My Favorite Multi-tenant Tools for Microsoft 365 Cloud


Today I want to address something that Managed Services Providers in particular struggle with daily: managing dozens, if not hundreds, of Microsoft tenants, each of which represents a unique security boundary with its own set of users, devices, licenses, security configurations, and so on. This problem is not new to the cloud by any means. In the past, we had to figure out how to scale management of many disparate physical networks, servers, and workstations. The same is true of our cloud assets.

Note: This is not a post about Multi-tenant organizations which is a totally different thing, and which I may blog about someday–it is important for small and mid-sized businesses to know about this too, as sometimes an SMB is acquired by a VLB (Very Large Business).

So let me just start by saying that five years ago, the list of potential solutions here was very small. Mostly providers were just trying to figure out how to streamline their repetitive work using PowerShell and other means, and that helped them to move more quickly from one tenant to the next. But unless you were on the cutting edge or had in-house developers, you likely didn’t have a multi-tenant tool for managing all of your Microsoft 365 and Azure tenants.

Today the landscape looks a lot different, and there are three multi-tenant tools in particular that I will discuss, which have been built from the ground-up with the Managed Services Provider in mind. To be crystal clear, just because I haven’t mentioned a specific tool in this article doesn’t mean it isn’t a good product. I cannot be intimately familiar with every single vendor out there, and I am not in a position to comment on every single one of them. The ones I am highlighting here are easy to use and relatively inexpensive, and I think they are widely applicable to MSPs in general. But there are other good options too. I just want to acknowledge that.

CyberDrain Improved Partner Portal (CIPP)

We’re going to kick off this train by looking at CIPP—what a great product. Kelvin Tegelaar developed this application about three years ago, partly out of frustration. In his own words:

MSP vendors were massively lagging behind on cloud management. It either was an extremely expensive exercise to get a cloud management product, or it was just ignored by the major vendors who you would expect to help MSPs… After not seeing any movement for so long I decided to create an application out of spite; partly to show how easy it actually is to create a Microsoft 365 management product. The very first version took me three weekends to make and release.

I have watched as other tools have come and gone in the last few years, but CIPP has been one that continues to see regular updates, improvements, and development. The reward of course has been that CIPP continues to see enormous growth. As Kelvin puts it, “From there we kind of exploded, with 100 MSPs in the first month, and 4,400 MSPs using CIPP now.” That’s fantastic.

I follow Kelvin on LinkedIn, and it seems like he is always announcing a new release with cool new features and improvements. When I asked him about this he replied, “In general, I love all our features equally especially when they come from MSP requests. We have a release today where we are implementing something like 20 new features that have all been asked for by MSPs.” That is exactly what we like to see—vendors who are responsive to the markets they serve.

I also want to highlight that I regularly see really creative features in this product that I just haven’t come across anywhere else. For example, there is a custom anti-phishing CSS login page that you can deploy to tenants with the click of a button. As Kelvin explains it, “I love the anti-phishing CSS I’ve developed with some security researchers at Huntress. It allows users to see when an AITM attack has happened and gives users a clear ‘Do not login’ message when they reach a phishing page.”

Anti-phishing CSS login page

This effectively interrupts the flow of a typical “adversary-in-the-middle” phishing scenario and gives the user a chance to bail out before accidentally granting a bad guy access to their Microsoft data.

“I’m very glad that CIPP has lit a fire in the industry – you’re seeing many vendors trying to break into the market now and finally looking at holistic cloud management as something MSPs need.”

I couldn’t agree more, Kelvin. CIPP can be self-hosted for free, or, for a relatively inexpensive price if you want to get support. See this page for more details.

Microsoft Lighthouse

Microsoft themselves have also come onto the scene in the last few years with their own multi-tenant management product, Microsoft Lighthouse (https://lighthouse.microsoft.com). This is actually a pretty big deal, because the tool is free to partners, and therefore it represents a huge investment by Microsoft to cater specifically to the needs of all the Managed Services providers out there. Perhaps for the first time.

Also, I know that in general, the SMB community (and especially the MSPs that serve the SMB) can feel like the red-headed stepchild in the Microsoft family. Everyone knows it: Microsoft always thinks of the Enterprise first and foremost, while the Small Business has historically been something of a second-class citizen. Honestly, I think the development of Microsoft 365 Lighthouse, Project Orland, and other efforts, are slowly changing that. For the first time, I feel like Microsoft is starting to “get it” and they are paying attention, and listening to what it is that MSPs do, in an attempt to understand what our needs are. It’s not perfect by any means, but there is real progress being made.

GDAP wizard in Lighthouse

This is reflected in some key features that have been developed and released over the last year, such as the GDAP wizard, which makes setting up roles and permissions, as well as connecting to new customer tenants, a breeze. We also now have custom baseline policies, which allow you to develop your own standard security policies and apply them across multiple tenants at once. This includes support for several different configuration and policy types, including Intune policies. You can also import policies from “golden” tenants and then bring them into your custom baseline, allowing you to more quickly deploy the policies again across your other tenants.

Custom baselines in Lighthouse

You might notice some overlap between Lighthouse and other tools, including CIPP! That should come as no surprise. These development teams are aware of each other and have even worked together for common benefit. Call it “coopertition” if you will.

Kelvin Tegelaar of CIPP had this to say: “We try to work with the Lighthouse team as much as possible, we’re one of the biggest ingestors of their APIs so we always try to keep close contact… Thanks to our collaboration we’ve gotten some beautiful things working – a cool example of this is that CIPP created a method to use the license APIs to track license expiry, and Lighthouse then improved on that by making those APIs more multi-tenant capable and reportable.”

Chris Boyd, PM for Microsoft 365 Lighthouse, adds: “With regards to CIPP, I believe it is a great solution that can work alongside of Lighthouse. There is feature overlap and there is complementary functionality. What is important to me is our goal is to help keep our shared SMB customers safe, secure, and productive, while helping partners to scale their business. Both CIPP and Lighthouse help to achieve that goal.”

While you probably could just work out of one or the other of these tools, if I were starting a new MSP today, I would almost certainly be implementing both of them. While it is true that some overlap does exist, I think there is also unique value in each one, and long term the development of these tools will be interesting to watch. As Kelvin puts it: “I love seeing that when we implement a feature, Microsoft picks up on it and implements the improvements we need. We are very much products that grow side-by-side and that’s why I always recommend everyone to also check out Lighthouse next to CIPP. Sometimes we have some other goals and MSPs should choose the product that aligns with their workflow most.”

I will also mention that there are a couple of other “general management” tools like this that you might be aware of that offer similar multi-tenant functionality. Most of these products are going to cost an MSP a little bit more, but they might also offer more in some respects than these less expensive tools. If you’re just starting out as an MSP, or just getting into multi-tenant management, and cost is a concern (as it often is, especially for smaller MSPs), then Lighthouse and CIPP can be a really inexpensive way to get going, and honestly, there is a lot of really great value and many features to be found in both. With a lot of development happening in this space, I will have more to say about this later.

SaaS Alerts

Next, let’s talk about a more “specialized” product, which is focused on security.

As I have mentioned in the past on this blog, Microsoft’s security tools are great, but they aren’t always partner-friendly. Just consider the “alerts” that we have to configure in various places. For example, the built-in Alert policies in the Microsoft Defender security center, or what they previously dubbed “Advanced alerts” (which are sourced from Microsoft Defender for Cloud Apps a.k.a. Cloud App Security)—these alerts have to be configured individually and inside each tenant, not to mention they are always subject to changes, and that means you may periodically have multiple adjustments to make (and in however many dozens or hundreds of tenants you manage).

The problem is, all these alerts were designed from the start to be monitored from a single tenant by security administrators working within that tenant, not by outside partners who are trying to watch 50, 100 or 1,000 tenants. For this reason, I recommend you check out SaaS Alerts.

This is a fantastic solution that filled such an important void for partners. Not only does it do a great job of surfacing interesting and suspicious activities in your tenant, but it gives you the tools you need to automate your responses to these events, with several built-in examples out of the box.

'Respond' module in SaaS Alerts

This is huge for Managed Services Providers—it’s like adding a robotic employee who is always working 24/7 on your behalf toward the goal of safeguarding and protecting your user base. Jim Lippie, CEO of SaaS Alerts, says, “We are very proud that in 2023, the ‘Respond’ module automatically caught over 7,900 incidents of compromise on behalf of our MSP community.”

But it gets even better, because SaaS Alerts integrates with other cloud applications besides Microsoft, too. It can even watch security events in several popular MSP tools including RMMs! Besides being an outstanding boon on its own, this also gives us additional superpowers. For instance, using a feature called “Unify” you can tie the security information coming out of the Microsoft cloud, to that of your RMM, and get a fuller picture of user and device context.

Connecting NinjaOne to SaaS Alerts

Regardless of whether a device is part of Intune or not, if your RMM knows about it, then SaaS Alerts knows about it, and that helps SaaS Alerts better distinguish the truly suspicious account activity from the “noise” that other tools might generate absent this data. This means fewer false-positive results and more precise, actionable information.

With the “Fortify” feature, we get both a clear picture of where each tenant stands with regard to Microsoft’s built-in “Security Score,” and the means to remediate or improve those scores easily. This is a great tool for conducting assessments, demonstrating value, providing useful reports, and in general, pushing forward the security initiatives and driving additional opportunities with customers. Jim explains, “The average Microsoft security score baselined by SaaS Alerts [upon install] is only 44, and we are seeing a 35-point average increase after implementing the recommended actions in the ‘Fortify’ module.”

'Fortify' module in SaaS Alerts

This product also boasts some unusually strong “Community DNA.” For example, you can share your automations with the community and have them published for use by other MSPs. You should also check out the weekly Saa$y MSP Community call; discussions in this forum regularly inform development of the tools in SaaS Alerts.

Ryan Ricciardi, Sr. Vice President of Partner Success at SaaS Alerts, sums it up: “SaaS Alerts exists because this is not a risk-free world. There is a transition underway in cybersecurity from an on-premise and device-centric focus to a user behavior and account-centric approach. SaaS Alerts helps MSPs win on this transition.”

This product gets an A+ in my opinion, and it would be one of the very first ones I implement for each customer I onboard, along with a more generalized management tool such as Microsoft Lighthouse or CIPP. As a matter of fact, I was so impressed with SaaS Alerts, that I negotiated a special group rate for my MSP Practice Development group, SquareOne. We are excited to add this benefit to our membership program.

Other important tools

I said I would discuss three tools. And those are my “top three” that I think are very approachable and widely applicable to the majority of Managed Services Providers today. But there are others out there we should mention. As I said earlier, yes, there are competitors to Lighthouse and CIPP (which I think of as “general” tenant management tools), and those might be worth a go, although they probably cost a bit more to run. I am not aware of as much competition with regard to the unique features found in SaaS Alerts (which doesn’t mean competitors don’t exist, per se; I just haven’t seen something quite like it yet). Now, aside from those three tools, there are a few more “specialized tools” I want to highlight briefly:

  • Endpoint security: At the time of this writing, I would guess that fewer than 10% of Service Providers out there are using Microsoft Defender for Business, and have opted to stick with their existing third-party vendors. In the long term, I think that Microsoft is going to continue to make big gains in market share here, for three reasons. First, they have a great product, second, it is already included with their flagship small business SKU, and third: the Lighthouse team plans to bring more and more Defender-related data into the portal over time. That having been said, there are often additional things I would like to accomplish which are more difficult to do in the Microsoft universe. For example, the Application Control features we have available via Microsoft (as of today) leave something to be desired. I would supplement this with ThreatLocker or another similar solution.
  • Printer Management: Even though Microsoft has their own offering in this space (Universal Print), most partners find it unworkable for their use case. Instead, they are more likely to use a multi-tenant-ready, third-party product such as Printix.
  • Application management/patching: Windows Update for Business is configurable via Intune and can handle the basic Microsoft Windows and Office updates, and that might cover the needs of a lot of small businesses out there, but if you manage other third-party business applications that require frequent updates, then you are going to want another tool. Personally, I have been a longtime fan of Scappman (now owned by Patch My PC), but there are other popular choices as well (e.g., sometimes bolted on or built in to your RMM of choice).
  • Virtual Machines: If you have Azure Virtual Desktop or Windows 365 deployments, you just have to check out Nerdio. Also, Nerdio is starting to include additional management features for products such as Intune! This is great news and I am excited to see what the future holds for them.
  • Backup: This topic almost deserves its own blog post. Actually, I might have one out there already, but it’s undoubtedly outdated at this point, because so much has changed. The quick version is, Microsoft now offers their own native backup solution. Hooray. However, many will see this as equivalent to “backing a server up to itself” or “putting all your eggs in the Microsoft basket,” and of course, management is still per-tenant, instead of multi-tenant. Datto, Veeam, Acronis, and many other providers have long offered a multi-tenant, robust backup solution for Microsoft 365. I personally really like the Acronis product, but I think they are probably all equally good at this point. However, they all share similar weaknesses, too—not by their own fault, but because of the data that Microsoft does—and doesn’t—make available via their APIs. For example, good luck backing up data in apps like Forms, Planner, Power Platform, and pretty much anything else that doesn’t live in an Exchange mailbox or a SharePoint site/list.

You probably noticed all this is a far cry from the mythical “Single Pane of Glass.” No kidding, and welcome to reality; MSPs have been chasing that chimera for the last couple of decades and it has yet to materialize. With the cloud, in many ways, you could argue that things have become more complicated, not less. I think we can still aim for “fewer” panes of glass and look for opportunities to collapse into fewer portals/tools over time. But expect that for the foreseeable future, you will be juggling a variety of management UIs, whether you are working with first or third-party tools (and likely a mixture thereof).

Well, that’s all I had to share for today. You might know of additional third-party, multi-tenant-capable products that fill a particular need or niche that would be a boon to Managed Services Providers. If so, I encourage you to drop a quick mention or note about them in the comments section of this blog, below!


Comments (4)

  • Nathan Taylor

    Multi-tenant defender and Sentinel management, configuration, and alerting is an area that can be a challenge. Lots of opportunity there especially on the Sentinel front (azure lighthouse only goes so far). I know Defender is improving API access to facilitate more options here and lots of third parties integrate with defender for reporting/alerting.

    February 29, 2024 at 12:36 pm
  • FRANCIS MAHONEY

    SAAS Alerts sounds promising. I have always felt it’s easy to sort of go in circles within the 365/Defender for Business Device Management.

    February 29, 2024 at 4:21 pm
  • David Watson

    A concern of ours is the security of the tool vendor. If they can access all our clients’ M365 tenants then surely then a breach on their system could prove disastrous for us.

    What advice would you give to keep things as secure as possible and reassure our clients?

    March 1, 2024 at 3:21 am
    • Alex Fields

      These days vendors should be using a secure application model, where the app gets only the permissions it needs for management and no more. So, it wouldn’t be able to do stuff like send and receive emails, download out of OneDrive/SPO sites, etc. unless you gave the application those permissions explicitly. In the olden days there were vendors selling backup solutions where you just had to use a global admin account with basic auth to login. Which is a huge risk of course. Those days are over, thankfully. As well, you would protect your access to the apps just as you would any other management app. I will mention that CIPP is not a centralized application, but decentralized. So you can stand up your own version of this in your partner Azure tenant for example. This also means responsibility for the security falls on you, but that was already true for RMM’s in the past, etc. And Lighthouse is baked in for partners already. Both of these tools leverage GDAP so you can control how much access technicians have by default, and provide a means for JIT access too. One more note, if you want to buy Workload Identities Premium license for each app, you can use CA policies to further protect those applications: https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity

      March 1, 2024 at 8:57 am
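The reply above recommends a secure application model in which a vendor's management app gets only the permissions it needs. One way to verify that in a customer tenant is to enumerate the application (app-only) permissions actually granted to every service principal and flag the broad ones. The script below is an added example written for this page; it is not from the blog author, CIPP, Lighthouse or SaaS Alerts. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) is installed and that the signed-in account can read application and directory data; the list of permissions it treats as high-risk is this example's own choice, not a list published by Microsoft or any vendor.

```powershell
# Added example (not from the post): audit app-only permissions granted to service
# principals in the signed-in tenant and flag the broad ones for review.
# Assumes: Microsoft.Graph SDK installed (Install-Module Microsoft.Graph) and an account
# that can consent to Application.Read.All (delegated) for this session.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Permissions this example treats as high-risk when granted app-only. This is an
# illustrative list; extend it to match your own risk appetite.
$highRisk = @(
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All', 'User.ReadWrite.All', 'Group.ReadWrite.All',
    'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Sites.ReadWrite.All'
)

# Cache of resource service principals (e.g. Microsoft Graph) so that each
# appRoleId is resolved to its permission name only once.
$resourceCache = @{}

# Only service principals backed by an application registration (vendor tools,
# custom apps), which is where a third-party management tool would appear.
$findings = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        # The resource's AppRoles collection maps the granted AppRoleId to a name such as Mail.Read
        $role = $resourceCache[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            App        = $sp.DisplayName
            AppId      = $sp.AppId
            Resource   = $a.ResourceDisplayName
            Permission = $role.Value
            HighRisk   = ($highRisk -contains $role.Value)
            Granted    = $a.CreatedDateTime
        }
    }
}

# Broad grants first; compare each against what the vendor documents the tool needs.
$findings | Sort-Object HighRisk, App -Descending | Format-Table -AutoSize

$flagged = @($findings | Where-Object HighRisk).Count
"{0} application permission grants found, {1} flagged as high-risk" -f @($findings).Count, $flagged
```

Run this per customer tenant (or under a GDAP relationship that includes a directory reader role) and review anything flagged: a backup tool plausibly needs `Sites.Read.All` or `Mail.Read`, but a grant such as `Directory.ReadWrite.All` or `Mail.Send` to a tool that only reports on tenants is the kind of over-permissioning the reply warns about. Delegated permissions (OAuth2 permission grants) are a separate object type and are not covered by this script.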
