Most SMB tenants have a guest graveyard

Most SMB tenants I look at have a “Guest Users” list that’s basically a graveyard. People invited for a project that finished in 2022. A contractor whose engagement ended last March. Somebody’s external accountant who hasn’t signed in since the BAS that prompted the invite.

Nobody removes them. Nobody can remember why they were added. Nobody’s even sure who should remember.

That’s not a guest problem. That’s a governance problem.

Now do the same exercise with Global Administrator. Or Privileged Role Administrator. Or that mystery security group somebody pinned to a SharePoint site three years ago and called “Finance – All”. Same pattern. Stale access. No owner. No expiry.

This is exactly what Access Reviews in Entra ID Governance is built to fix — and most MSPs I talk to either don’t know they’re licensed for it or have never actually run one.

Time to fix that.

What is Access Reviews, really?

Access Reviews is a recurring “are you sure?” loop. You point it at a group, an application, a privileged role, or every guest in your tenant. On a schedule you pick, it emails a reviewer — you, the group owner, or the user themselves — and asks them to confirm whether each person still needs the access they’ve got.

If the reviewer says no, or doesn’t reply and you’ve configured “no response = deny”, the access gets removed automatically when the review ends. No tickets. No spreadsheet. No “I’ll get to it next quarter”.

It’s the same job your auditor wants you to do at a desktop level. Just done in the portal, on a timer, with an audit trail attached.

What you need to run one

Licensing trips most people up here. Access Reviews is an Entra ID P2 or Entra ID Governance feature, and licensing is per user, not per tenant. Every user whose access you’re reviewing needs to be covered. Guest accounts don’t need a license to be reviewed, which is the one bit of good news.

Business Premium customers don’t have P2 in the box. If they want this, they need Microsoft 365 E5 or the Entra ID Governance add-on. Tell the client up front — don’t promise the feature and discover the gap at invoice time.

You’ll want Identity Governance Administrator or Global Administrator to set the first review up. Group owners can run reviews on their own groups once an admin enables the toggle in the Access Reviews settings.

Step-by-Step: a recurring guest review

Start here on every tenant. It’s the easiest win.

Open the portal

Sign in to entra.microsoft.com as Identity Governance Administrator. Go to ID Governance > Access Reviews > New access review.

Pick what to review

In Select what to review, choose Teams + Groups, then All Microsoft 365 groups with guest users. This is the magic option. It creates one recurring review that sweeps every M365 group containing guests, across the whole tenant, automatically, forever.

Set Scope to Guest users only.

Pick your reviewers

Pick Group owners with a fallback. Group owners actually know whether Alice from the partner agency still needs Teams access. You don’t. You also don’t want to be reviewer-of-last-resort for fifty groups.

Set the schedule

Recurrence: Quarterly. Duration: 5 days. Long enough that nobody can claim they were on leave. Short enough that the next quarter doesn’t lap it.

Set the settings that actually matter

This is where most people skim and lose the whole value of the feature. Slow down.

Auto-apply results to resource: On. Without this, denied users stay in the group until somebody manually clicks apply. They never do.
If reviewers don’t respond: Remove access. Yes, really. If the owner can’t spend two minutes confirming a guest, the guest goes.
Justification required: On. Forces reviewers to type a reason for “keep”. Stops the rubber-stamp click-through.
Mail notifications + reminders: On.

Name it Quarterly Guest Review - All M365 Groups, hit Create, done.

Step-by-Step: privileged groups and admin roles

Same engine, different doorway. PIM for Entra roles and PIM for Groups each have their own access review entry point — not the one above.

For Entra admin roles

Open PIM > Microsoft Entra roles > Access reviews > New. Review every role with active or eligible assignments. Reviewer = the user themselves, because self-attestation forces them to type a justification. Add a second-stage approver if you want belt-and-braces. Recurrence: every 90 days for admin roles. No exceptions.

For privileged groups

If you’re using PIM for Groups to gate access to sensitive things, you can review the eligible members on the same cadence. Same wizard, hosted under PIM. Same settings. Same auto-apply.

