Microsoft Secure Score for SMB MSPs: Stop Treating It Like a Report Card and Start Running It Like a Work Queue

Microsoft Secure Score is one of the most underused operational assets in the Microsoft 365 stack. Most MSPs know it exists. Most have shown it in a QBR. Most do not run it as part of service delivery.

That is the mistake.

If you manage Microsoft 365 for small and midsize businesses, Secure Score is not best understood as a dashboard, a maturity grade, or a client-facing marketing number. It is a Microsoft-maintained, impact-weighted queue of hardening actions, with tenant history, trend data, comparison data, and a Graph API. In practical terms, it is a free source of prioritized security work that many MSPs already pay for through the licenses they sell, then ignore in day-to-day operations.

For SMB-focused MSPs, that matters because the biggest failure mode is not the lack of security tools. It is the lack of an ownership loop. A control regresses, an exception gets added, a legacy app forces a bad compromise, or a policy quietly gets weakened to solve a ticket. Secure Score usually notices the change. The MSP often does not. The issue is not visibility. The issue is that the visibility never enters the workflow.

This article explains how to fix that. We will cover what Secure Score actually measures, why many MSPs do not trust it, where it is operationally useful, where it is incomplete, and how to turn it into a repeatable SMB security process instead of another unused portal tile.

What Microsoft Secure Score Actually Is

Microsoft defines Secure Score as a measurement of an organization’s security posture. A higher score means the tenant has taken more of Microsoft’s recommended actions. Microsoft is also explicit about what the score is not: it is not an absolute measure of breach likelihood, and it should not be treated as a guarantee of security.

That disclaimer is important because it is where many MSP conversations go wrong. When teams argue about whether the score is “accurate,” they are usually asking the wrong question. The useful question is whether the recommendation set helps you prioritize hardening work inside the Microsoft 365 estate. In that role, it is often very useful.

Secure Score groups improvement actions across major areas such as identity, devices, apps, and data. In the Defender portal, you also get historical views, comparison trends, regression tracking, risk acceptance trends, and benchmarks against similar organizations. In Microsoft Graph, the secureScore resource exposes tenant-level score data and control-level score data. Microsoft documents that the secureScores collection retains 90 days of data by default and is sorted by createdDateTime.

For an MSP, that means three things. Microsoft is already maintaining the recommendation model for you. The model is weighted, so high-impact items rise above low-value cleanup work. The data is retrievable, so you are not limited to screenshots and manual review.

Why MSPs Distrust Secure Score

The skepticism is not irrational. MSPs have good reasons to be wary of vendor scoring systems.

Secure Score can be gamed. Some controls can be marked as addressed by third-party solutions. Some organizations can push the percentage higher without meaningfully improving real-world resilience. Some recommendations align cleanly with Microsoft’s commercial interests. And a tenant can look respectable in Secure Score while still being weak against a framework-based assessment such as CIS Microsoft 365 Foundations.

All of that is true.

It is also beside the point if you use Secure Score correctly.

The score itself is not the deliverable. The recommendation queue is the useful artifact.

If you stop treating Secure Score as a grade to defend and start treating it as a stream of prioritized hardening opportunities, most of the common objections lose force. Whether the overall number is inflated matters much less when the MSP’s process is built around four operational questions:

  1. What changed?

  2. Which recommendation regressed?

  3. Who owns the remediation?

  4. Is the exception documented if the control cannot be implemented?

That is the shift SMB MSPs need. Do not sell the number. Operate the queue.

Why This Matters More in SMB Than Enterprise

Enterprise security teams can afford parallel governance structures, dedicated platform owners, and formal architecture boards. Most SMB MSPs cannot. They are working across dozens or hundreds of tenants with a small engineering team, limited time for advisory work, and constant pressure to resolve issues quickly without breaking line-of-business applications.

That environment creates predictable drift:

  • MFA gets partially rolled back to support a legacy workflow.

  • Conditional Access exclusions accumulate because no one wants to block the owner on Monday morning.

  • POP, IMAP, or SMTP AUTH remains enabled longer than intended.

  • Admin accounts sprawl because shared support habits were never fully cleaned up.

  • Secure defaults are deferred until “after onboarding” and then never revisited.

Secure Score will not solve those cultural problems by itself. But it does give the MSP a standardized, per-tenant signal that the drift happened. That is useful when the alternative is discovering the gap after a compromise, an audit finding, or a cyber insurance questionnaire.

For SMB clients, the outcome you want is not elegant theory. It is repeatable motion: detect regressions, turn them into tickets, assign ownership, track exceptions, and report change over time.

The Best Way to Think About Secure Score

The most useful framing for an SMB MSP is this:

Secure Score is a free, Microsoft-maintained, prioritized work queue for Microsoft 365 hardening.

That framing is better than “dashboard” for several reasons.

It turns advisory data into service delivery work

Most MSPs already know how to manage queues. They know how to triage, assign owners, set SLAs, escalate blockers, and review aging items. Once Secure Score is treated as a work source instead of a summary chart, it can be managed with the same disciplines as patching, backups, or incident response.

It gives smaller MSPs prioritization they did not have to build themselves

Building a credible cross-tenant security backlog from scratch is expensive. Microsoft has already done a significant part of that work by maintaining a recommendation catalog and weighting system for the Microsoft 365 estate. That does not replace judgment, but it removes a lot of low-value manual triage.

It creates a missing ownership loop

This is the central operational gap in many MSP practices. Somebody reviews the score at QBR time. Nobody owns the regressions between reviews. A queue model closes that gap by creating named responsibility.

What Secure Score Is Good At

Secure Score is most useful for four operational jobs.

1. Baseline hardening of Microsoft 365 tenants

For Business Premium-heavy client bases, Secure Score is a practical way to identify incomplete baseline work in identity, email, collaboration, and access control. It is especially useful during onboarding and during the first 90 days after standardization.

2. Detecting configuration regression

The most valuable Secure Score capability for MSP operations is not the headline number. It is the visibility into changes, regressions, and trends over time. Microsoft documents history views, score changes, regression trends, and risk acceptance trends in the Defender portal. Those features support a simple but important operating model: when the score moves for a meaningful reason, someone should know why.

3. Supporting client communication

Clients generally do not want a pile of raw control language. They want to know whether their tenant is improving, where material gaps remain, and what decisions are blocked by budget, licensing, or business risk tolerance. Secure Score gives MSPs a way to show movement while still tying the discussion to concrete recommendations.

4. Feeding automations and downstream workflows

The Graph API is what makes Secure Score operationally interesting. The secureScore and secureScoreControlProfile entities mean the data can be extracted, normalized, compared, and pushed into PSA tickets, reporting systems, Power BI, or an internal security dashboard.

What Secure Score Is Not Good At

If you overstate Secure Score, you will lose credibility fast.

It is not a complete security program.

It is not a replacement for CIS-based assessment, conditional access architecture review, privileged identity strategy, incident response readiness, or broader governance work.

It is not proof that a tenant is secure.

It is not enough on its own for cyber insurance, regulated compliance, or board-level assurance.

And it does not reliably represent controls outside the parts of the Microsoft estate it can actually observe and score.

The correct role is upstream triage. If a tenant is weak in Secure Score, it is almost certainly not ready for anyone to pretend the security program is mature. If a tenant is strong in Secure Score, that is useful evidence of operational discipline, but it is still not the same thing as a framework-level assessment.

The MSP Operating Model: How to Turn Secure Score Into Real Work

If you want this to matter, you need a workflow, not a portal habit.

The simplest operating model for SMB MSPs looks like this.

Daily or scheduled collection

Pull each managed tenant’s latest Secure Score data on a schedule. For most SMB practices, daily is enough. The point is not constant polling. The point is to avoid relying on somebody remembering to open the Defender portal.

At minimum, collect:

  • current score

  • max score

  • controlScores

  • createdDateTime

  • comparison data where available

Because Microsoft retains 90 days in the secureScores collection by default, MSPs that want trend history beyond that should store snapshots in their own reporting or data platform.

Change detection

Compare the latest data with the prior snapshot. You are looking for:

  • newly regressed controls

  • high-impact recommendations not yet addressed

  • large score drops

  • repeated exceptions on the same control

This matters more than chasing every available point. A tenant that loses 8 points because a meaningful identity control regressed deserves faster attention than a tenant sitting 12 points below your target because of a lower-priority backlog item.

Ticket creation

Do not create tickets for every single recommendation blindly. That becomes noise.

Instead, define queue rules such as:

  • create a ticket when a control regresses

  • create a ticket when a high-impact control remains open beyond a threshold

  • create a project task when multiple related controls point to the same architectural gap

  • suppress informational items that do not change the actual risk picture

For SMB MSPs, the PSA categories should be simple: remediation, client decision required, license blocker, accepted risk, and monitoring only.

Ownership and SLA

Every generated item needs one owner. Not a team. Not “security.” One owner.

If the ticket requires client approval, assign a technical owner internally anyway. The owner is responsible for moving the item to a decision, not just waiting for the client to act.

Review cadence

The cadence that usually works is:

  • weekly internal review of new regressions and aging items

  • monthly or quarterly client review of trend movement and blocked recommendations

  • onboarding review for every newly managed Microsoft 365 tenant

Without this rhythm, the queue becomes another ignored data source.

What Good Looks Like for an SMB MSP

For most SMB-focused MSPs, “good” is not a perfect score. Good looks like operational discipline.

A mature practice usually has the following traits:

  • a defined Business Premium baseline for standard clients

  • a target Secure Score range by client profile, not one universal number

  • documented exceptions where business requirements block a recommendation

  • automated collection and comparison of score history

  • tickets generated from regressions or materially important open actions

  • reporting that shows trend, ownership, and blocked items rather than just a percentage

This is a much stronger position than telling clients, “Your Secure Score is 71%,” with no explanation of what changed, what remains open, and what the MSP is doing about it.

Practical Guidance for Business Premium-Centric Client Bases

Many SMB MSPs serve clients that standardize on Microsoft 365 Business Premium. That is a useful licensing position because it enables a meaningful portion of the high-value identity and security controls most small clients actually need.

In that environment, Secure Score becomes particularly effective as a baseline enforcement tool.

Examples of actions that usually deserve attention early include:

  • enforcing MFA for admins and users where appropriate

  • blocking or reducing legacy authentication exposure

  • implementing Conditional Access with minimal, well-governed exclusions

  • hardening privileged roles and admin account practices

  • reviewing risky exceptions in Exchange, SharePoint, Teams, and collaboration settings

  • tightening access paths that grew organically during onboarding or support work

The goal is not to squeeze every point out of the platform. The goal is to reach a defensible, supportable baseline and then catch drift quickly.

A Practical Graph API Pattern for MSPs

The technical unlock is Microsoft Graph.

Microsoft documents the Secure Score entities in the Graph security API, including secureScores and secureScoreControlProfiles. That means an MSP can stop relying on manual portal checks and start pulling the data into its own tooling.

At a high level, the pattern is:

  1. authenticate to Microsoft Graph for the tenant context you manage

  2. pull the latest secureScores data

  3. store a normalized daily snapshot

  4. compare the latest snapshot to the previous one

  5. create or update PSA records based on meaningful changes

For example, the REST request against the score history collection, limited to the most recent snapshot with $top=1, is:

GET https://graph.microsoft.com/v1.0/security/secureScores?$top=1

And for a specific score object:

GET https://graph.microsoft.com/v1.0/security/secureScores/{secureScoreId}

If you prefer PowerShell, a lightweight pattern with the Microsoft Graph PowerShell SDK is:

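# Sign in first; SecurityEvents.Read.All is the least-privileged permission for reading secureScores
Connect-MgGraph -Scopes "SecurityEvents.Read.All"
Import-Module Microsoft.Graph.Beta.Security
# Most recent snapshot for the connected tenant
$latestScore = Get-MgBetaSecuritySecureScore -Top 1
$latestScore | Select-Object createdDateTime, currentScore, maxScore, vendorInformation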

That example is intentionally simple. In production, an MSP should enrich it by extracting the control-level detail, normalizing the tenant identifier, storing the snapshot outside the 90-day retention window, and mapping meaningful changes to ticket logic.
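The change-detection and ticket-rule steps described earlier, together with steps 3 to 5 of the pattern above, as an added Python example (not code from the original article or from Microsoft). It works on secureScores JSON as returned by the REST path above; the threshold, exception register, owner map, and sample snapshots are constructed assumptions.

```python
"""Added example: diff two Secure Score snapshots into PSA ticket candidates."""
from dataclasses import dataclass

SCORE_DROP_THRESHOLD = 5.0  # hypothetical: tenant-level points lost that warrant a ticket


@dataclass(frozen=True)
class TicketCandidate:
    tenant_id: str
    control: str   # controlName, or "*" for a tenant-level score drop
    category: str  # one of the PSA categories named in the article
    owner: str     # exactly one named owner, never a team
    detail: str


def normalize(snapshot: dict) -> dict:
    """Keep only the secureScore fields needed for comparison and storage."""
    return {
        "tenant_id": snapshot["azureTenantId"],
        "created": snapshot["createdDateTime"],
        "current": float(snapshot["currentScore"]),
        "max": float(snapshot["maxScore"]),
        "controls": {c["controlName"]: float(c.get("score") or 0.0)
                     for c in snapshot.get("controlScores", [])},
    }


def diff_snapshots(previous, latest, exceptions, owners, default_owner):
    """Return ticket candidates for regressions between two snapshots of one tenant."""
    prev, cur = normalize(previous), normalize(latest)
    if prev["tenant_id"] != cur["tenant_id"]:
        raise ValueError("snapshots belong to different tenants")
    # Graph returns UTC ISO 8601 timestamps, which order correctly as strings.
    if cur["created"] <= prev["created"]:
        raise ValueError("latest snapshot is not newer than previous")

    tickets = []
    for name, old in sorted(prev["controls"].items()):
        owner = owners.get(name, default_owner)
        new = cur["controls"].get(name)
        if new is None:
            # Control disappeared: catalog change or data gap, not proof of regression.
            tickets.append(TicketCandidate(cur["tenant_id"], name, "monitoring only",
                                           owner, "control missing from latest snapshot"))
        elif new < old:
            exc = exceptions.get(name)
            if exc is None:
                category = "remediation"
            elif exc["review_by"] < cur["created"][:10]:
                category = "client decision required"  # exception is past its review date
            else:
                category = "accepted risk"
            tickets.append(TicketCandidate(cur["tenant_id"], name, category, owner,
                                           f"score {old:g} -> {new:g}"))
    drop = prev["current"] - cur["current"]
    if drop >= SCORE_DROP_THRESHOLD:
        # maxScore is included because a catalog change can move the total on its own.
        tickets.append(TicketCandidate(cur["tenant_id"], "*", "remediation", default_owner,
                                       f"tenant score fell {drop:g} points "
                                       f"(max {prev['max']:g} -> {cur['max']:g})"))
    return tickets


# Constructed sample snapshots (not real tenant data); control names are illustrative.
TENANT = "00000000-0000-0000-0000-000000000001"
PREVIOUS = {
    "azureTenantId": TENANT, "createdDateTime": "2024-05-01T00:00:00Z",
    "currentScore": 142.0, "maxScore": 200.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "AdminMFAV2", "score": 10.0},
        {"controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 8.0},
        {"controlCategory": "Identity", "controlName": "SelfServicePasswordReset", "score": 1.0},
        {"controlCategory": "Apps", "controlName": "RetiredControlExample", "score": 1.0},
    ],
}
LATEST = {
    "azureTenantId": TENANT, "createdDateTime": "2024-05-02T00:00:00Z",
    "currentScore": 125.0, "maxScore": 199.0,
    "controlScores": [
        {"controlCategory": "Identity", "controlName": "AdminMFAV2", "score": 2.0},
        {"controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 0.0},
        {"controlCategory": "Identity", "controlName": "SelfServicePasswordReset", "score": 1.0},
    ],
}
# Hypothetical exception register and owner map kept by the MSP.
EXCEPTIONS = {"BlockLegacyAuthentication": {"reason": "legacy scanner needs SMTP AUTH",
                                            "review_by": "2024-04-30"}}
OWNERS = {"AdminMFAV2": "alex"}

if __name__ == "__main__":
    for t in diff_snapshots(PREVIOUS, LATEST, EXCEPTIONS, OWNERS, "jordan"):
        print(f"[{t.category}] {t.control} -> {t.owner}: {t.detail}")
```

Unchanged controls produce no ticket, which keeps the queue limited to regressions, expired exceptions, and tenant-level drops.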

Two cautions matter here.

First, the partner security score API is still documented in Graph beta. Microsoft explicitly notes that beta APIs can change and are not supported for production use. That makes it appropriate for research, internal visibility, and forward planning, but not something you should build a fragile client-facing dependency around without a fallback.

Second, do not confuse “we can query the score” with “we have an operational program.” The code is the easy part. The service workflow is the real work.

The Emerging MSP Angle: Microsoft Is Starting to Score the Partner Too

This is the part many MSPs are still underestimating.

Microsoft’s partner security score API preview exists to help partners understand the posture of their own tenant and their customer tenants. That is strategically important because it suggests the market is moving from optional tenant-level scoring toward partner-level accountability.

Even if the preview evolves before it reaches broader production maturity, the direction is clear. Microsoft wants partners to improve, monitor, and evidence security posture across customer estates, not just their own internal environment.

For SMB MSPs, the implication is straightforward: if you do not already have a method for turning customer posture data into operational action, you will eventually be judged as if you should.

Common MSP Mistakes to Avoid

There are a handful of failure patterns that show up repeatedly.

Showing the score without showing the work

If the QBR slide says 74% but you cannot explain the top regressions, top blockers, and next remediation steps, the number is decorative.

Chasing percentage points instead of risk reduction

Not every available point has equal operational value. Some changes are cheap but noisy. Some are strategically important but require client sign-off, licensing, or rollout planning. Mature MSPs do not let the metric outrank judgment.

Treating exceptions as invisible

Accepted risk is still risk. If a recommendation cannot be implemented because of a legacy app, business process, or licensing constraint, document it cleanly and review it on a schedule.

Leaving the score in the portal

If the only place Secure Score lives is inside someone’s browser tab, it is not part of operations. Export it, compare it, and attach action to it.

A 30-Day Rollout Plan for a Small MSP Team

If your MSP wants to operationalize Secure Score without overengineering it, use a staged rollout.

Week 1: Define the baseline

Decide which tenant types you serve and what “good enough” means for each. Separate standard Business Premium SMBs from regulated or higher-risk clients. Define which control categories matter most and which exceptions require formal documentation.

Week 2: Collect and store the data

Pull the latest Secure Score snapshots for a pilot group of tenants. Store the results somewhere you control so you keep history beyond Microsoft’s default retention window.

Week 3: Build ticket rules

Start with one rule only: create a ticket for meaningful regressions. Do not begin by flooding the PSA with every open recommendation. Tune for signal first.

Week 4: Review and report

Run the first internal security review. Validate that the created tickets were useful, not noisy. Adjust thresholds, add owner fields, and prepare a client-facing summary that focuses on movement, blockers, and decisions.

That is enough to move from passive observation to active management.

The Real Opportunity for SMB MSPs

The opportunity here is not that Secure Score is a perfect metric. It is that it is an available one, already present in the client estate, backed by Microsoft-maintained recommendations, visible in the Defender portal, and accessible through Graph.

For SMB MSPs, the winning move is not to argue endlessly about whether the number deserves trust. The winning move is to extract operational value from the recommendation set faster than competitors do.

The MSP that uses Secure Score as a workflow input can prove ownership, detect regressions, preserve history, and tie security posture directly to tasks, exceptions, and client decisions. The MSP that uses it only as a QBR screenshot gets none of that.

Secure Score is not the security program.

It is the free upstream queue that tells you where your Microsoft 365 hardening work should start, where it slipped, and where someone in your team needs to act next.

That is more useful than a dashboard. It is the beginning of an operating model.

Nobody buys tickets to a concert when they haven’t heard the songs

A mate of mine said something last week that I’m still chewing on. We were talking about the slog of marketing — the endless push to fill webinar seats, chase trial sign-ups, follow up on outreach that goes nowhere. He stopped mid-sentence and said he was done with all of it. He didn’t want to spend his career flogging tickets to a show. He wanted to make a body of work so strong that the show booked itself.

That hit me, because most MSPs I speak to are stuck in the wrong half of that sentence. They’re flogging tickets to a concert when nobody has heard a single track.

The album is the persuasion

Think about what actually changes someone’s mind in this business. It isn’t a sales page. It isn’t a “book your free assessment” button at the bottom of a generic landing page. It’s the post they read on a Sunday morning that made them rethink how they saw their own business. It’s the short video that answered a question their current provider had been dodging for months. It’s the comment on someone else’s post where you said something sharp and useful, and they thought, hang on, who is that.

That body of work is the album. The offer at the end — the assessment, the migration, the security review, the Copilot rollout — that’s just the tour. If the album is good, the tour fills. If the album is thin, the tour costs you blood to fill every single time, and you’re back to the slog my mate was so tired of. It’s the same hustle dressed up in a new font.

Make the work before you sell the work

The trap is producing thin content with a CTA stapled to it. A 200-word post that took twenty minutes and ends with “DM me to book a call” is a flyer, not a song. Nobody travels to see a flyer.

A real piece takes longer. It needs a genuine opinion. It needs a story you actually lived. It needs editing — the part most people skip because it isn’t fun.

Microsoft 365 is built to take the friction out of that work without taking the soul out of it. I draft most of my posts in Word with Copilot sitting next to me, asking it to push back on my argument, sharpen the opening line, surface the point I’m circling but haven’t written yet. I’ll record a short Teams call talking an idea out loud and ask Copilot to pull a structure from the transcript. I keep a SharePoint page where every client conversation that surprised me gets dropped in as a few lines, and over a month it becomes a list of post ideas I’d never have remembered otherwise.

The point isn’t to make more. It’s to make better, more often, with less of the activation energy that usually kills the habit before the third post lands. That’s the shift that matters — not the volume, but whether you can keep showing up with something actually worth someone’s attention.

Then you stop selling tickets

When the work is genuinely good, you stop chasing. People who already trust how you think don’t need to be sold the offer — they need a way to say yes. The hustle quietly drops away, because the persuasion happened months ago, in public, while you weren’t pitching anything at all.

So before the next campaign, the next list, the next funnel — ask the harder question. Are the songs any good? Good enough that someone would forward one to a colleague without you having to ask. Because nothing on the tour can rescue an album nobody wants to hear.

The Compliance Conversation You’re Avoiding Will Eventually Find You

I had a chat recently with a business owner who runs a tidy operation — about fifteen staff, healthy margins, the sort of place that quietly does well without ever making noise. Halfway through, I asked how they were tracking on privacy and security obligations. The answer was a laugh and a wave of the hand. “Mate, we’re too small for anyone to care about that.”

I’ve heard that line more times than I can count. And I understand why people say it. When you’re flat out keeping the lights on, compliance feels like a problem reserved for the big end of town — banks, hospitals, listed companies with legal departments. The trouble is, that comfortable assumption is quietly expiring, and most small businesses haven’t noticed.

The rules are walking towards you, not away

For years, smaller organisations sat below the threshold of most privacy regulation. That gap is closing. Governments around the world are tightening data protection laws and shrinking the carve-outs that used to let small businesses off the hook. Here in Australia, the conversation about extending privacy obligations to organisations that were previously exempt has been building for a while, and it isn’t going to reverse.

So the question isn’t whether regulation reaches your business. It’s whether you’ll be ready when it does, or scrambling because you assumed it never would.

What strikes me is how avoidable the scramble is. A lot of what compliance asks for is simply knowing what data you hold, where it lives, who can touch it, and what happens if it walks out the door. If you’re running Microsoft 365, you already have the tools to answer those questions. Microsoft Purview can show you where sensitive information sits across your tenant and flag where it’s being shared in ways it shouldn’t be. That’s not a future purchase. For most small businesses, it’s sitting in a licence you already pay for and have never switched on.

Cyber insurance is doing the regulating for now

Here’s the part that catches people off guard. While the laws are still catching up, your insurer has already arrived. The renewal questionnaire for cyber insurance has become a de facto compliance audit, and it’s getting longer every year.

Do you enforce multi-factor authentication? Do you have email filtering? Are backups tested? Who has administrator access? I’ve watched owners stare at these forms with genuine surprise, because nobody warned them that a policy renewal would turn into a security interrogation. And the consequences are real — answer loosely, suffer an incident, and you may find the claim contested because the controls you ticked weren’t actually in place.

This is where I tell people to stop treating the questionnaire as paperwork and start treating it as a checklist worth acting on. Turn on MFA through Entra. Tighten who holds admin rights. Confirm your data is actually backed up, not just assumed to be. None of this is exotic. It’s the same hygiene the regulators will eventually demand, so you may as well do it now while an insurer is the one asking.

Where to start when it feels like too much

The reason this conversation gets avoided is that it feels enormous — like you’d need to stop everything and become a compliance expert overnight. You don’t. You need to start, and starting is smaller than you think.

This is one of those tasks where I’ve found Copilot genuinely useful. Ask it in Word to draft a plain-English data handling policy based on what your business actually does, then refine it. Ask Copilot to summarise the key obligations from a privacy guidance document you’ve been meaning to read for six months. Use it to turn that intimidating insurance questionnaire into a list of specific actions, each owned by someone, tracked in Planner. Suddenly the mountain is a series of steps, and steps are doable.

The point isn’t to achieve perfect compliance by Friday. It’s to be able to show, honestly, that you’ve thought about this and you’re doing something — because “we’re too small to matter” is not a defence that ages well.

The compliance conversation you’re avoiding doesn’t disappear when you ignore it. It just waits, and it tends to introduce itself at the worst possible moment — mid-breach, mid-claim, mid-audit. Far better to have the conversation now, on your own terms, with a coffee in hand and nothing actually on fire. That’s a much nicer way to meet it.

The next wave of millionaires won’t be coders. They’ll be the people who know how to ask.

I sat across from a small business owner last week who was running a five-person company out of a single browser window. No engineering team. No marketing department. No sales operations. Just her, an Outlook tab, an Excel sheet, a Teams chat with her bookkeeper, and Copilot stitching the whole lot together. She wasn’t writing code. She wasn’t filming videos. She wasn’t cold-calling anyone. She was directing — asking the right thing, of the right tool, at the right moment. And quietly, almost without realising it, she was out-earning people I know with three times her headcount.

That image has stayed with me. For most of my career, the people who built real wealth in small business fell into three buckets — they could build the thing, sell the thing, or reach an audience. The bottleneck was always one of those three. AI has just removed two and a half of them.

The compounding point has moved

Software used to be the hard part. Then writing was. Then distribution. Each wave produced its own millionaires — the engineer-founders, the creators, the inside-sales operators with a phone and a CRM. The pattern was the same every time: somebody figured out how to compound their output past what a single human could reasonably produce, and the market paid them for it.

Copilot has quietly opened that same door for an entirely different kind of person. The new compounding skill isn’t writing code or shooting reels. It’s knowing what to ask, what to push back on, and what “good” looks like when something comes back at you. The advantage has moved from making to directing.

The unglamorous skill nobody talks about

The owners I see pulling ahead this year aren’t the ones using the most apps. They’re the ones who’ve learned to live inside Copilot in the surfaces they already use. They draft a difficult client email in Outlook, then ask Copilot to soften the tone before they send. They drop a messy supplier statement into Excel and ask Copilot to find the months that don’t reconcile. They walk out of a Teams meeting and ask Copilot for the three things they actually committed to. None of this looks heroic. It just adds up.

What separates the power users from everyone else is taste. They know when the first draft is wrong and they keep asking. They know which spreadsheet question will surface the real answer. They’ve built a private library of prompts the way previous generations built rolodexes. That instinct — the one that decides whether to trust a draft or rewrite it — is the new scarce skill, and almost nobody is teaching it.

The quiet wealth shift

I don’t think this is a story about technology displacing people. I think it’s a story about advantage shifting toward whoever can direct an intelligent tool well — and that’s not always the most technical person in the room. Often it’s the operator, the bookkeeper, the franchise owner, the practice manager. People who were already good at making decisions, now equipped with an assistant that turns a good decision into ten finished pieces of work. The wealth doesn’t show up as a single big windfall. It shows up as a quietly higher margin, a smaller payroll, a calendar with more white space than their competitors’.

Watch the small operators in your own network over the next twelve months. The ones quietly buying back time, taking on more clients without hiring, and looking suspiciously relaxed on a Friday afternoon — they aren’t working harder. They’re just better at asking.

Copilot Agents Are the Next Real MSP Conversation

I’ve been having a lot of conversations lately with MSP owners who are still treating Copilot as a licence SKU to resell. They tick the box, push the price up, and wait on the renewal. Meanwhile a small group of their clients are quietly building agents in Copilot Studio and starting to ask sharper questions — questions about data, permissions, governance, and ownership. If your MSP isn’t in those conversations, somebody else is.

Agents are not “Copilot, but more.” They are a different shape of work. And they are the first part of the Copilot story where technical depth genuinely matters again.

Agents change what your clients ask you for

For two years the Copilot pitch has been “draft my email, summarise my meeting, polish my deck.” That is a user training problem dressed up as a technology problem. Agents are different. An agent is a piece of configured behaviour — a declarative agent in Microsoft 365, an agent built in Copilot Studio with actions, or a SharePoint agent grounded in a specific library — that does a specific job, with specific knowledge, for a specific group of people.

The moment a client builds one, the questions change. Which SharePoint sites is it allowed to read? What happens when somebody who shouldn’t see a document asks the agent about it? Who owns it when the person who built it leaves? These are not user questions. These are MSP questions. Nobody else in the client’s world is set up to answer them, and frankly, nobody else should be.

The technical groundwork is the billable work

Here is the part I keep flagging in peer groups. Before an agent is useful, the tenant has to be in shape. SharePoint permissions need to actually reflect reality, not the historical sediment of five years of “just give them access.” Sensitivity labels need to exist and be applied. Purview DLP policies need tuning for the way Copilot grounds answers. Entra ID app governance needs to be switched on, so a rogue agent in Copilot Studio can’t quietly start calling external connectors against a client’s data.

None of that is glamorous. All of it is billable, repeatable, and exactly the kind of work an MSP should be packaging right now. I’d rather sell a tenant readiness engagement than another round of “Copilot adoption training” that doesn’t survive contact with a real inbox.

Agents are how MSPs stop being interchangeable

The MSPs I see pulling ahead aren’t the ones with the slickest Copilot demo. They are the ones building reusable agents for their own clients — a client onboarding agent grounded in a policy library in SharePoint, a compliance Q&A agent pinned in Teams, a quoting assistant that reads the price book and drafts the response in Outlook. Each one is small. Each one is specific. Each one is harder for the next MSP down the road to replicate, because it sits inside the client’s data and inside the client’s workflow.

That is a moat. Not a big one, but a real one — and it compounds.

The watch-this-space part

I think the next twelve months are when the gap between MSPs who treat Copilot as a licence and MSPs who treat it as a platform starts to show up in client retention. Agents are the lever. The technical work to make them safe and useful is squarely in our lane. The MSPs who pick that work up early get to keep having the interesting conversations. The ones who don’t will find their clients having those conversations with somebody else.

You Hired People to Grow — So Why Are You Still the IT Help Desk?

I had a conversation a few weeks ago with a business owner who genuinely couldn’t understand why he never had time to think. He’d built a team of capable people. He’d handed over the org chart boxes. And yet there he was, at his desk on a Saturday morning, resetting a password for someone who could have done it themselves, then untangling why a shared mailbox wasn’t showing up for a new starter. He’d hired people so he could grow the business. Instead, he’d become the help desk.

I see this constantly, and it’s rarely about ego. It’s habit. The work lands on you because it always has, and saying yes is faster than explaining how. But every time you do the ten-minute job nobody else picked up, you’re quietly telling your team that it’s still yours.

The work below your pay grade is training you, not them

Here’s the part that stings. When you keep doing the small stuff, you’re not just losing an hour. You’re getting better at being the help desk while your people stay exactly where they are. The muscle you’re building is the wrong one.

Think about what actually fills those gaps. Someone can’t find last month’s report, so they ping you instead of searching for it. A new client onboarding stalls because only you know the five steps. Half of this isn’t even hard — it’s just undocumented and sitting in your head.

That’s where I’ve watched Microsoft 365 quietly change the equation, if you let it. A lot of the questions that get routed up to you aren’t decisions. They’re lookups. “Where’s the latest version?” “What did we agree with that client?” “How do we usually handle this?” Copilot in the flow of work answers those without you. Someone can open Copilot in Teams and ask what was decided in last Tuesday’s project meeting, and get the answer straight from the transcript — no need to interrupt you to retell it. That’s a question that used to have your name on it.

Stop being the single point of knowledge

The reason work keeps boomeranging back to you is that you’re the documentation. The process lives in your memory, so people have to come through you to access it. Break that, and you break the dependency.

This doesn’t mean writing a 40-page manual nobody reads. It means putting the knowledge where people already are. I’ve seen owners take the recurring “how do I do this” questions and turn them into a SharePoint page or a pinned Teams tab the team can actually reach. Then Copilot can draw on that content when someone asks, so the answer comes from the system, not from you on a Saturday. The first time a staff member solves their own problem without messaging you, something shifts. They realise they don’t need permission, and you realise the sky doesn’t fall.

The same goes for the genuinely repetitive jobs. The new-starter setup that you do by hand every time. The weekly report you rebuild from scratch. Power Automate can carry a lot of that, and Copilot can draft the first version of the email, the summary, the client update — so your role becomes checking and sending, not creating from zero in Outlook.

Delegation is a decision, not a personality trait

I think a lot of managers wait to feel ready to let go. You won’t. The discomfort of handing something over and watching it be done at 80% of your standard is real, and it’s the price of getting your week back. Eighty percent done by someone else, repeatedly, beats 100% done by you, occasionally, while everything else waits.

Be honest about what only you can do. For most owners and managers, it’s a short list — the relationships, the direction, the calls that carry real risk. Almost everything else is a candidate to move, automate, or document. If a task isn’t on that short list and it’s still landing on you, that’s the work to hand off first.

You hired people because you wanted to build something bigger than one person could carry. That only works if you actually let them carry it. The help desk was never your job. It just felt easier to keep than to give away.

The question worth sitting with this week is simple: of everything I touched today, how much of it genuinely needed me? Whatever the honest answer is, that’s your starting point.

Stop Paying for Software You Don’t Use — A Licensing Reality Check

I had a conversation with a business owner a few weeks back that I keep thinking about. We were going through his monthly expenses, and when we got to software, he genuinely couldn’t tell me what half of it was for. There was a project management tool nobody had logged into since the bloke who set it up had left. A standalone video conferencing subscription, paid annually, sitting right beside the Microsoft 365 licences that already included Teams. A note-taking app the marketing person swore by, except marketing had moved on eighteen months ago.

None of these were big numbers on their own. Twelve dollars here, forty there. But added up across a year, he was handing over the cost of a part-time wage for software that was doing precisely nothing. And the part that stung wasn’t the money. It was that he had no idea it was happening.

The quiet leak nobody’s watching

Software waste doesn’t announce itself. There’s no alarm when a tool stops being used. The direct debit just keeps going, month after month, long after the person who championed it has gone or the project it supported has wrapped up. We call it shelfware, and almost every small business I look at has more of it than the owner expects.

The trouble is that nobody actually owns the question “are we still using this?” The person who signed up has moved on. Finance sees a line item but not a behaviour. And because each subscription feels small, it never quite makes it to the top of anyone’s to-do list. So it sits there, quietly compounding.

What makes it worse is duplication. You’d be amazed how often I find a business paying for a separate tool to do something Microsoft 365 already does. A third-party file-sharing service running alongside SharePoint and OneDrive. A standalone form builder when Microsoft Forms is sitting right there. A digital signature product when the basics are already covered. You’re not just paying for shelfware — you’re paying twice for the same job.

Do the audit you keep putting off

Here’s the good news: finding the waste is far easier than people assume, and you’re already paying for the tools to do it.

Start in the Microsoft 365 admin centre. The usage reports will show you, plainly, who has signed into what and when. If you’ve got people assigned licences they haven’t touched in ninety days, that’s a conversation worth having. If you’ve got Copilot or premium licences sitting on accounts that don’t need them, that’s money you can claw back this afternoon.

Then turn Copilot loose on the question. Drop your last twelve months of software invoices into a folder and ask Copilot to pull every recurring software charge into a single list, grouped by vendor, with the annual cost beside each one. What used to be a tedious afternoon of scrolling through bank statements becomes a five-minute job. Ask it to flag anything that looks like it overlaps with a capability you already have in Microsoft 365, and you’ll have your shortlist of suspects before your coffee’s gone cold.

The point isn’t to cancel everything. Some of those subscriptions earn their keep. The point is to make a deliberate decision about each one, rather than letting inertia decide for you.
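The ninety-day check from the usage reports can be scripted against an exported CSV. The following is an added example, not code from the original article: the sample rows are constructed, and the column names and the `+` separator in `Assigned Products` are assumed to match the export your tenant produces.

```python
import csv
import io
from datetime import date

# Constructed sample in the column style of the "Active users" usage report
# export; the exact column set in a real tenant export is an assumption.
SAMPLE_REPORT = """\
Report Refresh Date,User Principal Name,Is Deleted,Exchange Last Activity Date,OneDrive Last Activity Date,Teams Last Activity Date,Assigned Products
2025-06-30,alex@contoso.example,False,2025-06-28,2025-06-20,2025-06-29,MICROSOFT 365 BUSINESS PREMIUM
2025-06-30,sam@contoso.example,False,2025-02-11,,2025-01-15,MICROSOFT 365 BUSINESS PREMIUM+MICROSOFT 365 COPILOT
2025-06-30,old.shared@contoso.example,False,,,,MICROSOFT 365 BUSINESS BASIC
2025-06-30,guest.unlicensed@contoso.example,False,2024-01-01,,,
2025-06-30,leaver@contoso.example,True,2024-11-02,,,MICROSOFT 365 BUSINESS BASIC
"""

ACTIVITY_SUFFIX = " Last Activity Date"


def find_idle_licences(report_csv, idle_days=90):
    """Return licensed, non-deleted users with no activity in idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        products = [p.strip() for p in row["Assigned Products"].split("+") if p.strip()]
        if not products or row["Is Deleted"].strip().lower() == "true":
            continue  # no licence to reclaim on this row
        as_of = date.fromisoformat(row["Report Refresh Date"])
        # Most recent activity across every workload column present.
        dates = [date.fromisoformat(v.strip()) for k, v in row.items()
                 if k and k.endswith(ACTIVITY_SUFFIX) and v and v.strip()]
        last = max(dates) if dates else None
        idle = (as_of - last).days if last else None  # None = never active
        if idle is None or idle >= idle_days:
            findings.append({"user": row["User Principal Name"],
                             "last_activity": last,
                             "idle_days": idle,
                             "products": products})
    # Never-active accounts first, then longest idle.
    findings.sort(key=lambda f: (f["idle_days"] is not None, -(f["idle_days"] or 0)))
    return findings


if __name__ == "__main__":
    for f in find_idle_licences(SAMPLE_REPORT):
        print(f["user"], f["idle_days"], ", ".join(f["products"]))
```

A licensed account with no recorded activity at all sorts to the top; confirm it is not a shared mailbox or service account before removing the licence.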

Consolidation is the real saving

Once you can see the full picture, the pattern usually becomes obvious. A handful of scattered tools, each solving one small problem, most of which the stack you already pay for could handle. Trimming the dead subscriptions feels good. But folding three overlapping tools back into Microsoft 365 is where the real money is — and you get the bonus of everything living in one place, with one login and one support number instead of five.

I’m not suggesting you rip everything out tomorrow. Specialist tools exist for good reasons, and sometimes the dedicated product genuinely is the better fit. But “we’ve always paid for it” is not a reason. Neither is “someone set it up once.”

The habit, not the one-off

The owner I mentioned trimmed his software spend by nearly a third in an afternoon. The bigger win was the habit. Now he runs the same check every quarter — a recurring task in Planner, fifteen minutes, no drama.

Your software bill is one of the few costs you can cut without touching a single person or a single customer. That’s rare. Go and have a look at what you’re actually paying for. I suspect you’ll be surprised.

The Real Cost of Cheap IT (And Why It’s Always More Expensive)

Every so often a business owner tells me, with a certain pride, that they’ve just slashed their IT bill. They found someone cheaper. They dropped a subscription. They put off an upgrade for another year. And I always think the same thing: I’ll see you in about eight months, when the bill comes due.

Because cheap IT doesn’t make the cost disappear. It just moves it somewhere you can’t see it yet — and adds interest.

The bill you don’t get an invoice for

Here’s the trap. IT done well is mostly invisible. Nothing breaks, nobody’s locked out, the backups run, the laptops just work. So it’s easy to look at that calm and decide you’re paying too much for not much. You trim it back to the cheapest option that still technically functions.

Then a staff member spends forty minutes fighting a file that won’t sync, twice a week. Then an invoice goes out with last quarter’s pricing because the document everyone was working from wasn’t the real one. Then someone clicks a link they shouldn’t have, and suddenly you’re not saving money — you’re paying a security firm by the hour and explaining yourself to clients.

None of those land as a line item. There’s no invoice that says “rework: $14,000”. But it’s real money, and you paid it. You just paid it in lost hours, redone work, and the slow drag of people working around problems instead of through them.

“Expense” and “investment” aren’t the same sentence

The language we use shapes the decision. The moment you file IT under “expenses”, it sits next to the stationery order and the cleaning contract — things you’re naturally trying to shrink. And shrinking it feels responsible.

But you don’t talk about your best salesperson as an expense to be minimised. You talk about what they return. IT deserves the same question: not “how little can I spend on this?” but “what does this give back?”

Take something as ordinary as Microsoft 365. Plenty of businesses run the cheapest plan, treat it as email-and-a-spreadsheet, and never look again. Meanwhile the business down the road is using the same platform as an actual operating layer — documents living in SharePoint instead of scattered across desktops, a quick approval running through Teams instead of a three-day email chain, Copilot in Outlook turning a tangled forty-message thread into a clear summary before a meeting, or drafting the first version of a proposal so someone isn’t staring at a blank page for an hour.

Same vendor. Same monthly cost, give or take. Wildly different return. One business bought a licence. The other bought time back.

Cheap is a decision you make again every week

The thing about underspending on IT is that it isn’t a one-off saving. It’s a recurring tax. Every week the slow systems are still slow. Every week the manual process is still manual. Every week the thing you didn’t secure is still sitting there, unsecured. You congratulated yourself on the saving once, but you pay for it continuously.

And the cruel part is that it compounds in the wrong direction. The longer you defer, the further behind your setup drifts, the more painful and expensive the eventual catch-up becomes. Cheap today quietly guarantees expensive tomorrow.

I’m not arguing for spending more for its own sake. Throwing money at IT is just a different kind of waste. The point is to spend deliberately — on the things that actually move your business. Ask what a tool returns, not just what it costs. Ask what an hour of downtime costs you, then look again at the price of preventing it. Ask whether your people are working with their tools or fighting them.

The real question

So when you’re staring at an IT quote and the cheaper option is winking at you, don’t ask which one costs less. Ask which one costs less over the next three years — once you’ve counted the downtime, the rework, the risk, and the hours your team gets back when things simply work.

Cheap IT isn’t a saving. It’s a loan you take out against your future, and the repayments show up exactly when you can least afford them. The businesses that treat technology as something that earns its keep — Microsoft 365 and Copilot included — aren’t spending more. They’re just refusing to pay the expensive kind of cheap.