So we tried to implement the recently released Azure Lighthouse by the book in order to centrally manage multiple Azure customers. The recommended Contributor role, which is the highest Azure role you can use with Lighthouse, has some very interesting limitations, especially around what you can do with Azure Policies: the Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write operations are actually prohibited, so you cannot deploy any Azure Policies to a customer's subscriptions.
There is a way to bypass this limitation of the Contributor role by adding another role to the onboarding process: Security Admin.
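Azure evaluates a role's effective permission as its Actions minus its NotActions, and a Lighthouse delegation grants the union of every role it authorizes. The Python below is an added example (not from the original post or from Microsoft) that models that evaluation with abridged, constructed role definitions: Contributor as described above, and a Security Admin entry assumed to carry the policy write actions this workaround relies on. Running it shows why Contributor alone cannot write a policy assignment while Contributor plus Security Admin can, and that the extra role still does not reopen role-assignment writes.

```python
import re

# Abridged role definitions constructed for this example from the Contributor
# limitation described above; they are NOT an export from Azure RBAC.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # Assumed subset of Security Admin: policy authoring plus Security Center.
    "Security Admin": {
        "actions": [
            "Microsoft.Authorization/policyAssignments/*",
            "Microsoft.Authorization/policyDefinitions/*",
            "Microsoft.Authorization/policySetDefinitions/*",
            "Microsoft.Security/*",
        ],
        "notActions": [],
    },
}


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """Effective permission: matches some Action and no NotAction."""
    allowed = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role["notActions"])
    return allowed and not denied


def delegation_allows(role_names, action: str) -> bool:
    """A Lighthouse delegation is the union of its authorized roles."""
    return any(role_allows(ROLES[name], action) for name in role_names)


POLICY_WRITE = "Microsoft.Authorization/policyAssignments/write"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"

if __name__ == "__main__":
    for roles in (["Contributor"], ["Contributor", "Security Admin"]):
        print(roles, "policy write:", delegation_allows(roles, POLICY_WRITE),
              "| role assignment write:", delegation_allows(roles, ROLE_ASSIGN_WRITE))
```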