
Deploying Microsoft Lighthouse for Broker-Dealer Compliance Standardization

Written by Justin Kirsch | Thu, Mar 19, 2026

A broker-dealer that operates through seven affiliated entities and forty-three branches cannot examine itself by hand. The chief compliance officer cannot keep up. The IT team cannot keep up. Examiners notice. The firms that pass clean exams have one thing in common: a single operational owner running the technical controls across every entity in their regulatory perimeter, with a single console view, fed back to the compliance team as ready-to-use evidence. That operational owner is a Tier-1 Direct-Bill Cloud Solution Provider using Microsoft 365 Lighthouse as the multi-tenant control plane. Access Business Technologies operates Microsoft 365 tenants for 750+ financial institutions, and broker-dealers are a core part of that footprint.

Why ABT Runs Lighthouse for Broker-Dealers

  • Broker-dealer-specific DLP and retention policies tested against actual FINRA exam questions, not generic SMB templates. Customer NPI, order tickets, and supervisory correspondence each have their own retention and data-loss-prevention profile.
  • Communication Compliance review templates aligned to actual FINRA findings under Rule 3110.09. The off-channel pattern recurs across cycle examinations, and the review templates are tuned to catch what examiners are catching.
  • Microsoft Sentinel deployment with analytic rules tuned to broker-dealer attack patterns, including registered-representative impersonation, branch-targeted phishing, and customer-account takeover signals, rather than vendor-default SMB rules.

For a broker-dealer that operates through a network of offices of supervisory jurisdiction (OSJs), independent contractor branches, or affiliated registered investment advisers, Lighthouse turns what used to be a quarterly manual audit into a continuous monitoring function tied directly to the cybersecurity and books-and-records rules that FINRA and the SEC examine against. The firm itself never logs in to the Lighthouse portal. The firm experiences the outcomes: consistent security baselines, audit-ready reports, drift detection across affiliated entities, and ready-to-hand evidence when an examiner calls.

This article explains what Lighthouse does for broker-dealers specifically, how it maps to the regulatory regime under FINRA Rule 4370, SEC Regulation S-P, and SEA Rules 17a-3 and 17a-4, what a clean deployment looks like, and how a Tier-1 Direct-Bill Cloud Solution Provider like ABT pulls the whole picture together for securities firms that need standardization without slowing the business down.

750+
The number of financial institutions ABT operates Microsoft 365 tenants for, including broker-dealers, banks, credit unions, mortgage companies, and securities firms. Every one of them runs under a common multi-tenant control plane that produces audit evidence on demand.
Source: Access Business Technologies customer footprint, 2026.

What Microsoft 365 Lighthouse Is and Why Broker-Dealers Should Care

Microsoft 365 Lighthouse is the multi-tenant control plane available exclusively to Microsoft Cloud Solution Provider partners with delegated administrative access. A broker-dealer cannot access Lighthouse directly. Only its CSP partner can. What the broker-dealer experiences are the operational outcomes: consistent security baselines applied across every tenant in the firm's regulatory perimeter, audit-ready reports produced on demand for FINRA examiners, and continuous drift detection across affiliated entities so a misconfigured branch tenant is surfaced before an examiner finds it.

The portal does not exist for the broker-dealer to use. It exists for the operational owner who runs the firm's Microsoft 365 footprint to keep that footprint consistent across the legal-entity structure. Only a CSP with delegated access can produce those outcomes, because Lighthouse is a partner-side tool and the partner relationship under Granular Delegated Administrative Privileges (GDAP) is what authorizes the access in the first place. The portal is invisible to the firm's chief compliance officer in day-to-day operations, but it produces the artifacts a CCO can hand to an examiner without spending three weeks pulling screenshots.

Tier-1 Direct-Bill CSP is Microsoft's top program tier for partners. Only a small fraction of the Microsoft CSP ecosystem qualifies. A Direct-Bill partner transacts directly with Microsoft, holds dedicated support engineers, and is operationally accountable to Microsoft for how customer tenants are configured and run. It is the difference between a partner who resells Microsoft licenses and a partner Microsoft trusts to operate enterprise-grade tenants at scale. For a broker-dealer choosing a CSP, Tier-1 Direct-Bill is a fast first-pass filter. See Microsoft CSP Direct-Bill Requirements for the canonical program criteria.

Lighthouse access runs through the partner's CSP relationship with each customer tenant. Microsoft recommends Granular Delegated Administrative Privileges (GDAP) over the legacy DAP model so the partner's access is scoped per client and per role rather than granted as a single sweeping admin account. That scoping aligns directly with least-privilege expectations that examiners look for under FINRA Rule 3110 supervision. The partner is responsible for keeping the deployment inside Microsoft's operational parameters for Lighthouse, so the firm experiences a Microsoft-supported control plane without having to manage the partner-program mechanics.

Why This Matters for Broker-Dealers

Examiners are increasingly explicit that they expect to see consistent, documented technical controls across every entity in the firm's regulatory perimeter, not a patchwork of branch-by-branch decisions. The FINRA 2026 Annual Regulatory Oversight Report lists "inadequate supervision" of electronic communications, off-channel platforms, and third-party vendors as recurring findings. A multi-tenant management plane like Lighthouse is one of the cleanest ways to demonstrate that the firm applies a single security baseline across its M365 footprint and continuously monitors for drift.

The Broker-Dealer Regulatory Landscape: FINRA, SEC, and MSRB Expectations

Broker-dealer compliance does not sit under a single rule. It is a stack. The firm must meet FINRA membership rules, SEC books-and-records rules under Section 17 of the Exchange Act, MSRB rules where it deals in municipal securities, and state-level securities and privacy rules where it has registered representatives. The Microsoft 365 controls that Lighthouse standardizes map cleanly to the technology-focused subset of that stack.

The most relevant rules for a Lighthouse deployment are the ones that govern identity, device, communication, and recordkeeping security across the firm.

Regulation: SEC Regulation S-P (amended 2024)
  What it requires: Written incident response program, customer notification within 30 days of unauthorized access to sensitive customer information, third-party service provider oversight, safeguards covering administrative, technical, and physical controls.
  Microsoft 365 control surface: Microsoft Purview Data Loss Prevention, Microsoft Defender for Office 365 incident workflows, Microsoft Sentinel for SIEM and incident timeline evidence, Conditional Access policies in Microsoft Entra ID.

Regulation: SEC Regulation S-ID (Identity Theft Red Flags)
  What it requires: Written program to detect, prevent, and mitigate identity theft on covered accounts.
  Microsoft 365 control surface: Microsoft Entra ID sign-in risk policies, Identity Protection alerts, Defender for Identity user behavior analytics.

Regulation: SEA Rule 17a-3
  What it requires: Minimum records that broker-dealers must make and maintain (blotters, ledgers, customer account records, trade tickets, correspondence).
  Microsoft 365 control surface: Exchange Online + SharePoint Online with Microsoft Purview retention policies; Purview Audit logs as the time-stamped trail.

Regulation: SEA Rule 17a-4
  What it requires: Electronic records must preserve a complete time-stamped audit trail of all modifications and deletions, retention not less than 6 years (first 2 in an easily accessible place), prompt production on examiner request.
  Microsoft 365 control surface: Microsoft Purview retention policies and litigation hold; Purview Audit Premium for one-year (extendable to ten) audit log retention; Compliance Manager templates.

Regulation: FINRA Rule 4370 (Business Continuity)
  What it requires: Written business continuity plan covering data backup and recovery, mission-critical systems, alternate communications with customers and employees.
  Microsoft 365 control surface: Microsoft 365 backup posture, Defender for Endpoint device recovery, Teams as alternate communication channel, Microsoft Sentinel incident timeline.

Regulation: FINRA Rule 3110 (Supervision) and 3110.09 (Retention of Correspondence)
  What it requires: Written supervisory procedures covering business communications on every approved channel; controls to prevent off-channel communications.
  Microsoft 365 control surface: Microsoft Purview Communication Compliance, Defender for Office 365 phishing and impersonation policies, Intune mobile application management blocking unmanaged messaging apps.

Regulation: FINRA Rule 4511 (General Books and Records)
  What it requires: Make and preserve books and records as required under FINRA Rules, the Exchange Act, and applicable SEA Rules.
  Microsoft 365 control surface: Same Microsoft Purview retention and audit infrastructure as 17a-3 and 17a-4, applied uniformly across every M365 tenant in the firm's footprint.

The pattern in that table is the point. Most modern broker-dealer compliance obligations resolve to controls inside Microsoft 365. The question is not whether the controls exist. Microsoft Entra ID, Microsoft Purview, Microsoft Intune, Microsoft Defender, and Microsoft Sentinel are already there in any reasonably licensed tenant. The question is whether those controls are configured consistently across every branch, every affiliate, and every device, and whether the firm can produce evidence of that configuration in the form an examiner will accept. Lighthouse is the operational answer to the second question.

How Lighthouse Standardizes Compliance Across Branches and Affiliates

The structural problem at a multi-entity broker-dealer is that compliance drift happens slowly. An OSJ in one region adds a new branch and the local IT contact sets up Microsoft 365 with the default tenant settings. Six months later that branch is still on default 90-day audit retention while the home office has been on 365-day retention since 2024. The branch enforces MFA on most users but not the office manager who shares a workstation with two registered representatives. Devices arrive at the branch from a regional supplier and are never enrolled in Intune. None of this is malicious. It is the natural drift of a federated organization without a multi-tenant control plane.

Lighthouse closes that drift in three ways that matter for examination readiness.

Standard security baselines applied across every tenant. Lighthouse ships with a Microsoft-defined SMB security baseline that includes MFA enforcement, legacy authentication blocking, Microsoft Defender Antivirus configuration, BitLocker device encryption, and device compliance rules. The Tier-1 CSP partner applies that baseline across every tenant the firm operates, then layers firm-specific policies on top (extended retention, broker-dealer-specific DLP for customer NPI, branch-specific Conditional Access location filters). When examiners ask whether MFA is enforced firm-wide, the answer is a single dashboard view, not a spreadsheet that took two weeks to assemble.

Continuous drift detection. If a new branch comes online with a misconfigured tenant, Lighthouse surfaces the drift inside the partner's dashboard within the next refresh cycle. The same is true when a device falls out of compliance, when an admin account is created outside the firm's standard process, or when a Conditional Access policy is modified locally. The partner sees the change, alerts the firm's compliance leadership, and either remediates or documents the exception. The pattern produces an auditable trail of the firm's response, which is the form FINRA Rule 3110 supervision expects.

Productivity uplift for the IT and compliance teams. The single biggest cost in a multi-branch broker-dealer's compliance posture is not the technology. It is the staff time spent reconciling configurations across portals. A Tier-1 CSP managing the firm's tenants through Lighthouse replaces that reconciliation work with a single console view, freeing the firm's IT and compliance staff to focus on the higher-judgment work that examiners actually want them doing: reviewing flagged communications, investigating sign-in risk alerts, validating exceptions, and preparing case files. That productivity gain is the lead reason firms move to a managed Lighthouse deployment. The audit-readiness improvement is the byproduct.

Standardization is the productivity unlock. Audit readiness is the byproduct. Both show up on the same dashboard.

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

Microsoft 365 Lighthouse is the multi-tenant control plane that ties the other security and compliance products together for a federated broker-dealer. Microsoft Entra ID supplies the identity layer (MFA, Conditional Access, sign-in risk, GDAP scoping). Microsoft Intune enrolls and posture-checks every device that touches firm data. Microsoft Defender for Office 365 and Microsoft Defender for Endpoint handle the active threat side. Microsoft Purview Audit, DLP, retention, and Communication Compliance hold up the books-and-records side. Microsoft Sentinel aggregates the signals into a SIEM that satisfies FINRA Rule 4370 incident detection and Regulation S-P incident response evidence requirements. Lighthouse is the portal where a Tier-1 CSP applies, monitors, and documents all of it across every tenant in the firm's footprint. ABT layers M365 Guardian, the firm's broker-dealer-tuned operating model for these Microsoft tools, on top of the Lighthouse deployment.

Source: Microsoft Learn, "Overview of Microsoft 365 Lighthouse" and "Requirements for Microsoft 365 Lighthouse," 2024-2026.

A Partner-Evaluation Checklist: What a CSP's Lighthouse Proposal Should Cover

The broker-dealer does not deploy Lighthouse. The CSP partner does. When you evaluate a CSP partner for a Lighthouse-managed deployment, the partner's proposal should cover the seven items below. Each item is a question to ASK the partner, not a step to do yourself. The order matters because identity has to settle before device posture is meaningful, device posture has to settle before threat detection becomes signal rather than noise, and the audit layer has to be in place before the firm produces evidence to examiners.

Figure: Broker-dealer CSP partner-evaluation checklist, the seven items a Tier-1 Direct-Bill CSP's Lighthouse-managed deployment proposal should cover, from CSP enrollment scope through Microsoft Sentinel SIEM integration.

Ask the partner to confirm Tier-1 Direct-Bill CSP status and tenant architecture

Ask the partner whether they hold Tier-1 Direct-Bill CSP status, since that designation governs how Microsoft holds them accountable for the deployment. Ask how the partner will map every operating entity (broker-dealer, affiliated RIA, holding company) to its own tenant or sub-tenant so the Lighthouse view reflects the firm's actual legal structure. Ask how the partner will keep the tenant footprint inside Microsoft's operational parameters as the firm adds branches and affiliated entities over time.

Ask about GDAP scoping and least-privilege roles

Ask the partner how Granular Delegated Administrative Privileges will scope access per tenant and per role. The partner's proposal should name which Microsoft Entra ID roles the partner requires for ongoing management and why blanket Global Administrator is not on the list. Ask the partner to document the GDAP grants and the renewal cadence in a form the firm can attach to its vendor oversight program under amended Regulation S-P.

Ask how the partner will apply the Microsoft Entra ID Conditional Access MFA baseline

Ask the partner whether Conditional Access policies will be set in Grant mode (not Report-Only) to enforce MFA on all registered representatives, supervisory principals, and operations staff. Ask for location-aware filters for branch offices, device-compliance requirements for unmanaged devices, a step-up policy for high-risk sign-ins, and an explicit block on legacy authentication. Legacy authentication is a recurring vector in cybersecurity findings.

Ask how Microsoft Intune will cover every device with broker-dealer compliance policies

Ask the partner to describe firm-wide compliance policies covering OS version, BitLocker encryption, Defender Antivirus status, password complexity, and patch level. Intune device enrollment is the prerequisite for Lighthouse's device compliance view. Ask the partner about app protection policies for mobile devices that handle business communications, since unmanaged personal devices are the recurring source of off-channel violations under FINRA Rule 3110.09.

Ask about Microsoft Purview Audit Premium and retention policies

Ask the partner whether Premium audit log retention will extend the default window to one year, with the option to extend to ten years using the extended retention add-on, which matches the practical retention floor for SEA Rule 17a-4 business records. Ask how retention policies will bind to Exchange Online mailboxes, SharePoint sites, OneDrive accounts, and Teams chat to hold communications and order tickets in a tamper-evident form.

Ask how the partner deploys Microsoft Defender for Office 365 and Defender for Endpoint

Ask the partner about anti-phishing, anti-impersonation, Safe Attachments, and Safe Links policies in Microsoft Defender for Office 365 that protect the email channel handling most customer correspondence. Ask about Microsoft Defender for Endpoint as the device-side detection and response surface. Ask how both feed into Microsoft Sentinel for unified incident timelines and integrate with the firm's Regulation S-P incident response program.

Ask how Microsoft Sentinel will be configured as the SIEM of record

Ask the partner how Microsoft Sentinel will aggregate signals from Microsoft Entra ID, Defender, Purview, and Intune into a single incident view. For broker-dealers, that incident timeline doubles as the evidence trail for Regulation S-P 30-day customer notification, FINRA Rule 4370 business continuity testing, and FINRA Rule 4530 reporting obligations. Ask the partner whether the analytic rules will be tuned to the firm's actual risk profile or left at vendor defaults.
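As an added example, not ABT's code or a Microsoft tool, the drift checks described in the branch-drift scenario above and in the Conditional Access, Intune and Purview audit items of this checklist, run over constructed per-tenant configuration snapshots. The Conditional Access records follow the Microsoft Graph conditionalAccessPolicy field names (state, conditions, grantControls); the snapshot wrapper fields (audit_retention_days, devices, intune_enrolled) and the tenant names are hypothetical.

```python
"""Cross-tenant drift check over exported Microsoft 365 configuration snapshots.

Added example (not ABT's or Microsoft's code). Conditional Access policies use the
Microsoft Graph conditionalAccessPolicy field names; the per-tenant wrapper
(audit_retention_days, devices) is a hypothetical export format.
"""

BASELINE_AUDIT_DAYS = 365                             # home-office standard from the article
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth


def _controls(p):
    return set(p.get("grantControls", {}).get("builtInControls", []))


def _tenant_wide(p):
    c = p["conditions"]
    return "All" in c["users"].get("includeUsers", []) and "All" in c["applications"].get("includeApplications", [])


def mfa_findings(policies):
    """MFA must be enforced in Grant mode for all users; every exclusion is reported."""
    findings, enforced = [], []
    for p in policies:
        if "mfa" not in _controls(p) or not _tenant_wide(p):
            continue
        if p.get("state") == "enabledForReportingButNotEnforced":   # Report-Only, not Grant mode
            findings.append(("CA_MFA_REPORT_ONLY", p["displayName"]))
        elif p.get("state") == "enabled":
            enforced.append(p)
    if not enforced:
        findings.append(("CA_MFA_MISSING", "no enforced tenant-wide MFA policy"))
    for p in enforced:
        for user in p["conditions"]["users"].get("excludeUsers", []):
            findings.append(("CA_MFA_EXCLUSION", f"{p['displayName']} excludes {user}"))
    return findings


def legacy_auth_findings(policies):
    """Legacy client apps must be blocked by an enforced, tenant-wide policy."""
    for p in policies:
        if (p.get("state") == "enabled" and "block" in _controls(p) and _tenant_wide(p)
                and LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))):
            return []
    return [("CA_LEGACY_AUTH_NOT_BLOCKED", "no enforced block on legacy client apps")]


def audit_findings(snapshot):
    days = snapshot.get("audit_retention_days", 90)  # Purview default window is 90 days
    return [("AUDIT_RETENTION_BELOW_BASELINE", f"{days} < {BASELINE_AUDIT_DAYS}")] if days < BASELINE_AUDIT_DAYS else []


def device_findings(snapshot):
    """Devices never enrolled in Intune are invisible to the Lighthouse compliance view."""
    return [("DEVICE_NOT_ENROLLED", d["name"]) for d in snapshot.get("devices", []) if not d.get("intune_enrolled")]


def check_tenant(snapshot):
    policies = snapshot.get("conditional_access_policies", [])
    return mfa_findings(policies) + legacy_auth_findings(policies) + audit_findings(snapshot) + device_findings(snapshot)


def check_footprint(snapshots):
    """tenant name -> findings; an empty list means the tenant matches the baseline."""
    return {name: check_tenant(snap) for name, snap in snapshots.items()}


def _ca(name, state, controls, apps=("browser", "mobileAppsAndDesktopClients"), exclude=()):
    """Build a Graph-shaped Conditional Access policy for the constructed samples."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
                           "applications": {"includeApplications": ["All"]}, "clientAppTypes": list(apps)},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


SAMPLE_FOOTPRINT = {  # constructed snapshots, not real tenants
    "home-office": {"audit_retention_days": 365,
                    "conditional_access_policies": [_ca("Require MFA - all users", "enabled", ["mfa"]),
                                                    _ca("Block legacy auth", "enabled", ["block"], LEGACY_CLIENT_APPS)],
                    "devices": [{"name": "HO-LT-001", "intune_enrolled": True}]},
    "branch-17": {"audit_retention_days": 90,  # still on the tenant default
                  "conditional_access_policies": [
                      _ca("Require MFA - all users", "enabled", ["mfa"], exclude=["officemgr@branch17.example"]),
                      _ca("Block legacy auth", "enabledForReportingButNotEnforced", ["block"], LEGACY_CLIENT_APPS)],
                  "devices": [{"name": "B17-WS-004", "intune_enrolled": False},
                              {"name": "B17-LT-002", "intune_enrolled": True}]},
    "affiliate-ria": {"audit_retention_days": 365,
                      "conditional_access_policies": [
                          _ca("Require MFA - all users", "enabledForReportingButNotEnforced", ["mfa"]),
                          _ca("Block legacy auth", "enabled", ["block"], LEGACY_CLIENT_APPS)],
                      "devices": []},
}

if __name__ == "__main__":
    for tenant, findings in check_footprint(SAMPLE_FOOTPRINT).items():
        print(tenant, "matches baseline" if not findings else findings)
```

A real run would replace SAMPLE_FOOTPRINT with per-tenant exports pulled through the partner's GDAP-scoped Graph access; the finding codes are what the partner would log as the documented exception or remediation record.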

Audit Evidence and Purview Integration for SEA Rule 17a-4

The audit-evidence layer is where most broker-dealer deployments either pass or stumble. SEA Rule 17a-4 sets an unambiguous bar for electronic records. The records system must preserve a complete time-stamped audit trail covering all modifications and deletions, the identity of the individual who made each change, the date and time of every create-modify-delete action, and any other information needed to authenticate the record and re-create the original if it is modified. The system must be capable of immediate production of records on examiner request. Third-party recordkeeping services are allowed, but only with an executed undertaking that allows examiners and SIPC trustees to access records directly.

Microsoft Purview is the layer inside Microsoft 365 that meets that bar. Purview Audit provides the time-stamped audit log across Exchange Online, SharePoint Online, OneDrive, Teams, and Entra ID. Audit Premium extends retention to one year and (with the add-on) up to ten. Retention policies bind tamper-evident retention to mailboxes, sites, and Teams channels. Litigation hold preserves records that fall under regulatory inquiry or pending litigation. Communication Compliance lets the firm sample, classify, and review business communications for off-channel behavior, harassment, or other policy-flagged content.

Lighthouse is how the firm's CSP partner makes sure those Purview controls are configured the same way across every tenant in the firm's footprint, and how the partner produces the cross-tenant audit reports that a CCO can hand to an examiner.

Without Lighthouse

A FINRA cycle examination opens at the firm. The examiner asks for retention configurations and audit logs across all seven affiliated entities for a 24-month lookback. The CCO emails seven different IT contacts. Two contacts have left the firm. Three of the remaining five send screenshots that show different retention windows. The CCO assembles a spreadsheet by hand. The exam stretches into a second sweep. The firm receives a finding for inconsistent retention.

With Lighthouse

The same exam opens. The CSP partner pulls a cross-tenant configuration report from Lighthouse that shows the applied baseline, the active retention policies, the Conditional Access state, and the Defender posture for all seven tenants in one view. The CCO produces the audit log extracts from Purview Audit on demand. The exam closes on time. The firm has no finding on this surface.

A broker-dealer's CCO does not need to know what Lighthouse looks like. The CCO needs to know that when an examiner asks for the 24-month retention history across all seven affiliated entities, the partner running the firm's Microsoft 365 tenants produces it in two hours, not three weeks. That is the operating-model difference. The portal is the partner's tool. The outcome is the firm's evidence.

Get a Broker-Dealer Lighthouse Readiness Review

ABT runs the Lighthouse-managed deployment pattern described in this article for broker-dealers operating across multiple OSJs, affiliated RIAs, and independent contractor branches. A 30-minute conversation maps your current tenant footprint, surfaces the gaps your next FINRA examiner is most likely to find, and outlines what an ABT-managed deployment would cover. No commitment, no quote, no obligation.

The ABT Tier-1 CSP Advantage for Regulated Securities Firms

Access Business Technologies is a Tier-1 Microsoft Cloud Solution Provider that manages Microsoft 365 tenants for more than 750 financial institutions. The firm's footprint covers banks, credit unions, mortgage companies, and securities firms operating under federal and state regulatory oversight. For broker-dealers specifically, ABT applies the Lighthouse-managed deployment pattern described in this article and layers it with the firm-specific compliance work that examiners actually grade.

That layered model has a name: M365 Guardian. Lighthouse is the Microsoft baseline. Guardian is ABT's operating model on top of it for regulated financial services firms. For a broker-dealer, the Guardian layer includes firm-specific Conditional Access policies tuned to branch geography and registered representative behavior, broker-dealer-specific DLP policies for customer NPI and order ticket data, retention policies aligned to SEA Rule 17a-4 with documented testing of restore and production workflows, Communication Compliance review templates calibrated to actual FINRA findings under Rule 3110.09 rather than vendor SMB defaults, a Microsoft Sentinel deployment tuned to broker-dealer attack patterns, and the 24/7 security operations center that watches the Sentinel and Defender signals every minute of the day. The broker-dealer keeps its Microsoft 365 licensing and retains its tenant ownership. The Guardian layer is added through the partner relationship.

ABT manages the Microsoft 365 tenants that broker-dealers operate. The firm continues to own the regulatory relationships, the registered representatives, and the customer accounts. The partner relationship is set up under GDAP with least-privilege role grants, an executed vendor oversight agreement that satisfies amended Regulation S-P third-party expectations, and an annual independent verification cycle that produces the evidence the firm's CCO needs for the firm's own examination prep.

Key Takeaway

Microsoft 365 Lighthouse turns multi-tenant security and compliance from a federated project that drifts between branches into a single managed control plane. For broker-dealers operating across multiple OSJs, affiliated RIAs, or independent contractor branches, that control plane is the cleanest available route to consistent application of the Microsoft Entra ID, Intune, Defender, Purview, and Sentinel controls that map directly to FINRA, SEC, and MSRB examination expectations. A Tier-1 CSP applies, monitors, and documents the deployment so the firm's CCO walks into an examination with the evidence already in hand.

Frequently Asked Questions

Can a broker-dealer log in to Microsoft 365 Lighthouse directly?

No. Microsoft 365 Lighthouse is the partner-side portal. Only partners enrolled in the Cloud Solution Provider program can sign in, and only against customer tenants where they have delegated access established under GDAP. The broker-dealer firm sees the operational outcome of the Lighthouse deployment, including consistent security baselines, device compliance posture, cross-tenant audit evidence, and incident timelines, but does not log in to the Lighthouse portal itself. The firm's chief compliance officer works inside the firm's own Microsoft 365 admin centers, with Purview and Defender producing the records and evidence that Lighthouse helped configure consistently.

Does Lighthouse itself preserve records for SEA Rule 17a-4?

Lighthouse does not preserve records itself. Microsoft Purview is the layer that meets the SEA Rule 17a-4 bar inside Microsoft 365. Purview Audit produces the time-stamped audit trail of every create, modify, and delete action across Exchange Online, SharePoint Online, OneDrive, Teams, and Microsoft Entra ID. Purview Audit Premium extends retention to one year with the option to extend to ten. Retention policies bind tamper-evident retention to the mailboxes, sites, and channels where records live. Lighthouse is the multi-tenant management plane that lets a Cloud Solution Provider apply those Purview configurations the same way across every customer tenant in a federated broker-dealer's footprint, so the firm's records system is consistent and the audit evidence is ready when an examiner asks for it.

What is GDAP, and why does it matter for broker-dealers?

GDAP replaced the legacy Delegated Administrative Privileges model as Microsoft's recommended way for a Cloud Solution Provider to access a customer tenant. With GDAP, the partner's access is scoped per tenant, per role, and for a defined time window, rather than granted as a single Global Administrator account. For broker-dealers, that scoping is important for two regulatory reasons. First, it aligns with the least-privilege expectations that examiners look for under FINRA Rule 3110 supervision. Second, it satisfies the third-party service provider oversight requirements added to SEC Regulation S-P in 2024, which require firms to document and oversee the access vendors hold to systems that contain sensitive customer information.

Does Lighthouse cover device compliance across branches and personal devices?

Yes, through Microsoft Intune. Lighthouse surfaces the device compliance status that Intune reports for every device enrolled across every managed tenant. Firm-owned laptops and workstations are enrolled into Intune with a corporate compliance baseline covering OS version, BitLocker encryption, Defender Antivirus status, and patch level. Personal devices used for business communications can be brought under Intune mobile application management, which protects firm data inside Outlook, Teams, and OneDrive without taking control of the personal device. Conditional Access policies in Microsoft Entra ID then block firm data from devices that fall out of compliance, which closes the off-channel device gap that recurs in FINRA Rule 3110.09 findings.

How does a Lighthouse-managed deployment support amended Regulation S-P?

The amended Regulation S-P, with smaller-entity compliance due June 3, 2026, requires a written incident response program, customer notification within 30 days of unauthorized access to sensitive customer information, and oversight of third-party service providers. A Lighthouse-managed deployment supports the technical side of that program in three ways. Microsoft Defender for Office 365 and Defender for Endpoint produce the detection signals. Microsoft Sentinel aggregates the signals into a single incident timeline that supports the 30-day notification analysis. Microsoft Purview Audit produces the time-stamped evidence of who accessed what and when. The Tier-1 Cloud Solution Provider applies and monitors those configurations across every tenant in the firm's footprint, and the partner relationship under GDAP itself satisfies a portion of the third-party oversight expectation when paired with the firm's executed vendor oversight agreement.

How does Lighthouse handle a broker-dealer with several operating entities and tenants?

A broker-dealer that operates through a holding company, an affiliated registered investment adviser, multiple OSJs, and a network of independent contractor branches usually has multiple Microsoft 365 tenants already, one per operating entity. Lighthouse is built for that shape. The CSP partner enrolls each operating entity's tenant under the same partner relationship, applies the firm-wide security baseline and retention policies through a single multi-tenant console, and surfaces drift across the whole legal-entity perimeter. A Tier-1 Direct-Bill Cloud Solution Provider advises on the tenant architecture during deployment planning so the Lighthouse view reflects the firm's actual regulatory structure rather than a flat list of unrelated tenants. ABT layers M365 Guardian on top of that architecture so the broker-dealer gets a unified operating model across every entity in the firm's footprint, not just unified visibility.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has guided Microsoft deployments for regulated financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, mortgage companies, and securities firms standardize their Microsoft 365 tenants for examination readiness without slowing down how the business actually works.