-When a user interacts with Microsoft 365 Copilot (using apps such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt and Copilot's response, including citations to any information used to ground Copilot's response. We refer to the userΓÇÖs prompt and CopilotΓÇÖs response to that prompt as the "content of interactions" and the record of those interactions is the userΓÇÖs Copilot interaction history. For example, this stored data provides users with Copilot interaction history in [Business Chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organizationΓÇÖs other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft 365 Copilot.

-Your users can delete their Copilot interaction history, which includes their prompts and the responses Copilot returns, by going to the [My Account portal](https://myaccount.microsoft.com/). For more information, see [Delete your Microsoft 365 Copilot interaction history](https://support.microsoft.com/office/76de8afa-5eaf-43b0-bda8-0076d6e0390f).

-When plugins are enabled, Microsoft 365 Copilot determines whether it needs to use a specific plugin to help provide a relevant response to the user. If a plugin is needed, Microsoft 365 Copilot generates a search query to send to the plugin on the userΓÇÖs behalf. The query is based on the userΓÇÖs prompt, Copilot interaction history, and data the user has access to in Microsoft 365.

-If you turn off connected experiences that analyze your content on Windows or Mac devices in your organization, Microsoft 365 Copilot features wonΓÇÖt be available to your users in the following apps:

-There's also a privacy control that turns off all connected experiences, including connected experiences that analyze your content. If you use that privacy control, Microsoft 365 Copilot features wonΓÇÖt be available for certain apps on certain devices as described above.

-description: "Learn how to provide Microsoft 365 Copilot feedback to Microsoft on behalf of their users who encounter issues"

-# Provide user feedback for Microsoft 365 Copilot

-Microsoft 365 Copilot is a product that helps users boost their productivity with large-language models (LLM). While Copilot is designed to provide accurate and informative responses based on the knowledge and data available in the Microsoft Graph, it's important to note that answers may not always be completely accurate. This is because Copilot generates responses based on patterns and probabilities in language data. Providing feedback is essential to improve the product and make it more dependable for users.

-4. After a short wait, youΓÇÖll receive a JSON file containing the user's conversations with Copilot for the past X interactions (utterance/response pairs) that you select, along with their feedback logs. The file will be redacted to protect Microsoft IP, if any. You can use any JSON viewer tool to inspect the data and include additional comments for the feedback. The file will be available for download once it's generated.

-description: "Special considerations for Stream and Teams events in VPN environments"

-# Special considerations for Stream and Teams events in VPN environments

->This article is part of a set of articles that address Microsoft 365 optimization for remote users. The following endpoints are specific to Worldwide Commercial and Government Community Cloud (GCC) environments; the endpoints listed here are not applicable to U.S. Government GCC High or U.S. Government DoD environments.

-Microsoft 365 Live Events attendee traffic (this includes attendees to Teams-produced live events and those produced with an external encoder via Teams, Stream, or Viva Engage), Microsoft Teams Town hall attendee traffic and on-demand Stream attendee traffic is currently categorized as **Default** versus **Optimize** in the [URL/IP list for the service](urls-and-ip-address-ranges.md). These endpoints are categorized as **Default** because they're hosted on CDNs that might also be used by other services. Customers generally prefer to proxy this type of traffic and apply any security elements normally done on endpoints such as these.

-Many customers have asked for URL/IP data needed to connect their attendees to Stream or Teams events directly from their local internet connection, rather than route the high-volume and latency-sensitive traffic via the VPN infrastructure. Typically, this isn't possible without both dedicated namespaces and accurate IP information for the endpoints, which isn't provided for Microsoft 365 endpoints categorized as **Default**.

-Use the following steps to enable direct connectivity for the Stream or Teams events services from clients using a forced tunnel VPN. This solution is intended to provide customers with an option to avoid routing Events attendee traffic over VPN while there's high network traffic due to work-from-home scenarios. If possible, we recommend accessing the service through an inspecting proxy.

->We recommend you weigh the risk of sending more traffic that bypasses the VPN over the performance gain for Live Events.

