Updates from: 02/25/2022 02:16:00
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove A Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/remove-a-domain.md
You can also use PowerShell to move users to another domain. See [Set-MsolUserPr
::: moniker range="o365-worldwide"
+> [!NOTE]
+> If you are removing a custom domain, see [remove a custom domain](#remove-a-custom-domain) before proceeding.
+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page. ::: moniker-end
You can also use PowerShell to move users to another domain. See [Set-MsolUserPr
4. Follow any additional prompts, and then select **Close**. +++
+### Remove a custom domain
+
+If you are canceling your subscription and you use a custom domain, there are a few extra steps that you must do before you can cancel your subscription.
+
+#### Change your domain nameserver records (if needed)
+
+If you set up a custom domain, you added DNS records so the domain would work with Microsoft 365 services. Before you remove your domain, be sure to update the DNS records, such as your domain MX record, at your DNS host.
+
+For example, change the MX record at your DNS host. Email sent to your domain stops coming to your Microsoft address and goes to your new email provider instead. (An MX record determines where email for your domain is sent.)
+
+- If your nameserver (NS) records [are pointing to Microsoft 365 nameservers](../../admin/setup/add-domain.md), changes to your MX record don't take effect until you change your NS records to point to your new DNS host (see Step 2).
+
+- Before you update the MX record, let your users know the date you plan to switch their email, and the new email provider you plan to use. Also, if your users want to move their existing Microsoft email to the new provider, they must take extra steps.
+
+- On the day you change the MX record, make sure to [save your data](/microsoft-365/commerce/subscriptions/cancel-your-subscription#save-your-data) and [uninstall Office if needed](/microsoft-365/commerce/subscriptions/cancel-your-subscription#uninstall-office-optional).
+
+#### Update your domain MX and other DNS records (if you're using a custom domain)
+
+If you switched your nameserver (NS) records to Microsoft 365 when you set up your domain, you must set up or update your MX record and other DNS records at the DNS host you plan to use, and then change your NS record to that DNS host.
+
+If you didn't switch NS records when you set up your domain, when you change the MX record, your mail starts going to the new address right away.
+
+To change your NS records, see [Change nameservers to set up Microsoft 365 with any domain registrar](../../admin/get-help-with-domains/change-nameservers-at-any-domain-registrar.md).
+++ ## How long does it take for a domain to be removed? It can take as little as 5 minutes for Microsoft 365 to remove a domain if it's not referenced in a lot of places such as security groups, distribution lists, users, and Microsoft 365 groups. If there are many references that use the domain it can take several hours (a day) for the domain to be removed.
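Review bot: the two new sub-headings appear swapped relative to their bodies: "#### Change your domain nameserver records (if needed)" is followed by MX-record guidance, while "#### Update your domain MX and other DNS records" is the one that ends with changing NS records; either retitle or move the paragraphs. The cross-reference "(see Step 2)" in the first bullet points at a numbered step that does not exist in this section, so link to the relevant sub-heading by anchor instead. The lead sentence says "update the DNS records, such as your domain MX record", but only MX and NS are walked through; since the same paragraph notes that setup added other records, list them (or link the setup article's record list) so none are left pointing at the service after the domain is removed. Nit: `::: moniker-end` is fused onto the end of the `1. In the admin center, go to the **Settings**` line and needs its own line.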
admin Change Address Contact And More https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/change-address-contact-and-more.md
- Adm_O365 - Adm_TOC
+- commerce_billing
- AdminSurgePortfolio-- commcerce_billing - AdminTemplateSet - admindeeplinkMAC search.appverid: MET150
admin Access Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/access-resources.md
- Title: "Access on-premises resources from an Azure AD-joined device in Microsoft 365 Business"-- NOCSH-------- M365-subscription-management-- Adm_TOC--- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- AdminSurgePortfolio-- AdminTemplateSet-- BCS160-- MET150
-description: "Learn how to get access to on-premises resources like line of business apps, file shares, and printers from an Azure Active Directory joined Windows 10 device."
--
-# Access on-premises resources from an Azure AD-joined device in Microsoft 365 Business Premium
-
-This article applies to Microsoft 365 Business Premium.
-
-Any Windows 10 device that is Azure Active Directory joined has access to all cloud-based resources, such as your Microsoft 365 apps, and can be protected by Microsoft 365 Business Premium. You can also allow access to on-premises resources like line of business (LOB) apps, file shares, and printers. To allow access, use [Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect) to synchronize your on-premises Active Directory with Azure Active Directory.
-
-To learn more, see [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
-The steps are also summarized in the following sections.
-
-## Run Azure AD Connect
-
-Complete the following steps to enable your organization's Azure AD joined devices to access on-premises resources.
-
-1. To synchronize your users, groups, and contacts from local Active Directory into Azure Active Directory, run the Directory synchronization wizard and Azure AD Connect as described in [Set up directory synchronization for Office 365](../../enterprise/set-up-directory-synchronization.md).
-
-2. After the directory synchronization is complete, make sure your organization's Windows 10 devices are Azure AD joined. This step is done individually on each Windows 10 device. See [Set up Windows devices for Microsoft 365 Business Premium users](set-up-windows-devices.md) for details.
-
-3. Once the Windows 10 devices are Azure AD joined, each user must reboot their devices and sign in with their Microsoft 365 Business Premium credentials. All devices now have access to on-premises resources as well.
-
-No additional steps are required to get access to on-premises resources for Azure AD joined devices. This functionality is built into Windows 10.
-
-If you have plans to login to the AADJ device other than password method Like PIN/Bio-metric via WHFB credential login and then access on-premise resources (shares, printers, etc.), please follow [this article](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base).
-
-If your organization isn't ready to deploy in the Azure AD joined device configuration described above, consider setting up [Hybrid Azure AD Joined device configuration](manage-windows-devices.md).
-
-### Considerations when you join Windows devices to Azure AD
-
-If the Windows device that you Azure-AD joined was previously domain-joined or in a workgroup, consider the following limitations:
--- When a device Azure AD joins, it creates a new user without referencing an existing profile. Profiles must be manually migrated. A user profile contains information like favorites, local files, browser settings, and Start menu settings. A best approach is to find a third-party tool to map existing files and settings to the new profile.--- If the device is using Group Policy Objects (GPO), some GPOs may not have a comparable [Configuration Service Provider](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) (CSP) in Intune. Run the [MMAT tool](https://www.microsoft.com/download/details.aspx?id=45520) to find comparable CSPs for existing GPOs.--- Users might not be able to authenticate to applications that depend on Active Directory authentication. Evaluate the legacy app and consider updating to an app that uses modern Auth, if possible.--- Active Directory printer discovery won't work. You can provide direct printer paths for all users or use [Universal Print](/universal-print/).-
-### Related Articles
-
-[Prerequisites for Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites)
bookings Bookings Sms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-sms.md
Attendees, customers or partners need a valid United States or Canada phone numb
## Configure SMS notification in Microsoft Bookings > [!IMPORTANT]
-> Microsoft Bookings will have unlimited SMS notifications for customers with Bookings licenses until Feb 28, 2022. As we get closer to the end of the promotion period, we will provide additional details on licensing requirements. For more info on Bookings licensing, see [Bookings licensing](/microsoft-365/bookings/bookings-faq?view=o365-worldwide#who-has-access-to-microsoft-bookings-).
+> Microsoft Bookings will have unlimited SMS notifications for customers with Bookings licenses until April 30, 2022. As we get closer to the end of the promotion period, we will provide additional details on licensing requirements.
You can configure SMS notification in Bookings in a couple of ways:
You can configure SMS notification in Bookings in a couple of ways:
> [!NOTE] > You need to be a Teams admin to see Teams and Bookings data on the Teams admin center.
-You can track key data on SMS notifications usage in your organization in the Teams admin center. Usage reports includes data such as time and date sent, origin number, message type, event type and delivery status. You can use SMS notification telemetry during the promotional period to help forecast and budget for SMS notifications after March 1, 2022.
+You can track key data on SMS notifications usage in your organization in the Teams admin center. Usage reports includes data such as time and date sent, origin number, message type, event type and delivery status. You can use SMS notification telemetry during the promotional period to help forecast and budget for SMS notifications after May 1, 2022.
1. On the Teams admin center, **Virtual Visits SMS notifications**.
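Review bot: the rewritten IMPORTANT line (`+> Microsoft Bookings will have unlimited SMS notifications for customers with Bookings licenses until April 30, 2022.`) drops the trailing sentence that linked to Bookings licensing (`For more info on Bookings licensing, see [Bookings licensing](...)`); if that link is still valid, keep it, because the remaining sentence promises licensing details without pointing anywhere. The telemetry sentence's move from March 1 to May 1, 2022 is consistent with the new April 30 end date. Nit: "Usage reports includes" should be "Usage reports include" in both the removed and added versions of that line.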
contentunderstanding Content Assembly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/content-assembly.md
You can use a *published* modern template to quickly create similar documents wi
- Autofill placeholder values if able to uniquely identify a record for placeholders associated with the same list. > [!NOTE]
-> - Currently, only Microsoft Word documents (.docx extension) are supported for creating a template. Before uploading the document, ensure that the Word document doesn't have **Track changes** enabled or comments. If your document contains text placeholders for images, ensure that they are not text-wrapped.
+> - Currently, only Microsoft Word documents (.docx extension) are supported for creating a template. Before uploading the document, ensure that the Word document doesn't have **Track changes** enabled or comments. If your document contains text placeholders for images, ensure that they are not text-wrapped. We do not support **Content Controls** in Word at the moment. If you want to create a template from a Word document with content controls, please remove them before creating a modern template.
>- The template and the document are associated with one document library. To use the template in another document library, you will need to create the template again in that document library. >- The uploaded document that is used to create the modern template will be saved as a separate copy and placed in the /forms directory of the document library. The original file on the disk will be unaffected. >- You can create placeholders only for text. Currently, images, smart art, tables, and bullet lists are not supported.
contentunderstanding Use Content Center Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/use-content-center-site.md
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium- description: Learn how to provision and use the Content Center site template in Microsoft SharePoint Syntex. # Use the Content Center site template for Microsoft SharePoint Syntex
-The SharePoint Syntex Content Center site is a ready-to-deploy SharePoint site template designed to help you better understand SharePoint Syntex capabilities.
+The SharePoint Syntex Content Center site is a ready-to-deploy instructional SharePoint site template designed to help you better understand SharePoint Syntex capabilities.
You'll be introduced to the tools and information youΓÇÖll need to create and train your own models. You'll then be able to use this site as a central content repository or as the control center for managing your own SharePoint Syntex models.
contentunderstanding Use Contracts Management Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/use-contracts-management-site.md
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium- description: Learn how to provision, use, and customize the Contracts Management site template in Microsoft SharePoint Syntex.
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
description: Learn about where to access the Windows and Office Deployment Lab K
# Windows and Office 365 deployment lab kit
-The Windows and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, the Office Customization Tool, OneDrive, Windows Autopilot, and more. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation.
+The Windows and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, OneDrive, Windows Autopilot, and more. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation.
**Windows 10 and Windows 11 versions of the lab kit are now available for free download in the Microsoft Evaluation Center.**
Detailed lab guides take you through multiple deployment and management scenario
[Download the Windows 11 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit) > [!NOTE]
-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires February 15, 2022. The Windows 11 lab expires April 11, 2022. New versions will be published prior to expiration.
+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires May 16, 2022. The Windows 11 lab expires April 11, 2022. New versions will be published prior to expiration.
## Additional guidance
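Review bot: the updated NOTE sets the Windows 10 lab expiry to May 16, 2022 while leaving the Windows 11 lab at April 11, 2022; confirm the Windows 11 date is still current, since the newer lab now expires before the older one. The same change silently removes "the Office Customization Tool" from the list of labs covered; if that lab was dropped from the kit, a short mention would help readers who relied on it.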
lighthouse M365 Lighthouse Configure Portal Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Protecting access to customer data when a Managed Service Provider (MSP) has delegated access permissions to its tenants is a cybersecurity priority. Microsoft 365 Lighthouse comes with both required and optional capabilities to help you configure Lighthouse portal security.
+Protecting access to customer data when a Managed Service Provider (MSP) has delegated access permissions to its tenants is a cybersecurity priority. Microsoft 365 Lighthouse comes with both required and optional capabilities to help you configure Lighthouse portal security. You must set up specific roles with multifactor authentication (MFA) enabled before you can access Lighthouse. You can optionally set up Azure AD Privileged Identity Management (PIM) and Conditional Access.
## Set up multifactor authentication (MFA)
As mentioned in the blog post [Your Pa$$word doesn't matter](https://techcommun
When users access Lighthouse for the first time, they'll be prompted to set up MFA if their Microsoft 365 account doesn't already have it configured. Users won't be able to access Lighthouse until the required MFA setup step is completed. To learn more about authentication methods, see [Set up your Microsoft 365 sign-in for multifactor authentication](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14).
-## Set up roles to manage customer tenants
+## Set up role-based access control
-Access to customer tenant data and settings in Lighthouse is restricted to the Admin Agent and Helpdesk Agent roles from the Cloud Solutions Provider (CSP) program.
+Role-based access control (RBAC) grants access to resources or information based on user roles. Access to customer tenant data and settings in Lighthouse is restricted to specific roles from the Cloud Solution Provider (CSP) program. To set up RBAC roles in Lighthouse, we recommend using Granular Delegated Admin Privileges (GDAP) to implement granular assignments for users.
-You can check which users in the partner tenant have the Admin Agent and Helpdesk Agent roles by reviewing the security group memberships on the [Azure AD ΓÇô All Groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) page. To learn how to assign CSP program roles and other permissions to users, see [Assign roles and permissions to users](/partner-center/permissions-overview). As an MSP, if you don't already have delegated access privileges to customer tenants, learn how to get them in the article [Obtain permissions to manage a customer's service or subscription](/partner-center/customers-revoke-admin-privileges).
+To get started with GDAP, see [Set up roles to manage customer tenants](m365-lighthouse-set-up-roles.md).
-The following table lists the different Lighthouse pages and the permissions required to view and act on customer tenant data and settings for the Admin Agent and Helpdesk Agent roles.<br><br>
+MSP technicians may also access Lighthouse by using Admin Agent or Helpdesk Agent roles via Delegated Admin Privileges (DAP).
-| Lighthouse page | Admin Agent permissions | Helpdesk Agent permissions |
-|--|--|--|
-| Home | <ul><li>View all</li></ul> | <ul><li>View all</li></ul> |
-| Tenants | <ul><li>View all</li><li>Update customer contacts and website</li><li>View and apply deployment plans</li></ul> | <ul><li>View all</li><li>Update customer contacts and website</li><li>View deployment plans</li></ul> |
-| Users | <ul><li>View all</li><li>Reset password</li><li>Block sign-in</li><li>Enable MFA</li></ul> | <ul><li>View all</li><li>Reset password</li><li>Block sign-in</li></ul> |
-| Devices | <ul><li>View all</li></ul> | <ul><li>View all</li></ul> |
-| Threats | <ul><li>View all</li><li>Run quick scan</li><li>Run full scan</li><li>Reboot device</li><li>Update antivirus</li></ul> | <ul><li>View all</li></ul> |
-| Baselines | <ul><li>View all</li></ul> | <ul><li>View all</li></ul> |
-| Service health | <ul><li>View all*</li></ul> | <ul><li>View all*</li></ul> |
-
-> [!NOTE]
-> Currently, to take the actions marked with * in the table, users will also need to have the Azure AD role in the partner tenant with the following property set: **microsoft.office365.serviceHealth/allEntities/allTasks**. For a list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
-
-Given the broad permissions associated with the Admin Agent role, we suggest adhering to the principle of [least privileged access](/azure/active-directory/develop/secure-least-privileged-access) when designating a partner tenant user as an Admin Agent versus Helpdesk Agent. One way to do this is to assign the Helpdesk Agent role to the required partner tenant users. This lets them view customer data and settings but not make broad changes. Then, when needed, use the just-in-time access approval capabilities of Azure AD Privileged Identity Management (PIM) to give users a time-scoped Admin Agent role.
+For non-customer tenant-related actions in Lighthouse (for example, onboarding, customer deactivating/reactivating, managing tags, reviewing logs), MSP technicians must have an assigned role in the partner tenant. The previous article link details such roles and their permissions in Lighthouse.
## Set up Azure AD Privileged Identity Management (PIM)
-MSPs can minimize the number of people who have access to secure information or resources by using Azure AD Privileged Identity Management (PIM). PIM reduces the chance of a malicious person gaining access to resources or authorized users inadvertently impacting a sensitive resource. MSPs can also grant users just-in-time privileged access to resources and monitor what the designated users are doing with their privileged access.
+MSPs can minimize the number of people who have high-privilege role access to secure information or resources by using PIM. PIM reduces the chance of a malicious person gaining access to resources or authorized users inadvertently impacting a sensitive resource. MSPs can also grant users just-in-time high privilege roles to access resources, make broad changes, and monitor what the designated users are doing with their privileged access.
> [!NOTE] > Using Azure AD PIM requires an Azure AD Premium P2 license in the partner tenant.
-The following steps elevate partner tenant users to time-scoped Admin Agent roles by using Azure AD PIM:
+The following steps elevate partner tenant users to time-scoped higher privilege roles by using PIM:
-1. Create a role-assignable group as described in the article [Create a group for assigning roles in Azure Active Directory](/azure/active-directory/roles/groups-create-eligible).
+1. Create a role-assignable group as described in the article [Create a group for assigning roles in Azure Active Directory](/azure/active-directory/roles/groups-create-eligible).
-2. Go to [Azure AD ΓÇô All Groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) and add the new group as a member of the Admin Agents group.
+2. Go to [Azure AD – All Groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) and add the new group as a member of a security group for high-privilege roles (for example, Admin Agents security group for DAP or a similarly respective security group for GDAP roles).
-3. Set up privileged access to the new group as described in the article [Assign eligible owners and members for privileged access groups](/azure/active-directory/privileged-identity-management/groups-assign-member-owner).
+3. Set up privileged access to the new group as described in the article [Assign eligible owners and members for privileged access groups](/azure/active-directory/privileged-identity-management/groups-assign-member-owner).
-To learn more, see [What is Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)
+To learn more about PIM, see [What is Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)
-## Other roles and permissions
+## Set up risk-based Azure AD Conditional Access
-The following table lists partner tenant roles and their associated permissions.<br><br>
-
-| Partner tenant roles | Permissions within partner tenant |
-|--|--|
-| Global Administrator of partner tenant | <ul><li>Sign up for Lighthouse in the Microsoft 365 admin center.</li><li>Accept partner contract amendments during the first-run experience.</li><li>View customer tenants on the Tenants page.</li><li>Activate and inactivate a tenant.</li><li>Update customer contacts and website.</li><li>Create, update, and delete tags.</li><li>Assign and remove tags from a customer tenant.</li></ul> |
-| Administrator of partner tenant with at least one<br> Azure AD role assigned with the following property set:<br> **microsoft.office365.supportTickets/allEntities/allTasks**<br> (For a list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).) | <ul><li>Create Lighthouse service requests.</li></ul> |
+MSPs may use risk-based Conditional Access to make sure their staff members prove their identity by using MFA and by changing their password when detected as a risky user (with leaked credentials or per Azure AD threat intelligence). Users must also sign in from a familiar location or registered device when detected as a risky sign-in. Other risky behaviors include signing in from a malicious or anonymous IP address or from an atypical or impossible travel location, using an anomalous token, using a password from a password spray, or exhibiting other unusual sign-in behavior. Depending on a user's risk level, MSPs may also choose to block access upon sign-in. To learn more about risks, see [What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks)
+> [!NOTE]
+> Conditional Access requires an Azure AD Premium P2 license in the partner tenant. To set up Conditional Access, see [Configuring Azure Active Directory Conditional Access](/appcenter/general/configuring-aad-conditional-access).
## Related content
+[Password reset permissions](/azure/active-directory/roles/permissions-reference) (article) \
+[Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md) (article)\
[Overview of Microsoft 365 Lighthouse](m365-lighthouse-overview.md) (article)\ [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)\
-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
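Review bot: the new NOTE under "Set up risk-based Azure AD Conditional Access" links to `/appcenter/general/configuring-aad-conditional-access`, which is an App Center documentation path rather than an Azure AD Conditional Access article; point it at the Azure AD Conditional Access docs. The same NOTE states the P2 requirement for "Conditional Access" in general, but the section is scoped to risk-based policies, so qualify it as "Risk-based Conditional Access requires an Azure AD Premium P2 license" to match the heading. The removed paragraph carried the least-privilege guidance (hold Helpdesk Agent by default, elevate to Admin Agent via PIM only when needed); the new PIM section elevates to "higher privilege roles" but no longer says which role users should hold by default, so restate that guidance for the GDAP case. Smaller items: "Cloud Solution Provider" in the new RBAC paragraph differs from "Cloud Solutions Provider" in the line it replaces; "The previous article link details such roles" is an ambiguous reference, name the article ([Set up roles to manage customer tenants](m365-lighthouse-set-up-roles.md)); "a similarly respective security group for GDAP roles" in PIM step 2 reads better as "the corresponding security group for the GDAP role"; and the new Related content entry labels `/azure/active-directory/roles/permissions-reference` as "Password reset permissions" while the removed table called the same path "Azure AD built-in roles", so the label is misleading.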
lighthouse M365 Lighthouse Deploy Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse baselines let you deploy standard managed-tenant configurations to secure users, devices, and data within customer tenants. There are six default baseline configurations that come standard with Lighthouse:
+Microsoft 365 Lighthouse baselines let you deploy standard managed-tenant configurations to secure users, devices, and data within customer tenants. There are seven default baseline configurations that come standard with Lighthouse:
- Require MFA for admins - Require MFA for end users - Block Legacy Authentication - Set up Device Enrollment in Microsoft Endpoint Manager ΓÇô Azure AD Join-- Configure Defender Antivirus policy for Windows devices-- Configure Compliance Policy for Windows devices
+- Configure Defender Antivirus policy for Windows 10 and later
+- Configure Microsoft Defender Firewall for Windows 10 and later
+- Configure Compliance Policy for Windows 10 and later
## Before you begin
Make sure you and your customer tenants meet the requirements listed in [Require
## Learn more about the default baseline
-Select **Baselines** from the left navigation pane to open the Baselines page. You'll see that the default baseline has already been added to the Default tenant group (all tenants). To view the default baseline configurations, select **View baseline** to open the Default baseline page. The configurations are listed as deployment steps. Select any of the deployment steps to view deployment details and user impact.
+Select **Baselines** from the left navigation pane in Lighthouse to open the Baselines page. You'll see that the default baseline has already been added to the Default tenant group (all tenants). To view the default baseline configurations, select **View baseline** to open the Default baseline page. The configurations are listed as deployment steps. Select any of the deployment steps to view deployment details and user impact.
:::image type="content" source="../media/m365-lighthouse-deploy-baselines/default-baseline-page.png" alt-text="Screenshot of the Default baseline page.>.":::
Select **Baselines** from the left navigation pane to open the Baselines page. Y
4. Select a deployment step to open the deployment step page.
-5. Select **Apply** to apply the selected deployment step to the tenant. If the deployment step indicates "This action requires a manual step", make sure to complete the manual step so the deployment step is applied correctly.
+5. Select **Review and Apply** to apply the selected deployment step to the tenant. If the deployment step indicates "This action requires a manual step", make sure to complete the manual step so the deployment step is applied correctly.
## Related content [Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)\
-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
+[Microsoft 365 lighthouse Tenants page overview](m365-lighthouse-tenants-page-overview.md) (article)\
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)\
+[Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md) (article)
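Review bot: the new Related content entry `[Microsoft 365 lighthouse Tenants page overview]` has lowercase "lighthouse", inconsistent with the other entries. The unchanged image line still carries a stray `>.` inside its alt text (`alt-text="Screenshot of the Default baseline page.>."`), which renders to screen readers; worth fixing in the same commit. The count change from six to seven matches the new list (three "Windows 10 and later" items replacing two "Windows devices" items).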
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you to assess and manage Microsoft 365 security settings across multiple customer tenants. Baselines also help monitor core security policies and tenant compliance standards with configurations that secure users, devices, and data.
+Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you to manage Microsoft 365 security settings across multiple customer tenants. Baselines also help monitor core security policies and tenant compliance standards with configurations that secure users, devices, and data.
-Designed to help partners enable customer adoption of security at their own pace, Lighthouse provides a standard set of baseline parameters and pre-defined configurations for Microsoft 365 services. These security configurations help measure your tenants' Microsoft 365 security and compliance progress.
+Designed to help Managed Service Providers (MSPs) enable customer adoption of security, Lighthouse provides a standard set of baseline parameters and pre-defined configurations for Microsoft 365 services. These security configurations help measure your tenants' Microsoft 365 security and compliance progress.
-You can view the default baseline and its deployment steps from within Lighthouse. To apply baselines to a tenant, select **Tenants** in the left navigation pane, and then select a tenant. Next, go to the **Deployment plans** tab and implement the desired baseline.
+You can view the default baseline and its deployment steps from within Lighthouse. To apply a baseline to a tenant, select **Tenants** in the left navigation pane, and then select a tenant. Next, go to the **Deployment plans** tab and implement the baseline.
-## Standard baseline security templates
+## Default baseline security templates
-Lighthouse standard baseline configurations for security workloads are designed to help all managed tenants reach an acceptable state of security coverage and compliance.
+Lighthouse default baseline configurations for security workloads are designed to make sure all managed tenants are secure and compliant.
The baseline configurations in the following table come standard with the Lighthouse default baseline.<br><br> | Baseline configuration | Description | |--|--|
-| Require MFA for admins | A Conditional Access policy requiring multifactor authentication for admins. It's required for all cloud applications. |
-| Require MFA for end users | A Conditional Access policy that requires multifactor authentication for users. It's required for all cloud applications. |
-| Block legacy authentication | A Conditional Access policy to block legacy client authentication. |
-| Set up device enrollment | Device enrollment to allow your tenant devices to enroll in Microsoft Endpoint Manager. This is done by setting up Auto Enrollment between Azure Active Directory and Microsoft Endpoint Manager. |
-| Configure Microsoft Defender Antivirus for Windows 10 and later | A Device Configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. |
-| Configure a device compliance policy for Windows 10 and later | A Windows device policy with pre-configured settings to meet basic compliance requirements. |
+| Require MFA for admins | A Conditional Access policy requiring multi-factor authentication for all admins. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa).|
+| Require MFA for end users | A Conditional Access policy that requires multi-factor authentication for all users. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa). |
+| Block legacy authentication | A Conditional Access policy to block legacy client authentication. For more information about this baseline, see [Block legacy authentication to Azure AD with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).|
+| Set up device enrollment | Device enrollment to allow your tenant devices to enroll in Microsoft Endpoint Manager. This is done by setting up Auto Enrollment between Azure Active Directory and Microsoft Endpoint Manager. For more information about this baseline, see [Set up enrollment for Windows devices](/mem/intune/enrollment/windows-enroll). |
+| Configure Microsoft Defender Antivirus for Windows 10 and later | A device configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. For more information about this baseline, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure).|
+| Configure Microsoft Defender Firewall for Windows 10 and later | A firewall policy to help secure devices by preventing unwanted and unauthorized network traffic. For more information about this baseline, see [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring). |
+| Configure a device compliance policy for Windows 10 and later | A Windows device policy with pre-configured settings to meet basic compliance requirements. For more information about this baseline, see [Conditional Access: Require compliant or hybrid Azure AD joined device](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device). |
+ ## Related content [Deploy Microsoft 365 Lighthouse baselines](m365-lighthouse-deploy-baselines.md) (article)\
+[Common Conditional Access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common) (article)\
[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
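Review bot: two of the new "For more information" links in the baseline table point at articles about a different feature than the row describes: the "Configure Microsoft Defender Antivirus for Windows 10 and later" row links to "Configure Microsoft Defender for Endpoint in Intune", and the "Configure a device compliance policy for Windows 10 and later" row links to the Conditional Access article "Require compliant or hybrid Azure AD joined device", which consumes compliance state rather than explaining how the compliance policy itself is configured. Link each row to the documentation for what the baseline actually deploys (the Defender Antivirus device configuration profile and the Intune compliance policy), or say in the Description that the linked article covers the related Conditional Access control. Separately, the rewritten sentence "Lighthouse default baseline configurations ... are designed to make sure all managed tenants are secure and compliant" overstates what a set of policies can do; the removed wording "help all managed tenants reach an acceptable state of security coverage and compliance" was the more defensible claim. Finally, the two MFA rows introduce the spelling "multi-factor" while the audit-log table in this same update keeps "multifactor" ("Enable multifactor authentication (MFA) with security defaults"); pick one spelling across the Lighthouse articles.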
lighthouse M365 Lighthouse Get Help And Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-get-help-and-support.md
Title: "Get help and support for Microsoft 365 Lighthouse"
+f1.keywords: CSH
lighthouse M365 Lighthouse Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-requirements.md
MSPs must be enrolled in the Cloud Solution Provider (CSP) program as an Indirec
In addition, each MSP customer tenant must qualify for Lighthouse by meeting the following requirements: -- Delegated Admin PrivilegesΓÇ»(DAP) for the MSP
+- Delegated Admin PrivilegesΓÇ»(DAP) or Granular Delegated Admin Privileges (GDAP) for the MSP
- At least one Microsoft 365 Business Premium or Microsoft 365 E3 license -- Fewer than 500 licensed users 
+- Fewer than 1000 licensed users 
-## Requirements for enabling device management  
+## Requirements for enabling device management
-To view customer tenant devices on the device management pages, a MSP must:   
+To view customer tenant devices on the device management pages, a MSP must:
- Enroll all customer devices in Microsoft Endpoint Manager (MEM). For more information, see [Enroll devices in Microsoft Intune](/mem/intune/enrollment/). - Assign compliance policies to all customer devices. For more information, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy).
Microsoft Defender Antivirus is part of the Windows operating system and is enab
> [!NOTE] > If you're using a non-Microsoft antivirus solution and not Microsoft Defender Antivirus, Microsoft Defender Antivirus is disabled automatically. When you uninstall the non-Microsoft antivirus solution, Microsoft Defender Antivirus is activated automatically to protect your Windows devices from threats.   
-## Related content  
+## Related content
[Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md) (article)\ [Microsoft 365 Lighthouse Device compliance page overview](m365-lighthouse-device-compliance-page-overview.md) (article)\
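Review bot: the new user-count requirement "Fewer than 1000 licensed users" does not agree with the troubleshooting article added in this same update, which says "Must have no more than 1000 licensed users" and "more than the maximum of 1000 licensed users allowed by Lighthouse": one wording excludes a tenant with exactly 1000 licensed users, the other admits it. Settle the boundary and use the same phrase in both articles. In the added DAP/GDAP bullet, "Delegated Admin PrivilegesΓÇ»(DAP)" carries a mis-encoded non-breaking space between "Privileges" and "(DAP)", inherited from the removed line; replace it with a plain space. The same change strips trailing whitespace from the two headings and the "To view customer tenant devices..." sentence but keeps it on "Fewer than 1000 licensed users "; and that sentence still reads "a MSP" where "an MSP" is correct.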
lighthouse M365 Lighthouse Review Audit Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md
The following table lists activities captured within Lighthouse audit logs. The
| Activity name | Area in Lighthouse | Action initiated | Service impacted | |--|--|--|--|
-| **apply** | Tenants | Apply deployment plan | Azure AD, Microsoft Endpoint Manager (MEM) |
+| **apply** or **deploy** | Tenants | Apply a deployment plan | Azure AD, Microsoft Endpoint Manager (MEM) |
| **assignTag** | Tenants | Apply a tag from a customer | Lighthouse |
-| **changeDeploymentStatus** | Tenants | Action plan status for deployment plan | Lighthouse |
+| **changeDeploymentStatus** or **assign** | Tenants | Update action plan status for deployment plan | Lighthouse |
+| **managedTenantOperations** | Tenants | View information on a deployment plan | Azure AD |
| **offboardTenant** | Tenants | Inactivate a customer | Lighthouse | | **resetTenantOnboardingStatus** | Tenants | Reactive a customer | Lighthouse | | **tenantTags** | Tenants | Create or delete a tag | Lighthouse | | **tenantCustomizedInformation** | Tenants | Create, update, or delete a customer website or contact information | Lighthouse | | **unassignTag** | Tenants | Remove a tag from a customer | Lighthouse |
+| **validate** | Tenants | Test a deployment plan | Azure AD |
| **blockUserSignin** | Users | Block sign-in | Azure AD | | **confirmUsersCompromised** | Users | Confirm a user is compromised | Azure AD | | **dismissUsersRisk** | Users | Dismiss user risk | Azure AD | | **resetUserPassword** | Users | Reset password | Azure AD |
+| **getConditionalAccessPolicies** | Users | View CA policies requiring MFA | Azure AD |
+| **getTenantIDToTenantNameMap** | Users | Search for IDs | Azure AD |
+| **getUsers** | Users | Search for users | Azure AD |
+| **getUsersWithoutMfa** | Users | View users not registered for MFA | Azure AD |
+| **getSsprEnabledButNotRegisteredUsers** | Users | View users not registered for SSPR | Azure AD |
| **setCustomerSecurityDefaultsEnabledStatus** | Users | Enable multifactor authentication (MFA) with security defaults | Azure AD |
+|**getCompliancePolicyInfo** | Devices | View a policy | MEM
+|**getDeviceCompliancePolicyStates** | Devices | View policy states | MEM
+|**getDeviceCompliancePolicySettingStates** | Devices | View non-compliant settings | MEM
+|**getDeviceCompliancePolicySettingStateSummaries** | Devices | View non-compliant devices | MEM
+|**getTenantsDeviceCompliancePolicies** | Devices | Compare policies | MEM
| **restartDevice** | Devices | Restart | MEM | | **syncDevice** | Devices | Sync | MEM | | **rebootNow** | Threat management | Reboot | MEM | | **reprovision** | Windows 365 | Retry provisioning | Windows 365 |
+| **getDeviceUserInfo** | Threat management | View managed device user information | MEM |
+| **getManagedDevice**, **remoteActionAudits**, or **deviceActionResults** | Threat management | View managed device information | MEM |
| **windowsDefenderScanFull** | Threat management | Full scan | MEM | | **windowsDefenderScan** | Threat management | Quick scan | MEM | | **windowsDefenderUpdateSignatures** | Threat management | Update antivirus | MEM |
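Review bot: the five new Devices rows ("getCompliancePolicyInfo" through "getTenantsDeviceCompliancePolicies") omit the closing "|" and the space after the opening "|" that every other row in this table uses; most renderers tolerate a missing trailing pipe, but make the rows consistent so the "Service impacted" cell is unambiguous. With this change the table now mixes read-only activities (every "get*" entry, described as "View ..." or "Search for ...") with state-changing ones such as apply, assignTag, resetUserPassword and restartDevice; a sentence above the table, or a marker in the "Action initiated" column, saying which activities only read data would help a reader who is filtering the audit log for changes made to customer tenants. While touching this table, the unchanged row "**resetTenantOnboardingStatus** | Tenants | Reactive a customer" should read "Reactivate a customer".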
lighthouse M365 Lighthouse Set Up Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-set-up-roles.md
+
+ Title: "Set up roles to manage customer tenants"
+f1.keywords: CSH
+++
+audience: Admin
+
+ms.localizationpriority: medium
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- M365-Lighthouse
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to set up roles to manage customer tenants."
++
+# Set up roles to manage customer tenants
+
+> [!NOTE]
+> The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
+
+Managed Service Providers (MSPs) may enable granular and time-bound access to their customer tenants in Microsoft 365 Lighthouse by configuring Granular Delegated Admin Privileges (GDAP) in Partner Center. GDAP offers MSPs a high level of control and flexibility by providing customer access through [Azure Active Directory (Azure AD) built-in roles](/azure/active-directory/roles/permissions-reference). Assigning [the least privileged roles by task](/azure/active-directory/roles/delegate-by-task) through GDAP to MSP technicians reduces security risk for both MSPs and customers. Enable GDAP to assign more granular roles to your technicians who use Lighthouse and adopt a least-privileged approach to security across customer tenants.
+
+If MSP technicians still access customer environments with the Helpdesk Agent or Admin Agent roles granted through Delegated Admin Privileges (DAP), see [DAP in Lighthouse](#dap-in-lighthouse) in this article. If both GDAP and DAP coexist, roles granted to users through GDAP take precedence for customers where a GDAP relationship has been established.
+
+## Set up GDAP in Lighthouse
+
+The high-level steps below are required to create a GDAP relationship with a customer. For more information on GDAP, see [Introduction to granular delegated admin privileges (GDAP).](/partner-center/gdap-introduction)
+
+1. [Categorize users into security groups](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal#create-a-basic-group-and-add-members) within the partner tenant's Azure AD.
+
+2. [Create and send a GDAP relationship request](/partner-center/gdap-obtain-admin-permissions-to-manage-customer) to the customer.
+
+3. Make sure the [customer approves the GDAP relationship request](/partner-center/gdap-customer-approval).
+
+4. [Assign the relevant security groups](/partner-center/gdap-assign-azure-ad-roles#grant-permissions-to-security-groups) to the GDAP relationship.
+
+5. Assign the appropriate [Azure Active Directory built-in roles](/azure/active-directory/roles/permissions-reference) to the Lighthouse security groups aligned for customer management.
+
+We recommend naming security groups based on the tasks MSP technicians handle in Lighthouse. For example, you could create security groups for helpdesk technicians, system administrators, and escalation engineers. We recommend using the roles outlined in the following table to manage Lighthouse.
+
+### Example security groups
+
+||Helpdesk technicians |System administrators |Escalation engineers|
+|--|-|-||
+|**Recommended GDAP roles** |<ul><li>Helpdesk Administrator</li><li>Security Reader</li></ul> |<ul><li>User Administrator</li><li>Authentication Administrator</li><li>Global Reader</li><li>Intune Administrator</li><li>Security Administrator</li></ul> |Global Administrator |
+|**Tasks** |Read customer information in Lighthouse and take limited actions (for example, resetting user passwords or updating contact information) |Maintain customer security by taking corrective actions in Lighthouse (for example, rebooting devices). |Take privileged actions when needed to protect the customer tenant (for example, blocking sign-in of a compromised administrator). |
+
+For descriptions of specific permissions, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). For partner-specific roles and tasks, see [Least-privileged roles](/partner-center/gdap-least-privileged-roles-by-task).
+
+## DAP in Lighthouse
+
+DAP restricts access to customers in Lighthouse with two roles: Admin Agent and Helpdesk Agent. You can check which users in the partner tenant have the Admin Agent or Helpdesk Agent roles by reviewing security group memberships on the [Azure AD ΓÇô All Groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) page. To review which customers still have DAP in place, see [Monitoring administrative relationships and self-service DAP removal](/partner-center/dap-monitor-self-serve-removal).
+
+For customers with DAP and no GDAP, the Admin Agent role grants permissions to view all tenant information and take any action in Lighthouse (see below for other actions that also require a role in the partner tenant).
+
+The Helpdesk Agent role grants permissions to view all tenant information and take limited action in Lighthouse (such as resetting user passwords, blocking user sign-ins, and updating customer contact information and websites).
+
+Given the broad permissions granted to partner users with DAP, we recommend adopting GDAP as soon as possible. Both models coexist, but GDAP will eventually replace DAP, and GDAP permissions take precedence over DAP permissions during the transition period. For more information, see [GDAP frequently asked questions](/partner-center/gdap-faq).
+
+## Other roles and permissions
+
+For certain actions in Lighthouse, role assignments in the partner tenant are required. The following table lists partner tenant roles and their associated permissions.<br><br>
++
+| Partner tenant roles | Permissions |
+|--|--|
+| Global Administrator of partner tenant | <ul><li>Sign up for Lighthouse in the Microsoft 365 admin center.</li><li>Accept partner contract amendments during the first-run experience.</li><li>Activate and inactivate a tenant.</li><li>Create, update, and delete tags.</li><li>Assign and remove tags from a customer tenant.</li></ul> |
+| Partner tenant member with at least one Azure AD role assigned with the following property set: **microsoft.office365.supportTickets/allEntities/allTasks**<br>(For a complete list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). | Create Lighthouse service requests. |
+| Partner tenant member who meets *both* of the following requirements: <ul><li>Has at least one Azure AD role assigned with the following property set: **microsoft.office365.serviceHealth/allEntities/allTasks**<br>(For a complete list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference)</li><li>Has at least one DAP delegated role assigned (Admin Agent or Helpdesk Agent)</li></ul> | View service health information. |
+
+## Next steps
+
+After creating roles, you must set up additional Lighthouse portal security, specifically multifactor authentication (MFA) and optionally Azure AD Identity Management (PIM). For more information, see [Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md).
+
+## Related content
+
+[Least privileged roles by task](/partner-center/gdap-least-privileged-roles-by-task?branch=pr-en-us-2577) (article)
+[Delegated administration privileges (DAP) FAQ](/partner-center/dap-faq) (article)
+[Assign roles and permissions to users](/partner-center/permissions-overview) (article)
+[Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md) (article)
+[Overview of Microsoft 365 Lighthouse](m365-lighthouse-overview.md) (article)
+[Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
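Review bot: the first Related content link points at /partner-center/gdap-least-privileged-roles-by-task?branch=pr-en-us-2577; the ?branch=... query string is a preview-build parameter and should be dropped before this ships. The Related content entries also lack the trailing "\" line break used by the other Lighthouse articles in this update, so the seven links will render as one run-on paragraph. In the "Example security groups" table the delimiter row "|--|-|-||" ends with an empty cell, which is not a valid delimiter for the fourth column; use "|--|--|--|--|". In "Other roles and permissions", both "(For a complete list of Azure AD roles, see [Azure AD built-in roles](...)" parentheticals are opened and never closed. In "Next steps", "Azure AD Identity Management (PIM)" should read "Azure AD Privileged Identity Management (PIM)". On the substance: the table recommends Global Administrator as the standing GDAP role for escalation engineers in an article whose stated purpose is assigning the least privileged roles by task; since the introduction describes GDAP access as time-bound and Next steps mentions PIM, consider saying here that the Global Administrator assignment for that group should be time-bound or activated through PIM rather than a permanent group membership. Also, "(see below for other actions that also require a role in the partner tenant)" would be clearer as a link to the "Other roles and permissions" section, and the "Azure AD ΓÇô All Groups" link text carries a mis-encoded dash.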
lighthouse M365 Lighthouse Tenants Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview.md
After your tenants meet the [Lighthouse onboarding requirements](m365-lighthous
The tenant list lets you: - Automatically sort tenants by active, inactive, and ineligible.-- Export the tenant list-- Assign and manage tags-- Search for tenants by name
+- Export the tenant list.
+- Assign and manage tags.
+- Search for tenants by name.
- Filter tenants by status, delegated administrative privilege (DAP), and tags.
-To inactivate the tenant or view and manage tags, select the three dots next to the tenant name. You can view individual tenants by either selecting the tenant name or by selecting one of the tags assigned to the tenant.
+To inactivate the tenant or view and manage tags, select the three dots (more actions) next to the tenant name. You can view individual tenants by either selecting the tenant name or by selecting one of the tags assigned to the tenant.
## Tenant status
-The following table shows the different statuses and their meaning.
+The following table shows the different statuses and their meaning.<br><br>
-| Status | Description |
-||--|
-| Active | Onboarding and data flow has started. |
-| Inactive | Tenant is no longer active. |
-| In process | Tenant discovered, but not fully onboarded. |
-| Ineligible, Delegated access required | Delegated Admin Privileges (DAP) setup is required. |
-| Ineligible, Missing required license | Tenant does not have required license. |
-| Ineligible, User count exceeded | Tenant has more users than allowed. |
-| Ineligible, Contract type | Tenant does not have a contract. |
+| Status | Description |
+|||
+| Active | Tenant onboarding and data flow have started. |
+| Inactive | Tenant was offboarded at the request of the MSP and is no longer being managed in Lighthouse. |
+| In process | Tenant discovered but not fully onboarded. |
+| Ineligible - DAP or GDAP isn't set up | Partner must have delegated (DAP) or granular delegated (GDAP) admin privileges set up with the tenant. |
+| Ineligible - Required license is missing | Tenant doesn't have the required license. |
+| Ineligible - User count exceeded | Tenant has more users than allowed. |
+| Ineligible - Geo check failed | Partner and customer must reside in the same geographic location. |
Once you inactivate a tenant, you can't take action on the tenant until the inactivation process completes. It may take up to 48 hours for inactivation to complete. If you decide to reactivate a tenant, it may take up to 48 hours for data to reappear.
On the Overview tab, you can view tenant overview, contact information, and Micr
#### Tenant overview card
-The Tenant overview card provides information about the tenant from its Microsoft 365 account.
+The Tenant overview card provides information about the tenant from its Microsoft 365 account.<br><br>
| Tenant Information | Description| |--|| | Headquarters | Where the tenant is located.|
-| Industry |The organizationΓÇÖs industry.|
-| Website |The organizationΓÇÖs website. You may edit this field if no data is provided.|
-| Customer domain |The organizationΓÇÖs domain.|
+| Industry |The organization's industry.|
+| Website |The organization's website. You may edit this field if no data is provided.|
+| Customer domain |The organization's domain.|
| Total users |The number of users assigned in the tenant. You may select this number to open the Users page for that tenant.| | Total devices|The number of devices enrolled in the tenant. You may select this number to open the Devices page for that tenant.|
Lighthouse provides insights into Microsoft 365 services usage, including how ma
The Microsoft 365 Usage card contains two sections: -- Microsoft 365 Lighthouse-enabled services ΓÇô Services that can be managed within the Lighthouse portal.-- Additional Microsoft 365 services ΓÇô Services that are included in the Microsoft 365 suite but canΓÇÖt be managed within the Microsoft 365 Lighthouse portal at this time.
+- **Microsoft 365 Lighthouse-enabled
+- **Additional Microsoft 365
### Deployment Plans tab
-The Deployment Plans tab provides status on a tenantΓÇÖs deployment plan. The deployment steps in the list are based on the baseline applied to the tenant. To see deployment step details, select a deployment step from the list.
+The Deployment Plans tab provides status on a tenant's deployment plan. The deployment steps in the list are based on the baseline applied to the tenant. To see deployment step details, select a deployment step from the list.
The Deployment Plans tab also includes the following options:
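Review bot: the new Tenant status table's delimiter row "|||" contains no dashes, so the table will not render as a table (the removed "||--|" had the same defect in its first column); use "|--|--|". The status label "Ineligible - DAP or GDAP isn't set up" differs from the troubleshooting article in this same update, which spells the same status "Ineligible - DAP or GDAP is not set up"; readers match these strings against what the portal shows, so use one form in both articles. The unchanged bullet "Filter tenants by status, delegated administrative privilege (DAP), and tags" still mentions only DAP although this change adds GDAP to the eligibility statuses; confirm whether the filter covers GDAP relationships as well. The two new Microsoft 365 Usage bullets ("**Microsoft 365 Lighthouse-enabled" and "**Additional Microsoft 365") appear cut off in this view with their bold markers unclosed; verify the complete lines in the source.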
lighthouse M365 Lighthouse Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-troubleshoot.md
+
+ Title: "Troubleshoot and resolve problems and error messages in Microsoft 365 Lighthouse"
+f1.keywords: NOCSH
+++
+audience: Admin
+
+ms.localizationpriority: medium
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- M365-Lighthouse
+search.appverid: MET150
+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, get help troubleshooting and resolving error messages and problems."
++
+# Troubleshoot and resolve problems and error messages in Microsoft 365 Lighthouse
+
+> [!NOTE]
+> The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
+
+This article describes error messages and problems that you might encounter while using Microsoft 365 Lighthouse and provides troubleshooting steps you can take to resolve them.
+
+## Partner onboarding
+
+### Message when trying to access Lighthouse: "Microsoft 365 Lighthouse doesn't support indirect providers at this time, you must be an indirect reseller or direct bill partner to use this service"
+
+**Cause:** You attempted to access Lighthouse as an indirect-bill partner. At this time, Lighthouse supports only indirect resellers and direct-bill partners.
+
+**Resolution:** For a complete list of qualifications and requirements, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md). If you're not an indirect provider and believe you received this message in error, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
+
+### Message when trying to access Lighthouse: "You must be an indirect reseller or direct-bill partner to use this service"
+
+**Cause:** You attempted to access Lighthouse and aren't a Microsoft partner. You must be enrolled in the Cloud Solution Provider (CSP) program as an indirect reseller or direct-bill partner to use Lighthouse.
+
+**Resolution:** For a complete list of qualifications and requirements, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md). If you qualify to access Lighthouse and believe you received this message in error, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
+
+### Message when signing in to Lighthouse: "Accept the Partner Amendment"
+
+**Cause:** You attempted to access Lighthouse before a Global admin in the partner tenant has signed the partner amendment.
+
+**Resolution:** A Global admin must sign in to Lighthouse and accept the partner amendment before you can access and work in Lighthouse. If the error persists after a Global admin has signed the amendment, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
+
+## Customer tenant onboarding
+
+### Customer tenants show a status other than "Active" in the tenant list
+
+**Cause:** Your customer tenants don't meet the following criteria:
+
+ - Must have delegated (DAP) or granular delegated (GDAP) admin privileges set up for the Managed Service Provider (MSP)
+ - Must have at least one Microsoft 365 Business Premium or Microsoft 365 E3 license
+ - Must have no more than 1000 licensed users 
+
+**Resolution:** The following table describes the different tenant statuses that require action and explains how to resolve them.<br><br>
+
+| Status | Description | Resolution |
+|--|--|--|
+| Inactive | The tenant was offboarded at the request of the MSP and is no longer being managed in Lighthouse. | You need to reactivate the tenant. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to reactivate, and then select **Activate tenant**. It can take 24ΓÇô48 hours for initial customer data to appear in Lighthouse. |
+| Ineligible - DAP or GDAP is not set up | You don't have DAP or GDAP admin privileges set up with the tenant, which is required by Lighthouse. | Set up DAP or GDAP admin privileges in the Microsoft Partner Center. |
+| Ineligible - Required license is missing | The tenant is missing a required license. They need at least one Microsoft 365 Business Premium or Microsoft 365 E3 license. | Make sure the tenant has at least one Microsoft 365 Business Premium or Microsoft 365 E3 license assigned. |
+| Ineligible - User count exceeded | The tenant has more than the maximum of 1000 licensed users allowed by Lighthouse. | Verify that the tenant doesn't have more than 1000 licensed users. |
+| Ineligible - Geo check failed | You and your customer don't reside in the same geographic region, which is required by Lighthouse. | Verify that the tenant resides in your geographic region. If not, then you can't manage the tenant in Lighthouse. |
+| In process | Lighthouse discovered the tenant but is still in the process of onboarding them. | Allow Lighthouse 48 hours to complete onboarding of the tenant. |
+
+If you confirmed that your customer tenant meets the onboarding criteria and they're still not showing as **Active** in Lighthouse, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
+
+## Access and permissions
+
+### Message when trying to access Lighthouse: "Not Authorized" or "Insufficient privileges" or "Access Restriction: Insufficient or lack of permissions is causing access restriction"
+
+**Cause:** You don't belong to the correct security group in Azure AD, or you haven't been assigned the correct role in Partner Center to be able to access Lighthouse.
+
+**Resolution:** Make sure that an admin from your partner tenant with the appropriate permissions has assigned you to the correct GDAP security group in Azure AD and assigned you the correct role in Partner Center. Also, keep in mind that some actions in Lighthouse require you to be a Global admin. To learn more about the GDAP roles and what each role can do, see [Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md). For a detailed description of all Azure AD built-in roles and permissions for GDAP, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
+
+For customers with DAP relationships, the partner admin will need to assign you to either the Admin agent or Helpdesk agent role in Partner Center. For a detailed description of all Partner Center roles and permissions, see [Assign roles and permissions to users](/partner-center/permissions-overview).
+
+### I don't see complete data in certain areas of Lighthouse, or I can't perform certain tasks, or I can't access certain tenants
+
+**Cause:** You have limited GDAP access based on the roles assigned to the Azure AD security group that you're in.
+
+**Resolution:** Make sure that an admin from your partner tenant with the appropriate permissions has assigned you to the correct GDAP security group in Azure AD. Also, keep in mind that some actions in Lighthouse require you to be a Global admin. To learn more about the GDAP roles and what each role can do, see [Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md). For a detailed description of all Azure AD built-in roles and permissions for GDAP, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
+
+## Customer tenant management
+
+### Customer tenant has no data showing in Lighthouse
+
+**Cause:** You're attempting to view data in Lighthouse before tenant onboarding is complete.
+
+**Resolution:** It can take 24ΓÇô48 hours for initial customer data to appear in Lighthouse. If it's been more than 48 hours since you onboarded the tenant and you're still not able to view or load tenant data, or you're unable to view or load data that you had previously been able to, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md). Be prepared to provide relevant network logs and a list of any options that may have been modified.
+
+### Customer tenant data isn't updating after making changes in the customer tenant
+
+**Cause:** Changes that you make inside the customer tenant may take up to 4 hours to synchronize with the customer tenant data in Lighthouse.
+
+**Resolution:** If it's been more than 4 hours and the customer tenant data is still not updated in Lighthouse, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md). Be prepared to provide customer tenant information.
+
+### Message when applying a baseline to a customer tenant: "Process error occurred"
+
+**Cause:** You didn't successfully complete the configuration of Microsoft Intune within the customer tenant.
+
+**Resolution:** Verify that you completed the basic configuration steps for Intune within the customer tenant. If the issue persists after verifying that Intune configuration is complete for the customer tenant, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
+
+### Can't access partner tenant data in Lighthouse
+
+**Cause**: Lighthouse supports viewing and managing of *customer* tenants only. It doesn't currently support viewing and managing of *partner* tenants.
+
+**Resolution:** Continue using whatever method you've been using to view and manage your partner tenant.
+
+## Device and threat management
+
+### I don't see any customer tenant data on the Device compliance and Threat management pages of Lighthouse
+
+**Cause 1:** The customer tenant hasn't completed onboarding to Intune. Customer tenant data won't be available on the Device compliance or Threat management pages of Lighthouse until the customer tenant has completed onboarding to Intune.
+
+**Resolution:** Verify that the customer tenant you're trying to view data for has completed onboarding to Intune. Once onboarding is complete in Intune, allow 4 hours for device data to appear in Lighthouse.
+
+**Cause 2:** The customer tenant was recently onboarded to Lighthouse and data is still loading in Lighthouse.
+
+**Resolution:** Once a customer tenant is onboarded to Lighthouse, allow 24ΓÇô48 hours for initial customer data to appear.
+
+**Cause 3:** The customer tenant device is new and device data is still loading in Lighthouse.
+
+**Resolution:** When a tenant device is added, allow 4 hours for the device data to appear in Lighthouse.
+
+If data is still not appearing on the Device compliance and Threat management pages after following the resolution instructions, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md).
+
+### There are no Windows 365 Business Cloud PCs in Lighthouse
+
+**Cause**: Lighthouse doesn't currently support viewing and managing of Windows 365 Business Cloud PCs.
+
+**Resolution:** You can view and manage your Windows 365 Business Cloud PCs in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) or at [https://windows365.microsoft.com](https://windows365.microsoft.com).
+
+## Related content
+
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
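Review bot: "It can take 24ΓÇô48 hours" under "Customer tenant has no data showing in Lighthouse", and "allow 24ΓÇô48 hours" under Cause 2 on the Device compliance page, carry a mis-encoded en dash; write "24 to 48 hours" so the UTF-8 debris does not ship. The label style is also inconsistent: most entries use **Cause:** with the colon inside the bold, while "Can't access partner tenant data in Lighthouse" and "There are no Windows 365 Business Cloud PCs in Lighthouse" use **Cause**:. Finally, both GDAP resolutions say "some actions in Lighthouse require you to be a Global admin" without naming them; pointing to the list of those actions would let partners keep the roles assigned to the GDAP security group to the minimum needed instead of defaulting to Global admin.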
managed-desktop Prepare Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/prepare-devices.md
We recommend working with one of our approved device partners. You can work with
1. Deploy and assign [Intune Company Portal](company-portal.md). 1. [Assign licenses](assign-licenses.md). 1. [Deploy apps](deploy-apps.md).
-1. Set up devices (this article).
+1. Prepare devices (this article).
1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md). 1. [Enable user support features](enable-support.md). 1. [Get your users ready to use devices](get-started-devices.md).
managed-desktop Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/compliance.md
Microsoft Managed Desktop has achieved the following certifications:
- [Health Insurance Portability and Accountability Act (HIPAA)](/compliance/regulatory/offering-hipaa-hitech) - [Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)](/compliance/regulatory/offering-hitrust) - ## Auditor reports and compliance certificates You can find relevant information, including control and technical requirements, in the [Service Trust Portal (STP)](https://servicetrust.microsoft.com/), the central repository for such information about Microsoft Cloud Service offerings. You can download auditor reports, compliance certificates, and more from the [Audit Reports](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide) section of the STP. > [!NOTE]
-> Because Microsoft Managed Desktop runs on Azure, relevant documents usually have file names such as ΓÇ£Microsoft Azure, Dynamics 365, and other Online ServicesΓÇ¥. In those documents, you can usually find Microsoft Managed Desktop under the category ΓÇ£Microsoft Online ServicesΓÇ¥ or ΓÇ£Monitoring + ManagementΓÇ¥.
+> Because Microsoft Managed Desktop runs on Azure, relevant documents usually have file names such as "Microsoft Azure, Dynamics 365, and other Online Services". In those documents, you can usually find Microsoft Managed Desktop under the category "Microsoft Online Services" or "Monitoring + Management".
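Review bot: replacing the mis-encoded smart quotes (ΓÇ£ ... ΓÇ¥) with straight double quotes is the right fix; it is worth a quick search of the rest of the file for other ΓÇ sequences, since the Lighthouse troubleshooting page in this same batch still adds lines containing "ΓÇô".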
## Shared responsibility
-Compliance for cloud services is a shared responsibility between cloud service providers and their customers. For more information, see [Shared responsibility in the cloud](/azure/security/fundamentals/shared-responsibility).
+Compliance for cloud services is a shared responsibility between cloud service providers and their customers. For more information, see [Shared responsibility in the cloud](/azure/security/fundamentals/shared-responsibility).
managed-desktop Device Images https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-images.md
To get the latest image available in the factory on a Microsoft device, work wit
You can reuse existing devices as long as they meet both: - [Device requirements](device-requirements.md#minimum-requirements)-- [Software requirements](device-requirements.md#installed-software).
+- [Software requirements](device-requirements.md#installed-software)
Follow the steps relevant to your manufacturer.
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
audience: Admin Previously updated : 02/23/2022 Last updated : 02/24/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
The following table describes the most commonly used methods to onboard devices
| Onboarding method | Description | OS | |||| | **Automatic onboarding**<br/>(*available to customers who are already using Microsoft Endpoint Manager*) | Automatic onboarding sets up a connection between Defender for Business (preview) and Microsoft Endpoint Manager, and then onboards Windows devices to Defender for Business (preview). In order to use this option, your devices must already be enrolled in Endpoint Manager.<br/><br/>To learn more, see [Use automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager). | Windows |
-| **Microsoft Defender for Business security configuration** <br/>(*uses the Microsoft 365 Defender portal*) | To use this option, you configure certain settings to facilitate communication between Defender for Business and Endpoint Manager. Then, you onboard devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com) by using a package that you download and run on each device. A trust is established between devices and Azure Active Directory (Azure AD), and Defender for Business security policies are pushed to devices.<br/><br/>To learn more, see [Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration). | Windows <br/>macOS<br/>Linux |
-| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. If you were already using Endpoint Manager before you got Defender for Business (preview), you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager). | Windows <br/>macOS<br/>Linux<br/>iOS<br/>Android OS |
-| **Local script** <br/>(*for evaluating Defender for Business*) | This option enables you to onboard individual devices to Defender for Business manually. It's not recommended for a production deployment, but is useful for evaluating how Defender for Business will work in your environment on up to 10 devices per script.<br/><br/>To learn more, see [Local script in Defender for Business](#local-script-in-defender-for-business). | Windows <br/>macOS <br/>Linux |
+| **Microsoft Defender for Business security configuration** <br/>(*uses the Microsoft 365 Defender portal*) | To use this option, you configure certain settings to facilitate communication between Defender for Business and Endpoint Manager. Then, you onboard devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) by using a package that you download and run on each device. A trust is established between devices and Azure Active Directory (Azure AD), and Defender for Business security policies are pushed to devices.<br/><br/>To learn more, see [Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration). | Windows <br/>macOS |
+| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. If you were already using Endpoint Manager before you got Defender for Business (preview), you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager). | Windows <br/>macOS<br/>iOS<br/>Android OS |
+| **Local script** <br/>(*for evaluating Defender for Business*) | This option enables you to onboard individual devices to Defender for Business manually. It's not recommended for a production deployment, but is useful for evaluating how Defender for Business will work in your environment on up to 10 devices per script.<br/><br/>To learn more, see [Local script in Defender for Business](#local-script-in-defender-for-business). | Windows <br/>macOS |
> [!IMPORTANT] > If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml).
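Review bot: the unbalanced parenthesis after the security.microsoft.com link on the "Microsoft Defender for Business security configuration" row is now closed, but the "Microsoft Intune or Microsoft Endpoint Manager" row still lacks a period before "<br/><br/>To use this method" ("...to onboard and manage devices<br/>"). Since this hunk removes Linux from three OS columns, also confirm that the Automatic onboarding row ("Windows") and the Endpoint Manager row ("Windows, macOS, iOS, Android OS") are the intended support statements, so the table does not contradict the "Local script" section further down.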
See [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enroll
## Local script in Defender for Business
-You can use a local script to onboard some Windows, macOS, and Linux devices to evaluate how Defender for Business will work for you. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, enrolls the device in Microsoft Endpoint Manager, and onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business and for onboarding a few devices at a time. Each script can be used on up to 10 devices.
+You can use a local script to onboard Windows and Mac devices to evaluate how Defender for Business will work for you. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, enrolls the device in Microsoft Endpoint Manager, and onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business and for onboarding a few devices at a time. Each script can be used on up to 10 devices.
> [!NOTE] > This method is not recommended for production deployment, but is useful for onboarding up to 10 devices per script.
You can use a local script to onboard some Windows, macOS, and Linux devices to
- Windows devices: [Onboard Windows devices using a local script](../defender-endpoint/configure-endpoints-script.md#onboard-devices) - macOS devices: [Manual deployment for Microsoft Defender for Endpoint on macOS](../defender-endpoint/mac-install-manually.md#client-configuration)
- - Linux devices: [Deploy Microsoft Defender for Endpoint on Linux manually](../defender-endpoint/linux-install-manually.md#client-configuration)
## Run a detection test
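Review bot: "Windows and Mac devices" in the rewritten paragraph should match the bullet list that follows, which says "macOS devices"; use "macOS" in both places. The sentence "This method is useful for onboarding devices in Defender for Business and for onboarding a few devices at a time" is redundant now that the paragraph already says the script is for evaluation; "This method is useful for onboarding a few devices at a time" is enough. Removing the Linux bullet is consistent with the new wording and with the OS column changes in the table above.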
If you want to offboard a device, follow these steps:
- Windows devices: [Offboard Windows devices using a local script](../defender-endpoint/configure-endpoints-script.md#offboard-devices-using-a-local-script) - macOS devices: [Uninstalling on macOS](../defender-endpoint/mac-resources.md#uninstalling)
- - Linux devices: [Uninstalling on Linux](../defender-endpoint/linux-resources.md#uninstall)
> [!IMPORTANT] > Offboarding a device causes the devices to stop sending data to Defender for Business (preview). However, data received prior to offboarding is retained for up to six (6) months.
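Review bot: removing the Linux offboarding bullet is consistent with the onboarding section, but the IMPORTANT note that follows has a number mismatch: "Offboarding a device causes the devices to stop sending data" should read "causes the device to stop sending data".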
Proceed to:
- [Step 5: Configure your security settings and policies in Microsoft Defender for Business (preview)](mdb-configure-security-settings.md) -- [Get started using Microsoft Defender for Business (preview)](mdb-get-started.md)
+- [Get started using Microsoft Defender for Business (preview)](mdb-get-started.md)
security Mdb Simplified Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md
audience: Admin Previously updated : 02/07/2022 Last updated : 02/24/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
The following table describes each experience:
||| | The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>(*This is the recommended option for most customers*) | The simplified configuration experience includes default security settings and policies that help you protect your organization's devices from day one. With this experience, your security team uses the Microsoft 365 Defender portal to: <br/>- Set up and configure Defender for Business (preview) <br/>- View and manage incidents<br/>- Respond to and mitigate threats<br/>- View reports<br/>- Review pending or completed actions <br/><br/> This portal is your one-stop shop for your organization's security settings and threat protection capabilities. You get a simplified experience to help you get started quickly and efficiently. And, you can edit your settings or define new policies to suit your organization's needs.<br/><br/>To learn more, see [View or edit device policies in Microsoft Defender for Business (preview)](mdb-view-edit-policies.md). | | The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Endpoint Manager includes Microsoft Intune, a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. <br/><br/>Many organizations use Intune to manage their devices, such as mobile phones, tablets, and laptops. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). <br/><br/>If you're already using Microsoft Intune or Microsoft Endpoint Manager, you can continue using that solution. |
-| Your non-Microsoft device management solution | If you're using a non-Microsoft productivity and device management solution, such as Jamf for macOS or Ansible for Linux, you can continue to use that solution with Defender for Business (preview). <br/><br/>When devices are onboarded to Defender for Business (preview), you'll see their status and alerts in the Microsoft 365 Defender portal. To learn more, see [Onboarding and configuration tool options for Defender for Endpoint](../defender-endpoint/onboard-configure.md).<br/><br/>If you're already using a non-Microsoft device management solution, you can continue using that solution. |
+| Your non-Microsoft device management solution | If you're using a non-Microsoft productivity and device management solution, you can continue to use that solution with Defender for Business (preview). <br/><br/>When devices are onboarded to Defender for Business (preview), you'll see their status and alerts in the Microsoft 365 Defender portal. To learn more, see [Onboarding and configuration tool options for Defender for Endpoint](../defender-endpoint/onboard-configure.md).<br/><br/>If you're already using a non-Microsoft device management solution, you can continue using that solution. |
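Review bot: dropping "such as Jamf for macOS or Ansible for Linux" leaves "non-Microsoft productivity and device management solution" with no concrete example; if the intent is only to stop mentioning Linux, keep a macOS example such as Jamf rather than removing both. The row also says the same thing twice, first "you can continue to use that solution with Defender for Business (preview)" and then, after the Defender for Endpoint link, "If you're already using a non-Microsoft device management solution, you can continue using that solution"; one of the two can go.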
## Why we recommend using the simplified configuration process
Defender for Business (preview) is designed to provide strong protection while s
- [Set up and configure Microsoft Defender for Business (preview)](mdb-setup-configuration.md) -- [Get started using Microsoft Defender for Business (preview)](mdb-get-started.md)
+- [Get started using Microsoft Defender for Business (preview)](mdb-get-started.md)
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
ms.technology: mde Previously updated : 10/18/2021 Last updated : 02/24/2022
There are two more scenarios where Defender for Endpoint might request a file sa
## See also [Next-generation protection overview](next-generation-protection.md)+
+[Configure remediation for Microsoft Defender Antivirus detections.](configure-remediation-microsoft-defender-antivirus.md)
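Review bot: the new See also entry puts the period inside the link text ("[Configure remediation for Microsoft Defender Antivirus detections.](...)"), so it renders as part of the link; move it outside or drop it to match the "Next-generation protection overview" entry above. The "+" at the end of the previous line indicates an added blank line; make sure the two links end up on separate lines rather than concatenated.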
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+## 101.59.10 (20.122012.15910.0)
+
+- The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`.
+- Extended device control to handle devices connected over Thunderbolt 3
+- Improved the handling of device control policies containing invalid vendor IDs and product IDs. Prior to this version, if the policy contained one or more invalid IDs, the entire policy was ignored. Starting from this version, only the invalid portions of the policy are ignored. Issues with the policy are surfaced through `mdatp device-control removable-media policy list`.
+- Bug fixes
+ ## 101.56.62 (20.121122.15662.0) - Bug fixes
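Review bot: bullet punctuation in the 101.59.10 notes is inconsistent: the first and third bullets end with a period, while "Extended device control to handle devices connected over Thunderbolt 3" and "Bug fixes" do not. The placeholders in `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]` use square brackets, which a reader may type literally; say that the bracketed values are to be substituted. For the device control change, spell out what "only the invalid portions of the policy are ignored" means for the valid entries (they are now enforced as written), so admins know that a partially invalid policy is applied rather than silently dropped as it was before this version.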
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
Mail flow rules allow the most flexibility to ensure that only the right message
> [!IMPORTANT] >
-> - Messages that are identified as malware or high confidence phishing are always quarantined, regardless of the safe sender list option that you use.
+> - Messages that are identified as malware or high confidence phishing are always quarantined, regardless of the safe sender list option that you use. For more information, see [Secure by default in Office 365](secure-by-default.md).
>
-> - Be careful to closely monitor *any* exceptions that you make to spam filtering using safe sender lists.
+> - Be careful to closely monitor _any_ exceptions that you make to spam filtering using safe sender lists.
> > - While you can use safe sender lists to help with false positives (good email marked as bad), you should consider the use of safe sender lists as a temporary solution that should be avoided if possible. We don't recommend managing false positives by using safe sender lists, because exceptions to spam filtering can open your organization to spoofing and other attacks. If you insist on using safe sender lists to manage false positives, you need to be vigilant and keep the topic [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md) at the ready. >
-> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and anti-malware checks, you can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md).
+> - To allow a domain to send unauthenticated email (bypass anti-spoofing protection) but not bypass anti-spam and other protections, you can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md).
> > - EOP and Outlook inspect different message properties to determine the sender of the message. For more information, see the [Considerations for bulk email](#considerations-for-bulk-email) section later in this article. >
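Review bot: "anti-spam and other protections" on the Tenant Allow/Block List bullet is vaguer than the "anti-spam and anti-malware checks" it replaces; since the first bullet already states that malware and high confidence phishing are always quarantined, name the protections that still apply (anti-spam and anti-malware checks, and the high confidence phishing verdict) rather than "other protections". Adding the [Secure by default in Office 365] link to the first bullet is a good pointer for the always-quarantined behavior.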
The following example assumes you need email from contoso.com to skip spam filte
> [!IMPORTANT] >
- > - Never configure mail flow rules with *only* the sender domain as the condition to skip spam filtering. Doing so will *significantly* increase the likelihood that attackers can spoof the sending domain (or impersonate the full email address), skip all spam filtering, and skip sender authentication checks so the message will arrive in the recipient's Inbox.
+ > - Never configure mail flow rules with _only_ the sender domain as the condition to skip spam filtering. Doing so will _significantly_ increase the likelihood that attackers can spoof the sending domain (or impersonate the full email address), skip all spam filtering, and skip sender authentication checks so the message will arrive in the recipient's Inbox.
> > - Do not use domains you own (also known as accepted domains) or popular domains (for example, microsoft.com) as conditions in mail flow rules. Doing so is considered high risk because it creates opportunities for attackers to send email that would otherwise be filtered. >
If you can't use mail flow rules as previously described, the next best option i
## Use allowed sender lists or allowed domain lists
-The least desirable option is to use the allowed sender list or allowed domain list in anti-spam policies. You should avoid this option *if at all possible* because senders bypass all spam, spoof, and phishing protection, and sender authentication (SPF, DKIM, DMARC). This method is best used for temporary testing only. The detailed steps can be found in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md) topic.
+The least desirable option is to use the allowed sender list or allowed domain list in anti-spam policies. You should avoid this option _if at all possible_ because senders bypass all spam, spoof, and phishing protection, and sender authentication (SPF, DKIM, DMARC). This method is best used for temporary testing only. The detailed steps can be found in [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md) topic.
The maximum limit for these lists is approximately 1000 entries; although, you will only be able to enter 30 entries into the portal. You must use PowerShell to add more than 30 entries.
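Review bot: the rewritten paragraph keeps "senders bypass all spam, spoof, and phishing protection, and sender authentication (SPF, DKIM, DMARC)", which reads as an absolute, while the IMPORTANT note earlier in the file says malware and high confidence phishing are always quarantined regardless of the safe sender list option; qualify the sentence with that exception or link back to the note, so readers do not assume the allowed sender list disables every check. Minor: "can be found in [Configure anti-spam policies in EOP](...) topic" is missing "the" before the link.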
The maximum limit for these lists is approximately 1000 entries; although, you w
## Considerations for bulk email
-A standard SMTP email message consists of a *message envelope* and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the *message header*) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.
+A standard SMTP email message consists of a _message envelope_ and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the _message header_) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.
- The `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the **Return-Path** header field in the message header (although it's possible for the sender to designate a different **Return-Path** email address). If the message can't be delivered, it's the recipient for the non-delivery report (also known as an NDR or bounce message). - The `5322.From` (also known as the **From** address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's displayed in email clients.
security Use The Delist Portal To Remove Yourself From The Office 365 Blocked Senders Lis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md
Title: Remove yourself from the blocked senders list
+ Title: Remove yourself from the blocked senders list and address 5.7.511 Access denied errors
f1.keywords: - NOCSH
- m365initiative-defender-office365 - seo-marvel-apr2020
-description: In this article, you'll learn how to use the delist portal to remove yourself from the Microsoft 365 blocked senders list.
+description: In this article, you'll learn how to use the delist portal to remove yourself from the Microsoft 365 blocked senders list. This is the best response to address 5.7.511 Access denied errors.
ms.technology: mdo ms.prod: m365-security
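Review bot: the added sentence "This is the best response to address 5.7.511 Access denied errors" contradicts the 5.7.511 section at the end of this same file, which says that senders receiving NDR code 5.7.511 will not be able to use the delist portal. Either drop the claim from the description (and the matching phrase from the title and H1) or reword it to "and learn what to do about 5.7.511 Access denied errors".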
-# Use the delist portal to remove yourself from the blocked senders list
+# Use the delist portal to remove yourself from the blocked senders list and address 5.7.511 Access denied errors
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Are you getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365? If you think you should not be receiving the error message, you can use the delist portal to remove yourself from the blocked senders list.
+Are you getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365 (for example and address 5.7.511 Access denied)? If you think you should not be receiving the error message, you can use the delist portal to remove yourself from the blocked senders list.
## What is the blocked senders list?
Microsoft uses the blocked senders list to protect its customers from spam, spoo
You will know you have been added to the list when you receive a response to a mail message that includes an error that looks something like this:
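Review bot: "(for example and address 5.7.511 Access denied)" is garbled; read "(for example, a 5.7.511 Access denied error)". Note also that, per the last section of this page, 5.7.511 is precisely the case the delist portal cannot resolve, so the intro should not present it as the typical delist scenario.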
-> 550 5.7.606-649 Access denied, banned sending IP [_IP address_]; To request removal from this list please visit <https://sender.office.com/> and follow the directions. For more information see [Email non-delivery reports in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/non-delivery-reports-in-exchange-online).
+> 550 5.7.606-649 Access denied, banned sending IP [_IP address_] (ex. 5.7.511 Access denied): To request removal from this list please visit <https://sender.office.com/> and follow the directions. For more information see [Email non-delivery reports in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/non-delivery-reports-in-exchange-online).
where _IP address_ is the IP address of the computer on which the mail server runs.
There are good reasons for senders to wind up on the blocked senders list, but m
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWMhvD]
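Review bot: "(ex. 5.7.511 Access denied)" is inserted into the quoted NDR text, which turns the example bounce message into something the service does not emit ("550 5.7.606-649 Access denied, banned sending IP [_IP address_] (ex. 5.7.511 Access denied): To request removal..."). Keep the quote as the verbatim 5.7.606-649 message, including the original semicolon that the parenthetical replaced with a colon; if 5.7.511 needs a mention, add it as a separate sentence after "where _IP address_ is the IP address of the computer on which the mail server runs."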
-## To use delist portal to remove yourself from the blocked senders list
+## To use delist portal to remove yourself from the blocked senders list (after errors like 5.7.511 Access denied)
1. In a web browser, go to <https://sender.office.com>.
There are good reasons for senders to wind up on the blocked senders list, but m
See [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md) and [Outbound spam protection in EOP](outbound-spam-controls.md) to prevent an IP from being blocked.
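Review bot: the heading suffix "(after errors like 5.7.511 Access denied)" is wrong for this procedure, because the 5.7.511 section below says the delist portal cannot be used for that code. Keep the heading as "To use the delist portal to remove yourself from the blocked senders list" (adding the missing "the" before "delist portal").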
-### What about error code 5.7.511?
+### How do fix error code 5.7.511
When there's a problem delivering an email message that you sent, Microsoft 365 or Office 365 sends an email to let you know. The email you receive is a delivery status notification, also known as a DSN or bounce message. The most common type is called a non-delivery report (NDR) and they tell you that a message wasn't delivered. In certain situations, Microsoft must conduct additional investigations against traffic from your IP, and if youΓÇÖre receiving the NDR code 5.7.511, you **will not** be able to use the delist portal.
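Review bot: "How do fix error code 5.7.511" has a typo and lost the question mark; use "How to fix error code 5.7.511" or keep the original "What about error code 5.7.511?". Given that the paragraph states you cannot use the delist portal for this code, "How to fix" over-promises unless the section goes on to give an actual fix. The context line also contains the mojibake "youΓÇÖre" for "you're", which should be corrected while this file is being touched.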