Microsoft licensing can be complicated. Tools and resources to help with license cost optimization are widely available, yet the process itself remains challenging. That’s because, even just within M365, Microsoft offers a wide range of products with varying cost structures. Worse yet, licensing terms are frequently subject to change, which means what works today may not tomorrow.
That leaves MSPs in a tricky spot. They must continuously update their knowledge and adapt their billing practices to accommodate these changes. This can be inefficient and may lead to client confusion regarding contracts and billing disputes.
Why Microsoft License Tracking is Difficult for MSPs
MSPs typically retrieve license information from 3 primary sources: Microsoft Portals, PSA (professional services automation) tools, or from their Microsoft CSP reseller program. While these tools do provide the needed information, all 3 can contribute to an MSP’s license management challenges.
Here’s why.
Microsoft Portals
Microsoft Portals show your clients’ current number of licenses but don’t track changes over time. This makes it difficult for you to bill clients accurately at the end of the month since you can’t clearly see when modifications occurred.
Without detailed change logs, tracing each license modification is incredibly time-consuming. As a result, many MSPs choose to absorb discrepancy costs rather than spend resources tracking every small change.
PSA Tools
PSA tools include features for billing and contracts. However, these tools are often complex, which means few people update them as frequently as they should. As a result, they aren’t reliable for tracking real-time changes.
CSP Reseller Information
Microsoft’s Cloud Solution Provider programs allow MSPs to buy licenses through vendors. Yet, these vendors don’t make it easy to see what changes have been made over time. Therefore, it’s still difficult to provide accurate, up-to-date billing information to your clients.
How an MSP Can Solve Their Microsoft Licensing Challenges With Augmentt
Accurate End-of-Month License Counts
Augmentt makes it easy to compare current and past data, like how many licenses were assigned last month vs. this month, or if there were any new additions or upgrades. You won’t have to worry about digging through cumbersome resources to find the information you need.
Resolve Billing Disputes
If a client questions a bill, you can use Augmentt to pinpoint when and why changes were made. For example, a client’s bill may be higher this month compared to last because they onboarded a new employee who needed a new license. If your client doesn’t understand the price increase, Augmentt’s data gives you the evidence to show them why.
Identify Unused Licenses
Augmentt can help identify unused licenses to reduce costs for your clients. Additionally, minimizing the number of tools used decreases a client’s attack surface. While O365 has some built-in security features, it is always a security best practice to keep the number of applications in use to a minimum.
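The month-over-month comparison described above can be reproduced with two per-user license exports. The following PowerShell is an added example, not Augmentt's code or a feature of the product: it diffs a "last month" and a "this month" snapshot, classifies each change as an addition, removal, upgrade or downgrade, and flags licenses still assigned to disabled accounts as unused-license candidates. The CSV rows, the SKU names and the SKU ranking used to decide what counts as an upgrade are all constructed for the example.

```powershell
# Added example (not Augmentt's code): diff two per-user license snapshots.
# Snapshot rows are assumed to carry UserPrincipalName, SkuPartNumber and
# AccountEnabled, which is what a monthly export of Get-MgUser joined to
# Get-MgSubscribedSku would give you. All data below is constructed.

$lastMonth = @'
UserPrincipalName,SkuPartNumber,AccountEnabled
alice@contoso.example,BUSINESS_STANDARD,True
bob@contoso.example,BUSINESS_BASIC,True
carol@contoso.example,BUSINESS_PREMIUM,True
'@ | ConvertFrom-Csv

$thisMonth = @'
UserPrincipalName,SkuPartNumber,AccountEnabled
alice@contoso.example,BUSINESS_PREMIUM,True
bob@contoso.example,BUSINESS_BASIC,True
carol@contoso.example,BUSINESS_PREMIUM,False
dave@contoso.example,BUSINESS_STANDARD,True
'@ | ConvertFrom-Csv

function Compare-LicenseSnapshot {
    param(
        [Parameter(Mandatory)] [object[]]$Previous,
        [Parameter(Mandatory)] [object[]]$Current,
        # Assumed ordering of SKUs from cheapest to most expensive; adjust per client.
        [hashtable]$SkuRank = @{ BUSINESS_BASIC = 1; BUSINESS_STANDARD = 2; BUSINESS_PREMIUM = 3 }
    )
    $prev = @{}; foreach ($r in $Previous) { $prev[$r.UserPrincipalName] = $r }
    $curr = @{}; foreach ($r in $Current)  { $curr[$r.UserPrincipalName] = $r }

    # Per-user changes: who appeared, who left, who moved between SKUs.
    $changes = foreach ($upn in (@($prev.Keys) + @($curr.Keys) | Sort-Object -Unique)) {
        $p = $prev[$upn]; $c = $curr[$upn]
        if (-not $p) {
            [pscustomobject]@{ User = $upn; Change = 'Added';   From = $null; To = $c.SkuPartNumber }
        } elseif (-not $c) {
            [pscustomobject]@{ User = $upn; Change = 'Removed'; From = $p.SkuPartNumber; To = $null }
        } elseif ($p.SkuPartNumber -ne $c.SkuPartNumber) {
            $dir = if ($SkuRank[$c.SkuPartNumber] -gt $SkuRank[$p.SkuPartNumber]) { 'Upgraded' } else { 'Downgraded' }
            [pscustomobject]@{ User = $upn; Change = $dir; From = $p.SkuPartNumber; To = $c.SkuPartNumber }
        }
    }

    # Licenses still assigned to disabled accounts are the first place to look for waste.
    $unused = $Current | Where-Object { $_.AccountEnabled -eq 'False' } | ForEach-Object {
        [pscustomobject]@{ User = $_.UserPrincipalName; Change = 'Unused (account disabled)'; From = $_.SkuPartNumber; To = $null }
    }

    # Per-SKU totals, last month vs. this month, for the end-of-month count.
    $bySku = foreach ($sku in (@($Previous.SkuPartNumber) + @($Current.SkuPartNumber) | Sort-Object -Unique)) {
        [pscustomobject]@{
            Sku       = $sku
            LastMonth = @($Previous | Where-Object SkuPartNumber -eq $sku).Count
            ThisMonth = @($Current  | Where-Object SkuPartNumber -eq $sku).Count
        }
    }

    [pscustomobject]@{ BySku = @($bySku); Changes = @($changes) + @($unused) }
}

$result = Compare-LicenseSnapshot -Previous $lastMonth -Current $thisMonth
$result.BySku   | Format-Table -AutoSize
$result.Changes | Format-Table -AutoSize
```

With the constructed data this reports alice as upgraded, dave as added, carol's Business Premium license as assigned to a disabled account, and a per-SKU table showing where the month's count moved. Keeping one snapshot per month per client is what turns a billing dispute into a lookup rather than an investigation.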
As an MSP, demonstrating that you helped a client reduce their Microsoft licensing costs makes for a happy customer and a great case study. That’s something you can use in your own branding to attract new leads.
Increase Your Efficiency With Augmentt Today
When you onboard Augmentt, there’s no need to wade through multiple platforms to find the information you need for accurate billing.
Using Augmentt, you’ll gain a comprehensive view of all Microsoft licenses across multiple clients from one centralized dashboard. By providing intelligent insights and actionable data, Augmentt’s license management tools help you optimize license allocation so you can avoid unnecessary costs and enhance client satisfaction.
MSP license management doesn’t need to be difficult. Request a demo from Augmentt to streamline your licensing process.
One of the best ways a managed services provider (MSP) can keep a client’s Office 365 environment secure is by performing a Microsoft 365 security assessment.
At its core, a Microsoft 365 security assessment is a structured review of how identity, devices, information, apps, and infrastructure are configured and protected, ending with a prioritized list of recommendations.
The assessment is often used to spot the security vulnerabilities in a client’s Microsoft 365 setup that could be exploited by attackers. By proactively identifying and addressing these vulnerabilities, you can help enhance your client’s overall security posture.
Additionally, many industries have regulatory requirements that dictate how data should be handled and protected. An M365 security assessment can help ensure that your client’s use of Microsoft 365 complies with legal and regulatory standards.
So, today, we’re going to give you a simple step-by-step guide on how you can conduct an Office 365 security assessment for your clients. This simple 5-step guide should work in most cases; however, always adjust it to your client to ensure a strong security posture.
Key Takeaways
Identify Vulnerabilities: Regular assessments uncover security gaps in M365 setups before attackers can exploit them.
Ensure Compliance: Align client environments with industry-specific regulatory standards and CIS benchmarks.
Follow a 5-Step Process: Move from initial assessment and configuration review to compliance, implementation, and monitoring.
Prioritize Risk: Focus remediation efforts on issues with the highest impact on business operations and legal standing.
Leverage Automation: Use specialized tools to generate security reports and apply baselines across multiple clients quickly.
5-step Microsoft 365 security assessment for MSPs

Step | Focus Area | Key Action
1. Initial Assessment | Baseline Discovery | Audit MFA, admin counts, and app usage.
2. Configuration Review | Security Hardening | Compare settings against CIS benchmarks.
3. Compliance Verification | Regulatory Alignment | Document gaps in HIPAA, SOX, or GDPR.
4. Apply Recommendations | Remediation | Deploy tools and tighten security policies.
5. Continuous Monitoring | Ongoing Protection | Set up alerts and staff training.
1. Initial Assessment
Conduct an in-depth analysis of your client’s current Microsoft 365 usage and security posture. Gather information about their infrastructure, employee usage patterns, and their existing security features and policies. This step will help you identify areas that require attention and sets the baseline for the rest of your assessment.
Some questions you may want to ask during this initial assessment include:
Is your client set up with multi-factor authentication (MFA)? If so, how?
Are their security settings higher than the default?
Is the number of administrators in the M365 environment appropriate for your client’s needs?
Is auto-forwarding enabled in Outlook?
Are there any third-party security solutions integrated with Microsoft 365? If so, which ones?
Have they installed all of Microsoft’s recommended updates?
How many applications are they using? How many do they actually need?
2. Configuration Review
Review the security configurations of your client’s Microsoft 365 services against CIS benchmarks. This step involves checking settings in services such as Teams, Exchange Online, and SharePoint to ensure they comply with the best security practices. This review helps identify misconfigurations that could expose your client to security risks.
By performing a detailed configuration review, you also gain a better understanding of how your client may want their environment set up. That allows you to perform more precise adjustments where necessary that enhance their security maturity without compromising their preferred setup.
Don’t stop at workload settings. Identity misconfigurations are still among the most common weak points, so expand your checklist to include:
MFA enforcement settings and any legacy authentication still in use
Conditional Access policies for admins, guests, and risky sign-ins
Role-based access control to confirm least-privilege assignments
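The initial-assessment questions (MFA, admin count, auto-forwarding, third-party apps) and the identity items in this configuration-review checklist (legacy authentication, Conditional Access, least privilege) can largely be answered from the tenant itself. The script below is an added example written for this page, not Augmentt's code or part of the product: it uses the Microsoft Graph PowerShell SDK and the Exchange Online module to collect those answers and writes the findings to a JSON file that can be kept as the baseline for the rest of the assessment. The Global Administrator threshold, the report path and the list of methods treated as MFA-capable are assumptions to tune per client.

```powershell
# Added example (not Augmentt's code): identity and mail-flow checks for
# steps 1 and 2 of the assessment. Requires the Microsoft Graph PowerShell SDK
# and ExchangeOnlineManagement, and an account that can read directory,
# policy and authentication-method data. Thresholds below are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns, ExchangeOnlineManagement

param(
    [int]$MaxGlobalAdmins = 4,                          # assumed threshold; tune per client
    [string]$ReportPath = ".\m365-identity-audit.json"  # assumed output location
)

Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All","Policy.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# Q: Is MFA set up, and how? Either Security Defaults or a Conditional Access policy must require it.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies  = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }
$mfaPolicies = $caPolicies | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }
if (-not $secDefaults.IsEnabled -and -not $mfaPolicies) {
    $findings.Add("No tenant-wide MFA enforcement: Security Defaults are off and no enabled Conditional Access policy requires MFA")
}

# Q: Is legacy authentication still allowed? Legacy protocols appear as client app type 'other' in Conditional Access.
$blocksLegacy = $caPolicies | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    ($_.Conditions.ClientAppTypes -contains 'other' -or $_.Conditions.ClientAppTypes -contains 'all')
}
if (-not $secDefaults.IsEnabled -and -not $blocksLegacy) {
    $findings.Add("No Conditional Access policy blocks legacy authentication")
}

# Q: Which enabled users have no MFA-capable method registered? (list of strong types is an assumption)
$strongTypes = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                 '#microsoft.graph.fido2AuthenticationMethod',
                 '#microsoft.graph.phoneAuthenticationMethod',
                 '#microsoft.graph.softwareOathAuthenticationMethod',
                 '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$users = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName
$noMfa = foreach ($u in $users) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $strongTypes -contains $_ })) { $u.UserPrincipalName }
}
if ($noMfa) { $findings.Add("$(@($noMfa).Count) enabled users have no MFA-capable method registered") }

# Q: Is the number of administrators appropriate? Count Global Administrators against the assumed threshold.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = if ($gaRole) { Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id } else { @() }
if (@($gaMembers).Count -gt $MaxGlobalAdmins) {
    $findings.Add("$(@($gaMembers).Count) Global Administrators exceeds the assumed threshold of $MaxGlobalAdmins")
}

# Q: Is auto-forwarding enabled? Check the tenant outbound spam policy, then per-mailbox settings and inbox rules.
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ($spam.AutoForwardingMode -ne 'Off') {
    $findings.Add("Outbound spam policy permits external auto-forwarding (AutoForwardingMode: $($spam.AutoForwardingMode))")
}
$mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$forwarders = foreach ($m in $mailboxes) {
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) { "$($m.UserPrincipalName) (mailbox setting)" }
    $rules = Get-InboxRule -Mailbox $m.UserPrincipalName |
             Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($r in $rules) { "$($m.UserPrincipalName) (inbox rule '$($r.Name)')" }
}
if ($forwarders) { $findings.Add("Forwarding configured on: " + ($forwarders -join '; ')) }

# Baseline record for the rest of the assessment; re-run later and diff to spot drift.
$report = [ordered]@{
    Tenant            = (Get-MgOrganization).DisplayName
    RunAt             = (Get-Date).ToString('o')
    SecurityDefaults  = [bool]$secDefaults.IsEnabled
    EnabledCaPolicies = @($caPolicies).Count
    GlobalAdmins      = @($gaMembers).Count
    UsersWithoutMfa   = @($noMfa)
    Findings          = $findings
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath
$findings | ForEach-Object { Write-Warning $_ }
```

The per-user authentication-method loop makes one Graph call per enabled user, so on a large tenant run it once and keep the JSON rather than re-querying during the review. The forwarding check deliberately looks in three places, because a tenant policy that allows forwarding, a mailbox-level forwarding address, and a user-created inbox rule are each enough on their own to leak mail externally.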
3. Compliance Verification
Evaluate your client’s Microsoft 365 digital environment against relevant compliance standards based on their industry, location, or any regulations they tell you they must follow. Document compliance gaps and perform a risk assessment to help prioritize compliance needs.
After the assessment, focus on the compliance issues that pose the highest risk to security and/or business operations and go from there. Other factors that may affect prioritization include:
Legal requirements
Resource availability
Business impact
User impact
Make sure you consult your client and any supplementary compliance documentation as well.
4. Apply Recommendations
Suggest security enhancements based on your findings from the initial assessment, configuration review, and compliance verification combined. Recommendations could include tightening security policies, adjusting security controls, and deploying additional security tools.
Package those findings into clear deliverables your stakeholders can act on:
Executive summary that distills the highest-priority risks and next steps
Comprehensive security & compliance report detailing every check performed
Gap analysis and roadmap mapping each finding to recommended remediation
Consider your client’s security capabilities and assess what you will have to do compared to what their in-house employees can do. From there, you can implement your recommendations appropriately. If you offer IT procurement services, you can also use these recommendations to guide your team as they find the right new tools for your client.
5. Training and Continuous Monitoring
Remember, regular check-ins keep the tenant aligned with evolving best practices and compliance requirements, so schedule repeat assessments at least annually.
If needed and/or offered by your business, provide training sessions for your client’s staff to educate them on best practices for using Microsoft 365 securely. Additionally, whether or not training is part of your services, you should still set up ongoing monitoring of their Microsoft 365 environment to help yourself detect and respond to cybersecurity risks promptly.
Both of these measures help ensure that your newly implemented recommendations yield the intended results. Continuous monitoring can also pinpoint areas where additional analysis may be necessary.
Frequently asked questions
What is a Microsoft 365 security assessment?
A Microsoft 365 security assessment is a detailed review of a tenant’s settings, user activity, and compliance posture. It checks how identity, devices, data, and apps are protected, then lists the gaps and recommends fixes.
Are Microsoft 365 security assessments free?
Microsoft offers free tools like Secure Score and Compliance Manager. However, a full assessment—especially one done by an MSP—usually includes paid labor or third-party software. Augmentt gives you a free Microsoft 365 security report and paid plans for deeper, automated reviews.
What is the CIS Microsoft 365 assessment tool?
The tool runs your tenant’s settings against the Center for Internet Security (CIS) Microsoft 365 Benchmark. It pulls Secure Score and Compliance data, then scores each control so you can see exactly where you meet—or miss—CIS best practices.
How often should an MSP run a Microsoft 365 security assessment for a client?
Run a full assessment at least once a year, plus:
Quarterly mini-reviews of high-risk settings
After major tenant changes (mergers, new apps, migrations)
Immediately following any security incident
Which key areas should an MSP review during a Microsoft 365 security assessment?
Simplify your next security assessment with Augmentt
Planning and following a tailor-fit security assessment checklist based on our 5 key steps will help you protect your clients from most cybersecurity threats. However, you can make the assessment process much simpler by using the right technology.
Augmentt offers assessment tools that follow CIS and can detect compliance gaps for HIPAA, SOX, and more. We also provide simple, at-a-glance roadmaps that allow you to quickly plan effective recommendations for each client. Instantly apply security baselines using pre-set templates or your custom designs to secure more clients faster than ever before.
In an era where digital threats are everywhere, staying ahead of cybersecurity challenges is the #1 priority for most MSPs and their customers. Canada is poised to take a significant step forward in bolstering its cyber defenses with the introduction of Bill C-26, also known as the Critical Cyber Systems Protection Act (CCSPA). Let’s dive deeper into this proposed legislation and explore its potential implications for MSPs across various sectors.
Understanding Bill C-26:
At its core, Bill C-26 seeks to address the ever-growing cybersecurity threats facing Canada by imposing a set of rigorous obligations on private-sector entities operating in federally regulated sectors. These sectors include telecommunications, finance, energy, and transportation, which are deemed critical to the nation’s infrastructure and economy.
Scope and Significance of the CCSPA:
The CCSPA introduces a framework designed to safeguard critical cyber systems – defined as those whose compromise could jeopardize the continuity or security of vital services or systems outlined in Schedule 1. From telecommunications services to banking systems, the legislation casts a wide net, aiming to ensure robust cybersecurity measures across key sectors of the economy.
Compliance Obligations in Focus:
Under Bill C-26, designated operators (such as MSPs) are tasked with a series of compliance obligations aimed at fortifying their cybersecurity posture. These obligations include the implementation of comprehensive cybersecurity programs, the identification and mitigation of risks within the supply chain, and the prompt reporting of cybersecurity incidents to regulatory authorities.
Furthermore, designated operators must be prepared to comply with directives issued by the Governor in Council, which may include specific measures to protect critical cyber systems. Additionally, stringent record-keeping requirements mandate the maintenance of records within Canada, underscoring the importance of accountability and transparency in cybersecurity practices.
Enforcement Mechanisms and Penalties:
To ensure adherence to the CCSPA, the legislation introduces an enforcement mechanism in the form of an administrative monetary penalty scheme. Designated operators found in violation of the Act may face substantial fines, with maximum penalties reaching C$15 million. Moreover, directors and officers of non-compliant entities could be subject to fines of up to C$1 million.
Beyond monetary penalties, industry regulators will be empowered with expanded authority to compel information, conduct inspections, and issue notices of non-compliance. These enforcement measures aim to incentivize proactive cybersecurity measures while holding organizations accountable for safeguarding critical infrastructure and sensitive data.
Preparing for the Future:
While the fate of Bill C-26 hangs in the balance pending its passage through the legislative process, organizations must proactively prepare for potential changes in Canadian cybersecurity law. Embracing cybersecurity best practices outlined in the CCSPA can serve as a foundation for enhancing resilience against evolving threats and mitigating risk exposure.
Conclusion:
In an increasingly interconnected world, the need for robust cybersecurity measures has never been greater. Bill C-26 represents a pivotal moment in Canada’s cybersecurity landscape, signaling a proactive approach to addressing emerging threats and safeguarding critical infrastructure. By understanding the implications of this legislation and taking proactive steps to enhance cybersecurity readiness, organizations can navigate the evolving cybersecurity landscape with confidence and resilience.
Let’s face it. Microsoft security can be a huge pain.
The second you half understand something, the best practice evolves. Whether a product’s name changes or it moves to a different portal, keeping up with Microsoft’s constant changes is a headache. There is a very real reason why most MSPs don’t try to keep up with Microsoft security.
The thing I find funny is that Microsoft publishes article after article about how basic security hygiene prevents 98% of attacks, yet makes it so tricky to implement at scale. Our CEO recently attended a security conference where a white-hat hacker described the process of hacking organizations. The truth is hackers don’t even bother breaking into secure environments! The 1 in 100 businesses that have MFA and a few other measures gets put on a “don’t waste your time” list and the hackers proceed to go after the other 99 organizations with no security.
It’s literally a “you don’t have to outrun the bear, just have to outrun your friends” situation.
So how do you help clients outrun the other businesses?
This is where Microsoft recommendations meet reality.
Security Defaults in Microsoft are a great start and will bump your Secure Score; however, they will break most 3rd-party apps that are integrated with your clients’ environments. Say goodbye to that custom software the dentist’s office uses.
Speaking of the Microsoft Secure Score, MSPs have to pay to play, and I haven’t heard of any offices interested in doubling their Microsoft bill for questionable value. I do see more MSPs mandating premium licensing, or they won’t take on a client. This can work in higher end markets like healthcare and finance, but good luck selling this to non-profits, marketing agencies and other less cash-flush, less security-conscious organizations.
The market seems to be solving for cash & time-rich organizations that can throw people & money at this problem while leaving behind SMBs.
In reality, most MSP clients turn down pure security offers, but what if there was a security service for the rest of us?
What if security was so easy to deliver you could price it so even THOSE customers might pay for it? Ya, you know the ones I’m talking about.
Or, what if O365 security was so easy, protecting Microsoft Accounts, Email & Data became a default since it’s kinda/sorta already part of managed services agreements.
One-click Microsoft security
The feedback from our MSP partners is they aren’t trying to solve security world hunger. They want to take a best practices approach that eliminates the majority of risk but takes a fraction of the time.
This is why we’ve launched Augmentt Autopilot. The vision with Autopilot is to automate Microsoft security service delivery by:
Hardening client environments in minutes using our templates or building your own
Receiving PSA tickets for configuration changes or security breaches
Receiving automated security & licensing reports
Join us on this journey to put Microsoft security on autopilot. A huge shout out to our 150 MSP technical advisors. You’ve shared your insights, your best practices, you took time to test and give feedback. We couldn’t do it without you and this is just the beginning!
Be vigilant with email. Common hacker phishing attacks play on COVID-19 fears, financial issues (refund checks), and link to fake websites.
2. Back up your Important Files
Expect the best but plan for the worst. Ensure all critical data is backed up offline and online (in the cloud) so you can restore if you’re breached (ransomware attack).
3. Take Breaks and Keep a Schedule
Include lunchtime walks and 15-minute breaks to stand up and walk around. Clear your mind and return to work invigorated.
4. Complete your Training Assignments
If your company trains its employees, complete your training. If it doesn’t, watch our free Cybersecurity training videos.
5. Over Communicate
Over communicate with colleagues or clients to set expectations on timing, deliverables, outcomes, and to seek feedback. Get projects done right the first time.
6. Know the Rules
Become familiar with your company’s remote work policies and requirements.
7. Adopt a Password Manager
Most password managers (LastPass, Dashlane, 1Password), have free versions for personal use. Learning this skill is critical for 21st century protection!
8. Work Free from Distractions
CyberHoot staff prefer a workspace free from distractions though we do love orchestral music (free Philadelphia Philharmonic concerts on YouTube).
9. Regularly Connect with your Colleagues
Web-conferencing meetings have replaced in-person meetings allowing us to catch up, share stories, and discuss our well-being. That’s as important as the latest project update.
10. Secure your Tools
Secure and patch personal devices, secure web conferences (Zoom Security), and secure your passwords.
“We built an entire managed service around the Augmentt platform so we can sell our customers a service that will keep their tenants up to date and configured all the time rather than needing to do these professional services engagements periodically. I think not only has the quality improved, but it’s opened up an entirely new service. We’ve been able to sell to our customers very successfully.”