Monitoring Health, Usage, and Security in Microsoft 365 Business Premium

Microsoft 365 25 Minutes

bp1

Microsoft 365 Business Premium provides built-in tools for IT professionals to monitor their environment’s health, usage, and security. This guide covers how to leverage the Microsoft 365 admin center reports and dashboards, the benefits of Microsoft 365 Lighthouse for managing multiple tenants, and how to configure alert policies for security events. We include step-by-step instructions, illustrative examples, best practices, pitfalls to avoid, and troubleshooting tips – with references to official Microsoft documentation for further reading.

1. Microsoft 365 Admin Center: Health, Usage, and Security Monitoring

The Microsoft 365 admin center is a one-stop portal for monitoring service health, usage analytics, and some security metrics of your tenant. Below we break down key features:

1.1 Service Health Dashboard

The Service Health dashboard in the admin center lets you check the status of Microsoft 365 services and any ongoing issues:

  • Accessing Service Health: In the admin center, go to Health > Service health (or select the Service health card on the Home dashboard)[1]. This opens a summary table of all cloud services (Exchange Online, Teams, SharePoint, etc.) and their current health state.

  • Status Indicators: Each service shows an icon/status for its health. The dashboard is organized into tabs:
    • Overview: Lists all services and indicates any active incidents or advisories (issues Microsoft is currently working to resolve)[1].

    • Issues for your organization to act on: Highlights any problems detected in your environment that require admin action (e.g. a configuration or network issue on your side)[1]. If no customer-side issues are detected, this section is hidden[1].

    • Active issues (Microsoft side): Shows service incidents or outages Microsoft is addressing (e.g. an Exchange Online outage in your region)[1]. Each incident can be clicked for detailed status updates and timeline of resolution steps[1].

    • Issue history: Shows a 7-day or 30-day log of past incidents/advisories once they are resolved[1].
  • Notifications: You can configure email notifications for new incidents or status changes. In Service health > Customize > Email, enable “Send me email notifications about service health” and specify up to two recipient addresses[1]. This ensures IT staff are alerted when Microsoft posts a new service incident or update.

  • Reporting Issues: If you’re experiencing a problem not listed on the Service health page, you can click “Report an issue” to alert Microsoft[1]. Microsoft will investigate and, if it’s a widespread service problem, it will appear as a new incident on the dashboard for everyone[1].

  • Admin Roles for Health: Note that viewing service health requires appropriate admin roles. Global Admins can see it, but you can also assign roles like Service Support Admin or Helpdesk Admin to allow others to view the Service health page[1].

Real-world use: The Service Health dashboard is crucial for proactive communication. For example, if Exchange Online is down, the admin can quickly see the advisory, inform users that Microsoft is working on it, and avoid unnecessary internal troubleshooting[1][1]. Conversely, if an issue is listed under “Issues in your environment”, the admin knows it’s on their side and can take immediate action.

1.2 Usage Reports and Dashboards

Microsoft 365 provides rich usage analytics in the admin center to monitor how your organization is utilizing various services. These reports help track user activity, adoption of tools, and identify under-utilized resources. Key aspects include:

  • Reports > Usage Dashboard: In the admin center, navigate to Reports > Usage to access the Microsoft 365 Reports dashboard[2]. This dashboard offers an at-a-glance overview of activity across multiple services (Exchange email, SharePoint, OneDrive, Teams, etc.) for various time spans (7, 30, 90, 180 days)[2][2].
    • From the dashboard, you can click “View more” on any service’s card (e.g. Email, OneDrive) to see detailed reports for that service[2]. Each service usually has multiple report tabs (for different aspects like activity, storage, users).
  • Available Reports: Depending on your subscription (Business Premium includes most standard reports), you’ll find reports such as: Active Users, Email activity, Email app usage, OneDrive files, SharePoint site usage, Teams user activity, and many more[2][2]. For example:
    • Active Users report – shows how many users are active in each service (Exchange, OneDrive, SharePoint, Teams, etc.) over time[2].

    • Email Activity report – shows number of emails sent, received, and read per user, helping gauge email usage patterns[2].

    • OneDrive or SharePoint Usage reports – track file storage used, files shared, active file counts, etc., indicating collaboration trends[2].

    • Microsoft Teams Activity report – shows how users engage in Teams (chat messages sent, meeting count, etc.), useful for monitoring remote work adoption[2].