-To implement the forced tunnel exception for Teams Events and Stream, the following steps should be applied:

-**\*.azureedge.net** is used for Stream events ([Configure encoders for live streaming in Microsoft Stream - Microsoft Stream | Microsoft Docs](/stream/live-encoder-setup)).

-Some of these endpoints are shared with other elements outside of Stream or Teams events. We don't recommend just using these FQDNs to configure VPN offload even if technically possible in your VPN solution (for example, if it works at the FQDN rather than IP).

-For organizations that utilize a PAC file to route traffic through a proxy while on VPN, this is normally achieved using FQDNs. However, with Stream/Live Events/Town hall, the host names provided contain wildcards such as **\*.azureedge.net**, which also encompasses other elements for which it isn't possible to provide full IP listings. Thus, if the request is sent direct based on DNS wildcard match alone, traffic to these endpoints will be blocked as there's no route via the direct path for it in [Step 3](#3-configure-routing-on-the-vpn-to-enable-direct-egress) later in this article.

-To solve this, we can provide the following IPs and use them in combination with the host names in an example PAC file as described in [Step 1](#1-configure-external-dns-resolution). The PAC file checks if the URL matches those used for Stream/Live Events/Town hall and then if it does, it then also checks to see if the IP returned from a DNS lookup matches those provided for the service. If _both_ match, then the traffic is routed direct. If either element (FQDN/IP) doesn't match, then the traffic is sent to the proxy. As a result, the configuration ensures that anything that resolves to an IP outside of the scope of both the IP and defined namespaces traverses the proxy via the VPN as normal.

-Teams events use multiple CDN providers to stream to customers, to provide the best coverage, quality, and resiliency. Currently, both Azure CDN from Microsoft and from Verizon are used. Over time this could be changed due to situations such as regional availability. This article is a source to enable you to keep up to date on IP ranges.

-For Azure CDN from Microsoft, you can download the list from [Download Azure IP Ranges and Service Tags ΓÇô Public Cloud from Official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56519) - you'll need to look specifically for the service tag _AzureFrontdoor.Frontend_ in the JSON; _addressPrefixes_ will show the IPv4/IPv6 subnets. Over time the IPs can change, but the service tag list is always updated before they're put in use.

-For Azure CDN from Verizon (Edgecast) you can find an exhaustive list using [Edge Nodes - List](/rest/api/cdn/edge-nodes/list) (select **Try It** ) - you'll need to look specifically for the **Premium\_Verizon** section. Note that this API shows all Edgecast IPs (origin and Anycast). Currently there isn't a mechanism for the API to distinguish between origin and Anycast.

-To implement this in a PAC file, you can use the following example that sends the Microsoft 365 Optimize traffic direct (which is recommended best practice) via FQDN, and the critical Stream/Live Events traffic direct via a combination of the FQDN and the returned IP address. The placeholder name _Contoso_ would need to be edited to your specific tenant's name where _contoso_ is from contoso.onmicrosoft.com

-#### Example PAC file

-Here's an example of how to generate the PAC files:

-1. Save the script below to your local hard disk as _Get-TLEPacFile.ps1_.

-1. Go to the [Verizon URL](/rest/api/cdn/edge-nodes/list#code-try-0) and download the resulting JSON (copy paste it into a file like cdnedgenodes.json)

-1. In a PowerShell window, run the following command. Change out the tenant name for something else if you want the SPO URLs. This is Type 2, so **Optimize** and **Allow** (Type 1 is Optimize only).

- .\Get-TLEPacFile.ps1 -Instance Worldwide -Type 2 -TenantName <contoso> -CdnEdgeNodesFilePath .\cdnedgenodes.json -FilePath TLE.pac

-1. The TLE.pac file will contain all the namespaces and IPs (IPv4/IPv6).

-##### Get-TLEPacFile.ps1

-.VERSION 1.0.5

-Create a PAC file for Microsoft 365 prioritized connectivity

-The service instance inside Microsoft 365.

-The type of prioritization to give. Valid values are 1 and 2, which are 2 different modes of operation.

-Type 1 will send Optimize traffic to the direct route. Type 2 will send Optimize and Allow traffic to

-the direct route.

