Running an MSP has always been difficult, but the last few years have been particularly challenging. The ongoing stress of cybersecurity risks has definitely become top of mind for MSP owners, and that’s on top of the many other tasks required to run a successful technology provider. Managing Microsoft 365 (M365) tenants for multiple clients adds another layer of complexity that can drain resources and stretch teams thin. But there are ways to streamline these maintenance tasks and ensure that your MSP remains efficient and secure. 

Maintaining Security Standards 

One way growing MSPs try to manage cybersecurity is making sure they have security standards documented, likely based on a public framework such as Secure Cloud Business Applications (SCuBA) from the Cybersecurity & Infrastructure Security Agency (CISA), the Cybersecurity Framework from NIST, benchmarks from the Center for Internet Security (CIS) or any other applicable checklist, based on the services you sell or the country you serve. Here we’re going to focus mostly on Microsoft 365, but these pain points are generic across SaaS platforms and IT systems in general.

Settings Configuration 

Selecting a security standard is only the start. Now you’ve got to apply the standard to every client, document every exception, and keep this documentation up to date over time. And if there’s a change in the rules, either because the framework itself has changed or because there’s a new vulnerability or attack that you need to protect your clients against, how do you apply this change at scale across all your clients in an effective and timely manner?

Even more concerning is configuration drift. It is common in IT systems in general, especially where multiple techs are resolving tickets or rolling out new applications, but it is particularly concerning when it comes to security settings. Unfortunately, Microsoft 365 doesn’t offer a built-in, comprehensive way to inventory all security settings across a tenant, compare them to your baseline, and monitor them on an ongoing basis.
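One way to check tenants against a documented baseline while honouring recorded exceptions, as an added example that is not from the original article or from any vendor tool. The setting names, tenant names and ticket ids are constructed, and the snapshots stand in for whatever export your own tooling produces.

```python
# Added example. Setting names, tenants and ticket ids are constructed.
BASELINE = {"auth": {"legacy_auth_blocked": True, "admin_mfa": True},
            "sharing": {"external": "existing_guests"},
            "mail": {"auto_forward_external": False}}
# Documented exceptions: tenant -> setting path -> (approved value, reason)
EXCEPTIONS = {
    "tenant-a": {"sharing.external": ("anyone", "TICKET-0001 (placeholder)")},
    "tenant-b": {"mail.auto_forward_external": (True, "TICKET-0002 (placeholder)")},
}
# Constructed snapshots of each tenant's current configuration
TENANTS = {
    "tenant-a": {"auth": {"legacy_auth_blocked": True, "admin_mfa": True},
                 "sharing": {"external": "anyone"},
                 "mail": {"auto_forward_external": False}},
    "tenant-b": {"auth": {"legacy_auth_blocked": False, "admin_mfa": True},
                 "sharing": {"external": "existing_guests"},
                 "mail": {"auto_forward_external": False}},
    "tenant-c": {"auth": {"legacy_auth_blocked": True},
                 "sharing": {"external": "existing_guests"},
                 "mail": {"auto_forward_external": False}},
}
MISSING = object()  # marks a setting the snapshot did not contain

def flatten(d, prefix=""):  # nested settings -> {"auth.admin_mfa": True, ...}
    out = {}
    for key, val in d.items():
        if isinstance(val, dict):
            out.update(flatten(val, f"{prefix}{key}."))
        else:
            out[prefix + key] = val
    return out

def audit_tenant(name, snapshot):  # -> sorted (setting, status) pairs
    actual, approved = flatten(snapshot), EXCEPTIONS.get(name, {})
    findings = []
    for path, want in flatten(BASELINE).items():
        have = actual.get(path, MISSING)
        if have is MISSING:
            findings.append((path, "not_collected"))
        elif path in approved and have == want:
            findings.append((path, "stale_exception"))  # record can be closed
        elif path in approved and have != approved[path][0]:
            findings.append((path, "drift_beyond_exception"))
        elif path not in approved and have != want:
            findings.append((path, "drift"))
    return sorted(findings)

def audit_all():
    return {name: audit_tenant(name, snap) for name, snap in TENANTS.items()}
```

A tenant whose only deviation matches its recorded exception returns no findings, so the report stays limited to changes nobody approved.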

Of course, this isn’t a new problem, and there are some attempts at solutions available. For instance, Microsoft itself offers Microsoft 365 Lighthouse, not to be confused with Azure Lighthouse which is a completely different service.  

Lighthouse is definitely a work in progress and today offers centralized account management so that your help desk staff won’t have to open individual M365 tenant portals to reset a user’s password, for example. You’ll also see risky users (with the right licensing), and devices, plus their device compliance with Intune policies. There’s also a Default baseline with settings that you can deploy across tenants, along with the ability to create custom baselines. However, while Lighthouse does provide some centralized management features, it remains limited in scope—particularly when it comes to security settings, configuration drift, and multi-tenant oversight. 

Default Baseline in M365 Lighthouse

So, finding a good tool that can apply and update security settings quickly is a challenge, which becomes especially important as your MSP grows. 

Conditional Access Policies 

One particular area that deserves attention is Conditional Access (CA) policies, as these are becoming increasingly important as the centralized “engine” for applying security policies to sign-ins, applications, and access. Documenting these is important, especially as they’re often customized for each client’s specific needs and there’s no inbuilt way to easily track changes and configuration drift. A misconfigured CA policy, with too broad an exclusion for example, can open a security hole in the tenant that can be hard to detect before it’s too late.

Conditional Access Policies
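An added example (not from the original article) of auditing the exclusion lists of one CA policy against what the client documentation approves. The field names follow the Microsoft Graph conditionalAccessPolicy resource; the ids, group sizes and the 5% threshold are assumptions made for illustration.

```python
# Added example. Policy uses Microsoft Graph conditionalAccessPolicy field
# names; every id, group size and approval record below is constructed.
POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {"users": {
        "includeUsers": ["All"],
        "excludeUsers": ["breakglass-1", "user-4411"],
        "excludeGroups": ["grp-service-accounts", "grp-sales"],
        "excludeRoles": [],
    }},
    "grantControls": {"builtInControls": ["mfa"]},
}
# What the client documentation says may be excluded from this policy
DOCUMENTED = {"excludeUsers": {"breakglass-1"},
              "excludeGroups": {"grp-service-accounts"},
              "excludeRoles": set()}
GROUP_SIZES = {"grp-service-accounts": 6, "grp-sales": 140}  # member counts
TENANT_USERS = 400
MAX_EXCLUDED_SHARE = 0.05  # assumed threshold: flag groups over 5% of users

def audit_exclusions(policy, documented, group_sizes, tenant_users):
    """Return sorted (severity, finding) pairs for one CA policy."""
    users = policy["conditions"]["users"]
    findings = []
    # Anything excluded that the documentation does not list is drift
    for field in ("excludeUsers", "excludeGroups", "excludeRoles"):
        extra = set(users.get(field, [])) - documented.get(field, set())
        for item in sorted(extra):
            findings.append(("medium", f"undocumented {field} entry: {item}"))
    # The special value below removes every guest from the policy's scope
    if "GuestsOrExternalUsers" in users.get("excludeUsers", []):
        findings.append(("high", "all guests and external users are excluded"))
    # A group exclusion is only as narrow as the group's membership
    for group in users.get("excludeGroups", []):
        size = group_sizes.get(group)
        if size is None:
            findings.append(("medium", f"size of excluded group {group} unknown"))
        elif size / tenant_users > MAX_EXCLUDED_SHARE:
            share = round(100 * size / tenant_users)
            findings.append(("high", f"{group} excludes {share}% of users"))
    return sorted(findings)
```

Real policies reference users and groups by object id, so the documented sets and the group sizes need to be keyed by those ids.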

Onboarding New Clients 

This also applies to onboarding new clients. You want a smooth process that identifies all settings in the tenant that deviate from the MSP’s baseline, and an easy way to remediate those settings. Today that’s a manual process, perhaps assisted by a home-grown PowerShell script or two.

For old tenants the challenge might be a lack of standardization, with different approaches to naming accounts and devices, or multiple accounts for the same user, with different settings in SharePoint, OneDrive for Business and Teams. This again has both efficiency and security implications because this added complexity makes it even harder to ensure the right security settings are adhered to. You need a tool to help you merge accounts and harmonize settings.  

Licensing and Compliance Requirements 

In larger tenants you may have a mix of licensing SKUs across different user cohorts, or they may be in different countries or regions and thus subject to different compliance regulations – the ideal tool would let you apply different policies to different user populations and track settings drift accordingly.  

A growing area of concern is Microsoft Teams. We’ve been doing email security for a few decades now, and while phishing and spam are still challenges, it’s a known problem with existing solutions. For Teams collaboration, phishing messages and shared malicious files are a newer risk. The default setting in Teams is to allow external users to be invited and collaborate with your client’s users in teams, and here both the technical controls and user awareness are much lower, leading attackers to pivot to this as a way to compromise users. You need a tool that gives you insight and reporting on externally shared files, and interactions between your client’s users and external guests in Teams.

Microsoft offers CA templates to ease the setup of certain CA policies, but ideally you’d want your MSP’s custom templates applied across all your clients’ tenants, and the same goes for password policies. For ongoing maintenance, you also need any changes (configuration drift) to these to be flagged so you can investigate.

Device Management in a Multi-Tenant World 

Finally, device management is also challenging, particularly in this era of Bring Your Own Device (BYOD) – how can you manage device policies, especially in multi-tenant environments, when those devices are used to access sensitive data?  


Introducing 365 Multi-Tenant Manager for MSPs: Your Comprehensive Solution 

Designed specifically to address the challenges faced by MSPs managing multiple M365 tenants, this tool offers a powerful set of features that streamline maintenance tasks and bolster security. 

Automate tenant discovery and onboarding 

Seamlessly discover and manage all M365 tenants via Microsoft Partner Center integration, streamlining service provisioning. This means that all tenants under the Partner Center are automatically discovered and listed in the Hornetsecurity Control Panel service dashboard—no manual entry required, although it’s still possible for MSPs who prefer to have that flexibility. For MSPs, this means a significantly reduced time investment in onboarding new clients, and assurance that each tenant is set up according to best practices right from the start. 

Standardize and secure M365 configurations 

Maintaining consistent security settings across multiple tenants is one of the most challenging aspects of managing M365 environments. 365 Multi-Tenant Manager simplifies this by offering out-of-the-box templates featuring M365 settings that every organization can quickly adopt with minimal impact on their user base. These templates, curated by Hornetsecurity experts, ensure that your clients’ tenants adhere to best practices, reducing the risk of misconfigurations that could expose them to threats. 

Pre-configured and custom settings library 

For MSPs, managing multiple clients often means manually configuring each tenant’s settings, which is time-consuming and prone to errors. The Multi-Tenant Manager’s Setting Library offers a powerful solution by providing pre-configured best practice settings recommended by Hornetsecurity, ready to be assigned directly to tenants. This eliminates the need for manual configuration, saving time and reducing the risk of misconfigurations. Additionally, users can easily clone and customize these settings to create tailored solutions for specific tenant needs. This means they are able to create a custom setting even before Hornetsecurity creates it.

Monitor and manage compliance effortlessly 

Staying compliant with industry regulations is a top concern for MSPs, especially when managing clients in regulated industries. The 365 Multi-Tenant Manager addresses this by providing extensive monitoring and reporting capabilities, allowing you to visualize tenant compliance states and detect configuration drifts in real time. If non-compliance is detected, the tool facilitates remediation either automatically or through manual intervention. 


Conclusion 

Running an MSP has never been easy, but the last few years have certainly upped the game’s difficulty level. In this article we looked at some of the challenges that face MSPs looking for a way to manage security (and non-security) settings in Microsoft 365 for their clients in an efficient and scalable manner. If you’re an MSP looking to streamline your maintenance tasks and enhance your security posture, 365 Multi-Tenant Manager is the tool you need to stay ahead of the curve. Effortlessly configure, manage, and monitor M365 tenants from a single pane of glass, and ensure that your clients are always secure and compliant. Get in touch for more information.