    • Microsoft 365 Apps Usage report – shows usage of Office desktop apps like Word, Excel, Outlook across devices and platforms[3][3].
  • Interpreting Data: Reports typically provide both aggregate graphs and per-user (or per-site) details. For example, the Email activity report has a summary of total emails and a user-level table of each user’s send/receive counts[3]. You can often filter by date range at the top of the report and even export data to Excel for further analysis or long-term archiving.

  • Gaining Insights: Use these reports to identify trends and take action. For instance, the reports can help determine if users are fully utilizing licensed services or not. If you find some users have very low activity over 90 days, you might decide to reassign or remove their licenses to optimize costs[2]. The admin center documentation explicitly notes you can *“determine who is using a service to its max, and who is barely using it and hence might not need a license”[2] – a valuable insight for license management. Another example: a spike in SharePoint file deletions might prompt you to check for accidental data loss or security issues.

  • Extending Analytics: For even deeper analytics, Microsoft offers Microsoft 365 Usage Analytics via Power BI, which provides a pre-built Power BI dashboard of 12 months of data and more customization. This is an advanced option (requiring enabling the content pack and having a Power BI license) but can be useful for quarterly or annual trend analysis and executive reporting.

Real-world use: A company noticed through the Teams activity report that only half of their users scheduled Teams meetings regularly. This prompted a training initiative for departments lagging in Teams adoption. Another organization exported the Active Users report and discovered several employees barely used their Exchange and OneDrive – they reclaimed those licenses, saving costs[2].

Best Practice: Review usage reports monthly. Consistent monitoring of these dashboards helps catch adoption issues or abnormal usage early. Tie the insights to actions: for example, deploy user training if SharePoint usage is low, or upgrade bandwidth if you see heavy Teams call usage. Also ensure privacy settings for reports are appropriately configured – by default user-level details are hidden for privacy, but admins can choose to show identifiable user data if privacy laws and company policy allow[2]. This can be toggled in Settings > Org Settings > Reports in the admin center[2].

1.3 Security Monitoring and Secure Score

In addition to usage and health, the admin center integrates with security tools:

  • Secure Score: Microsoft Secure Score is a built-in measure of your organization’s security posture across Microsoft 365 services. It assigns a score (0-100%) based on security settings and behaviors – the higher the score, the more recommended security measures you’ve adopted. You can view your Secure Score and recommendations by going to the Microsoft 365 Defender portal (security.microsoft.com) and selecting Secure Score. The Secure Score dashboard provides a list of improvement actions (like enabling MFA, setting up email anti-phishing policies, etc.) and points you can gain by resolving each item. Monitoring this regularly helps ensure your tenant’s security keeps improving.

  • Security Dashboard: For Business Premium, the Microsoft 365 Defender portal and Purview Compliance portal are where most security monitoring occurs. From the admin center, if you click Security, it will redirect you to the Defender portal which shows active threats, incidents, and alerts (more on alerts in section 3). Keep an eye on the Identity (Azure AD) logs and Defender for Business dashboards if enabled – these show user sign-in risk, device status, malware detections, etc. Many SMB admins rely on these in addition to alert policies.

  • Admin Roles for Security Data: To view and manage security-related info, your account needs proper roles (Global Admin or roles like Security Administrator, Global Reader, etc.). Make sure at least two people in your org have the necessary privileges to monitor security, to avoid single points of failure.

Best Practice: Leverage Secure Score as a guide for security improvements. Treat it like a “credit score” for your tenant’s security – check it periodically (e.g. weekly or monthly) and act on high-impact recommendations (like turning on mailbox audit or disabling legacy authentication) to raise the score over time. Many managed service providers set a target secure score (e.g. 75% or above) for their clients and use it as a KPI for security posture.

2. Microsoft 365 Lighthouse: Multi-Tenant Management for Partners

If you are an IT service provider or MSP managing multiple Business Premium tenants, Microsoft 365 Lighthouse is an invaluable tool. Lighthouse is a dedicated portal that aggregates monitoring and management across multiple customer tenants into one pane of glass. Here’s why it’s useful:

  • Single Portal for Many Tenants: Lighthouse lets you oversee many customers’ Microsoft 365 environments from one place[4]. Instead of logging in to each tenant’s admin center separately, an MSP can use Lighthouse to view all at once. This multi-tenant view extends to user management, device compliance, threats, and alerts across customers[5][5]. For example, you can list all devices across all clients and see which ones are out of compliance or need attention on one screen.

  • Security Baselines and Standardization: Lighthouse provides a default security baseline tailored for SMBs (covering things like MFA, device protection, Defender for Business setup, etc.)[5][4]. Partners can onboard a new customer tenant with recommended security configurations quickly thanks to these baselines[5]. By following a consistent baseline for all customers, you ensure every tenant meets a minimum security standard. Lighthouse even includes a deployment plan feature, guiding technicians through a checklist of steps for securing a tenant (e.g., “Enable MFA for all users” would be one step)[4].

  • Centralized Alerts and Threat Management: An MSP can see security alerts from multiple customers in one place. For instance, Lighthouse surfaces risky sign-in alerts, malware detections, or device threats across all managed tenants[5]. It integrates with Microsoft Defender, so you can investigate and remediate threats on customer devices (like a Windows malware incident) without switching contexts[5]. There’s also a multi-tenant Service Health view – you can quickly spot if any of your customers are affected by a Microsoft service outage or advisory[6].

  • Ease of Common Tasks: Routine tasks like user administration are streamlined. Lighthouse allows cross-tenant user search (find a user across any customer tenant), password resets, license assignment, and even bulk actions like blocking inactive accounts, all from the central portal[4][4]. This improves efficiency – e.g. you can find all global admin accounts across all tenants to ensure they have MFA enabled.

  • Proactive Management: Perhaps the biggest value is being proactive. Because you can see issues developing across customers, you can fix them before the customer notices. For example, Lighthouse can show an MSP that several customers have a low compliance with a certain policy or an upcoming license expiry. The MSP can address these in advance, improving service quality. As Microsoft describes, Lighthouse lets service engineers “focus on what’s most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state”[5]. It even provides AI-driven recommendations (e.g. identifying upsell opportunities or under-utilized features) to help partners optimize clients’ use of M365[7].

  • No Extra Cost: Microsoft 365 Lighthouse is provided free of charge for eligible partners. It’s available to Cloud Solution Provider (CSP) partners managing Business Premium (and certain other Microsoft 365 plans) for SMB customers[7]. There’s no additional license fee for using Lighthouse – you just need delegated admin access and meet the program requirements.

Real-world use: Consider an MSP managing 50 small business tenants. Using Lighthouse, their team gets a daily view of all alerts (e.g. malware or sign-in risks) across those tenants on one screen. One morning, an engineer sees that three different customers each have an alert for “Unusual external file sharing” in OneDrive[8]. Using Lighthouse, they quickly investigate – it turns out to be a single rogue IP address trying to access files, and they remediate it for all three clients at once. Meanwhile, the Service Health section in Lighthouse shows a Teams outage affecting five customers, enabling the MSP to proactively send notices to those clients. Such centralized oversight saves time and improves security.

Tip: If you are a partner, ensure you enroll in Microsoft 365 Lighthouse via the CSP program and get delegated admin access to each tenant. It may take up to 48 hours after onboarding a new tenant before their data appears in Lighthouse[7], so plan accordingly. If some tenants don’t show up, check that they have Microsoft 365 Business Premium (Lighthouse initially required Business Premium, though as of 2024 it expanded to other SMB plans[6]) and that you have the proper admin relationships. Microsoft’s Lighthouse FAQ is a great resource for troubleshooting onboarding issues (e.g. mixed-license environments or data delays)[7][7].

3. Alert Policies for Security Events

A critical aspect of monitoring security in Microsoft 365 is configuring Alert Policies. These policies automatically generate alerts (and optionally send email notifications) when specific activities or events that could indicate a security issue occur in your tenant. Microsoft 365 comes with some default alert policies, and you can create custom ones to fit your organization’s needs.

3.1 Understanding Alert Policies and Defaults
  • What Alert Policies Do: Alert policies define a set of conditions (usually based on user or admin activities, as recorded in audit logs) that, when met, trigger an alert. Alerts are shown in the Alerts dashboard (in the Microsoft 365 Defender portal or Purview compliance portal) where admins can review and manage them[8]. You can also have the system send out an email or Teams notification when an alert is triggered. This helps IT admins respond quickly to potential security incidents (for example, a suspicious file download or a privilege change).

