What Lighthouse Costs
Microsoft 365 Lighthouse — the multi-tenant management portal for partners — carries no additional cost. It requires one licence in the partner tenant only; there are no per-user licences for the partner and no Lighthouse licences in any customer tenant. For a managed service provider weighing tooling across the advanced Microsoft estate, that is genuinely free at-scale management — but the absence of a licence fee is precisely what hides the real entry requirements, which are operational rather than commercial.
The Real Requirements
Lighthouse is gated by programme membership and delegated access, not by money.
| Requirement | Detail |
|---|---|
| CSP enrolment | Partner must be in the Cloud Solution Provider programme (indirect reseller or direct-bill) |
| Delegated access | GDAP plus an indirect reseller relationship, or a DAP relationship, to onboard each customer |
| Customer subscription | Each tenant needs at least one Enterprise, Business, Frontline or Education subscription |
| Tenant size | No more than 2,500 licensed users per customer tenant |
Only the partner enrols in CSP — the managed customers do not. Granular Delegated Admin Privileges (GDAP) is the access model Microsoft now expects, replacing the broader legacy DAP, and getting GDAP scoping right is the practical work of onboarding a customer into Lighthouse.
The 2,500-User Ceiling
Lighthouse only manages customer tenants with no more than 2,500 licensed users. That ceiling defines Lighthouse as an SMB-management tool, not an enterprise one — a provider whose customers cross 2,500 users needs a different management approach for those tenants, regardless of the free licence.
This ceiling is the single most important planning fact for an MSP. It means Lighthouse is built for the volume small-and-mid-market book of business, where managing dozens or hundreds of sub-2,500-user tenants from one console is exactly the problem it solves. For larger customers, the same identity and security work is done through native admin tooling and the customer's own Entra ID estate rather than Lighthouse.
Where MSP Economics Bite
Lighthouse is free, but its most valuable features depend on licences that are not. For customer data to appear in the user-management reports — risky users, multifactor authentication status, self-service password reset — those customer tenants need Entra ID P1 or higher. For device management and threat monitoring, the MSP must enrol customer devices in Microsoft Intune. So the real Lighthouse economics are an attach motion: the portal is free, but the security and identity value that justifies it to customers rides on P1 and Intune, which carry per-user cost in each customer tenant. That attach economics is where an MSP's margin actually lives, and it should be priced into managed-service agreements deliberately, the same way a room estate is sized in our Teams Rooms licensing guide.
Lighthouse vs the Alternatives
Lighthouse is not the only way to manage multiple tenants, and understanding where it sits clarifies whether the free tool is the right one. Against the per-tenant Microsoft 365 admin centre, Lighthouse wins clearly: it aggregates many tenants into one console with cross-tenant baselines, recommended actions and at-a-glance status, removing the tab-switching that makes managing dozens of tenants individually unworkable. For an MSP whose alternative is logging into each customer separately, Lighthouse is straightforwardly better and free.
Against a dedicated RMM or PSA platform — the remote-monitoring and professional-services-automation tools many MSPs already run — the comparison is different. Those platforms span the whole IT estate, including non-Microsoft assets, ticketing and billing, where Lighthouse is deliberately scoped to Microsoft 365 security and identity. Lighthouse is therefore usually a complement, not a replacement: it deepens the Microsoft 365 management that a general RMM handles only shallowly, while the RMM continues to own the broader operational picture. The mistake is treating them as either-or.
The feature that anchors Lighthouse's value is its baselines and deployment tasks — standardised security configurations (multifactor authentication, Conditional Access, compliance policies) that can be assessed and rolled out consistently across every managed tenant. That is the capability that turns Lighthouse from a dashboard into a security-standardisation engine, and it is what makes the Entra P1 and Intune attach worthwhile, because the baselines depend on those licences to function fully.
So the honest positioning is narrow but valuable: Lighthouse is the best free tool for standardising Microsoft 365 security across a book of sub-2,500-user tenants, it complements rather than replaces a broader RMM or PSA, and its worth is realised only when the prerequisite licences are in place. An MSP that understands that boundary deploys it well; one that expects it to be a whole-estate management platform will be disappointed.
Lighthouse in Partner Strategy
For an MSP, Lighthouse is best understood as the free hub of a paid spoke model: it costs nothing to run, but it makes the case for selling customers the Entra P1 and Intune licences that unlock its value, and it scales the management of a sub-2,500-user customer base efficiently. The strategic levers are the CSP relationship and its pricing, the GDAP scoping that controls risk, and the P1-and-Intune attach that drives both security outcomes and margin — the same partner-economics thinking that governs government and regulated managed services. Benchmark your CSP economics against the Microsoft vendor intelligence hub and the Microsoft Enterprise Agreement Guide. To model a Lighthouse-anchored managed-service offer, request a confidential briefing.