A secure, enterprise-grade multi-tenant security and compliance dashboard for Managed Service Providers
Built with modern web technologies and Microsoft 365 Lighthouse, Dashboardus provides MSPs with real-time visibility into customer tenant security posture, device compliance, and security incidents, all from a single, beautiful dashboard optimized for SOC/NOC wall displays.
Dashboardus empowers MSPs to deliver world-class security monitoring and compliance management across their entire customer base. Our mission is to make multi-tenant security visibility simple, secure, and beautiful.
Traditional MSP tools are fragmented, complex, and often require excessive permissions. Dashboardus takes a different approach:
- Security-First: Built on the principle of least privilege with zero secrets in the frontend
- Lighthouse-Native: Leverages Microsoft 365 Lighthouse for true multi-tenant visibility
- Modern UX: Beautiful, responsive interface optimized for 4K wall displays
- GDPR-Ready: PII anonymization features for compliance-conscious organizations
- Zero-Trust: Delegated permissions only, with GDAP and Conditional Access support
Dashboardus sets a new standard for secure MSP dashboards. Here's how we achieve enterprise-grade security:
- Zero secrets in frontend code: Unlike traditional SPAs that might expose secrets, Dashboardus uses only public client authentication
- MSAL Browser with PKCE: Implements OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE)
- No implicit flow: We explicitly avoid the deprecated implicit flow in favor of the more secure authorization code flow
- User-context authentication: All API calls are made with the signed-in user's permissions
- No app-only permissions: The dashboard cannot perform actions beyond what the MSP technician is authorized to do
- Comprehensive M365 E5 coverage: Supports full security monitoring across Microsoft's security stack:
  - Core: User.Read, ManagedTenants.Read.All, offline_access
  - Device Management: DeviceManagementManagedDevices.Read.All
  - Security (M365 E5): SecurityIncident.Read.All, SecurityAlert.Read.All, SecurityEvents.Read.All, ThreatIndicators.Read.All
  - Identity Protection (Entra P2): IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All
  - Compliance: Policy.Read.All, Directory.Read.All, AuditLog.Read.All, InformationProtectionPolicy.Read
Note: The dashboard gracefully handles missing permissions. Not all permissions are required for basic functionality.
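Added example, not part of the Dashboardus code base: one way to act on the note above is to compare the delegated scopes MSAL returns in `AuthenticationResult.scopes` against the documented read-only set, so panels whose scopes are missing can be hidden and anything consented beyond the README's list is flagged. The group keys, function names and sample grant are hypothetical; the read-only test is a heuristic on the scope's verb segment.

```typescript
// Added example. Scope names are the README's; every other name here is hypothetical.
const DOCUMENTED_SCOPES: Record<string, string[]> = {
  core: ["User.Read", "ManagedTenants.Read.All", "offline_access"],
  deviceManagement: ["DeviceManagementManagedDevices.Read.All"],
  security: ["SecurityIncident.Read.All", "SecurityAlert.Read.All",
             "SecurityEvents.Read.All", "ThreatIndicators.Read.All"],
  identityProtection: ["IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"],
  compliance: ["Policy.Read.All", "Directory.Read.All", "AuditLog.Read.All",
               "InformationProtectionPolicy.Read"],
};
// Assumption: standard OpenID Connect scopes may accompany the Graph scopes.
const OIDC_SCOPES = ["openid", "profile", "email"];

// Graph scopes can arrive bare or resource-qualified; compare case-insensitively.
function normalize(scope: string): string {
  return scope.replace(/^https:\/\/graph\.microsoft\.com\//i, "").toLowerCase();
}

// Heuristic: the second segment of a Graph scope is its verb (Read, ReadWrite, Send, ...).
function isReadOnly(scope: string): boolean {
  const verb = normalize(scope).split(".")[1] || "";
  return /^read(?!write)/.test(verb);
}

interface ScopeAudit {
  missing: Record<string, string[]>; // documented scopes not granted, per group
  unexpected: string[];              // granted scopes the README does not list
  notReadOnly: string[];             // unexpected scopes that are not read-only
}

function auditGrantedScopes(granted: string[]): ScopeAudit {
  const have = granted.map(normalize);
  const known = OIDC_SCOPES.slice();
  const missing: Record<string, string[]> = {};
  for (const group of Object.keys(DOCUMENTED_SCOPES)) {
    const scopes = DOCUMENTED_SCOPES[group];
    for (const s of scopes) known.push(normalize(s));
    missing[group] = scopes.filter((s) => have.indexOf(normalize(s)) === -1);
  }
  const unexpected = granted.filter((s) => known.indexOf(normalize(s)) === -1);
  return { missing, unexpected, notReadOnly: unexpected.filter((s) => !isReadOnly(s)) };
}

// Constructed sample: no E5/P2 scopes consented, plus one over-consented write scope.
const SAMPLE_GRANTED = [
  "openid", "profile", "User.Read", "offline_access",
  "https://graph.microsoft.com/ManagedTenants.Read.All",
  "devicemanagementmanageddevices.read.all",
  "Policy.Read.All", "Directory.Read.All", "AuditLog.Read.All",
  "DeviceManagementManagedDevices.ReadWrite.All",
];
```

A non-empty `notReadOnly` list means the app registration no longer matches the read-only design and should be reviewed before the dashboard is put on a shared display.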
- Granular Delegated Admin Privileges (GDAP): Leverages Microsoft's modern GDAP model for customer tenant access
- Lighthouse-first design: Uses Microsoft 365 Lighthouse APIs for aggregated multi-tenant data
- Role-based access: Respects GDAP role assignments and Lighthouse RBAC
- No direct tenant switching: All data flows through Lighthouse, maintaining proper access boundaries
- SessionStorage for tokens: Tokens stored in sessionStorage (not localStorage) for better security on shared displays
- Automatic token refresh: Silent token renewal prevents unnecessary re-authentication
- Session timeout: Configurable auto-lock feature for unattended displays
- Sign-out on close: Session tokens cleared when browser closes
- Conditional Access ready: Fully compatible with Azure AD Conditional Access policies
- Device compliance enforcement: Can require compliant devices for dashboard access
- Phishing-resistant authentication: Supports Windows Hello, FIDO2, and Passkeys
- Location-based policies: Works with Conditional Access location restrictions
- PII anonymization toggle: Hide user names, emails, and device names for public displays
- No data persistence: Dashboard doesn't store customer data locally
- Audit-friendly: All actions logged to browser console for troubleshooting
- Data minimization: Only fetches data necessary for current view
- No write operations: Dashboard cannot modify devices, users, or policies
- Deep links for actions: Links to admin portals (Intune, Defender, Entra) for write operations
- Separation of concerns: Viewing and acting are separate, reducing risk
Dashboardus leverages the best of Microsoft's cloud platform and modern web technologies:
- React 18 with TypeScript for type-safe, maintainable code
- Vite for lightning-fast development and optimized production builds
- Tailwind CSS for beautiful, responsive UI
- Lucide React for consistent, modern iconography
- MSAL Browser 3.7 for secure OAuth 2.0 authentication
- Microsoft Graph JavaScript SDK for type-safe API calls
- Microsoft 365 Lighthouse APIs for multi-tenant data aggregation
- Microsoft Entra ID (Azure AD) for identity and access management
- Microsoft Intune for device management and compliance
- Microsoft Defender for security incident management
- Microsoft 365 Lighthouse for MSP multi-tenant visibility
- Multi-tenant dashboard via Microsoft 365 Lighthouse
- Device compliance monitoring across all customer tenants
- Real-time data refresh with manual refresh button
- Tenant filtering to focus on specific customers
- Compliance status filtering (all devices vs. non-compliant only)
- Deep links to Intune, Defender, and Entra admin portals
- Responsive design optimized for 4K displays
- Dark theme for SOC/NOC environments
- MSAL authentication with Authorization Code + PKCE flow
- Session-based token storage for enhanced security
- Error handling with user-friendly messages
- Summary cards: Tenant count, device compliance %, security incidents
- Device table: Sortable, filterable list of managed devices
- Compliance badges: Visual indicators for device status
- Last sync times: Relative timestamps for data freshness
- Security incidents per-tenant (Lighthouse doesn't support multi-tenant incidents API)
- Security alerts aggregation across all tenants
- Auto-refresh with configurable intervals
- Live mode for real-time SOC monitoring
- PII anonymization toggle for GDPR compliance
- Auto-lock after inactivity for shared displays
- Compliance trends over time
- Per-tenant health scores
- Predictive analytics for compliance drift
- Custom dashboards per MSP technician role
- Export to CSV/Excel for reporting
- Real-time alerts for critical incidents
- Webhook integrations (Teams, Slack, email)
- Automated remediation suggestions
- Compliance policy recommendations
- Integration with ticketing systems
- AI-powered anomaly detection
- Natural language queries ("Show me all non-compliant Windows devices")
- Predictive maintenance recommendations
- Automated compliance reports with AI summaries
- Microsoft 365 Lighthouse enabled for your MSP tenant
- GDAP relationships configured with customer tenants
- Azure AD app registration (see setup guide below)
- Lighthouse RBAC role in the partner tenant
- GDAP roles in customer tenants (via GDAP templates):
- Security Reader or Security Operator (for incidents)
- Intune Read-Only Operator or Help Desk Operator (for devices)
- Node.js 18+ and npm
- Modern web browser (Chrome, Edge, Firefox)
- Code editor (VS Code recommended)
git clone https://github.com/cyrusirandoust/dashboardus.git
cd dashboardus
npm install

- Navigate to Microsoft Entra Portal → Entra → App registrations
- Create new registration:
  - Name: MSP Dashboardus
  - Supported account types: Accounts in this organizational directory only
  - Redirect URI: Single-page application (SPA), http://localhost:5173
- Configure API permissions (Delegated only):
  - Microsoft Graph:
    - User.Read - Basic user profile
    - ManagedTenants.Read.All - Lighthouse multi-tenant data
    - DeviceManagementManagedDevices.Read.All - Device compliance
    - SecurityIncident.Read.All - Security incidents (M365 E5)
    - SecurityAlert.Read.All - Security alerts (M365 E5)
    - SecurityEvents.Read.All - Security events (M365 E5)
    - ThreatIndicators.Read.All - Threat intelligence (M365 E5)
    - IdentityRiskEvent.Read.All - Identity risk events (Entra P2)
    - IdentityRiskyUser.Read.All - Risky users (Entra P2)
    - Policy.Read.All - Conditional Access policies
    - Directory.Read.All - Directory data
    - AuditLog.Read.All - Audit logs
    - InformationProtectionPolicy.Read - Purview policies
    - offline_access - Refresh tokens
  Note: Some permissions require Microsoft 365 E5 or Entra ID P2 licenses. The dashboard will gracefully handle missing permissions.
- Grant admin consent for your organization
- Note your Application (client) ID and Directory (tenant) ID
Create a .env file in the root directory:
VITE_AAD_CLIENT_ID=your-client-id-here
VITE_AAD_TENANT_ID=your-tenant-id-here

npm run dev

Open http://localhost:5173 in your browser.

npm run build
npm run preview

- Click "Sign In with Microsoft"
- Authenticate with your MSP technician account
- Consent to the requested permissions (one-time)
- Dashboard loads with your managed tenants
- All Devices: Shows all managed devices across tenants
- Non-Compliant Only: Filters to show only non-compliant devices
- Tenant Filter: Select a specific customer tenant
- Click the Refresh button in the header
- Data is fetched from Microsoft Graph Lighthouse APIs
- Last updated timestamp shows data freshness
- Click the external link icon next to any device or incident
- Opens the relevant admin portal (Intune, Defender, Entra)
- Perform write operations in the portal with proper RBAC
Edit src/auth/msalConfig.ts to customize:
- Token cache location (sessionStorage vs localStorage)
- Redirect vs popup authentication flow
- Additional Graph scopes
Edit tailwind.config.js for:
- Color scheme
- Font sizes for large displays
- Spacing and layout
- Check GDAP roles: Ensure your account has appropriate roles in customer tenants
- Verify Lighthouse access: Confirm Lighthouse is enabled and you have a Lighthouse RBAC role
- Review Graph permissions: Ensure admin consent was granted for all required scopes
- Check API response: Open browser console (F12) and look for device data logs
- Verify Lighthouse data: Some tenants may not report compliance data to Lighthouse yet
- Wait for sync: Device compliance data may take time to populate in Lighthouse
- Check tenant IDs: Ensure tenant IDs match between tenants and devices
- Review console logs: Look for filtering errors in browser console
- Refresh data: Try refreshing the dashboard data
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
This project was made possible by the incredible people and tools that inspire innovation:
IBM Bob - The excellent AI coding assistant that enabled rapid development of this application in less than 4 hours outside business hours. Bob's intelligent code generation and architectural guidance were instrumental in bringing Dashboardus to life.
Sripathi Dantuluri - For introducing me to IBM Bob and consistently showing me cool geek stuff that pushes the boundaries of what's possible. Your enthusiasm for cutting-edge technology is contagious!
Richard Hogan & David Rowley - For creating similar projects that served as huge inspiration for this application. Your work in the MSP space demonstrates what's possible when we think creatively about multi-tenant management.
Tim Callaghan - For encouraging me to think outside the box and generate added value for Microsoft and our customers at IBM. Your leadership and vision make projects like this possible.
Microsoft - For building world-class cloud services (Entra, Intune, Defender, Lighthouse) that make this dashboard possible. We're proud to showcase the best of Microsoft's platform.
The Open Source Community - For the amazing libraries and tools that power modern web development: React, TypeScript, Vite, Tailwind CSS, and countless others.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
If you find Dashboardus useful, please consider giving it a star on GitHub! ⭐
Built with ❤️ by MSPs, for MSPs
Making multi-tenant security monitoring simple, secure, and beautiful.