-Get-TLEPacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -DefaultProxySettings "PROXY 4.4.4.4:70" -FilePath type1.pac

-Get-TLEPacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance China -Type 2 -DefaultProxySettings "PROXY 4.4.4.4:70" -FilePath type2.pac

-.EXAMPLE

-Get-TLEPacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance WorldWide -Lowercase -TenantName tenantName -ServiceAreas Sharepoint

-[CmdletBinding(SupportsShouldProcess=$True)]

- [Parameter(Mandatory = $false)]

- [ValidateSet('Worldwide', 'Germany', 'China', 'USGovDoD', 'USGovGCCHigh')]

- [Parameter(Mandatory = $false)]

- [guid] $ClientRequestId = [Guid]::NewGuid().Guid,

- [Parameter(Mandatory = $false)]

- [Parameter(Mandatory = $false)]

- [Parameter(Mandatory = $false)]

- [ValidateRange(1, 2)]

- [int] $Type = 1,

- [Parameter(Mandatory = $false)]

- [switch] $Lowercase = $false,

- [Parameter(Mandatory = $false)]

- [Parameter(Mandatory = $false)]

- [Parameter(Mandatory = $false)]

- [Parameter(Mandatory = $false)]

-$baseServiceUrl = "https://endpoints.office.com/endpoints/$Instance/?ClientRequestId={$ClientRequestId}"

-$bl = "`r`n"

-function Get-PacClauses

-{

- [Parameter(Mandatory = $false)]

- [string[]] $Urls,

- [Parameter(Mandatory = $true)]

- [ValidateNotNullOrEmpty()]

- [String] $ReturnVarName

- )

- if (!$Urls)

- {

- return ""

- }

- $clauses = (($Urls | ForEach-Object { "shExpMatch(host, `"$_`")" }) -Join "$bl || ")

-@"

- if($clauses)

- {

- return $ReturnVarName;

- }

-"@

-}

-function Get-PacString

-{

- param(

- [Parameter(Mandatory = $true)]

- [ValidateNotNullOrEmpty()]

- [array[]] $MapVarUrls

-@"

-// This PAC file will provide proxy config to Microsoft 365 services

-// using data from the public web service for all endpoints

-function FindProxyForURL(url, host)

-{

- var $directProxyVarName = "$DirectProxySettings";

- var $defaultProxyVarName = "$DefaultProxySettings";

-$( if ($Lowercase) { " host = host.toLowerCase();" })

-$( ($MapVarUrls | ForEach-Object { Get-PACClauses -ReturnVarName $_.Item1 -Urls $_.Item2 }) -Join "$bl$bl" )

-$( if (!$ServiceAreas -or $ServiceAreas.Contains('Skype')) { Get-TLEPacConfiguration })

- return $defaultProxyVarName;

-}

-"@ -replace "($bl){3,}","$bl$bl" # Collapse more than one blank line in the PAC file so it looks better.

-function Get-TLEPacConfiguration {

- param ()

- $PreBlock = @"

- // Don't Proxy Teams Live Events traffic

- if(shExpMatch(host, "*.azureedge.net")

- || shExpMatch(host, "*.bmc.cdn.office.net")

- || shExpMatch(host, "*.ml.cdn.office.net")

- || shExpMatch(host, "*.media.azure.net"))

- {

- var resolved_ip = dnsResolveEx(host);

-"@

- $TLESb = New-Object 'System.Text.StringBuilder'

- $TLESb.Append($PreBlock) | Out-Null

- if (![string]::IsNullOrEmpty($CdnEdgeNodesFilePath) -and (Test-Path -Path $CdnEdgeNodesFilePath)) {

- $CdnData = Get-Content -Path $CdnEdgeNodesFilePath -Raw -ErrorAction SilentlyContinue | ConvertFrom-Json | Select-Object -ExpandProperty value |

- Where-Object { $_.name -eq 'Premium_Verizon'} | Select-Object -First 1 -ExpandProperty properties |

- Select-Object -ExpandProperty ipAddressGroups

- $CdnData | Select-Object -ExpandProperty ipv4Addresses | ForEach-Object {

- if ($TLESb.Length -eq $PreBlock.Length) {

- $TLESb.Append(" if(") | Out-Null

- }

- else {

- $TLESb.AppendLine() | Out-Null

- $TLESb.Append(" || ") | Out-Null

- }

- $TLESb.Append("isInNetEx(resolved_ip, `"$($_.BaseIpAddress)/$($_.prefixLength)`")") | Out-Null

