How to Maximize MSP Client Capacity Without Adding Headcount
There are many difficulties in running an MSP today, not the least of which is managing growth. Taking on new clients, onboarding them to “your way” of doing IT and making sure they have appropriate policies applied, particularly security policies, is challenging. In this article we’ll focus mainly on Microsoft 365 as the collaboration platform of choice, as it’s the one that most MSPs sell to their clients.
Standardizing Security Policies Across Clients
The overall challenge is to standardize – if all your clients have different policies, and varying settings you end up with “snowflakes”, where manual work is required for each of them. There will be occasional edge cases where a system or account is exempted from the standard policy, but the vast majority should be subject to the same policy, or you’ll never be able to grow your MSP without adding tech staff for each client. Now there’s an easy-to-use tool from the leader in Microsoft 365 security solutions, Hornetsecurity, called 365 Multi-Tenant Manager (MTM) which does exactly this – allows you to apply policies across tenants from a centralized console, and also manage any required exceptions.
Security policies are particularly difficult as there are many settings to manage across sharing policies in SharePoint and OneDrive, access policies for Exchange Online, a plethora of settings in Entra ID (formerly Azure Active Directory), baseline security settings in Intune, not to mention endpoint settings for Windows and other platforms. You’ll want these to be configured to an appropriate standard across all your clients. 365 Multi-Tenant Manager, built specifically for MSPs handles both Microsoft 365 security policies and Conditional Access policies in Entra ID.
Scaling Challenges: Staffing and Manual Configuration
As mentioned, one way of approaching this is adding more staff, the problem with this approach is that it doesn’t scale. If you have to add another tech for every 2-5 new clients, you’ll soon be hampered in your growth efforts / profitability. Particularly in today’s market, where finding technicians with good technical as well as soft skills at a manageable salary level is challenging. Also, manually applying security governance policies across clients is an invitation for mistakes and configuration drift. You need a system that can apply policies at scale across your entire tenant estate. Ideally, you’d want to get to a point where you only need to add staff when the non-automated work adds up to the point where you actually need more techs to manage it.
Another challenge when it comes to scaling and security policies is applying them across different clients easily. There will be times when business needs dictate required customizations, which will differ from business to business. Easily documenting these deviations, and the reason for them, while still applying “your template” for all the other settings is vital.
Related to growth challenges is the time taken during onboarding of a new client. Once the client has made the decision to sign the contract with you, this is the first real opportunity you have to make a good impression. Up until now, it’s been talk and sales pitches, onboarding is where the rubber meets the road. If this phase bogs down into lengthy meetings dissecting every single setting, rather than a smooth process of bringing them into your “care”, this first impression will not be ideal. You’ll want to standardize and easily apply your security policies, minimizing the time it takes to apply these to a new client.
Multi-Tenant Manager is a great help when it comes to onboarding new clients – you can compare their current settings to your baselines (which can be based on the CIS framework) and apply your policies, saving many hours in manual work. This also shows the client that you are serious about managing their entire digital estate with care, plus they’ll be more secure with the right settings applied.
Of course, your security policies aren’t static. There are many forces which may generate changes in the policies you have – vendor recommendations (Microsoft do update their best practises guidance regularly), newly disclosed vulnerabilities, and regular updates to Conditional Access Policies for example. Again, scaling your MSP is hampered when you are forced to assign engineers to manually make these updates across all your clients.
Sometimes you have the opposite situation, you need to remove certain policies from one or more clients, again this is time consuming if done manually.
Again, 365 Multi-Tenant Manager is right there for you, allowing you to customize policies quickly in a single place, and then apply the new policies across many tenants in a single step, or even remove policies if you need to.
One particularly difficult situation is when you have a larger client that spans regions, states or even countries. For MSPs that primarily serve very small businesses this is rarely an issue, but for larger MSPs or those that cater to bigger SMBs, the need to apply different policies to parts of the business in different locations, based on region, bring additional manual work if it’s not automated. This also applies in scenarios where different roles within the client’s business needs different security policies, maybe the frontline workers in the stores need a different set of policies than the backend staff in the finance department. The scoping options in 365 Multi-Tenant Manager allows you to target policies granularly to the right users or devices which is particularly useful in larger tenants.
Leveraging Templates for Faster and Consistent Policy Deployment
Another important point is the speed of policy application / updates. If you have hundreds of clients, and urgently need to deploy a change, you need a strong system in place to be able to do this quickly and efficiently.
So far, we’ve been looking at security policies you’ve designed yourself, but what you really want for effortless scaling are ready made templates that you can customize and then apply across different tenant cohorts for consistency. 365 Multi-Tenant Manager out of the box templates are built on the industry standard CIS 3.1 benchmark for Microsoft 365, giving you a good starting point to customize settings to suit your clients’ needs. Many different industries have different regulatory demands, as does different countries and regions, and MTM is the tool that allows you to effectively customize and apply the right settings for different tenants with minimal administrative effort.
A particular area where policies are paramount are SharePoint / OneDrive and Teams sharing settings. In today’s open, collaborative environments users are encouraged to share files in SharePoint sites, and from their own OneDrive for Business sites (which are really just SharePoint sites behind the scenes), both with internal colleagues, as well as external collaborators. Furthermore, Teams not only encourages file sharing, but it also hides some of the complexity behind the scenes (files are stored in SharePoint sites, but appear in the Team itself), to ensure file sharing is seamless.
The problem of course is that easy file sharing with “anyone” may not be in the business best interest, nor in keeping with relevant regulations. Applying the appropriate security policies to all your clients for these settings, as well as tracking current shared files, is vital, but difficult to do with the built in tools in Microsoft 365. Here, Hornetsecurity offers a unique product, 365 Permission Manager which allows you to inventory all current sharing and permissions settings across every SharePoint and OneDrive for Business site, easily right size them, and apply custom policies to limit oversharing.
Conclusion
In this article we looked at the challenges that MSPs face when attempting to automate and manage security policies across their client base, particularly as they’re trying to grow. And how these challenges can be turned into opportunities for growth, standardization and better security for all clients of your MSP with a simple to use tool, 365 Multi Tenant Manager.
