GDAP & Lighthouse Setup

Secure Microsoft partner administration with GDAP and Microsoft 365 Lighthouse - least-privilege delegated access, role mapping, and operational setup for managed tenants.

Managing customer tenants at scale requires delegated administrative access - but that access must be controlled. Granular Delegated Admin Privileges (GDAP) enables partners to request specific roles with defined durations, reducing the risk associated with broad, persistent delegated access. At the same time, Microsoft 365 Lighthouse provides a multi-tenant management experience designed for managed service providers and partners, helping standardise configuration, monitoring, and security recommendations across multiple tenants. Where organisations struggle is not understanding the tools, but implementing a least-privilege model that is practical: mapping roles to real operational tasks, defining approval and break-glass processes, and ensuring admin workflows remain efficient.

LW IT Solutions delivers GDAP & Lighthouse Setup as a structured service to implement secure delegated administration and a repeatable operational model for managing customer tenants. We help you design your partner admin approach (roles, durations, approvals), implement GDAP relationships and security controls, and configure Microsoft 365 Lighthouse for cross-tenant visibility and standardisation. You receive documented role mappings, onboarding steps for new customers, and operational runbooks - so delegated admin access is controlled, auditable, and aligned to the services you deliver.

Talk through your requirements and leave with a clear next-step plan.

Book a discovery call

Service Overview

Highlights

Least-privilege delegated admin access using GDAP
Role mappings grounded in real partner operational tasks
Time-bound access and documented approval processes
Microsoft 365 Lighthouse configured for managed tenant oversight
Operational runbooks that support secure, repeatable delivery

Business Benefits

Reduced security risk by replacing broad delegated admin access with time-bound, role-specific permissions
Clear alignment between partner roles and real operational tasks across customer tenants
Improved auditability of partner admin actions through defined access duration and role mapping
More efficient multi-tenant operations using a consistent management and visibility model
Repeatable onboarding for new customers without reworking access and governance each time

Typical use cases

Partners replacing legacy DAP with GDAP
Managed service providers onboarding new customer tenants
Security reviews highlighting excessive delegated admin access
Scaling partner operations across multiple Microsoft 365 tenants
Preparing for audits or customer assurance reviews of partner access

Objectives & deliverables

What Success Looks Like

Implement least-privilege delegated admin access using GDAP
Reduce security risk by limiting roles and using time-bounded access where appropriate
Standardise multi-tenant management workflows with Microsoft 365 Lighthouse
Create repeatable customer onboarding for delegated access and baseline configuration
Improve auditability and operational control over partner admin activities

What You Get

GDAP role model: mapped roles, access durations, and operational justifications
Implemented GDAP relationships for agreed customer tenants (within scope)
Microsoft 365 Lighthouse configuration within scope (tenants added, baseline management approach documented)
Operational runbooks: onboarding, role assignment process, and periodic review approach
Backlog of improvements: additional tenants, security enhancements, and automation opportunities

How It Works

Discovery - confirm partner services, customer tenant scope, and current delegated access model
Design - define GDAP role mappings, access durations, approval flows, and break-glass approach
Implement - configure GDAP relationships and assign roles for in-scope customer tenants
Lighthouse setup - onboard tenants and document baseline management and monitoring approach
Validate - confirm access works as intended and supports day-to-day admin workflows
Handover - deliver runbooks and guidance for onboarding, review, and ongoing operations

Engagement Options

GDAP Foundation - design and implement a core GDAP role model for partner administration
GDAP Migration - transition existing DAP relationships to GDAP safely
Lighthouse Enablement - configure Microsoft 365 Lighthouse for multi-tenant visibility
Operational Hardening - refine roles, reviews, and governance as the customer base grows

Common Bundles

Customers who use this service often bundle with these services

2nd–4th Line Support (On‑Demand or Retainer)
Senior escalation support for complex Microsoft cloud incidents, providing rapid diagnosis, safe remediation, and clear handover through on-demand or retainer models.

Monthly Health Checks & Optimisation
Monthly health checks reviewing configuration, performance and security indicators, providing prioritised reporting, tuning actions and roadmap updates for reliable operations.

Secure Score Assessment & Remediation
Baseline Microsoft Secure Score, prioritise improvement actions, and deliver a staged remediation backlog that drives measurable security posture uplift.

Entra ID Governance Enablement
Enable Microsoft Entra ID Governance with access reviews, entitlement management, and privileged access workflows, backed by adoption and operational handover.

Microsoft Entra ID Architecture & Health Check
Assess Microsoft Entra ID architecture and tenant health to identify risk areas, configuration drift and prioritised identity improvements.

CIS Microsoft 365 Foundations Benchmark Assessment
Assess Microsoft 365 configuration against CIS Benchmark guidance, identifying posture gaps and producing a prioritised, evidence-ready remediation backlog.

CIS Microsoft Azure Foundations Benchmark Assessment
Assess Azure tenant and subscription configuration against CIS Benchmark guidance, identifying gaps and producing a prioritised remediation backlog.