- $CdnData | Select-Object -ExpandProperty ipv6Addresses | ForEach-Object {

- if ($TLESb.Length -eq $PreBlock.Length) {

- $TLESb.Append(" if(") | Out-Null

- }

- else {

- $TLESb.AppendLine() | Out-Null

- $TLESb.Append(" || ") | Out-Null

- }

- $TLESb.Append("isInNetEx(resolved_ip, `"$($_.BaseIpAddress)/$($_.prefixLength)`")") | Out-Null

- $AzureIPsUrl = Invoke-WebRequest -Uri "https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519" -UseBasicParsing -ErrorAction SilentlyContinue |

- Select-Object -ExpandProperty Links | Select-Object -ExpandProperty href |

- if ($AzureIPsUrl) {

- Invoke-RestMethod -Uri $AzureIPsUrl -ErrorAction SilentlyContinue | Select-Object -ExpandProperty values |

- Where-Object { $_.name -eq 'AzureFrontDoor.Frontend' } | Select-Object -First 1 -ExpandProperty properties |

- Select-Object -ExpandProperty addressPrefixes | ForEach-Object {

- if ($TLESb.Length -eq $PreBlock.Length) {

- $TLESb.Append(" if(") | Out-Null

- }

- else {

- $TLESb.AppendLine() | Out-Null

- $TLESb.Append(" || ") | Out-Null

- }

- $TLESb.Append("isInNetEx(resolved_ip, `"$_`")") | Out-Null

- }

- }

- if ($TLESb.Length -gt $PreBlock.Length) {

- $TLESb.AppendLine(")") | Out-Null

- $TLESb.AppendLine(" {") | Out-Null

- $TLESb.AppendLine(" return $directProxyVarName;") | Out-Null

- $TLESb.AppendLine(" }") | Out-Null

- else {

- $TLESb.AppendLine(" // no addresses found for service via script") | Out-Null

- $TLESb.AppendLine(" }") | Out-Null

- return $TLESb.ToString()

-function Get-Regex

-{

- param(

- [Parameter(Mandatory = $true)]

- [ValidateNotNullOrEmpty()]

- [string] $Fqdn

- )

- return "^" + $Fqdn.Replace(".", "\.").Replace("*", ".*").Replace("?", ".?") + "$"

-}

-function Match-RegexList

-{

- param(

- [Parameter(Mandatory = $true)]

- [ValidateNotNullOrEmpty()]

- [string] $ToMatch,

- [Parameter(Mandatory = $false)]

- [string[]] $MatchList

- if (!$MatchList)

- {

- return $false

- foreach ($regex in $MatchList)

- {

- if ($regex -ne $ToMatch -and $ToMatch -match (Get-Regex $regex))

- {

- return $true

- return $false

-function Get-Endpoints

-{

- if ($TenantName)

- {

- if ($ServiceAreas)

- {

-function Get-Urls

-{

- param(

- [Parameter(Mandatory = $false)]

- [psobject[]] $Endpoints

- )

- if ($Endpoints)

- {

- return $Endpoints | Where-Object { $_.urls } | ForEach-Object { $_.urls } | Sort-Object -Unique

- }

- return @()

-}

-function Get-UrlVarTuple

-{

- param(

- [Parameter(Mandatory = $true)]

- [ValidateNotNullOrEmpty()]

- [string] $VarName,

- [Parameter(Mandatory = $false)]

- [string[]] $Urls

- )

- return New-Object 'Tuple[string,string[]]'($VarName, $Urls)

-}

-function Get-MapVarUrls

-{

- if ($Type -eq 1)

- {

- $directUrls = Get-Urls ($Endpoints | Where-Object { $_.category -eq "Optimize" })

- $nonDirectPriorityUrls = Get-Urls ($Endpoints | Where-Object { $_.category -ne "Optimize" }) | Where-Object { Match-RegexList $_ $directUrls }