Notice what’s missing? PowerShell. None of this needs it. Portal only.

One artefact you can paste into every client runbook

Guest access:     quarterly, 5-day window, owner-reviewed,
                  no response = remove, auto-apply on.
Admin roles:      every 90 days, self-attest + 2nd stage,
                  no response = remove, auto-apply on.
PIM for Groups:   every 90 days, owner-reviewed,
                  no response = remove, auto-apply on.

Notice what’s not in there? Anything called “annual”. Annual reviews don’t do anything except let stale access fester for eleven and a half months. If the cadence isn’t quarterly or better, you don’t have a control — you have a calendar reminder.

Why this actually changes behaviour

Before: “I’ll clean up guests when I get a chance.” After: “The system already did it last Tuesday.”

That’s the shift. Access Reviews moves access cleanup from a thing humans intend to do into a thing that happens whether they intend to or not.

For an MSP the win is bigger. Every client tenant you manage produces a quarterly evidence trail — who reviewed what, what got removed, who signed off. Exactly the evidence the cyber insurer asks for at renewal. Exactly the evidence an SMB1001 or Essential Eight auditor wants on the table. According to the Access Reviews FAQ, reviewers and decisions are captured against each instance, so the audit trail is already there — you just have to turn the reviews on.

You’re not selling “we’ll clean up your guests” anymore. You’re selling governance with a paper trail.

Access Reviews isn’t there to help you remember to remove stale access. It’s there to remove it whether you remember or not.

If you’re not turning this on for your clients, you’re leaving the easiest governance win in Microsoft 365 on the table.

The First Client Problem Isn’t What You Think It Is

I’ve watched a lot of people sit on the edge of starting something — a side practice, a Copilot consultancy, a niche advisory offer — and almost none of them are stuck for the reasons they tell themselves. They’ll say they need another certification, one more course, a tighter offer, a better website. What they actually need is to be seen doing the work before the work feels finished.

This is the quieter truth about building anything online, and I think it’s worth saying out loud. The distance between where you are right now and your first paying client is almost never a knowledge gap. Most people reading this already know enough to genuinely help someone tomorrow morning. What’s missing is the willingness to stand up in public as someone building a thing before they feel they’ve earned the right to be seen that way.

The Permission You’re Waiting For Isn’t Coming

Nobody hands out the badge. There is no moment where the industry quietly agrees you’re now ready to charge for advice. I waited a long time for that feeling early on, and I can tell you it doesn’t arrive — you just start, and the evidence catches up.

The strange part is that the evidence is usually already there. If you’ve spent the last few years inside Microsoft 365 — wrangling Conditional Access, untangling SharePoint permissions, helping a team actually adopt Copilot in Outlook instead of just licensing it — you already know more than the SMB owner who is googling at 9pm trying to work out why their Teams meetings won’t record. You don’t need another module. You need to write the post, record the short video, send the email to the contact who half-asked about it last month.

Make Yourself Findable Before You Feel Ready

The practical move is to put something out into the world that someone could trip over. A LinkedIn post about a real Copilot rollout you ran last week. A short Loop page you can share with prospects that walks through how you set up Copilot governance for an SMB. A simple SharePoint site with three case write-ups on it. None of this needs to be polished. It needs to exist.

I use Copilot in Word to take rough voice-memo thoughts and shape them into a draft I can edit down — not to write the post for me, but to break the inertia of the blank page. Then I’ll ask Copilot in Outlook to help me re-thread an email to a warm contact I’ve been meaning to nudge for a fortnight. The tool isn’t doing the courage part. It’s removing the friction so the courage has somewhere to go.

Your First Client Is Watching, They Just Haven’t Said Anything Yet

Here’s what I’ve noticed across years of MSP work: the person who eventually becomes your first paying client is almost always already in your network. They’ve seen a comment of yours, half-read a post, remembered something you said at an event. They are waiting for a small signal that you are open for business. That signal is you — visible, building in public, named as the person who does this thing.