  • Default Policies: Microsoft provides built-in default alert policies (policy type “System”) that cover common risks[8][8]. These are enabled by default for many subscriptions. For Business Premium (which is similar to Enterprise E3 in features), you should see default policies such as:
    • Elevation of Exchange admin privilege – triggers when someone is granted Exchange Admin roles (e.g., added to Organisation Management role group)[8]. This helps catch unauthorized privilege escalation.

    • Creation of forwarding/redirect rule – triggers when a user mailbox has an auto-forward or inbox rule created to forward emails externally (a common sign of a compromised mailbox). (This was noted in older documentation as a default for E3/Business; if not default, you can create a custom policy for it.)[9]
    • eDiscovery search started or exported – triggers when someone runs or exports an eDiscovery content search (since that could be abused to exfiltrate data)[9].

    • Unusual volume of file deletion or sharing – triggers when an unusually high number of files are deleted or shared externally in SharePoint/OneDrive (could indicate ransomware or data leak)[8][8].

    • Malware campaign detected – triggers when multiple users receive malware (or phish) emails as part of a campaign[8].

    • Messages have been delayed – triggers if a large number of emails are queued/delayed (e.g. 2000+ emails stuck for over an hour) indicating mail flow issues[8].

    • (There are many others; Microsoft categorizes them by Permissions, Threat Management, Data Governance, Mail Flow, etc. For example, there are alerts for things like unusual password admin activity, or Safe Links detecting a user clicking a malicious URL[8]. Refer to Microsoft’s documentation for the full list and license requirements[8][8].)
  • Managing Default Alerts: For these built-in policies, you cannot change the core conditions, but you can toggle them on/off and set who gets notifications[8]. It’s recommended to review the defaults and ensure the notification recipients are correct. By default, global admins are often set to get these emails – if your Global Admin mailbox is not monitored frequently, consider adding a security distribution list or another admin’s email to each important alert policy’s notification list[9][9].

Real-world scenario: One of the default alerts “Elevation of Exchange admin privilege” can catch illicit activity. In a real case, a malicious insider tried to secretly add themselves to a high-privilege role; the alert fired and emailed the security team immediately, who were then able to revoke that change[8]. Another default alert “Creation of forwarding rule” has saved organizations by notifying them when a hacked account set up forwarding of mail to an external address – a classic sign of Business Email Compromise. The IT team, upon receiving the alert, quickly disabled the rule and reset the user’s password, stopping data loss in its tracks.[9]

3.2 Creating and Configuring Custom Alert Policies

In addition to defaults, you should create custom alert policies for other activities that are important to your organization’s security. Here is a step-by-step guide to creating a new alert policy:

Steps to Create an Alert Policy:

  1. Open the Alert Policies page: Go to the Microsoft 365 Defender portal (https://security.microsoft.com) or Microsoft Purview compliance portal (https://compliance.microsoft.com) – both have an Alerts section. In the left navigation, expand Alerts and click “Alert policies.”[10]. (In older interfaces, this was under the Security & Compliance Center > Alerts > Alert Policies.)

  2. Start a new policy: Click the “+ New alert policy” button to launch the creation wizard[10].

  3. Name and Category: Provide a Name and optional description for the alert. Choose a Category that fits (such as Threat Management, Data Loss Prevention, Mail Flow, etc.) – this is mainly for organizing alerts. For example, “Unauthorized Role Change Alert” with category Threat Management.

  4. Define the Activity to monitor: This is the heart of the policy. In the wizard, you’ll have to select the activity or event that triggers the alert. Microsoft offers a wide range of activities sourced from audit logs (user and admin actions). Click in the Activity dropdown or search field to find activities. Examples of activities you can choose:
    • File and folder activities: e.g. Deleted file, Downloaded file, Shared file externally.

    • User/account activities: e.g. User added to Role (Azure AD role changes)[10], Reset user password, User created.

    • Mailbox activities: e.g. Created forwarding rule, Mail items accessed (Mailbox export).

    • Administration actions: e.g. Added user to admin role group, Modified mailbox permissions, Changed group owner.

    • Threat detections: e.g. Malware detected in file, Phishing email detected, User clicked malicious URL.

    • Use the search or filters to find the exact activity. In our example scenario (monitoring admin role changes), we would select activities like “Role Group Member Added” and “Role Group Member Removed” (these track changes in admin role membership)[10]. For another scenario, say you want an alert for mass download from SharePoint, you might choose “Downloaded multiple files”.
  5. Conditions (optional): Some activities allow additional filters. For instance, if tracking file deletions, you could specify a particular site or folder path. Or limit an alert to actions by a specific user or group of users (e.g., high-value accounts). You may also be able to set an IP address range condition (to alert only if action is from outside corporate IP). These conditions help narrow down when an alert triggers so you get fewer false alarms[8][8]. Set these if needed, or leave as broad (any user, any location) for comprehensive coverage.

  6. Alert Threshold: Decide when to trigger the alert. You have a few options[8][8]:
    • Every time the activity occurs – simplest option (the alert fires on each event match). Use this for critical events that should always alert (e.g. admin role changes). Note: For Business Premium (which is not E5), you might be limited to this option for many alert types[8], since the more advanced threshold features often require E5 licenses.

    • Based on a daily threshold – you can say “if activity X occurs more than N times within Y hours, trigger alert.” For example, alert if more than 5 file deletion events by the same user in 10 minutes (potential mass deletion). This helps reduce noise by ignoring single occurrences but catching patterns. (Threshold-based alerts may require higher licensing; if unavailable, you’ll only see the every-time option.)[8]
    • Unusual activity (anomaly detection) – this uses machine learning to establish a baseline of normal activity and trigger only if an activity spikes above normal for your org (e.g. a user normally downloads 10 files a day, suddenly downloads 500). This is very useful but typically an E5-level feature[8]. Business Premium admins might not have this option unless they have added certain add-ons.

    • Choose the appropriate threshold option that’s offered. If in doubt, “every time” is safest for critical security events.
  7. Severity and Alerts Settings: Assign a severity level (Low, Medium, High) to indicate how urgent/important this alert is[10]. This is mainly for filtering and your internal triage – for example, a “High” severity could be for things like multiple failed login attacks or data exfiltration, whereas “Low” might be for less urgent like a single file deletion. Also choose an Alert category (if not already set by your earlier category selection) – categories help group alerts on the dashboard (e.g., all policies related to access could be under “Permissions”).

  8. Notifications: Add the recipients who should get an email notification when this alert triggers[10][10]. You can enter one or more email addresses – these could be individual admins or a distribution list (e.g., “SecurityAlerts@company.com”). For critical alerts, include a monitored address (perhaps an on-call mailbox or a ticketing system if it can ingest emails). Microsoft will send an email with details each time the alert conditions are met.

  9. Review and Finish: Review all the settings in the wizard, then create/submit the new alert policy. It may take up to 24 hours for a new alert policy to become active and start detecting events[8] (the backend needs to sync the policy across the system). Once active, any matching events will generate alerts visible in the Alerts dashboard.

After creation, your new policy will appear in the list on the Alert Policies page. You can always edit it later to tweak conditions or change recipients, etc.

Screenshot – Creating a custom alert policy: Below is an illustration of configuring a new alert policy in the compliance portal, selecting roles changes as the monitored activity and setting a low threshold so that any such change triggers an alert (threshold = 1).

[10] Screenshot: Creating a new Alert Policy in Microsoft Purview compliance portal (selecting activities “Added member to role” and “Removed member from role”, severity High, alert on every occurrence, with an admin email as recipient).

(The image above demonstrates the alert creation form: giving the policy a name “Role Change Alert,” category “Threat Management,” choosing the two role change activities, threshold of 1, and specifying notification recipients.)

3.3 Managing and Responding to Alerts

Once your alert policies are up and running, make sure to regularly monitor the Alerts queue in the portal:

  • Alerts Dashboard: In the Defender or Compliance portal, the Alerts section will list all alerts that have been triggered. Each alert entry shows information like the policy that triggered it, the time, the user involved, and the severity. You can click an alert to see details (which specific activity was logged, and often a link to the related audit log record).

  • Alert Status and Triage: As you investigate an alert, you can set its status (e.g., Active, Investigating, Resolved, Dismissed) to track progress[8]. This helps if multiple admins handle security – everyone can see which alerts are being worked on. After addressing the underlying issue, mark the alert as resolved or dismissed appropriately[8].

  • Investigation Tips: The alert detail usually provides a starting point (e.g., “User X performed activity Y at time Z”). From there, you might need to:
    • Check the Audit Log for surrounding events (Microsoft 365 audit log can be searched for that user or timeframe to gather more context).

    • If the alert is about a user account (like a suspicious login), review that user’s sign-in logs in Azure AD for IP addresses and sign-in risk.

    • If it’s about malware or phishing, go to the Security portal’s Incidents or Threat Explorer to see if it’s part of a larger campaign, and ensure the malicious content is quarantined or removed.

    • Document what happened and what you did – useful for post-incident review.
  • Alert Notifications: Ensure that the email notifications are arriving. Sometimes, notification emails might go to spam if sent to external addresses; make sure to allowlist Microsoft’s alert sender or use a corporate mailbox. Also, if using a shared inbox, ensure someone actually checks it or has an forwarding rule to on-call personnel. A good practice is to integrate these emails with a ticketing system or SIEM for centralized tracking.

  • Fine-tuning: Over time, you might get too many alerts (noise) or find gaps. Adjust your alert policies accordingly:
    • If an alert is firing too often on benign events, consider raising the threshold or adding a condition (for example, alert on file downloads only if more than 100 files are downloaded in an hour).

    • If you discover a new threat vector not covered by existing alerts, create a new custom policy. Microsoft is continually adding more default alerts (especially for those with higher licenses) – keep an eye on the “Default alert policies” documentation for new ones, but don’t hesitate to create your own for your specific needs.

Important: Audit Logging must be enabled for alert policies to work, since alerts are triggered by events recorded in the audit log. Microsoft now enables audit logging by default for M365 (since 2019)[9], but if you have an older tenant or turned it off, be sure to enable it. Without audit data, alerts won’t trigger. You can verify in the Compliance portal under Audit; if it’s off, there will be a prompt to enable it.

4. Best Practices and Real-World Scenarios

Bringing it all together, here are some best practices and scenario-based tips for effectively monitoring a Microsoft 365 Business Premium environment:

  • Regular Review Cadence: Treat monitoring as a routine. Establish a schedule to review different aspects: e.g., daily check of the Security/Alerts dashboard, weekly scan of service health (or subscribe to health alerts), and monthly review of usage reports and Secure Score. This ensures nothing slips through the cracks. For instance, a weekly Secure Score review might reveal new recommendations after Microsoft releases a feature – acting on these keeps your tenant secure and up-to-date.

  • Use Dashboards Proactively: Don’t just react to problems – use the data to anticipate needs. For example, if the usage dashboard shows a steady increase in Teams video call usage, you might need to upgrade network bandwidth or encourage users to schedule “video-free” meeting times to reduce load. If service health advisories indicate your Exchange Online is nearing a storage quota, you can plan to purchase more storage or clean up mailboxes.

  • Leverage Lighthouse for Multiple Tenants: If you manage multiple orgs, standardize your management via Lighthouse. Ensure all customers have the Baseline security configuration applied (MFA for all users, Defender for Business on all devices, etc.) through Lighthouse’s deployment tasks[4]. Use Lighthouse’s multi-tenant reports to spot anomalies – for example, if one client’s Secure Score is significantly lower than others, investigate why (maybe they haven’t enabled MFA – which you can fix).

  • Alert Tuning and Incident Response: Customize alert policies so that you’re getting alerts that matter without too many false alarms. It’s better to start with a slightly broader net (report more and then adjust) than to miss critical events. Importantly, have an incident response plan for when an alert comes in. For example, if you get an alert “Mass deletion of files” – your plan might be: Check if the user account is compromised, restore files from OneDrive backup (if ransomware suspected), then retrain the user or further secure their account. Having pre-defined steps for common alerts will save time.

  • Document and Educate: Keep a runbook of what each alert means and how to handle it, and document any issues and fixes found via health or usage monitoring. If you’re part of a team, ensure knowledge is shared. Also educate leadership with periodic summaries: e.g., a monthly “IT health report” highlighting key stats (uptime, any notable alerts, usage growth). This showcases the value of proactive monitoring to stakeholders.

  • Stay Informed on Updates: Microsoft 365 is a constantly evolving platform. New reports, new alert types, and new portal capabilities appear frequently. Subscribe to Microsoft 365 Message Center posts (in admin center) to know about upcoming changes. Microsoft often announces enhancements, like the introduction of a new Health dashboard feature or changes to alert policies. For example, a recent update introduced the Health dashboard preview that gives more granular telemetry (though aimed at large tenants)[11]. Being aware of new tools means you can incorporate them into your monitoring strategy. Microsoft’s official docs and tech community blogs (which we’ve linked throughout) are great ongoing references.

Real-World Scenario 1 – Stopping a Breach: An IT admin gets an alert email late at night: “Impossible travel activity detected: User John Doe logged in from New York and 10 minutes later from Russia.” This wasn’t one of the default alerts, but a custom alert they set up via Azure AD sign-in risk. Because of this early warning, they quickly checked John’s account and saw suspicious activity, then triggered a password reset and investigated the token theft that led to the breach. Early detection prevented the attacker from doing damage. (This underscores the value of tailored alert policies.)

Real-World Scenario 2 – License Optimization: A small business found they were over-paying for licenses. By looking at the Active Users and Teams usage reports over 90 days, the IT lead noticed about 15 accounts (out of 100) showed almost no activity in Exchange, OneDrive, or Teams[2]. After checking with HR, some of these were former employees or service accounts that didn’t need full licenses. They downgraded or removed these licenses, saving ~$1500/year, and used the Reports again later to ensure all active staff are actually using the services they have.

Real-World Scenario 3 – Using Lighthouse to Improve Security Across Clients: An MSP managing 20 customers uses Microsoft 365 Lighthouse. They observed in Lighthouse that 5 of those customers had Secure Score below 50%, whereas the others were above 70%. Using Lighthouse’s multi-tenant view, they identified common gaps – for example, those 5 had not enabled Conditional Access or had many users without MFA. The MSP rolled out Conditional Access policies to all 5 tenants in one standardized way (via Lighthouse baselines) and raised their Secure Scores, reducing overall risk. Additionally, when a global ransomware outbreak occurred, the MSP watched the Lighthouse threat alerts and device compliance – within hours they saw which endpoints had blocked the threat via Defender and confirmed all other tenants were safe, all from the single portal.

5. Potential Pitfalls and Troubleshooting Tips

Even with these great tools, admins can run into challenges. Here are some potential pitfalls to be aware of, and tips to troubleshoot issues:

5.1 Common Pitfalls to Avoid
  • Alert Fatigue: If you turn on too many alerts (or leave defaults unchecked), you might get bombarded with emails and start ignoring them. Avoid alert fatigue by tuning policies carefully – focus on high-severity events first. It’s better to get a few meaningful alerts than dozens that are noise. Review alert efficacy periodically: if an alert hasn’t triggered in 6 months, is it because nothing happened (good) or because it was misconfigured? If an alert triggers too often with false positives, refine it. Remember, some built-in alerts (like certain information governance alerts) were even deprecated by Microsoft due to false positives[8], so tailor things to your environment.

  • Over-reliance on Defaults: The default security alerts and reports are helpful but don’t assume they cover everything. For instance, default usage reports won’t tell you if a user is misusing data internally, and default alerts might not catch a specific business policy violation. Always assess your unique requirements (maybe you need an alert for when someone accesses a finance mailbox, or a custom report on SharePoint activity in a specific site) and use the available tools (audit logs, PowerBI, etc.) to build those insights.

  • Not Assigning Permissions Properly: A less obvious pitfall is failing to grant the right admin roles to team members who need to monitor things. If only the Global Admin can see usage reports or secure score, you create a bottleneck. Use roles like Reports Reader (to allow an analyst to view usage data without full admin rights)[2], or Security Reader (to let a security team member review alerts without making changes). This principle of least privilege with appropriate access ensures you can distribute monitoring tasks without compromising security.

  • Ignoring Adoption and Training: Monitoring usage is only useful if you act on it. If reports show low usage of a service, the pitfall is to just note it and do nothing. Best practice is to follow up with adoption campaigns or user surveys to understand why and take action. Microsoft 365’s value comes from users actually using the tools – IT’s job is not just to monitor but also to enable and encourage optimal use.
5.2 Troubleshooting Tips
  • “My reports are empty or not updating”: If you find that usage reports are not showing data (or show zeros), consider: (1) It might be a timing issue – reports can take 24-48 hours to update with recent activity[2], and some new features might not populate older data. (2) Ensure that the services are actually in use and that you’re looking at the correct date range. (3) Check the privacy settings – if user-level info is hidden, the aggregate should still show, but if nothing is showing, there could be a permissions issue. Only certain roles can access reports; verify your account has one of the allowed roles (Global admin, Exchange admin, Reports reader, etc.)[2]. (4) If using Power BI usage analytics, make sure the content pack is connected and the data refresh is scheduled.

