Microsoft 365 Lighthouse: Fix Setup & Config Errors

Intermediate | 14 min read | Updated April 20, 2026

Why This Is Happening

I've seen this exact scenario play out dozens of times: a managed service provider sets up Microsoft 365 Lighthouse for the first time, or wakes up one morning to find that a customer tenant suddenly shows "Not compliant" on the deployment plan, and the entire team grinds to a halt trying to figure out what changed. Microsoft 365 Lighthouse is an incredibly powerful portal for MSPs and CSP partners managing multiple customer tenants from a single pane of glass, but the sheer number of moving parts (GDAP relationships, RBAC roles, deployment baselines, Intune device configuration profiles, and Sales Advisor) means there are plenty of places for things to go sideways.

The most common reason things break in Microsoft 365 Lighthouse isn't a catastrophic system failure. It's usually one of a few quiet, easily-missed triggers: a recent platform update that changed the underlying settings of an existing deployment sub-task, a GDAP relationship that expired or was configured incorrectly, a custom baseline that's now out of sync with the default baseline, or a tenant onboarding flow that didn't complete all the prerequisite steps.

Take the "Configure Microsoft Edge profile for Windows 10 and later" deployment sub-task as a real example. In May 2025, Microsoft added two brand-new underlying settings to that sub-task, AutoFill Credit Card protection and Enhance Security mode, that push an Intune device configuration profile to tenant devices. If you already had this sub-task deployed and compliant before that update, your customer tenants may have flipped to "Not compliant" overnight without you touching a single setting. That's confusing and alarming if you don't know why it happened. The compliance status changed because the definition of the sub-task itself changed, not because anything broke on the tenant's end.

Another common pain point is around role visibility and permissions. Partners sometimes report they can see certain data in their own tenant but get access errors when trying to view or act on customer tenant data. This almost always traces back to the distinction between Lighthouse RBAC roles, which control what you can do within your partner tenant, and Microsoft Entra roles, which control access to actual customer data through your GDAP relationships. If those GDAP relationships aren't set up correctly for a given customer, you're going to hit walls.

And if you've cloned deployment tasks into custom baselines, a platform update to the original task in the default baseline does not automatically flow through to your clones. You'd need to re-clone manually. I know that's not obvious from the UI, and Microsoft's error messages in this case are frustratingly vague about what the root cause actually is.

The good news: every single one of these issues has a clear fix.

The Quick Fix: Try This First

If your Microsoft 365 Lighthouse customer tenant is showing "Not compliant" on a deployment sub-task and you haven't changed anything recently, the fastest path to resolution is to redeploy the affected sub-task directly from the Tenants page. This takes about three minutes and resolves the majority of compliance-drift cases, especially if the root cause is a platform-side update to a deployment sub-task definition, like the May 2025 Edge profile update that added AutoFill Credit Card and Enhance Security settings.

Here's exactly what you do. In the left navigation pane inside Microsoft 365 Lighthouse, select Tenants. Find the customer tenant showing "Not compliant" and click on it to open the tenant details page. Select the Deployment plan tab. Scroll through the task list until you find the task that's flagged; in many recent cases this will be "Configure Microsoft Edge." Expand it by clicking the arrow or the task name, then find the specific sub-task that shows the non-compliant status. Click on that sub-task, and you'll see a Deploy button in the sub-task detail pane. Select it and confirm.

Within a few minutes, sometimes up to 15 depending on Intune sync cycles, the status should update to compliant. If it doesn't shift after about 20 minutes, don't keep hitting Deploy. That's a signal something deeper is going on with the GDAP relationship or the Intune profile assignment, and you'll want to move on to the step-by-step section below.

One important note before you deploy: if the sub-task in question was previously cloned from a default baseline into a custom baseline you created, redeploying from the tenant's deployment plan will apply the old clone definition, not the updated one. You'll need to re-clone the updated sub-task from the default baseline into your custom baseline first, then deploy. More on that in Step 3.

Pro Tip
Before you touch anything, check the Detection history tab on the sub-task. It tells you exactly when the compliance status changed. If the timestamp aligns with a Microsoft platform update window (usually early morning UTC), that's your confirmation that a sub-task definition change, not a tenant-side misconfiguration, caused the flip. This saves you 20 minutes of digging through Intune logs for a problem that doesn't exist there.

Step 1: Verify Your Assigned Roles and GDAP Relationships

Before you can fix anything in Microsoft 365 Lighthouse, you need to confirm you actually have the right permissions in place, both at the partner level and at the customer tenant level. These are two completely separate permission layers and mixing them up is one of the most common causes of unexplained access errors.

In the left navigation pane, go to Roles > Assigned roles. The updated Assigned Roles page (refreshed in March 2025) shows you two distinct categories side by side. The first is your Lighthouse RBAC roles, which determine what data you can see and what actions you can take inside your own partner tenant within Lighthouse. The second is your Microsoft Entra roles, which are tied to your GDAP relationships with each customer and determine whether you can actually read or write customer tenant data.

If you can see tenant-level information in the dashboard but get an error when trying to deploy a configuration or run a report, that's almost certainly a Microsoft Entra/GDAP issue, not a Lighthouse RBAC issue. Check that your GDAP relationship with the specific customer tenant is active and that it includes the roles required for Intune device management (typically Intune Administrator or Cloud Device Administrator at minimum for deployment tasks).

If you can't see certain sections of Lighthouse at all, that points to a Lighthouse RBAC gap; you may need your partner tenant admin to assign you a higher Lighthouse role. The Assigned Roles page will tell you exactly which role you currently hold and what it grants. Write this down before proceeding to the next steps; knowing your current role set speeds up every subsequent diagnosis.

When you've confirmed your roles look correct and the GDAP relationship for the affected tenant is active and appropriately scoped, you're ready to proceed.

Step 2: Identify the Exact Sub-Task Causing the Compliance Failure

Not all "Not compliant" flags in Microsoft 365 Lighthouse are equal, and diving straight into fixes without isolating the specific sub-task first will waste your time. Go to Tenants in the left nav, select the affected customer tenant, and open the Deployment plan tab. You'll see a list of tasks, each of which can be expanded to show individual sub-tasks and their current status.

Look for any sub-task showing a red "Not compliant" badge. Click on it to open the detail pane. Two things you want to check here immediately: the Detection history tab and the Settings tab. The Detection history tab tells you the last time the sub-task's compliance was evaluated and what changed. The Settings tab shows the individual settings that make up the sub-task and which specific ones are out of compliance.

For the "Configure Microsoft Edge profile for Windows 10 and later" sub-task in particular, the one updated in May 2025, the Settings tab will now show the two new entries: AutoFill Credit Card and Enhance Security. If these appear with a "Not configured" or "Not compliant" status and your Detection history shows a recent evaluation date, you're looking at the platform update scenario. The fix is a redeploy, not a tenant-side investigation.

If instead your Detection history tab appears empty or shows no data, that's actually a documented side effect of the May 2025 sub-task update: detection history based on the pre-updated version of the sub-task is no longer available. Don't read that as a sign of corruption; it's expected behavior after a sub-task definition change. Proceed with deploying the updated sub-task.

Once you've positively identified the non-compliant sub-task and confirmed what's causing it, move to the next step.

Step 3: Re-Clone Updated Sub-Tasks Into Your Custom Baselines

This step only applies to you if you've built custom baselines in Microsoft 365 Lighthouse, but if you have, it's the step most partners skip and then spend hours wondering why the same sub-task keeps failing. When Microsoft updates a sub-task in the default baseline, those changes do not automatically propagate to cloned copies of that task that live inside custom baselines you've created. Your custom baseline is frozen at the moment you originally cloned it.

To fix this, you need to manually re-clone the updated sub-task from the default baseline. Here's how: in the left nav, go to your Baseline management section and open the custom baseline that contains the cloned task. Find the outdated cloned sub-task (it will likely be the one associated with the compliance failures you're seeing) and remove it from the custom baseline. Then, return to the default baseline, locate the updated version of the sub-task (for example, the updated "Configure Microsoft Edge profile for Windows 10 and later"), and clone it fresh into your custom baseline.

After re-cloning, you'll need to re-apply the updated baseline to any affected customer tenants. Navigate to each affected tenant's Deployment plan tab, and if the sub-task now appears in the re-cloned form, deploy it using the Deploy button in the sub-task detail pane.

This is a manual process for each custom baseline that contained the original clone. If you manage many customers through multiple custom baselines, budget some time for this. The Microsoft 365 Lighthouse team hasn't yet shipped automatic propagation of default baseline updates to clones, so staying on top of release notes, like the monthly "What's new" page accessible from the Lighthouse Home page, is how you catch these changes early before they create widespread compliance alerts across your managed tenants.

Step 4: Fix Subscription Renewal Tracking and Sales Advisor Issues

If the issue you're hitting in Microsoft 365 Lighthouse isn't about deployment compliance but about missing data in Sales Advisor (subscriptions not showing up, renewal dates appearing wrong, or the Licenses tab not displaying assignment counts), there are a few targeted checks to run.

First, confirm you're looking at the right tab. The Subscription renewals section inside Sales Advisor now has three tabs: High Priority, Upcoming, and Expired. Pinned subscriptions (a feature added in April 2025) always appear at the top of the High Priority tab regardless of sort order, and a pin icon will also appear next to them on the Upcoming or Expired tabs. If subscriptions appear to be "missing," check whether they've been pinned and are sitting at the top of High Priority without you realizing it. To pin or unpin, click in the Pin column next to the subscription row on any tab.

For missing license assignment data: the Licenses tab inside the subscription details pane (added in February 2025) shows the total number of licenses assigned per subscription plan for a specific tenant. To access it, go to Sales Advisor > Subscription renewals, click a tenant name from the list to open its details pane, and then select the Licenses tab. If this tab doesn't appear, check whether the tenant's subscription data has fully synchronized; this can take up to 24 hours for newly onboarded tenants.

If the Opportunity column on the Subscription renewals page is blank for all tenants, that's also not necessarily a bug. Opportunities are surfaced based on factors like upcoming renewals, total seat size, and product relevance; a tenant with no near-term renewals and a small seat count may legitimately show no opportunity. The new Group and Product filters on the Opportunities page (added in February 2025) can help you narrow down which tenants have actionable signals. Use the "New" group filter to see opportunities added since you last opened Sales Advisor, which is the fastest way to spot what's changed since your last session.

Step 5: Generate and Troubleshoot the Executive Summary Customer Report

The Executive Summary report feature, rolled out in January 2025, is one of the most useful additions to Microsoft 365 Lighthouse for MSPs that do regular customer business reviews. But I've seen a few partners hit errors or blank reports when trying to generate it for the first time, usually because of incomplete tenant onboarding or GDAP scope issues.

To generate an Executive Summary, go to Tenants in the left nav, select the specific customer tenant you want to report on, open the Overview tab, select Summary in the left sub-navigation pane, and then hit Create report. The report pulls together security posture highlights and business status for that tenant, and it summarizes key activities your partner organization performed in Lighthouse to keep the customer safe and productive.

If the Create report button is grayed out or the generated report comes back with large blank sections, here are the two most common causes. First, the customer tenant may not have been fully onboarded into Lighthouse; partial onboarding can mean that security posture data hasn't been collected yet. Check the tenant's onboarding status on the Tenants page. Second, the Lighthouse RBAC role you hold may not include reporting permissions. Check your Assigned Roles page and confirm your role includes reporting access.

If the report generates but looks sparse on the security posture side, that's often because the customer tenant doesn't yet have Defender for Business or Intune data feeding into Lighthouse. The report can only summarize data that's actually been collected. Ensuring that the relevant Microsoft 365 or Defender subscription is active for the tenant, and that the device management policies have been deployed (which is why Steps 2 and 3 matter so much), will fill out the report over time. Expect a 24-48 hour data propagation window after first deploying policies before the report reflects those activities accurately.

Advanced Troubleshooting

When the standard redeploy-and-wait approach doesn't resolve your Microsoft 365 Lighthouse issues, you need to go deeper. Here's what I check in enterprise and domain-joined scenarios when basic fixes haven't moved the needle.

Intune device configuration profile conflicts: The "Configure Microsoft Edge profile for Windows 10 and later" sub-task deploys an Intune device configuration profile. If a customer tenant already has a conflicting Intune profile assigned to the same user group or device group, particularly one that configures Edge settings, the Lighthouse-deployed profile may not apply cleanly. In the Microsoft Intune admin center (intune.microsoft.com), navigate to Devices > Configuration profiles and filter by "Microsoft Edge" to find any existing profiles. Check for duplicate or conflicting settings, especially around security and autofill categories. You may need to remove or consolidate conflicting profiles before the Lighthouse-deployed baseline can take effect.

GDAP relationship expiry and scope gaps: GDAP relationships have expiry dates. If a relationship expired and was auto-renewed with a reduced role scope, you may be able to see a tenant in Lighthouse but fail silently when trying to deploy configurations. Use the Partner Center at partner.microsoft.com to audit GDAP relationships for each affected customer. Filter by the customer name and confirm the relationship is Active, not Expired, and that the assigned roles include what Lighthouse needs. For deployment tasks, Intune Administrator is typically required. For security posture tasks, Security Administrator or Security Reader may also be needed depending on the scope of what Lighthouse is trying to read.

Tenant onboarding prerequisites not met: Microsoft 365 Lighthouse has specific prerequisites before a customer tenant can be fully managed. The tenant must have at least one user with a qualifying Microsoft 365 license (Business Premium, E3, E5, or similar), must have fewer than 2,500 licensed users (this limit applies to Lighthouse's managed tenant scope), and must have the GDAP relationship in place. If a tenant appears in Lighthouse but shows "Inactive" or has a persistent warning banner, run through the prerequisites checklist carefully. One missed item, often the user count threshold or a missing qualifying license, blocks everything downstream.

Checking Lighthouse's own What's new log: This is underused but genuinely helpful for diagnosing sudden unexplained changes. On the Lighthouse Home page, select the What's new link in the upper-right corner, or look for the What's new link on the "What's new & learning resources" card. This shows you exactly what features and changes were rolled out recently. Cross-reference the dates of changes in this log against when your compliance alerts first appeared; the two will often line up perfectly and give you an immediate explanation.

When to Call Microsoft Support
If you've confirmed your GDAP relationships are correctly scoped, your Lighthouse RBAC roles are appropriate, you've re-cloned any affected custom baseline sub-tasks, and compliant deployment still fails for a specific customer tenant after 48 hours, that's when it's time to escalate. Persistent sync failures between Lighthouse and Intune, or tenants that show as onboarded in Partner Center but appear broken in Lighthouse, often require backend investigation that only Microsoft can perform. File a support request through the Microsoft 365 admin center of your partner tenant, or contact Microsoft Support directly. When you do, bring the tenant's domain name, the specific sub-task names showing failures, screenshots of the Detection history tab, and the timestamps of when the issues first appeared. That set of information cuts the support resolution time significantly.

Prevention & Best Practices

After helping dozens of MSP partners get their Microsoft 365 Lighthouse environments running cleanly, the partners who have the fewest ongoing headaches share a handful of habits that make a real difference.

The single biggest one is reading the monthly "What's new" page in Lighthouse before the beginning of each new month, not after something breaks. You can access it directly from the Lighthouse Home page; it's right there in the upper-right corner. Platform updates that change sub-task definitions, like the May 2025 Edge profile update, are always documented there. If you catch that note before your compliance alerts fire, you can proactively redeploy the updated sub-task for all affected tenants during a scheduled maintenance window rather than scrambling reactively.

The second habit is being deliberate about custom baselines. Cloning default baseline tasks into custom baselines is a powerful feature, but it creates a maintenance debt that compounds over time. Every time Microsoft updates a default baseline sub-task, your clones don't update with it. Consider whether you genuinely need custom baselines for each scenario, or whether tenant-level deployment plan adjustments can accomplish the same goal without the clone management overhead.

For GDAP relationships, set a recurring calendar reminder 30 days before any GDAP agreement expires. The window for renewal is easy to miss (there's no aggressive notification in the Lighthouse UI), and an expired GDAP relationship can take compliance and deployment capabilities offline for an entire customer tenant while you're sorting it out.
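
The GDAP audit from the Advanced Troubleshooting section and the 30-day expiry reminder above can be run across all customers at once. The following is an added example, not code from Microsoft or from this guide's authors: it evaluates records in the Microsoft Graph delegatedAdminRelationship shape, and the sample tenants, the helper names, and the choice of Intune Administrator as the required role are assumptions for illustration.

```python
"""Audit GDAP relationships per customer: status, expiry window, role scope.

Input follows the delegatedAdminRelationship shape returned by Microsoft Graph
(GET /tenantRelationships/delegatedAdminRelationships). SAMPLE is constructed
for illustration; tenant names and IDs are made up.
"""
from datetime import datetime, timedelta, timezone

# Microsoft Entra built-in role template IDs.
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
SECURITY_READER = "5d6b6bb7-de71-4623-b4af-96380a352509"
ROLE_NAMES = {INTUNE_ADMIN: "Intune Administrator",
              SECURITY_READER: "Security Reader"}
REMINDER_WINDOW = timedelta(days=30)  # the 30-day reminder the guide recommends


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, tolerating 7-digit fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def role_ids(rel):
    """Return the set of role template IDs one relationship grants."""
    roles = rel.get("accessDetails", {}).get("unifiedRoles", [])
    return {r["roleDefinitionId"].lower() for r in roles}


def audit_customers(relationships, now, required=(INTUNE_ADMIN,)):
    """Return {customer name: [findings]} for customers that need attention."""
    by_customer = {}
    for rel in relationships:
        by_customer.setdefault(rel["customer"]["tenantId"], []).append(rel)

    report = {}
    for rels in by_customer.values():
        # Only active, unexpired relationships actually grant access.
        usable = [r for r in rels if r.get("status") == "active"
                  and parse_graph_time(r["endDateTime"]) > now]
        findings = []
        if not usable:
            findings.append("no active GDAP relationship")
        for role_id in required if usable else ():
            role = ROLE_NAMES.get(role_id, role_id)
            ends = [parse_graph_time(r["endDateTime"])
                    for r in usable if role_id in role_ids(r)]
            if not ends:
                findings.append(f"{role} not granted by any active relationship")
            elif max(ends) - now <= REMINDER_WINDOW:
                findings.append(f"{role} access ends in {(max(ends) - now).days} days")
        if findings:
            report[rels[0]["customer"]["displayName"]] = findings
    return report


def _rel(tenant, name, status, end, roles):
    """Build one constructed relationship record in the Graph shape."""
    return {"customer": {"tenantId": tenant, "displayName": name},
            "status": status, "endDateTime": end,
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in roles]}}


SAMPLE = [  # constructed data, not real tenants
    _rel("t-1", "Contoso Dental", "active", "2026-12-01T00:00:00Z",
         [INTUNE_ADMIN, SECURITY_READER]),
    # Old full-scope relationship expired; its replacement lacks Intune Administrator.
    _rel("t-2", "Fabrikam Legal", "expired", "2026-03-01T00:00:00Z", [INTUNE_ADMIN]),
    _rel("t-2", "Fabrikam Legal", "active", "2027-03-01T00:00:00.0000000Z",
         [SECURITY_READER]),
    _rel("t-3", "Northwind Clinic", "active", "2026-05-10T00:00:00Z", [INTUNE_ADMIN]),
    _rel("t-4", "Tailspin Realty", "expired", "2026-02-15T00:00:00Z", [INTUNE_ADMIN]),
]

if __name__ == "__main__":
    now = datetime(2026, 4, 20, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for customer, findings in audit_customers(SAMPLE, now).items():
        for finding in findings:
            print(f"{customer}: {finding}")
```

Roles are evaluated per customer across all of that customer's relationships, so a tenant that still appears in Lighthouse through a reduced-scope relationship is flagged even though its status reads active.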

Finally, on the Sales Advisor side: use the new pinning feature on the Subscription renewals page proactively. Pin every subscription that's coming up for renewal in the next 90 days. This keeps them visible on the High Priority tab regardless of sort order, and pairing that with the Group filter set to "High priority" on the Opportunities page gives you a tightly focused view of what actually needs attention each week rather than a wall of data to scroll through.

Quick Wins
  • Check the Lighthouse "What's new" page at the start of each month to catch sub-task definition changes before they create compliance alerts across your tenants.
  • Audit all GDAP relationships in Partner Center quarterly and set calendar reminders 30 days before any expiry date.
  • After any Microsoft platform update that affects a sub-task you've cloned into a custom baseline, re-clone it from the default baseline immediately; don't wait for a compliance failure to prompt you.
  • Use the Assigned Roles page under Roles > Assigned Roles in Lighthouse regularly to confirm your team members have the correct Lighthouse RBAC and Microsoft Entra roles for each customer they manage.

Frequently Asked Questions

Why did my Microsoft 365 Lighthouse tenant suddenly show "Not compliant" when I didn't change anything?

This almost always happens after Microsoft updates the definition of a deployment sub-task in the default baseline. The most recent example was in May 2025, when two new settings, AutoFill Credit Card and Enhance Security, were added to the "Configure Microsoft Edge profile for Windows 10 and later" sub-task. Even if your tenant was fully compliant before that update, the definition of "compliant" changed, so the status flipped. The fix is straightforward: go to Tenants, select the affected tenant, open the Deployment plan tab, find the flagged sub-task, and hit Deploy. The new settings will be pushed out via an Intune device configuration profile.

The Detection history tab on my sub-task is completely empty. Is that a bug?

Not a bug; it's expected behavior after a sub-task definition is updated. When Microsoft releases an update to a deployment sub-task, detection history based on the previous version of that sub-task is no longer available in the updated Detection history tab. The tab will start accumulating new history entries from the point of the update onward. You haven't lost anything actionable; the old data simply doesn't carry over to the new sub-task definition.

I cloned the Configure Microsoft Edge task into a custom baseline months ago. Do I need to redo that?

Yes. For any custom baselines that include a cloned version of the "Configure Microsoft Edge" task, you'll need to re-clone the updated task from the default baseline and replace the old clone. The existing clone will not automatically pick up the new AutoFill Credit Card and Enhance Security settings. Go to each affected custom baseline, remove the old clone, and then clone the current version of the task from the default baseline. After that, redeploy to the affected tenants through their individual Deployment plan tabs.

How do I pin a subscription in Microsoft 365 Lighthouse so it stays at the top of my renewal list?

Pinning subscriptions is a feature that arrived in April 2025. In the left navigation pane, select Subscription renewals (under Sales Advisor or the main nav depending on your Lighthouse version). On any of the tabs (High Priority, Upcoming, or Expired), you'll see a Pin column. Click in that column next to the subscription you want to prioritize. Pinned subscriptions move to the top of the High Priority tab automatically and show a pin icon on the relevant Upcoming or Expired tab as well. The pin stays in place until you manually click it again to remove it, so it persists across sessions.

Why can I see a customer tenant in Lighthouse but can't deploy configurations to them?

This is almost always a GDAP relationship issue. Being able to see a tenant in Lighthouse doesn't require the same level of access as deploying Intune configuration profiles to it. Go to Partner Center and check the GDAP relationship for that specific customer: confirm it's active, not expired, and that it includes the Intune Administrator role at a minimum. If the relationship looks correct there but Lighthouse still blocks deployment, check your Assigned Roles page in Lighthouse under Roles > Assigned Roles to verify your Microsoft Entra roles for that customer are showing up as expected.

Where do I generate an Executive Summary report for a customer tenant review?

The Executive Summary feature was added in January 2025 and lives inside the tenant details page. Go to Tenants in the left navigation pane, click on the specific customer tenant you want to report on, select the Overview tab, then look for Summary in the left sub-navigation pane within that tenant view. From there, hit Create report. The report will compile security posture highlights and a summary of your partner organization's Lighthouse activities for that tenant. If the button is grayed out, confirm that the tenant is fully onboarded and that your Lighthouse role includes reporting permissions via the Assigned Roles page.

Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.