You don’t have to declare yourself an expert. You only have to be specific about what you’re working on right now and who it’s for. The credibility compounds from there.

If you’re sitting on enough knowledge to help someone, the next step isn’t more learning. It’s letting yourself be seen mid-build. The evidence really does catch up. You just have to take the step before it does.

What is Microsoft Agent 365, really?

Most folks I talk to think agents are just Copilot with extra steps. They’re not.

A Copilot prompt is a single user, asking a single question, in a single session. An agent keeps running. It has tools, it has access, it makes decisions, and it does all of that whether you’re watching or not.

Agents don’t sleep. They also don’t ask permission.

That’s the part nobody seems ready for. Last year your tenant had users. This year it has users and agents. Some you bought, some your developers built, some your staff spun up in Copilot Studio over the weekend and forgot about.

So here’s the question I keep asking MSPs: do you actually know how many agents are running in your client’s tenant right now? If the answer is “probably some”, that’s not governance. That’s hope.

Microsoft Agent 365 is the control plane for agents. That’s it. It’s not a new agent. It’s not a new Copilot. It’s the place you go to see every agent in the tenant, decide what each one is allowed to do, and shut down the ones that shouldn’t be there.

Think of it like the Microsoft 365 admin centre, but for non-human accounts. The agents your team built. The agents your vendors sold you. The agent embedded inside that SaaS app marketing signed up for last quarter. All of them, in one registry, with one set of policies.

It went generally available on 1 May 2026 at USD$15 per user per month, and it pulls Microsoft Entra Agent ID(opens in new window), Microsoft Purview, and Microsoft Defender into a single agent lifecycle story. The official overview lives on Microsoft Learn(opens in new window).

Notice what’s missing? You. The user. Agent 365 isn’t an end-user tool. It’s for admins, MSPs, and security folks. It’s the dashboard your clients don’t see — and the one that keeps them out of trouble.

Step-by-Step: Finding the agents already in your tenant

The first thing I’d do in any tenant is just look. You’ll be surprised.

Sign in to the Microsoft 365 admin centre

Go to admin.microsoft.com as a Global Admin or AI Administrator.

Open the Agents workload

In the left navigation, expand Agents and select Overview. That’s the Agent 365 dashboard. If the tenant has a qualifying licence, you’ll see Agent 365 branding. If it doesn’t, you still get the baseline agent management view.

Review the registry

Select All agents. This lists every agent the tenant knows about — Copilot Studio agents, declarative agents, SharePoint agents, third-party agents, and anything registered via the new Agent 365 API. Each one shows its owner, source, and current status. The admin centre docs(opens in new window) walk through the columns.

Hunt for ownerless agents

Filter by owner. Anything marked ownerless is a red flag — that’s an agent doing things in the tenant with no human accountable for it. Assign an owner or block it. Don’t leave it.

Apply a policy

From an agent card, set access policies — who can run it, what data it can touch, whether it needs review before it publishes. Use the policy templates rather than rolling your own.

Before Agent 365, the question was “what agents are we using?” After Agent 365, the question is “what agents are we allowing?” Different question, different answer.

Why this actually changes the game

Here’s the real win. Agents inherit risk in a way users don’t. A user clicks a phishing link and one mailbox is compromised. An agent with delegated access and a bad prompt can touch SharePoint, send mail, and rewrite records — at machine speed, across hundreds of users — before anyone notices.

That’s why Agent 365 leans on Entra Agent ID to give every agent a first-class identity. No more agents hiding behind a generic service account. Each one shows up in sign-in logs, audit logs, Conditional Access, and Defender. You can revoke an agent the same way you’d revoke a user.

That’s not a feature. That’s a fundamental shift in how you secure a tenant.

My recommendation?

If you’re an MSP, start the conversation with your clients this quarter. Open the admin centre. Show them the agent list. Most of them have no idea what’s in there, and the longer they don’t know, the bigger the eventual cleanup.

If you’re not showing your clients this, somebody else will — and they’ll be the ones writing the agent governance policy on your client’s tenant.

