Why aren’t you charging your customers to take care of Microsoft 365?

This is a simple question.

The way I see it, there are many opportunities to provide Managed Services for SMB customers with regard to their Microsoft 365 subscriptions. Yet to this day, hardly anyone is doing it. Why? I suspect some folks have difficulty connecting all the dots and putting together comprehensive packages. But aren’t you already doing some regular work in these tenants anyway? If so, are you letting revenue slip through your fingers? Today, I will try to suggest some more structure for your (future) offerings.

In the past, most managed services providers articulated their various support services in terms of hardware. So for example, they would charge “per device” or “per server” for the technology that they had under their care. Thus, there would be a dollar amount per month to take care of a collection of physical or virtual “devices.” In the cloud, most of these components are invisible to us, and we do not manage at that layer. Instead, with regard to SaaS, we manage at the service or application layer exclusively (or the database management layer, in the case of PaaS).

But just because we cannot see or manage the hardware does not mean that the service does not have ongoing support requirements. I like to consider two different pillars of support:

• Business process support
• Cybersecurity support

These needs never disappear, no matter how much of the technology stack you outsource to a cloud provider. Now within each of these support pillars, I suggest that you have the following opportunities (at a minimum):

• Business Process support
  • Basic subscription management
  • Enhanced productivity
  • Compliance management
• Cybersecurity support
  • Security essentials (protect)
  • Advanced security (detect & respond)
  • Full SOC (including SIEM/SOAR)

Furthermore I suggest that you just plan to charge per user, since that is how the subscriptions are already structured (plus users are a more permanent/important feature of the business, versus a device or app).

Now, let’s take a look at each of these potential offerings in turn.

Basic Subscription Management

Every subscription requires some looking-after. For example, customers may request license and software changes (which you administer via CSP). This includes new users, terminated users, upgrades or add-ons that are requested, and so on. Examples: What is your SLA for new user/licensing requests? What is included in a new user onboarding or set up process? How do you deal with departed user data? This service should spell that type of information out clearly. An entry-level or non-technical person in your org can admin simple license changes and user turnover requests. You are probably already doing this stuff less formally, without getting paid.

As well, customers will want to be notified of important changes that are coming to the service; in some cases they cannot opt out of these changes, but in other cases they can (with your help). But how will they know unless someone is staying on top of it for them? As you probably know, most SMB’s aren’t watching the Message Center or the Microsoft 365 Roadmap. You can include critical alerts and high impact or “opt-out” notifications. You probably wouldn’t charge very much for this “Basic” service, but it would still be dollars you are not collecting today. And if you manage several hundred or even thousands of seats already, then even a dollar or two per seat still adds up when you’re talking about MRR.

Enhanced Productivity

As an upgrade to the Basic service, you can also offer a premium version, which I like to call “Enhanced Productivity” (but you can call it anything you like). The characteristics of this offering would be similar to how we might think of application integrators, for various Line of Business apps that exist today. Only in this case, you would strive to help the business get the most out of their investment in the “World’s Productivity Cloud.”

For starters, you would expand on the basic offering by notifying customers of any upcoming changes that could potentially enhance their productivity (not just critical changes and opt-out), and you can even offer to opt them into new experiences that are either in Preview or becoming Generally Available soon, but which may not be “visible” or present by default. This obviously requires you to have folks who know the apps inside and out, and who are tuned into what is coming down the pike.

Additionally, you would have opportunities to provide interactive training or exclusive live events. You might offer some other digital resources on a monthly or quarterly basis. For example: webinars, newsletters, ebooks, and more.

Finally, customers should be able to reserve monthly time with productivity experts within your organization who can help each customer to customize their collaboration experience in apps like Teams and SharePoint Online, or even assist with workflow automation (e.g. Power Automate). In general, your integrators would help customers to advance their learning and consumption of Microsoft 365.

Therefore, this agreement could contain some monthly service hours in addition to the base fee (you could even make it adjustable: reserve 4 hours a month, or 8, or 16, etc.). This way you can have predictable work that can offset or “even-out” the more unpredictable project work that I most often see dominating in this space.

Compliance Management

Compliance Management is a service that I include on the Business Process side, not the cyber security side. Just one more reminder that compliance does NOT equal security. But businesses who are subject to specific legal compliance requirements, such as HIPAA in the United States, or GDPR in Europe, may require a closer watch on certain things.

I suggest that you leverage the Compliance Manager (tied to Compliance Score), to track and measure progress, and even store policy documents and so forth. Compliance is rarely set and forget, however; you may be required to do regular reviews of accounts, data locations, access control lists, and so forth. Plan to bake this review process into the offering on a quarterly or semi-annual basis. You might also want to generate your own custom reports to present as part of this service (you can use some of the data/charts from Compliance Score, etc. to help).

Security Essentials

Now moving over to the cybersecurity side of things, we have to acknowledge that not every SMB customer is going to have the same appetite, nor the same set of features available, since many will choose to forgo the more expensive subscriptions (like E5 or other premium security add-ons). Nevertheless, you can be very heavy handed about certain requirements. I suggest the following, at a minimum:

• Single Sign-On for other SaaS apps
• Multi-factor Authentication
• Unified audit log and Alert policies (monitoring/responding)
• MDM and MAM for mobile devices and workstations
• Hardware and software inventory & lifecycle management
• Use Secure Score to benchmark and track progress
• Maintain alignment with a basic Cybersecurity standard such as CIS Controls (Implementation Group 1)

This does imply a licensing pre-requisite: subscriptions that include Azure AD Premium and Intune, such as Microsoft 365 Business Premium, or Enterprise Mobility + Security E3. This is pretty affordable (and approachable) even for the SMB market. I have two courses that describe how to implement these subscriptions and the corresponding cybersecurity standard (CIS IG1) in detail.

Advanced Security

Some organizations will be interested in having a more thorough treatment when it comes to security. Especially if they work with high value targets or store and process a lot of sensitive data. These environments should have additional protection as well as strong detection and response capabilities, such as those offered in Microsoft 365 Defender and Azure Sentinel. (My Advanced Security course covering these topics will be available soon).

When you get into these tools, it implies that you will have additional capacity on your team to investigate and respond to potential cybersecurity events. Unlike traditional MSP monitoring for issues like hardware failure or full disk, etc., these alerts may often come back as “false positives,” but they still need to be investigated (because you never know). That means you want cybersecurity pros such as SOC analysts (not just IT generalists). Therefore this will be a more expensive offering if done right.

Some providers might choose to offer this service in parts, as well. For example, a lightweight Endpoint Detection & Response service using Defender for Endpoint as a starting place, and then have other components of monitoring (cloud apps, on-prem identities, firewalls, etc.) as add-on, or available together in a bundle at a discount. As well, with Microsoft Cloud App Security you could have an additional monthly fee per application that you monitor and manage beyond Office 365 (remember that you can connect common third-party apps like DropBox or Salesforce). Full SOC service with Azure Sentinel (cloud native SIEM) might be a further upgrade or add-on.

Still want help?

I am trying to give you a roadmap on this site, and basically all of what I learn and share ends up on here for free eventually anyway, but very often I find that folks want to be able to engage with me directly, and have more time for Q & A, or to bounce ideas off me. Good news for you: that’s what I do now. I quit my day job last month, and suddenly find myself “early retired” from Managed Services. Early retirement just means that I only work on stuff that I enjoy (and first and foremost on that list is helping YOU to advance your cloud-first, mobile-first Microsoft 365 practice).

To that end, I am constantly building additional materials and offerings for the MSP community. I will have more to share here very soon. But in the meantime, would you be so kind as to help me prioritize my task list? I have a survey available here, and if you took a few minutes to fill that out, it would really help me (to help you). Thanks!