- return @(

- Get-UrlVarTuple -VarName $defaultProxyVarName -Urls $nonDirectPriorityUrls

- Get-UrlVarTuple -VarName $directProxyVarName -Urls $directUrls

- )

- }

- elseif ($Type -eq 2)

- {

- $directUrls = Get-Urls ($Endpoints | Where-Object { $_.category -in @("Optimize", "Allow")})

- $nonDirectPriorityUrls = Get-Urls ($Endpoints | Where-Object { $_.category -notin @("Optimize", "Allow") }) | Where-Object { Match-RegexList $_ $directUrls }

- return @(

- Get-UrlVarTuple -VarName $defaultProxyVarName -Urls $nonDirectPriorityUrls

- Get-UrlVarTuple -VarName $directProxyVarName -Urls $directUrls

- )

-$content = Get-PacString (Get-MapVarUrls)

-if ($FilePath)

-{

-else

-{

-The script will automatically parse the Azure list based on the [download URL](https://www.microsoft.com/download/details.aspx?id=56519) and keys off of **AzureFrontDoor.Frontend**, so there's no need to get that manually.

-Again, we don't recommend performing VPN offload using just the FQDNs; utilizing **both** the FQDNs and the IP addresses in the function helps scope the use of this offload to a limited set of endpoints including Live Events/Stream. The way the function is structured will result in a DNS lookup being done for the FQDN that matches those listed by the client directly, i.e. DNS resolution of the remaining namespaces remains unchanged.

-If you wish to limit the risk of offloading endpoints not related to Teams events and Stream, you can remove the **\*.azureedge.net** domain from the configuration which is where most of this risk lies as this is a shared domain used for all Azure CDN customers. The downside of this is that any event using an external encoder powered by Stream won't be optimized, but events produced/organized within Teams will be.

-The final step is to add a direct route for the Teams event IPs described in **Gathering the current lists of CDN Endpoints** into the VPN configuration to ensure the traffic isn't sent via the forced tunnel into the VPN. Detailed information on how to do this for Microsoft 365 Optimize endpoints can be found in the [Implement VPN split tunneling](microsoft-365-vpn-implement-split-tunnel.md#implement-vpn-split-tunneling) section of [Implementing VPN split tunneling for Microsoft 365](microsoft-365-vpn-implement-split-tunnel.md). The process is exactly the same for the Stream or Teams events IPs listed in this document.

-Note that only the IPs (not FQDNs) from [Gathering the current lists of CDN Endpoints](#gathering-the-current-lists-of-cdn-endpoints) should be used for VPN configuration.

-No, this will send the latency-sensitive streaming traffic for a Teams Event or Stream video direct, any other traffic will continue to use the VPN tunnel if they don't resolve to the IPs published.

-In this case, the above endpoints are CDNs that might be used by non-Microsoft controlled elements other than Live Events or Stream, and thus sending the traffic direct will also mean anything else which resolves to these IPs will also be sent direct from the client. Due to the unique nature of the current global crisis and to meet the short-term needs of our customers, Microsoft has provided the information above for customers to use as they see fit.

-No, access to all of the **Required** marked endpoints in [the URL/IP service](urls-and-ip-address-ranges.md) is essential for the service to operate. In addition, any Optional endpoint marked for Stream (ID 41-45) is required.

-2. Viewing Stream hosted content

-3. External device (encoder) produced events

-4. Teams Town hall

-It doesn't; the advice above is purely for those consuming the service. Presenting from within Teams will see the presenter's traffic flowing to the Optimize marked UDP endpoints listed in URL/IP service row 11 with detailed VPN offload advice outlined in the [Implement VPN split tunneling](microsoft-365-vpn-implement-split-tunnel.md#implement-vpn-split-tunneling) section of [Implementing VPN split tunneling for Microsoft 365](microsoft-365-vpn-implement-split-tunnel.md).

-### Does this configuration risk traffic other than Town hall, Live Events &amp; Stream being sent direct?