Agent 365 isn’t there to add another dashboard to your day. It’s there to stop the shadow AI mess before it starts.

The Lie Your Planning Workbook Tells You

I’ve watched people spend a year getting ready to start something. New service line, new niche, new offer to clients. Workbooks filled out. Whiteboard sessions. A document called “strategy v7” sitting in OneDrive. Twelve months in, nothing has shipped. No client has been pitched. No post has gone live. And the strangest part is they don’t feel lazy — they feel busy. That’s the trap. The feeling of preparing is almost identical to the feeling of progress, and you can run on that feeling for a very long time before you notice the bank balance hasn’t moved.

Why preparation feels like the work

Preparing is comfortable because it’s measurable in ways that don’t expose you. You can finish a chapter of a workbook. You can refine a niche statement for the eleventh time. You can sit through another planning session in Teams and walk away feeling like the day mattered. Nobody pushes back. Nobody says no. There’s no awkward silence on a call, no email that doesn’t get replied to, no proposal that gets ghosted. It’s all upside, no risk, and it produces just enough output — notes, frameworks, lists — to convince you that you’re moving forward.

The honest test is simple. After all that preparing, can a stranger pay you for it? If the answer is no, you haven’t built anything yet. You’ve built a feeling.

What actually moves the needle

The thing that breaks this loop is uncomfortable, and it always looks the same: do the scary version of the work while it’s still scary. Send the email to the prospect before the offer is perfect. Post on LinkedIn before the niche is fully refined. Quote the client before you’ve memorised every line of the service catalogue. Real signal only comes from real exposure — somebody’s response, or the silence where a response should have been.

This is where Copilot quietly takes the excuse away. You don’t need another month of preparation to draft a cold outreach email — open Copilot in Outlook, give it the rough idea, and you’ve got a working draft in under a minute. You don’t need a workbook to scope a new managed service offer — Copilot in Word can spin up a first-pass outline from a few bullet points. The friction that used to justify months of “getting ready” has mostly been removed. What’s left is the only thing that ever actually mattered: the willingness to put it in front of someone real.

Doing it scared

I’d rather work with someone who has sent ten ugly proposals than someone who has perfected their elevator pitch in a Loop document for half a year. The ugly ten teach you something the workbook never will — what people actually push back on, what they don’t care about, what they’re willing to pay for. You can fold all of that back into a Planner board the next morning and refine in public, while the work is live, instead of refining in private while nothing exists.

The quiet cost

The cost of staying in preparation isn’t just lost revenue. It’s the slow erosion of belief that you’ll ever ship at all. Every month you spend tidying the runway is a month the plane doesn’t take off, and the longer it sits there the heavier it feels to move. The fix isn’t more clarity. It’s a smaller, scarier version of the thing — done today, in public, with whatever you’ve got.

Intune compliance policies + Conditional Access integration

Most people I speak to think the work of locking down devices in Microsoft 365 is creating the Intune compliance policy. They tick the boxes — BitLocker on, minimum OS, no jailbreaks — hit Save, and walk away feeling secure.

They aren’t.

A compliance policy on its own does precisely nothing to a sign-in. It’s a label. Intune looks at a device, decides “compliant” or “not compliant”, and writes that state back to Entra ID. That’s it. Nothing is blocked. Nothing is challenged. The policy is information, not enforcement.

The enforcement lives somewhere else entirely. It lives in Conditional Access.

If you’re not wiring those two things together, you’ve done half a job. And the half you skipped is the half that actually protects the tenant.

What is an Intune compliance policy, really?

Think of a compliance policy as a health check that runs on the device and ships the verdict back to your tenant. Encrypted? Patched? Joined to your tenant? Defender running? Out comes a true/false, and Entra ID writes it onto the device record.

That verdict is now available as a signal. Anything that can read Entra signals — and Conditional Access is the big one — can use it to make access decisions.

So the compliance policy is the sensor. Conditional Access is the gate. You need both, or you have neither.

Step-by-Step: wiring compliance to Conditional Access

Portal only. No PowerShell. This is what I do on every Business Premium tenant I touch.

Fix the tenant default first

Open the Intune admin center, go to Devices > Compliance > Compliance policy settings.

Find the setting Mark devices with no compliance policy assigned as. It ships set to Compliant.

Change it to Not compliant. Save.

That one setting is the difference between “any device in my tenant counts as good” and “a device has to earn it”. You’d be amazed how many tenants I audit where this is still on the default.

Build the compliance policy

Same portal. Devices > Compliance > Policies > Create policy. Pick Windows 10 and later (start there — do iOS and Android next).

Use the settings catalog options to set sensible rules — require BitLocker, a minimum Windows build, Defender real-time protection on, Defender signatures up to date. Don’t try to be heroic on day one. Set what you can defend with a straight face. Microsoft’s own walkthrough is the canonical reference.

In Actions for noncompliance, do not leave the default of “Mark device noncompliant: 0 days”. Give yourself a grace window — 1 to 3 days — and add a Send email to end user action a day earlier. People deserve a heads-up before they’re locked out of email.

Assign to a pilot user group. Not all users. A pilot group.

Build the Conditional Access policy

Now flip over to the Entra admin center: Entra ID > Conditional Access > Policies > New policy.

Users: include your pilot group. Exclude your break-glass account. Always.

Target resources: All resources.

Grant: Require device to be marked as compliant. Save.

And here’s the critical bit — set Enable policy to Report-only. Not On. Report-only.

Users:       Pilot group
Exclude:     Break-glass account
Resources:   All resources
Grant:       Require device to be marked as compliant
Enable:      Report-only

Notice what’s missing? MFA. That belongs in a separate policy. One policy, one job. Stack them, don’t fuse them.

Watch report-only for a week

Sign-in logs > Report-only tab. You’re looking for users who would have been blocked and shouldn’t have been — usually a missing enrollment, a personal device that needs the App Protection path instead, or a service account.

When the report-only data is clean, flip the toggle to On. Microsoft’s compliant-device CA template walks the same path.

Why this actually changes behaviour

“But MFA is already on. Isn’t that enough?”

It isn’t. MFA proves the user. Compliance + CA proves the device. Token theft doesn’t care about your MFA prompt — it cares whether the device the token landed on is one you trust. This is the bit MFA-only tenants are missing.

It also collapses three messy conversations down to one. “Is this laptop ours? Is it patched? Is it encrypted?” All of it rolls into one signal — compliant, or not. Conditional Access reads that one signal and decides. No more inventory spreadsheets. No more guessing.

And if you’re an MSP, this is the most defensible artefact you can show a client during an incident. The device was non-compliant. Access was blocked. That’s a finished sentence.

A compliance policy isn’t there to make a list of bad devices. It’s there to make sure they never sign in.

Why Being Small Is Your Real Advantage With AI

I had a conversation last week with the owner of a twelve-person business who spent the first ten minutes telling me how far behind they were. The big firms in their industry have AI strategies, AI committees, AI roadmaps. He didn’t have any of that. He thought it was a problem.

I told him it was the opposite. The thing he saw as a weakness — being small — is actually the only real advantage he has right now. And he was wasting it by feeling sheepish about it.

The giants are not as far ahead as they look

When you read the announcements from large enterprises about their AI programs, it sounds impressive. The reality on the ground is messier. Inside those organisations there are governance committees, procurement cycles, security reviews, change boards, and three different vendors pitching competing platforms. By the time they finish arguing about which group owns the rollout, eighteen months have gone past.

A small business doesn’t carry that weight. There is no internal committee. There is the owner, the team, and the work. That’s it. Decisions get made on a Tuesday afternoon and acted on by Wednesday morning.

You can turn Copilot on this week

This is where the gap becomes obvious. A small business can switch on Microsoft 365 Copilot for ten people on a Monday and by Friday have someone using it inside Outlook to triage their inbox before lunch, someone else using it in Excel to clean up a messy supplier list that’s been sitting there for two years, and another person catching up on a Teams meeting they missed without watching the recording. None of that requires a steering group. It requires a licence, half an hour of curiosity, and a willingness to have a go.

The big firm down the road is still drafting their pilot scope document. You’re already past the awkward learning phase and into actual benefit.

Pivoting is cheap when there’s nothing in the way

The other thing being small lets you do is change your mind. When a better way of doing something comes along — a new agent in Copilot Studio that automates an approval, a Power Automate flow that handles client onboarding, a smarter way to use SharePoint as a knowledge base — you can swap it in without unwinding a tangle of legacy processes. There’s no 200-page change management plan. There’s a conversation, a test on Thursday, and a rollout next week if it works.

Bigger organisations can’t move like that. Every change touches another change, which touches a third. There’s a process owner who needs to be consulted, a training team that needs to be briefed, an integration that needs to be re-tested. The cost of pivoting goes up sharply the larger you get. For you, that cost is almost nothing — and you should be spending it freely.

Stop trying to look like them

The mistake I see SMB owners making is trying to copy the way big businesses adopt technology. They want a strategy document, a steering committee, a phased rollout plan. They think that’s what serious looks like.

It isn’t. That’s what slow looks like.

Serious, for a small business, is being three steps ahead because you didn’t waste six months talking about it. The bigger players will catch up eventually — they always do. Your job between now and then is to use the head start, not apologise for it. Get Copilot in front of your team, let them break things, and bank the lead while you’ve got it.

Restricted SharePoint Search Is Not the Fix You Think It Is

Most people’s first reaction to Copilot and SharePoint goes something like this: “Wait — Copilot can see all of that?”

Then they panic. Then they Google. Then they find Restricted SharePoint Search and flip it on like it’s a fire extinguisher.

I get it. The instinct is right — you should care about what Copilot can reach. But RSS isn’t a security control. It’s a stalling tactic. And if you leave it on too long, it’ll cause more problems than the one you were trying to solve.

What is Restricted SharePoint Search, really?

RSS lets a SharePoint admin maintain an allowed list of up to 100 SharePoint sites. Only those sites show up in organisation-wide search results and Copilot chat responses.

That’s it. It doesn’t change a single permission on a single site. It doesn’t block anyone from accessing anything. It just hides sites from search and Copilot — unless the user has recently visited the site, or it was shared with them in Teams or Outlook. In which case, it shows up anyway.

That’s not a security boundary. That’s a curtain.

Microsoft’s own documentation on RSS says it plainly: this is designed as a short-term solution while you audit permissions and apply proper governance. It’s not meant to stay on.

Step-by-step: Setting up RSS the right way

If you’re going to use RSS — and there are situations where it makes sense — do it in this order.

Audit your active sites first

Open the SharePoint admin centre > Active sites. Filter by activity in the last 30 days. Customise columns to show page views, file counts, and last activity. Export the list to CSV. This is your starting inventory — the sites people actually use.

Review permissions on each candidate site

For every site you’re considering for the allowed list, open its details and check the Permissions tab. Look for “Everyone except external users” or company-wide groups. Those are the oversharing patterns you’re really worried about.

Enable RSS and build the allowed list

RSS is managed through PowerShell — there’s no toggle in the admin centre GUI for this one.

Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList @("https://contoso.sharepoint.com/sites/intranet","https://contoso.sharepoint.com/sites/hr")

Notice what’s missing? A portal button. That’s deliberate. Microsoft wants friction here because they don’t want you to leave this on.

Plan your exit from day one

Before you enable RSS, set a calendar reminder for 30 days out. That’s your deadline to fix the permissions that made you turn it on in the first place — and then turn it off.

When RSS backfires

Here’s where most people get into trouble. They enable RSS, breathe a sigh of relief, and forget about it. Months later, three things have gone wrong:

Search breaks for everyone. RSS doesn’t just limit Copilot — it limits all organisation-wide search. Your finance team can’t find the policy site. Your HR team can’t find the onboarding hub. Nobody told them you turned this on, so they log a ticket blaming SharePoint.