  • “Not receiving alert emails”: If an alert should have fired but you got no email, first check the Alerts dashboard manually – did the alert trigger at all? If it did and email didn’t arrive, verify the notification settings on that policy (correct recipient address, and that the toggle to send email is enabled). Check spam/junk folder. Also, emails come from Microsoft (often with subject like “Security alert: [Policy Name]”); ensure your mail flow rules don’t block these. If the alert never triggered, confirm that the activity actually happened and meets the policy conditions. Remember newly created policies take up to 24h to activate[8]. If after 24h it still doesn’t trigger on known events, there might be a licensing limitation – e.g., you set a threshold-based alert but only have E3; try re-creating it to trigger “every time” as a test. Also double-check that Audit logging is on – without audit events, alerts won’t fire.

  • “Alert policy creation failed or is grayed out”: This could be a permission issue – you need the “Manage Alerts” role to create/edit alert policies[8]. Global admins have it, but if you’re a Security Administrator in Purview, ensure that role includes Manage Alerts (Microsoft recently unified roles in Defender portal). If using built-in roles, assign the Compliance Manager or Security Administrator roles to manage alerts. If it’s still grayed out, it might be a glitch; try a different browser or clear cache – occasionally the portal UI has hiccups. Alternatively, you can create alert policies via PowerShell (using the New-ProtectionAlert cmdlet) as a workaround.

  • Lighthouse Troubleshooting: If you’re not seeing a tenant or data in Lighthouse: (1) Confirm the tenant is Business Premium (or supported SKU) and you have a Delegated Admin relationship. (2) Give it 48 hours after adding a new tenant[7]. (3) If some features like device compliance or user info are missing for a tenant, that tenant might not have Intune or Entra ID P1 licenses for those users[7] – features vary by license. (4) If Lighthouse itself is having an outage or doesn’t load data, check the Partner Center or Lighthouse support pages – there could be a service issue (Lighthouse is still relatively new). Microsoft’s Lighthouse FAQ and support channels can assist with persistent issues[7].

  • Service Health and Message Center issues: If the Service health page isn’t showing anything (which would be rare), ensure you have appropriate permissions. If you suspect a service issue but nothing is on Service Health, use the “Report an Issue” feature[1] – it might actually be a brand new problem. For Message Center (which gives change announcements), consider using the Office 365 Admin mobile app or email digest options if you’re not seeing those in the portal.

Conclusion: By effectively utilizing the Microsoft 365 admin center’s health and usage dashboards, setting up targeted alert policies, and (for partners) leveraging Microsoft 365 Lighthouse, IT professionals can stay on top of their Microsoft 365 Business Premium environments. This proactive monitoring approach ensures that you catch issues early – whether it’s a service outage, a security threat, or simply a dip in usage that warrants a training session. Remember to continuously refine your monitoring based on experience, follow best practices, and reference Microsoft’s documentation for the latest capabilities. With the right setup, you’ll keep your Microsoft 365 environment running healthy, efficiently, and securely. [11][5]

References

[1] How to check Microsoft 365 service health

[2] Microsoft 365 admin center activity reports – Microsoft 365 admin

[3] Understand usage wherever people are working with new and updated usage …

[4] Enabling partners to scale across their SMB customers with Microsoft …

[5] Overview of Microsoft 365 Lighthouse – Microsoft 365 Lighthouse

[6] Enabling security and management across all your SMB customers with …

[7] Microsoft 365 Lighthouse frequently asked questions (FAQs)

[8] Alert policies in the Microsoft Defender portal

[9] Configure alerts for your 365 Tenant from the Security … – ITProMentor

[10] Email alert when roles are adjusted | Microsoft Community Hub

[11] Microsoft 365 monitoring – Microsoft 365 Enterprise

Unknown's avatar

Published by directorcia

Published

Leave a comment