-Yes, due to shared FQDNs used for some elements of the service, this is unavoidable. This traffic is normally sent via a corporate proxy which can apply inspection. In a VPN split tunnel scenario, using both the FQDNs and IPs will scope this risk down to a minimum, but it will still exist. Customers can remove the **\*.azureedge.net** domain from the offload configuration and reduce this risk to a bare minimum but this will remove the offload of Stream-supported Live Events (Teams-scheduled, Stream encoder events, Viva Engage events produced in Teams, Viva Engage-scheduled Stream encoder events, and Stream scheduled events or on-demand viewing from Stream). Events scheduled and produced in Teams (including Town hall) are unaffected.

-To enable discovery, rich people search, and full fidelity collaboration experiences, the Microsoft 365 profile of users in the tenant is replicated across geos when a Multi-Geo tenant is first set up (for instance, to provide the Global Address List) and in response to user actions. Examples of user actions include direct and indirect interactions with one or more users in the tenant via activities like joining the Organization, creating and\or joining Teams meetings, sharing and\or co-editing files, profile card lookup, and adding of contacts as described in [Add, find, edit, or delete a contact in Outlook](https://support.microsoft.com/office/add-find-edit-or-delete-a-contact-in-outlook-e1dc4548-3bd6-4644-aecd-47b5728f7b0d#:~:text=information%20any%20time.-,Select%20the%20contact%20from%20the%20list%2C%20then%20select%20Edit%20contact,and%20begin%20adding%20more%20information.&text=someone's%20profile%20card-,In%20Mail%2C%20open%20an%20email%20message%20in%20the%20reading%20pane,card%2C%20select%20Add%20to%20contacts.). The replicated Microsoft 365 profiles of other users from an interaction\collaboration are stored in the Microsoft 365 People dataset of the target user shard.

-<!--China endpoints version 2024093000-->

-<!--File generated 2024-09-30 06:04:21.0424-->

-## SharePoint Online and OneDrive for Business

-25 | Default<BR>Required | No | `purview.microsoftonline.cn` | **TCP:** 443

-<!--Worldwide endpoints version 2024093000-->

-<!--File generated 2024-09-30 06:04:22.0404-->

-## SharePoint Online and OneDrive for Business

-31 | Optimize<BR>Required | Yes | `*.sharepoint.com`<BR>`13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48` | **TCP:** 443, 80

- | | | -- | -

-47 | Default<BR>Required | No | `*.office.net` | **TCP:** 443, 80

-184 | Default<BR>Required | No | `*.cloud.microsoft, *.static.microsoft, *.usercontent.microsoft` | **TCP:** 443, 80

-# Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse

-The Lighthouse permissions page allows administrators in Microsoft 365 Lighthouse to manage user role-based access control (RBAC) permissions in the partner tenant. Administrators can view and manage membership for each Lighthouse RBAC role to ensure that users in the partner tenant have right-sized permissions. Each Lighthouse RBAC role is associated with a security group instead of an Entra ID role, so when users are assigned a Lighthouse RBAC role, they're automatically associated with a specific Lighthouse RBAC security group.

-When administrators assign a Lighthouse RBAC role to a user in the partner tenant for the first time, a security group is automatically created. Administrators can view the associated security group for each Lighthouse RBAC role on the Lighthouse permissions page and in the Microsoft Entra admin center. All security group membership changes are reflected in both Lighthouse and the Microsoft Entra admin center.

-To access the Lighthouse permissions page and manage permissions, you must be a Global Administrator in Microsoft Entra ID.

-> The Lighthouse Operator role is viewable but not assignable from the Lighthouse permissions page. The Lighthouse Operator role is automatically assigned to users with GDAP permissions.

-> You must assign the Lighthouse RBAC Administrator role to a role-assignable security group. In addition, to be able to assign roles to a role-assignable security group and/or create role-assignable security groups, you must have a Microsoft Entra ID P1 license. To enable Just-in-Time (JIT) roles, Microsoft Entra IDE Governance or a Microsoft Entra ID P2 license is required.

-After you've added users to, or removed users from, the available Lighthouse RBAC roles, go to the Lighthouse permissions page to view the latest group membership for each role.

-> Once you've added a user to, or removed a user from, a Lighthouse RBAC role, it may take up to an hour for group membership changes to appear in Lighthouse.

