JoshuaK - PCI-DSS has robust provisions for handling service providers with access to in-scope data. If a customer has PCI-relevant data in Sentinel, then Microsoft will already be a PCI service provider for them, for which Microsoft has accreditation - https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-pci-dss
Any other MSP with access to that data would also have to go through an accreditation and audit process, but this is a well-established path for QSAs.
As for malicious actors gaining access via a partner, it is a threat vector to consider, as attackers have targeted service providers to gain access to customers; however, with robust auditing of MSP security controls this risk can be managed. In addition, the Lighthouse configuration allows you to assign granular controls over what an MSP has access to, meaning it could be limited to read-only access to Sentinel data, limiting the scope of impact in a scenario where an MSP might be breached.
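As an added example (not part of the comment above, and not Microsoft's or any MSP's code), the following Python script audits an Azure Lighthouse registration definition template and flags any delegated authorization that grants more than read-only access to the customer's Sentinel data. The sample template, tenant ID and principal IDs are constructed placeholders; the role definition GUIDs are the public built-in Azure role IDs as I know them, which you should confirm in your own tenant with `az role definition list --name "<role name>"`.

```python
import json

# Built-in Azure role definition GUIDs (tenant-independent public values;
# verify with `az role definition list --name "<role name>"`).
READ_ONLY_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "8d289c81-5878-46d4-8554-54e1e3d8b5cb": "Microsoft Sentinel Reader",
}
HIGH_PRIVILEGE_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}

# Constructed sample Lighthouse template: one read-only authorization for the
# MSP's SOC analysts and one over-privileged authorization for an automation
# principal. Tenant and principal IDs are placeholders, not real values.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "00000000-0000-0000-0000-000000000001",
      "properties": {
        "registrationDefinitionName": "MSP SOC monitoring (constructed example)",
        "managedByTenantId": "<msp-tenant-id-placeholder>",
        "authorizations": [
          {
            "principalId": "<msp-soc-group-id-placeholder>",
            "principalIdDisplayName": "MSP SOC analysts",
            "roleDefinitionId": "8d289c81-5878-46d4-8554-54e1e3d8b5cb"
          },
          {
            "principalId": "<msp-automation-spn-id-placeholder>",
            "principalIdDisplayName": "MSP automation",
            "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
          }
        ]
      }
    }
  ]
}
""")


def audit_authorizations(authorizations):
    """Return one finding per authorization whose role is not on the read-only allowlist."""
    findings = []
    for auth in authorizations:
        role = auth.get("roleDefinitionId", "").lower()
        who = auth.get("principalIdDisplayName") or auth.get("principalId", "<unknown principal>")
        if role in READ_ONLY_ROLES:
            continue
        # Name the role if it is a known high-privilege built-in, otherwise
        # report the raw GUID so the reviewer can look it up.
        name = HIGH_PRIVILEGE_ROLES.get(role, f"non-allowlisted role {role}")
        findings.append(f"{who}: {name}")
    return findings


def audit_template(template):
    """Walk every registrationDefinitions resource in an ARM template and audit its authorizations."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.managedservices/registrationdefinitions":
            continue
        props = res.get("properties", {})
        findings.extend(audit_authorizations(props.get("authorizations", [])))
    return findings


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print("over-privileged delegation:", finding)
```

Run against the real template you are about to deploy (`json.load(open("lighthouse.json"))`) before accepting the delegation; any finding means the MSP would hold more than the read-only access the comment describes, and the authorization should be narrowed before the registration assignment is created.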