Microsoft 365 Lighthouse Not Working? Complete Fix Guide

Updated April 20, 2026

Why Microsoft 365 Lighthouse Stops Working

I've seen this situation play out dozens of times: an MSP technician sits down Monday morning, opens Microsoft 365 Lighthouse expecting a clean dashboard of their managed tenants, and instead gets a blank screen, a permissions error, or a deployment plan that's suddenly flagging half a dozen customer tenants as "Not compliant", seemingly overnight, for no obvious reason.

Microsoft 365 Lighthouse is genuinely powerful for managed service providers. It lets you monitor security posture, manage deployment plans, track subscription renewals, and get a consolidated view across every customer tenant you manage. But it's also one of those products where a single misconfigured permission, an expired GDAP relationship, or a product update rolling out on Microsoft's end can quietly break things without giving you a useful error message.

The most common culprits behind Microsoft 365 Lighthouse setup problems and configuration errors fall into a few buckets:

  • GDAP relationship gaps: Lighthouse depends on granular delegated administrative privileges to access customer data. If a GDAP relationship expires, gets revoked, or was never set up for the right roles, entire customer tenants will disappear from your view or show access errors.
  • Lighthouse RBAC role mismatches: Your account's Lighthouse-specific roles control what data you can see and change within your partner tenant. These are separate from your Microsoft Entra roles. Getting them confused is extremely common and causes confusing "you don't have permission" moments.
  • Deployment plan compliance drift: Microsoft periodically updates the default baseline tasks. When a sub-task gets new underlying settings, like the May 2025 update to the "Configure Microsoft Edge profile for Windows 10 and later" sub-task, tenants that were compliant yesterday can show as "Not compliant" today. This isn't a bug. It's the system working correctly, but it catches people off guard every single time.
  • Custom baseline cloning issues: If you ever cloned a default deployment task to build a custom baseline, those clones don't automatically inherit updates. You have to re-clone manually after Microsoft updates the source task.
  • Browser and session issues: Lighthouse is a web app, and it inherits all the quirks of browser-based Microsoft 365 tools: stale auth tokens, extension conflicts, and cached policy data that doesn't match the live state.

I know how frustrating it is when the tool you use to manage client security is itself broken, especially when a customer is waiting on a compliance report or a renewal conversation. Let's fix it.

The Quick Fix: Try This First

Before you go deep into GDAP settings and policy configurations, start here. About 40% of Microsoft 365 Lighthouse troubleshooting calls I've seen get resolved by this alone.

Step 1: Check What's New in your tenant. In Lighthouse, look at the top-right corner of the Home page. There's a "What's new" link. Select it. If Microsoft recently pushed an update, like the May 2025 Edge profile sub-task change, this is where it's documented. Nine times out of ten, your "Not compliant" alerts are caused by a feature rollout you weren't notified about directly.

Step 2: Hard refresh Lighthouse in your browser. Hit Ctrl + Shift + R in Chrome/Edge (or Cmd + Shift + R on Mac) to bypass the cache entirely. Then sign out of your Microsoft 365 session completely and sign back in fresh. Browser cache inconsistencies cause more phantom errors in Lighthouse than almost anything else.

Step 3: Verify your assigned roles immediately. In the left navigation pane in Lighthouse, go to Roles > Assigned roles. You'll see two distinct categories listed: your Lighthouse RBAC roles (which govern what you can do inside the partner tenant) and your Microsoft Entra roles (which govern access to customer data through your GDAP relationships). If either column is empty or missing expected roles, that's your problem right there, and skipping straight to fixing GDAP or baseline compliance won't help until this is resolved.

Step 4: Check the deployment plan for any flagged tenants. If you're seeing "Not compliant" badges, navigate to Tenants, select the affected tenant, open the Deployment plan tab, and expand the specific task that's flagged. Most of the time you'll see a clear action available, like "Deploy", that brings the sub-task back into compliance with one click.

Pro Tip
When the "Configure Microsoft Edge profile for Windows 10 and later" sub-task shows Not compliant after a Microsoft update, do not attempt to fix it by editing the Intune policy directly. Go through the Deployment plan tab in Lighthouse instead, selecting the sub-task and choosing Deploy. Editing the underlying Intune profile manually can cause a detection mismatch that confuses the compliance engine for weeks.

1. Verify and Repair Your GDAP Relationships

GDAP, granular delegated administrative privileges, is the foundation everything else in Microsoft 365 Lighthouse sits on. If your GDAP relationships are broken, expired, or missing specific roles, customer tenants either won't appear at all or will show partial data with access errors.

GDAP relationships are configured in Microsoft Partner Center, not in Lighthouse itself. To check them, open the Partner Center admin portal, navigate to Customers, select a specific customer, then go to Admin relationships. You'll see a list of active GDAP relationships with their expiration dates and the Microsoft Entra roles attached to each relationship.

For Lighthouse to function correctly, the roles assigned through GDAP need to match what Lighthouse expects for the tasks you're trying to perform. Common roles required include Global Reader, Security Reader, Intune Administrator, and Cloud App Security Administrator, though the exact set depends on which Lighthouse features you're using.

If you find an expired relationship, you'll need to initiate a new GDAP request through Partner Center and have the customer's Global Admin approve it. There's no shortcut around this: the approval is required for security reasons, and that's the right call.

Once a GDAP relationship is renewed and active, give Lighthouse about 15–30 minutes to pick up the change before refreshing the tenant view. The sync isn't always instant, and hammering the refresh button won't speed it up.

After fixing GDAP, go back to Roles > Assigned roles in Lighthouse and confirm that the Microsoft Entra roles column now shows the expected roles for that customer relationship. If it still looks empty, the GDAP sync hasn't propagated yet. Wait and check again.

2. Fix the "Not Compliant" Deployment Plan Status

This is the most common Microsoft 365 Lighthouse configuration error I see reported after major product updates, and the May 2025 update to the "Configure Microsoft Edge profile for Windows 10 and later" sub-task caused a wave of confusion across MSPs.

Here's what happened: Microsoft added two new underlying settings to that sub-task, AutoFill Credit Card and Enhance Security, that deploy an Intune device configuration profile specifically optimized for browser security. Any tenant where the previous version of that sub-task was deployed is now technically running an outdated configuration, so Lighthouse flags it as Not compliant. This is accurate and correct behavior, not a bug.

To fix it for each affected tenant:

  1. In Lighthouse, go to the left navigation pane and select Tenants
  2. Filter or scan for tenants showing a "Not compliant" status
  3. Select a Not compliant tenant to open its details page
  4. Select the Deployment plan tab
  5. Find and expand the Configure Microsoft Edge task
  6. Select the Configure Microsoft Edge profile for Windows 10 and later sub-task
  7. Select Deploy

Repeat this for every affected tenant. Yes, it's tedious if you manage 50 tenants. There's no bulk deploy option for this specific sub-task at the moment.

One critical thing to be aware of: after this update, the Detection history tab for this sub-task only shows data based on the new version of the task. Historical detection data from before the update is no longer accessible. If you need that historical record for compliance reporting or audit purposes, export it before you redeploy, though honestly, if you're reading this after the fact, that data is already gone.

After deploying, the Lighthouse compliance engine usually takes 1–4 hours to reflect the updated state. If it still shows Not compliant after 6 hours, move on to the advanced troubleshooting section.

3. Re-Clone Updated Tasks in Custom Baselines

This step catches a lot of experienced Lighthouse users off guard, and it's a particularly easy trap to fall into if you've been managing Microsoft 365 Lighthouse tenants for a year or more.

When Microsoft updates a default baseline task, like the Edge profile sub-task update in May 2025, any custom baselines you built by cloning that task do not automatically inherit the update. Your cloned version stays frozen at the old configuration. This means tenants covered by your custom baselines will remain non-compliant even after you fix the default baseline tenants, because they're deploying a different, outdated task definition.

Here's the correct process to bring custom baselines back in sync:

  1. Navigate to Deployment plans in the left navigation pane of Lighthouse
  2. Identify which custom baselines include a cloned version of the affected task (in this case, the "Configure Microsoft Edge" task)
  3. For each affected custom baseline, open it and remove the old cloned task
  4. Go back to the default baseline and re-clone the now-updated "Configure Microsoft Edge" task
  5. Add the freshly cloned task to your custom baseline
  6. Redeploy to the tenants using that baseline

There's no notification system that alerts you when a default task you've cloned gets updated. This is a known gap in the product. The practical workaround is to periodically check the "What's new" section in Lighthouse. It explicitly lists when default tasks have been updated, which tells you exactly when you need to go through this re-cloning process.

After re-cloning and redeploying, allow up to 4 hours for the compliance status to update across all affected tenants. You can track progress by watching the Deployment plan tab on individual tenants.

4. Resolve Lighthouse RBAC and Assigned Roles Errors

The Assigned roles page in Microsoft 365 Lighthouse was updated in March 2025, and it now makes it much clearer what each role type actually does, but the distinction between the two role categories still confuses people regularly.

To get to the page: in the left navigation pane in Lighthouse, select Roles > Assigned roles.

You'll see two distinct categories:

Lighthouse RBAC roles control what data you can view and modify within your partner tenant. These roles do not grant any access to customer tenants or customer data. If you can't see certain sections of the Lighthouse interface, or you're getting "you don't have permission" errors inside the Lighthouse portal itself, missing Lighthouse RBAC roles are usually the cause.

Microsoft Entra roles in this context are the roles flowing from your GDAP relationships. These are what grant you actual access to customer tenant data. If customer data isn't loading, or entire customer tenants are invisible to you, check this column.

Common fixes when Lighthouse RBAC roles are missing or wrong: contact your organization's Lighthouse administrator to update your role assignment. You cannot self-assign Lighthouse roles; a user with the Lighthouse Account Manager or Administrator role must make that change for you.

If the Microsoft Entra roles column looks incomplete, go back to Step 1 of this guide and verify your GDAP relationships in Partner Center. That's almost always the root cause.

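# Quick verification check: run this in Azure Cloud Shell (PowerShell)
# to list your GDAP relationships with their status and end date.
# Requires the Microsoft.Graph.Beta.Identity.Partner module.
Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All"
# No status filter here, so expired relationships are listed alongside active ones.
Get-MgBetaTenantRelationshipDelegatedAdminRelationship -All |
  Sort-Object EndDateTime |
  Select-Object DisplayName, Status, EndDateTime |
  Format-Table -AutoSize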

If EndDateTime shows a date in the past for any relationship, that GDAP has expired and needs to be renewed through Partner Center.

5. Fix Subscription Renewal and Sales Advisor Visibility Issues

Microsoft 365 Lighthouse's Sales Advisor features, including the Subscription renewals page and Opportunities page, have received significant updates throughout late 2024 and early 2025. If you're not seeing expected data, or new columns and filters aren't appearing, there are a few things to check.

First, confirm you have the right Lighthouse RBAC roles to access Sales Advisor. Not all roles get visibility into this section; it's typically reserved for roles with billing and customer account management permissions.

For the Subscription renewals pinning feature (rolled out April 2025): navigate to Subscription renewals in the left nav. You should see a "Pin" column on each tab (High Priority, Upcoming, Expired). Click the pin icon next to any subscription to pin it. Pinned subscriptions move to the top of the High Priority tab and show a pin indicator on the relevant date-based tabs. If the Pin column isn't visible, try a full browser cache clear and sign-out/sign-in cycle, since this feature rolled out in stages and didn't land simultaneously for all partner tenants.

For the Licenses tab in Subscription renewals (February 2025): go to Sales Advisor > Subscription renewals, select any tenant from the list to open the details pane, and then look for the Licenses tab. This shows per-subscription-plan license assignment counts. If the Licenses tab doesn't appear, you may be in a tenant context that doesn't yet have the Sales Advisor integration enabled. Check with your Microsoft partner account manager.

For the Opportunities page Group and Product filters (February 2025): navigate to Sales Advisor > Opportunities. The Group filter (showing "New" and "High priority" options) and the Product filter should both appear above the opportunities list. If they don't, this is another case where a hard browser refresh usually resolves it. If filters still don't appear after 48 hours and a full re-login, this is worth a support ticket.

Advanced Troubleshooting for Microsoft 365 Lighthouse

If the step-by-step fixes above haven't resolved your Microsoft 365 Lighthouse configuration errors, you're dealing with something deeper. Here's where to look next.

Event Viewer and Intune Sync Logs for Deployment Failures

When a Lighthouse deployment task shows as deployed but the compliance status never updates, the issue is often on the endpoint side: the Intune policy was pushed but never applied correctly. On affected Windows devices, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Look for Event IDs 404, 814, or 500. These indicate MDM enrollment errors or policy application failures that would explain why Lighthouse's compliance check keeps failing even after you've deployed.
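The same check can be scripted instead of clicking through Event Viewer. This is an added example, not part of the original guide; the function name and the seven-day look-back window are assumptions, while the log channel and event IDs are the ones named above.

```powershell
# Added example: run in an elevated PowerShell session on the affected device.
function Get-MdmPolicyFailureSummary {
    [CmdletBinding()]
    param(
        [int[]]$EventId = @(404, 814, 500),   # IDs named in the guide
        [int]$Days = 7                        # assumed look-back window
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no failures".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # One row per event ID, most frequent first, with the newest occurrence.
    foreach ($group in ($events | Group-Object Id | Sort-Object Count -Descending)) {
        $latest = $group.Group | Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{
            EventId     = [int]$group.Name
            Count       = $group.Count
            LastSeen    = $latest.TimeCreated
            Level       = $latest.LevelDisplayName
            # First line of the message is usually enough to identify the failing policy area.
            LastMessage = (([string]$latest.Message) -split '\r?\n')[0]
        }
    }
}

Get-MdmPolicyFailureSummary | Format-List
```

An empty result means none of the three event IDs were logged in the window, which points away from the endpoint and back toward the deployment or compliance sync.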

Group Policy Conflicts with Intune Policies

In domain-joined environments, Group Policy Objects can conflict with Intune device configuration profiles deployed through Lighthouse. The Edge AutoFill Credit Card and Enhance Security settings added in May 2025 are particularly prone to this. If you're seeing the Edge profile sub-task stuck in "Not compliant" after deploying, run the following on an affected device to check for policy conflicts:

# Run from an elevated PowerShell prompt (writing to C:\ needs admin rights)
gpresult /H C:\GPReport.html /F
# Open C:\GPReport.html in a browser
# Look for any Edge browser policies under Computer Configuration
# Cross-reference with the Intune policy deployed via Lighthouse

# Also run this to see the current MDM policy state.
# The -area list is quoted so PowerShell does not treat ";" as a statement separator.
mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning" -cab C:\MDMReport.cab

If GPO settings are overriding the Intune profile, you'll need to either modify the GPOs to remove conflicting entries or configure the Intune policies to use "Require" enforcement, which takes precedence over GPO in co-managed scenarios.

Tenant Visibility Problems in Enterprise Multi-Tenant Environments

In large partner organizations where multiple technicians manage overlapping customer sets, RBAC role assignments sometimes get inconsistent. A technician with the right GDAP relationship but the wrong Lighthouse RBAC role will see a tenant listed but won't be able to drill into deployment plan details or compliance data. The fix is always at the Lighthouse RBAC role assignment level. Use the Assigned roles page to audit this rather than assuming the problem is GDAP.

Executive Summary Report Generation Failures

The Executive Summary report feature (released January 2025) generates a report covering security posture and business status for individual customer tenants. To generate one: go to Tenants, select a tenant, go to the Overview tab, select Summary in the left pane, and then select Create report. If this button is greyed out or missing, your account either lacks the required Lighthouse role or the specific tenant doesn't have enough data populated for the report engine to generate output. Tenants with very limited Lighthouse monitoring coverage often hit this issue.

Checking API-Level Connectivity

In enterprise environments with strict proxy or firewall rules, Lighthouse can have partial connectivity, loading the UI but failing to pull tenant data. The required endpoints include *.microsoft.com, *.microsoftonline.com, login.microsoftonline.com, and the Graph API endpoints at graph.microsoft.com. Check your proxy logs for blocked requests to any of these domains during a Lighthouse session.
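One way to run that proxy-log check, as an added example that is not part of the original guide. The endpoint patterns are the ones listed above; the log line format, the function names and the sample lines are assumptions constructed for illustration, so adapt the regular expression to your proxy's format.

```powershell
# Added example. Assumed log format: "<time> <ALLOWED|DENIED> CONNECT <host>:<port>".
$RequiredEndpoints = '*.microsoft.com', '*.microsoftonline.com',
                     'login.microsoftonline.com', 'graph.microsoft.com'

function Test-RequiredEndpoint {
    param([string]$HostName, [string[]]$Pattern = $RequiredEndpoints)
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($p in $Pattern) {
        if ($p.StartsWith('*.')) {
            # Compare from the dot so the match falls on a label boundary:
            # graph.microsoft.com matches, notmicrosoft.com does not.
            if ($name.EndsWith($p.Substring(1), [StringComparison]::Ordinal)) { return $true }
        }
        elseif ($name -eq $p) { return $true }
    }
    return $false
}

function Get-BlockedLighthouseRequest {
    param([string[]]$LogLine)
    $rx = '^(?<time>\S+)\s+(?<action>\S+)\s+CONNECT\s+(?<host>[^:\s]+):(?<port>\d+)'
    $hits = foreach ($line in $LogLine) {
        if ($line -match $rx -and $Matches.action -eq 'DENIED' -and
            (Test-RequiredEndpoint -HostName $Matches.host)) {
            [pscustomobject]@{ Time = $Matches.time; Host = $Matches.host.ToLowerInvariant() }
        }
    }
    # Summarise per host; ISO 8601 timestamps sort correctly as strings.
    $hits | Group-Object Host | ForEach-Object {
        [pscustomobject]@{
            Host     = $_.Name
            Blocked  = $_.Count
            LastSeen = @($_.Group.Time | Sort-Object)[-1]
        }
    }
}

# Constructed sample lines, not real proxy output.
$sampleLog = @(
    '2026-04-20T08:01:02Z ALLOWED CONNECT lighthouse.microsoft.com:443'
    '2026-04-20T08:01:03Z DENIED CONNECT graph.microsoft.com:443'
    '2026-04-20T08:01:09Z DENIED CONNECT graph.microsoft.com:443'
    '2026-04-20T08:01:10Z DENIED CONNECT login.microsoftonline.com:443'
    '2026-04-20T08:01:11Z DENIED CONNECT notmicrosoft.com:443'
    '2026-04-20T08:01:12Z DENIED CONNECT ads.example.net:443'
)

Get-BlockedLighthouseRequest -LogLine $sampleLog | Format-Table -AutoSize
```

The lookalike host and the unrelated domain in the sample are deliberately excluded, so the report only lists denials that would explain missing tenant data.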

When to Call Microsoft Support
If you've verified GDAP relationships are active with the correct roles, Lighthouse RBAC roles are properly assigned, deployment tasks have been re-deployed and re-cloned where needed, and you're still seeing missing tenants or persistent "Not compliant" status after 24 hours, it's time to escalate. Document the specific tenant IDs, the task names showing errors, and the exact error messages you're seeing before you call. That prep work will cut the support call time in half. Contact Microsoft Support through the Partner Center support portal, not the general consumer support line. Partner-tier issues need the commercial support track.

Prevention & Best Practices for Microsoft 365 Lighthouse

The best Microsoft 365 Lighthouse troubleshooting is the kind you never have to do. Once you've fixed the immediate problem, put these practices in place to avoid repeating it.

Check "What's New" every month. Seriously, put it on your calendar. Microsoft 365 Lighthouse gets meaningful updates monthly: new sub-task settings, new compliance requirements, new filters in Sales Advisor. The "What's new" link in the top-right corner of the Lighthouse Home page is your early warning system for changes that will affect your deployment plan compliance status. Reading it before the alert fires saves you the reactive scramble.

Set calendar reminders for GDAP expiration dates. GDAP relationships have defined end dates. When one expires, your customer access in Lighthouse breaks silently, because there's no proactive alert pushed to your inbox. Export your GDAP relationship list from Partner Center quarterly and build expiration reminders into your ticketing system or calendar 30 and 7 days in advance.
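The 30-day and 7-day reminder windows, and the expired-relationship check from the GDAP verification step earlier, can be driven from the relationship list itself. This is an added example, not part of the original guide; the function name, the action labels and the sample relationships are assumptions constructed for illustration.

```powershell
# Added example: classify GDAP relationships by time left before EndDateTime.
# Input objects need DisplayName, Status and EndDateTime, the properties that
# Get-MgBetaTenantRelationshipDelegatedAdminRelationship returns.
function Get-GdapExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Relationship,
        [int]$WarnDays = 30,                    # first reminder window from the guide
        [int]$CriticalDays = 7,                 # second reminder window from the guide
        [datetime]$Now = [datetime]::UtcNow     # pass a UTC value when overriding
    )
    process {
        $daysLeft = $null
        if ($null -ne $Relationship.EndDateTime) {
            $end = ([datetime]$Relationship.EndDateTime).ToUniversalTime()
            $daysLeft = [int][math]::Floor(($end - $Now).TotalDays)
        }
        $action = if ($null -eq $daysLeft) { 'Check manually: no end date' }
            elseif ($daysLeft -lt 0) { 'Expired: request a new relationship' }
            elseif ($Relationship.Status -ne 'active') { 'Not active: review in Partner Center' }
            elseif ($daysLeft -le $CriticalDays) { 'Critical: renew now' }
            elseif ($daysLeft -le $WarnDays) { 'Warning: schedule renewal' }
            else { 'OK' }
        [pscustomobject]@{
            Relationship = $Relationship.DisplayName
            Status       = $Relationship.Status
            DaysLeft     = $daysLeft
            Action       = $action
        }
    }
}

# Constructed sample data so the function can be tried without a Graph session.
$asOf = [datetime]::new(2026, 4, 20, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ DisplayName = 'Contoso - security ops'; Status = 'active';  EndDateTime = $asOf.AddDays(412) }
    [pscustomobject]@{ DisplayName = 'Fabrikam - Intune';      Status = 'active';  EndDateTime = $asOf.AddDays(21) }
    [pscustomobject]@{ DisplayName = 'Tailspin - read only';   Status = 'active';  EndDateTime = $asOf.AddDays(5) }
    [pscustomobject]@{ DisplayName = 'Woodgrove - legacy';     Status = 'expired'; EndDateTime = $asOf.AddDays(-12) }
)
$sample | Get-GdapExpiryReport -Now $asOf | Sort-Object DaysLeft | Format-Table -AutoSize

# Live use after Connect-MgGraph -Scopes "DelegatedAdminRelationship.Read.All":
# Get-MgBetaTenantRelationshipDelegatedAdminRelationship -All |
#     Get-GdapExpiryReport | Where-Object Action -ne 'OK' |
#     Export-Csv .\gdap-expiry.csv -NoTypeInformation
```

Scheduling the live form and feeding the CSV into a ticketing system gives the reminders without relying on a manual quarterly export.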

Audit your custom baselines after every Microsoft update. Any time Microsoft's "What's New" page mentions an update to a default baseline task you've previously cloned, immediately schedule a re-cloning session. Don't let it sit. The longer you wait, the more tenants drift out of compliance without visible warning.

Document which accounts hold which Lighthouse RBAC roles. Role assignment issues are almost always discovered in the middle of a client-facing emergency. Keeping a simple spreadsheet of who has what Lighthouse role in your partner tenant takes 20 minutes to set up and saves hours of debugging during incidents.

Use the pinning feature in Subscription renewals strategically. The April 2025 pinning feature for subscriptions isn't just a cosmetic convenience: pinned renewals stay visible across sessions until you manually remove them. Pin any customer subscriptions expiring within 60 days at the start of each month so they never fall off your radar during busy periods.

Quick Wins
  • Add a monthly calendar event to review "What's New" in Lighthouse and audit custom baseline task clones
  • Export GDAP relationship expiration dates from Partner Center quarterly and build 30-day reminders
  • Use Lighthouse's Assigned roles page after any team member role changes to verify both RBAC and Entra roles look correct
  • Pin high-priority subscription renewals at the start of each month rather than relying on the filter to surface them reactively

Frequently Asked Questions

Why did my Microsoft 365 Lighthouse deployment plan suddenly show "Not compliant" without me changing anything?

Microsoft periodically updates the default baseline tasks and sub-tasks in Lighthouse, sometimes adding new underlying settings. When this happens, like the May 2025 update to the "Configure Microsoft Edge profile for Windows 10 and later" sub-task that added AutoFill Credit Card and Enhance Security settings, any previously compliant tenants are re-evaluated against the new, stricter definition and may flip to "Not compliant." This isn't a bug. Fix it by going to Tenants, selecting the affected tenant, opening the Deployment plan tab, finding the flagged sub-task, and selecting Deploy.

Why can't I see some of my customer tenants in Microsoft 365 Lighthouse?

The most common cause is an expired or incomplete GDAP relationship. Lighthouse uses GDAP to access customer data, and if the relationship for a specific customer has expired or doesn't include the required Microsoft Entra roles, that tenant won't appear or will show partial data. Go to Microsoft Partner Center, check the Admin relationships for the missing customer, and verify the GDAP relationship is active and hasn't passed its end date. If it's expired, initiate a new request and have the customer's Global Admin approve it.

What's the difference between Lighthouse RBAC roles and Microsoft Entra roles in Lighthouse?

These two role types are completely separate and control different things. Lighthouse RBAC roles determine what you can see and do within your own partner tenant inside the Lighthouse portal. They don't give you any access to customer data at all. Microsoft Entra roles in Lighthouse flow from your GDAP relationships with customers and are what actually grant you access to customer tenant data. You can review both types on the Assigned roles page under Roles in the Lighthouse left navigation pane. If you're getting "no permission" errors inside the Lighthouse UI, check your RBAC roles. If customer data isn't loading, check the Entra roles and GDAP relationships.

I cloned a Microsoft Lighthouse default task for my custom baseline. Do I need to update the clone when Microsoft updates the original?

Yes, absolutely, and this catches a lot of MSPs off guard. Cloned tasks in custom baselines are frozen snapshots. When Microsoft updates the source task in the default baseline, your clone does not automatically pick up the changes. You'll need to manually remove the outdated cloned task from your custom baseline and re-clone the updated version from the default baseline. This applies every time Microsoft updates a task you've previously cloned. Check the "What's New" section in Lighthouse monthly to know when this is needed.

How do I generate an Executive Summary report for a customer in Microsoft 365 Lighthouse?

Navigate to Tenants in the left navigation pane and select the customer tenant you want to report on. On the tenant details page, select the Overview tab, then look for Summary in the left pane within that tab. Select Create report to generate the Executive Summary. The report covers key security posture highlights and business status, plus a summary of activities your partner organization performed in Lighthouse on behalf of that customer. If the Create report button is greyed out, it usually means the tenant doesn't have enough monitored data for the report engine to work with. Ensure Lighthouse has been actively monitoring that tenant for at least a few weeks.

The Detection history tab for a Lighthouse deployment sub-task is missing old data. Where did it go?

When Microsoft updates an existing sub-task (rather than replacing it with a new one), the Detection history tab resets to show data based on the updated version of the sub-task. Historical detection data from the pre-update version of the sub-task is no longer available in the interface. This was confirmed with the May 2025 update to the Configure Microsoft Edge profile sub-task. If you need historical compliance data for audit or reporting purposes, the lesson here is to export Detection history data from actively managed sub-tasks on a regular schedule. Monthly is a reasonable cadence. Once an update happens, that pre-update history is gone from the UI permanently.

Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.