-[Set up GDAP for your customers](m365-lighthouse-setup-gdap.md) (article)\

-[Overview of Delegated Access in Microsoft 365 Lighthouse](m365-lighthouse-delegated-access-overview.md) (article)\

-[Use Microsoft Entra groups to manage role assignments](/entra/identity/role-based-access-control/groups-concept)

-description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn more about Lighthouse permission requirements."

-## Global Administrator permissions in the partner tenant

-Partner tenant users assigned the Global Administrator role in Microsoft Entra ID can do the following:

-## Managing Lighthouse RBAC permissions in the partner tenant

-Lighthouse permissions in the partner tenant are managed by assigning RBAC roles. Each role has a set of permissions that determines which data users can access and change within the partner tenant.

-RBAC roles are managed from the Lighthouse permissions page in Lighthouse. To access the Lighthouse permissions page and manage permissions, you must be a Global Administrator in Microsoft Entra ID. To learn more, see [Manage Lighthouse RBAC permissions in Microsoft 365 Lighthouse](m365-lighthouse-manage-lighthouse-rbac-permissions.md).

-There's currently only one Lighthouse RBAC role: Lighthouse Account Manager. The following table describes the Lighthouse Account Manager role.

-| Lighthouse&nbsp;RBAC&nbsp;role | Description |

-| Lighthouse Account Manager | Provides full access to Sales Advisor pages and data across the entire partner tenant. Lighthouse Account Managers can export Sales Advisor data. |

-The following table describes the actions that Lighthouse Account Managers can perform in Lighthouse.

-| Area | Actions | Lighthouse&nbsp;Account&nbsp;Manager |

-|||::|

-| **Tenants** | View the Tenants page | &check; |

-| | Manage tags | |

-| | Activate and inactivate a tenant | |

-| | View delegated status | &check; |

-| | View baseline assignment | |

-| | View deployment status | &check; |

-| | View and edit customer contact information and website | &check; |

-| **Baselines** | View baselines (default, custom) | |

-| | Create, edit, and assign baselines | |

-| **Alerts** | View alerts | &check; |

-| | Manage alerts (change severity, status, or assignment) | |

-| | Create, edit, and delete alert rules | |

-| **Permissions** | Set up and manage Lighthouse permissions | |

-| | Set up and manage GDAP | |

-| | View GDAP status detail | |

-| **Audit logs** | View audit logs | |

-| **Sales Advisor** | View Sales Advisor reports and manage data | &check; |

-| **Support** | Open and manage service requests | |

-| **Service&nbsp;health** | Monitor service health | |

-## Managing GDAP in the customer tenant

-GDAP gives you a high level of control and flexibility by providing access to customer tenants throughΓÇ»[Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference). Assigning the least-privileged roles by task through GDAP to MSP technicians reduces security risk for both MSPs and customers.

-For more information about setting up a GDAP relationship with a customer tenant in Lighthouse, see [Obtain granular admin permissions to manage a customer's service - Partner Center](/partner-center/gdap-obtain-admin-permissions-to-manage-customer).ΓÇ»

-For more information about least-privileged roles by task, seeΓÇ»[Least-privileged roles - Partner Center](/partner-center/gdap-least-privileged-roles-by-task) and [Least privileged roles by task in Microsoft Entra ID](/azure/active-directory/roles/delegate-by-task).

-For more information about GDAP or delegated administrative privileges (DAP) deprecation, see [GDAP frequently asked questions - Partner Center](/partner-center/gdap-faq), or search the [Partner Center announcements](/partner-center/announcements/) for dates and timelines.

-The following tasks in Lighthouse have specific Microsoft Entra role requirements:

-For a complete list of Microsoft Entra roles, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference). For information on how to assign roles, see [Assign Microsoft Entra roles to users](/azure/active-directory/roles/manage-roles-portal).

-[Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md) (article)

-[Overview of Microsoft 365 Lighthouse](m365-lighthouse-overview.md) (article)

-[Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)

-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)

-You can access the information in Lighthouse by selecting **Home** in the left navigation pane, or by selecting **Data protection** in the left navigation pane to open the Quarantined messages page.

-To view service health, you need a Microsoft Entra role in the partner tenant with the following property set: **microsoft.office365.serviceHealth/allEntities/allTasks**. For a list of Microsoft Entra roles, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference).