoft 365 Lighthouse, confirm that your GDAP relationships are set up correctly for each customer tenant. This is the root cause of more Lighthouse problems than any other single factor. Without valid GDAP relationships that include the right Microsoft Entra roles, Lighthouse simply cannot pull meaningful data from customer tenants, and it won't always tell you that's the problem.
To check your own role assignments, go to Lighthouse and select Roles in the left navigation pane, then choose Assigned roles. The updated Assigned roles page (rolled out March 2025) shows you two distinct things:
- Lighthouse RBAC roles: these determine what you can see and change inside your own partner tenant within Lighthouse. They do not touch customer data.
- Microsoft Entra roles: these are the roles granted through your GDAP relationships with specific customers. These are what actually give you access to customer tenant data.
If you see Lighthouse RBAC roles listed but no Microsoft Entra roles, that explains why customer tenant data isn't surfacing. You'll need to go into Microsoft Partner Center, navigate to your customer relationships, and confirm that GDAP relationships are active and include roles like Global Reader, Intune Administrator, or Security Administrator depending on what data you need Lighthouse to show.
A working GDAP setup for full Lighthouse functionality typically requires at minimum: Global Reader for visibility, Intune Administrator for deployment plan management, and Security Administrator for security posture data. Missing any of these will cause specific Lighthouse sections to show incomplete or no data for affected tenants, with no obvious error message explaining why.
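One way to run the GDAP check described above across every customer at once, as an added example that is not part of the original guide or Microsoft's tooling: it audits a JSON export shaped like Microsoft Graph's delegatedAdminRelationship resources for the three roles named above. The sample export, tenant names and IDs, the helper names, and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Microsoft Entra built-in role template IDs for the three roles the guide names.
REQUIRED_ROLES = {
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}


def sample_rel(tenant_id, name, status, end, role_ids):
    """Build one constructed record in the delegatedAdminRelationship shape."""
    return {
        "customer": {"tenantId": tenant_id, "displayName": name},
        "status": status,
        "endDateTime": end,
        "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]},
    }


# Constructed sample export: tenant names and IDs are made up for illustration.
SAMPLE_EXPORT = json.dumps({"value": [
    sample_rel("00000000-0000-0000-0000-000000000001", "Fabrikam Dental",
               "active", "2026-01-15T00:00:00Z", list(REQUIRED_ROLES)),
    sample_rel("00000000-0000-0000-0000-000000000002", "Northwind Legal",
               "active", "2025-06-20T00:00:00Z", ["f2ef992c-3afb-46b9-b7cf-a126ee74c451"]),
    sample_rel("00000000-0000-0000-0000-000000000003", "Tailspin Clinic",
               "expired", "2025-05-01T00:00:00Z", list(REQUIRED_ROLES)),
]})


def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2025-06-20T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_gdap(export_json, now, warn_days=30):
    """Return {customer name: [findings]} for tenants with GDAP gaps.

    Checks relationship-level roles only; whether a security group in the
    partner tenant has been assigned those roles is not covered here.
    """
    tenants = {}
    for rel in json.loads(export_json)["value"]:
        cust = rel["customer"]
        t = tenants.setdefault(cust["tenantId"],
                               {"name": cust["displayName"], "role_end": {}, "unusable": set()})
        end = parse_ts(rel["endDateTime"])
        # Only relationships that are active and not past their end date count.
        if rel["status"] != "active" or end <= now:
            t["unusable"].add(rel["status"] if rel["status"] != "active" else "past endDateTime")
            continue
        for role in rel["accessDetails"]["unifiedRoles"]:
            rid = role["roleDefinitionId"].lower()
            # Keep the latest expiry among relationships that grant this role.
            t["role_end"][rid] = max(end, t["role_end"].get(rid, end))

    report = {}
    for t in tenants.values():
        findings = []
        if not t["role_end"]:
            why = ", ".join(sorted(t["unusable"])) or "no roles granted"
            findings.append(f"no active GDAP relationship ({why})")
        for rid, label in REQUIRED_ROLES.items():
            end = t["role_end"].get(rid)
            if end is None and t["role_end"]:
                findings.append(f"{label} not granted")
            elif end is not None and end - now <= timedelta(days=warn_days):
                findings.append(f"{label} expires in {(end - now).days} days")
        if findings:
            report[t["name"]] = findings
    return report


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for name, findings in audit_gdap(SAMPLE_EXPORT, now).items():
        print(f"{name}: " + "; ".join(findings))
```

Tenants with full, long-lived coverage are omitted from the result, so the output is the list of customers to fix in Partner Center before troubleshooting anything inside Lighthouse.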
Once your GDAP relationships are healthy, deployment plan compliance issues are the next most common thing MSPs ask about. The "Not compliant" label in Lighthouse doesn't always mean something is broken; sometimes it just means Microsoft updated a sub-task and the new version hasn't been deployed yet. But you still need to act on it.
For each tenant showing "Not compliant" on any deployment task:
- Navigate to Tenants and select the affected tenant.
- Open the Deployment plan tab.
- Expand the flagged task to see which sub-task is non-compliant.
- Select the sub-task and review what action is required; in most cases it will be Deploy.
- Select Deploy and confirm the deployment through the wizard.
If the sub-task requires deploying an Intune configuration profile (as the Microsoft Edge profile sub-task does), the compliance status won't update immediately. Devices need to check in with Intune, which typically happens within 15 minutes for online devices, or up to 8 hours for devices that are offline or in a deferred check-in schedule. Don't assume the deployment failed just because the status doesn't flip instantly.
For custom baselines: if you built your deployment plan around cloned tasks from the default baseline, you need to revisit this regularly. Microsoft's default baseline is a living document: tasks get new settings added, thresholds change, and new sub-tasks appear. Your cloned copy does not inherit those changes. Build a monthly review step into your Lighthouse workflow to compare your custom baselines against the current default.
Subscription renewal management is one of the genuinely underused areas of Microsoft 365 Lighthouse, and the April 2025 update made it significantly more useful by adding subscription pinning. If you're managing renewals across 50 or 100 customer tenants, the ability to pin high-priority renewals so they stay visible is a real workflow improvement, not a gimmick.
Here's how the pinning system works in practice:
- In the Lighthouse left navigation pane, select Subscription renewals.
- You'll see tabs: High Priority, Upcoming, and Expired.
- On any tab, find the subscription you want to track closely and click in the Pin column next to it.
- Pinned subscriptions automatically move to the top of the subscriptions list on the High Priority tab.
- A pin icon appears next to the subscription on the Upcoming or Expired tab as well, so you can see its pinned status from any view.
Pins are persistent: they stay in place until you manually remove them. This is intentional. You're not going to lose track of a critical renewal just because you closed the browser tab. For MSPs running quarterly business reviews with customers, I'd recommend pinning any subscription up for renewal in the next 90 days about two weeks before that QBR so it's always front-of-mind.
The February 2025 update added a Licenses tab inside the subscription renewals detail pane. Select any tenant from the Subscription renewals list, open the detail pane, and switch to the Licenses tab to see exactly how many licenses are assigned per subscription plan for that tenant. This is the data you need before a renewal conversation: knowing whether a customer is sitting on 40 unused seats of Microsoft 365 Business Premium changes the renewal discussion entirely.
Sales Advisor inside Microsoft 365 Lighthouse is the tool most MSPs ignore but shouldn't. The February 2025 update added an Opportunity column to the Subscription renewals page, which surfaces potential upsell and cross-sell opportunities tied to the renewal conversation you're already having. The logic is sound: if a customer is renewing Microsoft 365 Business Standard and they have 20+ users, flagging Microsoft 365 Business Premium or Microsoft Copilot as an opportunity during that renewal discussion is exactly the right moment.
The bigger workflow improvement came with the new Group and Product filters on the Opportunities page, also added in February 2025:
- In Lighthouse, select Sales Advisor > Opportunities from the left navigation.
- Use the Group filter to select either:
  - New: opportunities added since you last opened Sales Advisor. Check this first every time you open the tool so you don't miss fresh leads.
  - High priority: opportunities ranked by upcoming renewal dates, seat size, and product relevance. These are the deals most likely to close.
- Use the Product filter to narrow by specific products, for example filtering for Microsoft Copilot opportunities across all your tenants at once, or finding all tenants with Microsoft 365 Business Premium renewal potential.
In practice, the most efficient Sales Advisor workflow is: open Lighthouse on Monday morning, go to Opportunities, set Group filter to "New," scan for anything that needs immediate action, then switch to "High priority" for the week's outreach list. The Product filter is especially useful if your team has product specialists: you can filter the entire opportunity list down to Copilot or Security products and hand that list directly to the right person.
The Executive Summary report feature, added in January 2025, solves a real problem: MSPs who were building monthly or quarterly business review decks manually, pulling data from a half-dozen different portals and stitching it together in PowerPoint. Lighthouse now generates a report per customer tenant that covers security posture, business status, and a summary of what your organization has done in Lighthouse to keep that customer protected.
To generate a report for a specific customer:
- Go to Tenants in the left navigation pane.
- Select the customer tenant from the list to open the tenant details page.
- Select the Overview tab.
- In the left pane within Overview, select Summary.
- Select Create report.
The report generates as a shareable document that covers key security and compliance metrics alongside a record of actions your partner organization took in Lighthouse. That second part, documenting what you actually did, is what makes this valuable in a QBR. Customers often don't see the work that goes into keeping their environment healthy. An Executive Summary that shows "We deployed 3 configuration profiles, flagged and remediated 2 non-compliant devices, and renewed 4 subscriptions on your behalf this quarter" makes your value tangible.
A few practical notes: the report reflects current state, not a historical snapshot. Generate it close to your QBR date rather than weeks in advance. And while this is described by Microsoft as "the first step towards building end-to-end views" for customer reviews, expect the feature set to expand; Microsoft has signaled this is an area of active development.
Advanced Troubleshooting
When the standard fix paths don't work, you're usually dealing with one of three deeper issues: permission inheritance problems from your CSP structure, Group Policy conflicts blocking Intune profile application at the device level, or Lighthouse data sync delays that make the portal show stale information.
GDAP permission inheritance and CSP tier issues. If you're operating as an indirect reseller under an indirect provider, your GDAP relationships may be structured differently than a direct bill partner. Lighthouse expects specific GDAP configurations, and indirect reseller setups sometimes result in tenants that appear in your Lighthouse portal but where your effective permissions are more limited than expected. Check Partner Center under Customers > select the customer > Administration to verify the active GDAP relationships and which roles are currently granted. If you see relationships listed as "Expired" or with a red status indicator, those need to be renewed before Lighthouse can pull current data for that tenant.
Intune profile deployment failures not showing in Lighthouse. When a deployment sub-task says it's been deployed but devices aren't becoming compliant, the issue is usually at the Intune level rather than the Lighthouse level. Sign into the Microsoft Intune admin center directly for the customer tenant (using your GDAP-delegated access) and navigate to Devices > Configuration profiles. Find the profile that Lighthouse deployed and check the device check-in status. If devices show "Error" or "Not applicable," the profile targeting may be misconfigured, typically because the device group the profile was assigned to doesn't contain the expected devices. Lighthouse deploys profiles to the groups defined in the deployment task, which assumes your tenant's device groups are set up to match.
Group Policy conflicts blocking Intune settings. In hybrid-joined environments (devices both domain-joined and enrolled in Intune), Group Policy can override Intune configuration profiles. The Microsoft Edge security settings that Lighthouse deploys, specifically the Enhance Security mode setting, have known conflicts with legacy Group Policy objects that configure Edge through the ADMX templates. If devices are domain-joined, run this on a test machine to see what's winning:
gpresult /H C:\gpresult.html /F
Open the resulting HTML report, search for "Edge" or "Microsoft Edge," and look for any GPO-enforced settings. If you see domain GPOs locking Edge configurations, those will take precedence over Intune MDM policies unless MDM precedence has been explicitly configured via the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge registry path or through Group Policy's "MDM wins over Group Policy" setting.
Lighthouse data appearing stale. Lighthouse syncs data from customer tenants on a schedule; it's not real-time. If you've made changes in a customer tenant but Lighthouse still shows the old state, wait 15-30 minutes and refresh. For security-related data that's taking longer than an hour to update, check Event Viewer on a representative device under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for Intune sync event IDs 404 (enrollment success), 814 (policy applied), or error code 0x80180026 (Intune enrollment failure).
Prevention & Best Practices
Running Microsoft 365 Lighthouse well at scale isn't about reacting to "Not compliant" notifications after they appear; it's about building the habits and processes that keep them from piling up in the first place. MSPs who get the most value from Lighthouse treat it as an active workflow tool rather than a dashboard they check when something breaks.
The single most impactful habit is a weekly Lighthouse review cadence. Block 30 minutes every Monday to open Lighthouse, go to Tenants, sort by compliance status, and triage anything that's newly non-compliant. Most issues are easy to resolve in under 5 minutes if you catch them early. Left alone for three weeks, they turn into customer conversations about why their devices have been out of compliance for a month.
For subscription renewals, work 90 days ahead, not 30. The pinning feature that arrived in April 2025 makes this much more manageable: pin everything renewing in the next 90 days, work the High Priority tab weekly, and you'll never be in a position of scrambling to renew a customer subscription that already lapsed. The Licenses tab in the subscription detail pane is your pre-call prep: always check it before any renewal discussion to understand the customer's actual usage versus licensed seats.
Keep your custom baselines in sync with Microsoft's default baseline. Schedule a monthly review where you open the default baseline and compare it against any cloned tasks you've customized. When Microsoft adds settings to a deployment sub-task (as they did with the Edge profile in May 2025), you need to re-clone and update your custom baselines or those tenants will silently drift out of compliance. This takes about 20 minutes per baseline, a small investment compared to the audit exposure of running outdated security profiles.
- Set up a recurring 30-minute Monday morning Lighthouse review for all "Not compliant" tenants; this catches most issues before customers notice them.
- Pin every subscription renewing in the next 90 days as your standard operating procedure, not just critical ones; Lighthouse's pinning is persistent and costs nothing to use liberally.
- After any Microsoft announcement about updated deployment sub-tasks, immediately audit your custom baselines and re-clone affected tasks; don't wait for the "Not compliant" notifications to tell you.
- Before any quarterly business review, generate the Executive Summary report for each customer you're meeting with and include the partner activities section; it documents your value in Microsoft's own data, which is far more credible than a self-reported slide.
Frequently Asked Questions
Why is my Microsoft 365 Lighthouse deployment plan showing "Not compliant" after I just fixed it?
The most likely explanation is that Microsoft updated the underlying sub-task after your last deployment, which resets the compliance status. This happened specifically with the "Configure Microsoft Edge profile for Windows 10 and later" sub-task in May 2025 when Microsoft added AutoFill Credit Card and Enhance Security settings. The fix is to go to Tenants, select the affected tenant, open the Deployment plan tab, find the non-compliant sub-task, and select Deploy again. Compliance status won't update instantly; give devices up to 15-30 minutes to check in with Intune after the profile is pushed.
What's the difference between Lighthouse RBAC roles and Microsoft Entra roles in the Assigned roles page?
Lighthouse RBAC roles control what you can see and do within your own partner tenant in Lighthouse; they do not grant any access to customer tenant data. Microsoft Entra roles are granted through your GDAP relationships with individual customers and are what actually allow Lighthouse to read and act on customer environment data. If your Lighthouse features work fine but customer tenant data is missing or read-only, check that your Microsoft Entra roles via GDAP include the right permissions (at minimum, Global Reader plus Intune Administrator for deployment plan management). You can review both role layers in Lighthouse under Roles > Assigned roles.
I cloned the Configure Microsoft Edge task into my custom baseline. Do I need to do anything after the May 2025 update?
Yes, and this is important. Cloned deployment tasks do not inherit updates from the original default baseline task. The May 2025 update added new settings to the default baseline's Microsoft Edge sub-task, but your cloned copy is still running the old version. You need to go into each custom baseline that included a cloned version of this task, remove the old clone, re-clone the updated task from the current default baseline, and save the baseline. Tenants using those custom baselines will then pick up the updated sub-task on their next deployment plan sync. Until you do this, those tenants may appear compliant when they're actually missing the new AutoFill Credit Card and Enhance Security settings.
How do I find new opportunities in Sales Advisor without missing anything?
Use the Group filter set to "New" every time you open Sales Advisor's Opportunities page; this shows only opportunities that appeared since you last visited, so you're not re-reviewing things you've already seen. Combine this with the Product filter to slice opportunities by specific products like Microsoft Copilot or Microsoft 365 Business Premium. For the most efficient workflow, check the "New" filter first for immediate action items, then switch to "High priority" to see which opportunities have urgency signals like upcoming renewals, large seat counts, or high product relevance scores. The Opportunity column on the Subscription renewals page also flags opportunities directly within the renewal context, which is the best moment to have that conversation with customers.
How do I generate an Executive Summary report for a customer in Microsoft 365 Lighthouse?
Go to Tenants in the left navigation pane and select the customer tenant to open the tenant details page. On the Overview tab, look for "Summary" in the left-side panel within that page, select it, then select Create report. The report covers security posture, business status, and a summary of actions your partner organization performed in Lighthouse for that customer. Generate it close to your actual QBR date since it reflects current state rather than a historical snapshot. This feature was added in January 2025 and Microsoft has indicated that more detailed reporting capabilities are on the roadmap.
A tenant shows up in my Lighthouse portal but has almost no data. What do I check?
Start with your GDAP relationships. Go to Microsoft Partner Center, navigate to that customer, and check under Administration that an active GDAP relationship exists with the appropriate Microsoft Entra roles: at minimum Global Reader, ideally also Intune Administrator and Security Administrator. An expired or missing GDAP relationship is the single most common reason a tenant appears in Lighthouse but shows empty or stale data. Also confirm the tenant meets Lighthouse's eligibility requirements: the customer must be a CSP customer, they need active Microsoft 365 or Windows 365 subscriptions, and devices must have Intune enrollment for device-level data to appear. If GDAP is valid and prerequisites are met but data still isn't populating after 24 hours, contact Microsoft Support with the tenant domain and the specific data gaps you're seeing.