Commit

Merge pull request #27382 from MicrosoftDocs/main
Publish main to live, 01/20, 11:00 AM IST
aditisrivastava07 authored Jan 20, 2025
2 parents 42c7fce + d82c729 commit 56fc993
Showing 14 changed files with 32 additions and 43 deletions.
Expand Up @@ -35,7 +35,7 @@ Managed Service Provider (MSP) technicians may set the account type for a Busine
## Before you begin

You must be either a Cloud PC Administrator (recommended) or a Windows 365 Administrator in the partner tenant.
You must hold either the Cloud PC Administrator (recommended) or Windows 365 Administrator role in Microsoft Intune to set or change a Windows 365 Business Cloud PC account type in Lighthouse.

> [!CAUTION]
> To help keep your organization secure, Microsoft recommends that you use roles with the minimum level of permissions needed to perform a job.
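
Review bot: The replacement sentence under "Before you begin" drops "in the partner tenant", so it no longer says in which tenant the Cloud PC Administrator or Windows 365 Administrator role has to be held. Lighthouse spans a partner tenant and many customer tenants, so keep the tenant scope in the sentence, for example "... role in Microsoft Intune in the partner tenant ..." if that is still the requirement. The reprovisioning page further down in this commit gets the same rewording and needs the same fix.
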
8 changes: 3 additions & 5 deletions microsoft-365/lighthouse/m365-lighthouse-create-a-baseline.md
Expand Up @@ -28,9 +28,9 @@ Microsoft 365 Lighthouse empowers you to create your own baselines to deploy to

## Before you begin

Make sure you and your customer tenants meet the requirements listed in [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).
- Make sure you and your customer tenants meet the requirements listed in [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).

Additionally, each partner tenant user must be a Microsoft 365 Lighthouse admin.
- You must hold either the Administrator or Author role in Lighthouse.

## Create a baseline

Expand Down Expand Up @@ -97,9 +97,7 @@ To extract a configuration from a managed tenant:
> [!IMPORTANT]
> Extracted configurations may contain tenant-specific setting values that should be removed from a baseline to avoid applying them to other managed tenants.
Lighthouse will, where possible, detect configurations and policies that contain sensitive information and remove the tenant-specific value from the baseline. There are some configuration types where sensitive setting values must be detected and removed manually to ensure they aren't included in the baseline.

Lighthouse admins must review the extracted configuration and remove any tenant-specific setting values that shouldn't be applied to other managed tenants.
Lighthouse, where possible, detects configurations and policies that contain sensitive information and removes the tenant-specific value from the baseline. However, there are some configuration types where sensitive setting values must be detected and removed manually to ensure they aren't included in the baseline.

1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Deployment** > **Baselines**.
2. Select a baseline from the list.
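
Review bot: The deleted line "Lighthouse admins must review the extracted configuration and remove any tenant-specific setting values ..." was the only sentence in this section that told a named role to do the review; the replacement says values "must be detected and removed manually" without saying who does it or which configuration types Lighthouse cannot clean automatically. A missed value ends up applied to other managed tenants, so keep an explicit instruction addressed to the roles that create baselines (Administrator or Author, per the first hunk of this file) and list or link the configuration types that need manual review.
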
Expand Up @@ -34,7 +34,7 @@ For more information about the different types of alerts you can create, see [Ov

## Before you begin

You must be an Administrator in Lighthouse to create and manage alert rules.
You must hold the Administrator role in Lighthouse to create and manage alert rules.

## Create an alert rule

Expand Up @@ -32,13 +32,13 @@ Sales Advisor is built for sellers. Customer-facing roles in partner's organizat
## Before you begin

- Your partner tenant must be onboarded to Microsoft 365 Lighthouse.
- You must be an Account Manager in Lighthouse. If you aren't an Account Manager, reach out to someone in your partner tenant who has the appropriate permissions to assign the role to you.
- You must hold the Account Manager role in Lighthouse. If you don't hold the Account Manager role, reach out to someone who holds the Administrator role in Lighthouse and ask them to assign the role to you.

### Appropriate roles in Partner Center

- Executive report viewer gives access to all reporting data sets.
- Report viewer gives access to most reporting data sets but not too sensitive data, such as revenue and customer or employee personal information.
- You must be at least an Account admin to assign users these roles, which are assigned either for an entire company or for a specific Microsoft Cloud Partner Program location.
- The Executive report viewer role gives access to all reporting data sets.
- The Report viewer role gives access to most reporting data sets but not to sensitive data, such as revenue and customer or employee personal information.
- You must hold at least the Account admin role to assign users the above-mentioned roles, which are assigned either for an entire company or for a specific Microsoft Cloud Partner Program location.

For more information, see [CPP role-based access - Partner Center](/partner-center/insights-roles).
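
Review bot: The last bullet under "Appropriate roles in Partner Center" now says "the above-mentioned roles", which is stiffer than the old "these roles" and breaks if the bullets are reordered; keep "these roles". The section also still has no sentence saying whether one of these Partner Center roles is needed on top of the Account Manager role in Lighthouse, which is worth adding while the wording is being touched.
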

2 changes: 1 addition & 1 deletion microsoft-365/lighthouse/m365-lighthouse-known-issues.md
Expand Up @@ -62,7 +62,7 @@ Either granular delegated administrative privileges (GDAP) plus an indirect rese

| Issue | Description | Solution |
| ---------------- | ---------------- | ---------------- |
| **Various GDAP permission issues across Lighthouse** | Certain GDAP roles by themselves don't grant the same level of access to customer data in Lighthouse as they would in a single-tenant experience. If any of the following roles are assigned individually (this is, not in combination with other GDAP roles) to MSP technicians, they may encounter errors, including:<ul><li>GDAP Security Administrators are unable to view risky users, dismiss risks, or confirm compromised users within Lighthouse.</li><li>GDAP Security Readers are unable to view risky users within Lighthouse.</li><li>GDAP Global Administrators see an error message when trying to view service health within Lighthouse.</li><li>GDAP Global Administrators experience issues deploying deployment plan steps within Lighthouse.</li></ul> | The workaround is to assign a combination of GDAP roles to MSP technicians based on the level of access to customer data that they need. For a list of recommended GDAP roles to use Lighthouse, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).<br><br>For issues where even GDAP Global Administrator permissions won't allow usage of a feature in Lighthouse, the workaround is to access the appropriate admin center from the customer tenant to manage the customer (for example, access the Microsoft 365 admin center from the customer tenant to check service health). For instructions on how to modify a GDAP relationship, see [Obtain granular admin permissions to manage a customer's service - Partner Center](/partner-center/gdap-obtain-admin-permissions-to-manage-customer). |
| **Various GDAP permission issues across Lighthouse** | Certain GDAP roles by themselves don't grant the same level of access to customer data in Lighthouse as they would in a single-tenant experience. If any of the following roles are assigned individually (that is, not in combination with other GDAP roles) to MSP technicians, they may encounter errors, including:<ul><li>GDAP Security Administrators are unable to view risky users, dismiss risks, or confirm compromised users within Lighthouse.</li><li>GDAP Security Readers are unable to view risky users within Lighthouse.</li><li>GDAP Global Administrators see an error message when trying to view service health within Lighthouse.</li><li>GDAP Global Administrators experience issues deploying deployment plan steps within Lighthouse.</li></ul> | The workaround is to assign a combination of GDAP roles to MSP technicians based on the level of access to customer data that they need. For a list of recommended GDAP roles to use Lighthouse, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).<br><br>For issues where even GDAP Global Administrator permissions won't allow usage of a feature in Lighthouse, the workaround is to access the appropriate admin center from the customer tenant to manage the customer (for example, access the Microsoft 365 admin center from the customer tenant to check service health). For instructions on how to modify a GDAP relationship, see [Obtain granular admin permissions to manage a customer's service - Partner Center](/partner-center/gdap-obtain-admin-permissions-to-manage-customer). |

## Localization

Expand Up @@ -29,11 +29,11 @@ The **Lighthouse permissions** page allows Administrators in Microsoft 365 Light
> [!NOTE]
> Lighthouse RBAC roles don't provide access to customer data. Access to customer data is governed by a Lighthouse user's GDAP permissions. To learn more, see [Manage GDAP in the customer tenant](m365-lighthouse-overview-of-permissions.md#manage-gdap-in-the-customer-tenant).
When administrators assign a Lighthouse RBAC role to a user in the partner tenant for the first time, a security group is automatically created. Lighthouse Administrators can view the associated security group for each Lighthouse RBAC role on the **Lighthouse permissions** page and in the Microsoft Entra admin center. All security group membership changes are reflected in both Lighthouse and the Microsoft Entra admin center.
When Lighthouse administrators assign a Lighthouse RBAC role to a user in the partner tenant for the first time, a security group is automatically created. Lighthouse Administrators can view the associated security group for each Lighthouse RBAC role on the **Lighthouse permissions** page and in the Microsoft Entra admin center. All security group membership changes are reflected in both Lighthouse and the Microsoft Entra admin center.

## Before you begin

To access the **Lighthouse permissions** page and manage permissions, you must be an Administrator in Lighthouse.
To access the **Lighthouse permissions** page and manage permissions, you must hold the Administrator role in Lighthouse.

## View Lighthouse RBAC role membership and associated security group
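
Review bot: The first changed sentence writes "Lighthouse administrators" in lower case, while the sentence right after it has "Lighthouse Administrators" and the rest of this commit standardizes on "the Administrator role in Lighthouse". Pick one form, for example "When a user who holds the Administrator role in Lighthouse assigns ...", so readers do not take these for two different sets of people.
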

Expand Down Expand Up @@ -86,7 +86,7 @@ To access the **Lighthouse permissions** page and manage permissions, you must b
- Select **Create a new security group**, enter a name for the new group, optionally enter a description and add users, and then select **Save**.

> [!NOTE]
> You must assign the Lighthouse Administrator role to a role-assignable security group. In addition, to be able to assign roles to a role-assignable security group and/or create role-assignable security groups, you must have a Microsoft Entra ID P1 license. To enable Just-in-Time (JIT) roles, Microsoft Entra IDE Governance or a Microsoft Entra ID P2 license is required.
> You must assign the Administrator role in Lighthouse to a role-assignable security group. In addition, to be able to assign roles to a role-assignable security group and/or create role-assignable security groups, you must have a Microsoft Entra ID P1 license. To enable Just-in-Time (JIT) roles, Microsoft Entra IDE Governance or a Microsoft Entra ID P2 license is required.
>
> You can assign all other Lighthouse RBAC roles to any security group, whether it's role-assignable or not, but keep the P1 license requirement in mind for role-assignable security groups.
>
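
Review bot: The reworded NOTE line still carries "Microsoft Entra IDE Governance"; the product name is Microsoft Entra ID Governance, so fix the typo while this line is being edited. The line also mixes a role requirement with two licensing requirements in one sentence run; splitting the licensing part into its own sentence or bullet would make the role-assignable group requirement easier to find.
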
Expand Up @@ -28,7 +28,7 @@ To help you manage your tenant list in Microsoft 365 Lighthouse, you can apply c

## Before you begin

You must be an Administrator in Lighthouse.
You must hold the Administrator role in Lighthouse to manage your tenant list.

## Create a tag

7 changes: 6 additions & 1 deletion microsoft-365/lighthouse/m365-lighthouse-mitigate-threats.md
Expand Up @@ -32,7 +32,12 @@ Microsoft 365 Lighthouse lets you investigate and mitigate threats across all yo

- Users must be running Microsoft Defender Antivirus (included with Windows). Lighthouse does not support non-Microsoft antivirus software. For more information, see [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows).

- You must be a Global Administrator in the partner tenant that you're signing in to.
- You must hold at least one of the following Microsoft Entra roles for the customer tenants whose data you want to read:
- Security Reader
- Security Operator
- Intune Administrator
- Global Reader
- Helpdesk Administrator

## Investigate active threats
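
Review bot: The new prerequisite lists roles "for the customer tenants whose data you want to read", but this page covers both investigating and mitigating threats, and the list includes read-only roles such as Security Reader and Global Reader. Say which of the five roles are enough to take the mitigation actions described below and which only allow viewing, so a technician is not assigned a reader role and then blocked at the action step. It would also help to state that these roles are granted through GDAP, since the sentence replaces a partner-tenant Global Administrator requirement with customer-tenant roles.
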

Expand Up @@ -28,7 +28,7 @@ Microsoft 365 Lighthouse supports reprovisioning of Cloud PCs that have a provis

## Before you begin

You must be a Cloud PC Administrator in the partner tenant.
You must hold the Cloud PC Administrator role in Microsoft Intune to reprovision a Windows 365 Cloud PC in Lighthouse.

## Reprovision a Windows 365 Cloud PC

7 changes: 2 additions & 5 deletions microsoft-365/lighthouse/m365-lighthouse-requirements.md
Expand Up @@ -69,12 +69,9 @@ Microsoft Defender Antivirus is part of the Windows operating system and is enab
## Requirements for enabling Sales Advisor

To use Sales Advisor to view customer opportunities, you must hold either the Executive report viewer or Report viewer role in Partner Center.
To use Sales Advisor to view customer opportunities, you must hold the Account Manager role in Lighthouse. If you don't hold the Account Manager role, reach out to someone who holds the Administrator role in Lighthouse and ask them to assign the role to you.

> [!NOTE]
> Only a Global admin in Partner Center can assign the Executive report viewer or Report viewer roles.
For more information, see [Get access to Sales advisor](m365-lighthouse-get-access-to-sales-advisor.md).
For more information, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).

## Related content
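
Review bot: The Sales Advisor requirement switches from the Partner Center report viewer roles to the Account Manager role in Lighthouse, yet the Sales Advisor access page changed earlier in this commit keeps its "Appropriate roles in Partner Center" section, so the two pages now disagree on whether a Partner Center role is needed. Either keep a pointer to that section here or remove it there. The "For more information" link also moves away from m365-lighthouse-get-access-to-sales-advisor.md, the page dedicated to this feature; consider keeping that link next to the new one.
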

8 changes: 2 additions & 6 deletions microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md
Expand Up @@ -30,13 +30,9 @@ Microsoft 365 Lighthouse audit logs record actions that generate a change in Lig

To view audit logs, you must hold one of the following roles:

- Microsoft Entra Global Administrator in your partner tenant

- Partner Center Admin agent
- Administrator in Lighthouse
- Admin agent in Partner Center

> [!CAUTION]
> To help keep your organization secure, Microsoft recommends that you use roles with the minimum level of permissions needed to perform a job. Global Administrator is a highly privileged role that should be limited to scenarios where you can't use a less-privileged role.
## Review audit logs

1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Audit logs**.
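
Review bot: The whole CAUTION block is removed together with the Global Administrator bullet, but only its second sentence was about Global Administrator; the first sentence, "use roles with the minimum level of permissions needed to perform a job", still applies to the two roles that remain and is kept on other pages in this commit. Keep the CAUTION with just that first sentence. If Global Administrator in the partner tenant can still open audit logs, say so in a note instead of dropping it silently, so that existing readers know nothing changed for them.
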