Copilot gets dumber. With only 100 sites to draw from, Copilot has less information to reference. Answers get vague. Users lose trust. You’ve just paid for Copilot licences and then blindfolded the thing.

False confidence sets in. The admin thinks the problem is solved. It isn’t. RSS doesn’t stop Copilot from surfacing content a user has already accessed. If someone opened that sensitive spreadsheet last week, Copilot can still reference it — allowed list or not.

The actual fix: permissions, not curtains

RSS buys you time. Use it. But spend that time on the thing that actually matters: fixing your SharePoint permissions.

Start with Data Access Governance reports in SharePoint Advanced Management. These reports show you exactly which sites have broad sharing, “Everyone” links, or sensitivity labels missing. That’s your real oversharing map.

Then work through it site by site. Remove company-wide sharing links. Tighten group memberships. Apply sensitivity labels where they belong. This is the work that actually makes Copilot safe — not hiding sites from search and hoping for the best.

Once permissions are clean, disable RSS. Let Copilot use the full breadth of your tenant. That’s how you get value from it.

“We turned on RSS six months ago and Copilot still isn’t helpful.”

That’s not a Copilot problem. That’s an RSS problem.

My recommendation?

Use RSS if you’re deploying Copilot to a tenant you haven’t audited yet and you need breathing room. Thirty days. Not six months. Not “until we get to it.”

Set the allowed list. Fix the permissions behind the scenes. Then take the training wheels off.

If you’re an MSP and you’re not walking clients through this sequence — temporary RSS, permission remediation, RSS removal — you’re either leaving them exposed or leaving them hobbled. Neither looks good at renewal time.

RSS isn’t there to protect your tenant. It’s there to give you a window to actually protect your tenant. Don’t confuse the window with the wall.

Trust Now Happens Before Contact

Here’s the uncomfortable truth:

By the time a prospect contacts you, the decision is often already made.

They’ve read your blog posts.
They’ve watched your videos.
They’ve scanned your LinkedIn.
They’ve compared you to three other MSPs.

They’re not calling to be convinced.
They’re calling to validate a choice.

That’s why trust has moved upstream — before the sales conversation even starts.

And that’s why we replaced the old model with something radically simpler:

Content → Offer Doc → Decision

No calls.
No chasing.
No closing.

Content Does the Heavy Lifting

Your content is now your best salesperson.

Not polished marketing fluff — real, opinionated, practical content that shows how you think.

Content that answers:

Who this is for
Who it is not for
What problems you actually solve
What you believe about IT, security, risk, and responsibility

When done properly, content pre‑qualifies better than any discovery call ever could.

Bad‑fit prospects self‑select out.
Good‑fit prospects lean in.

That alone removes enormous friction from your pipeline.

The Offer Doc Replaces the Sales Call

Instead of “let’s book a call”, we give prospects an offer document.

Not a proposal.
Not a quote.
An offer.

It clearly spells out:

The problem we solve
The outcome we deliver
Exactly what’s included
Exactly what it costs
Exactly how to say yes

No mystery. No theatre. No “we’ll tailor it after the call”.

If someone needs a call to understand the offer, the offer isn’t clear enough.

Decision Without Pressure

This is the part most MSPs struggle with.

Letting the prospect decide — without pressure.

But when trust is built upstream, and the offer is clear, the decision becomes simple.

They either want it or they don’t.

And that’s a good thing.

Because the clients who say yes without being chased are the same clients who:

Respect boundaries
Value your expertise
Pay on time
Stay longer

What This Means for MSPs

This isn’t about “anti‑sales”.

It’s about modern sales.

Sales that respects how buyers actually behave today.
Sales that removes friction instead of adding it.
Sales that attracts adults who can make decisions.

If your growth still depends on more calls, more follow‑ups, and more convincing — you’re fighting the market.

The MSPs who win next won’t close harder.

They’ll clarify better.

And they’ll let trust do the work.