Buckle up Aussie MSPs: Microsoft digital products are complex

Microsoft does not care that the channel has “mixed” reactions to its changes in cloud service provider licensing rules as these deliberate changes send a clear message that its products are no longer a billing revenue stream.

Earlier in May, ARN reported the software giant made changes to cloud service provider (CSP) licensing rules, updating the maximum resale price calculation for channel partner agreements.

The changes will come into effect in July, impacting all products and volume licensing frameworks.

Microsoft chief partner officer and corporate vice president for global partner solutions Nicole Dezen said at the time these changes would streamline customers when it comes to monthly billing support and its focus on cloud and AI.

Former consultant Loryan Strant said a mixture of “prices going up and incentives dropping isn’t exactly foreign” to Microsoft, vendors or partners.

“It’s just a case of normalisation, especially as partners aren’t as critical for sales as they once were due to digital and other methods,” he said. “Plus, all customers are now customers of M365, so can be reached directly.

“It would be incredibly rare for an organisation to be net-new to M365 and require selling to.”

According to Strant, some partners might find something negative about all of that, but the reality is it was “just where and how the market flows”.

Gartner principal analyst Domenico Scriva explained Microsoft products are extremely complex because they’re software-as-a-service products.

“Some partners are still living in the break-fix model, where they just sell everything and then fix it as things come up, but because they don’t specialise in that model, they tend to struggle when it comes to break-fix situations,” he said.

Complexities of security

Scriva believes what is often missed in the discussions about Microsoft 365 with CoPilot are the challenges and nuances about its security, as well as data sovereignty issues and the overall cloud services model.

“The example I always give is if a client purchases Microsoft 365, Defender isn’t automatically switched on,” he said. “You must understand how to flip on Defender and set up the security policies correctly.

“This is where partners need to start coming in and tell their customers, ‘We will help you serve your security structure’.”

According to Scriva, there’s still a mid-2000s mindset around security, but the landscape has changed dramatically since then.

Partners need to be able to double-check each of the settings within Microsoft digital products, he said.

“With the rise of AI, security threats are becoming increasingly complex and harder to detect,” said Scriva. “Traditional antivirus solutions alone aren’t enough anymore—simply running Trend Micro on a PC won’t cut it.

“You now need to secure your entire environment. Exchange systems, Defender on your laptop, Microsoft 365 and even data loss prevention tools that recognise and block sensitive data like credit card information.

“Security must go beyond basic antivirus.”

If partners were claiming to be security specialists, they needed to truly understand what that meant, especially if a customer experienced a breach, he said.

“It might even be necessary to have a dedicated engineer on board to properly drive that security strategy forward.”

Data sovereignty and compliance challenges

Microsoft’s software-as-a-service (SaaS) model introduces complex considerations around where data is stored and how it aligns with compliance requirements.

For example, when it comes to training, Microsoft states that emails sent from any work or school email aren’t used to train the vendor’s artificial intelligence models.

“I’m pretty sure it’s an enterprise data protection policy that they have,” said Scriva. “Microsoft states that their data is stored in the same data centre or the same tenant that your Microsoft reaches for.

“Still, there is a caveat and these have been grey lined at the moment.”

Scriva has submitted a query to Microsoft regarding its AI systems and whether its data has been stored within Australian shores.

He said its response was depending on capacity, the data may transit offshore to another country, complete whatever it must do, and come back to Australia.

This is because of latency issues, which has been impacting Microsoft’s capacity issues in their servers lately, Scriver noted.

“Obviously, [Microsoft’s] aim is to try to spread out the capacity, so that if something core was needed then there’s capacity in the Australian East server.”

Having data split across Asia Pacific, even if data sovereignty was paramount to a small to medium business client, it isn’t guaranteed because there are no amendments in the CSP licensing agreement.

“There’s no way for them to actually state it needs to be on a server,” said Scriva.

“I think that’s the case — [it doesn’t] really have a leg to stand on as to where the data is being held,” he said. “I am pretty sure there’s a paid service you can buy that guarantees it.

“Which, for some organisations, is important. Stuff needs to stay onshore, especially for government or public sector or education, where they have these policies that data needs to stay here.

RedeMont dispute and resolutions lawyer Ryan Solomons told ARN that concerns are rising in regard to users unknowingly enable features that process their data in ways they haven’t consented to.

“For example, Microsoft’s smart features may analyse document contents to provide suggestions, which often involves processing data on remote servers,” said Solomons. “This can conflict with data residency requirements, as the data may be processed overseas and may breach confidentiality agreements if users haven’t explicitly consented to such use.

According to Solomons, this issue is particularly pertinent as privacy becomes a focal point in the digital age.

“Technological advancements often lead to enhanced user experiences, but it’s crucial to consider whether such improvements align with legal and ethical standards,” he said. “Organisations must assess whether their use of technology inadvertently compromises client confidentiality or breaches legal obligations.”

Copilot is an AI tool

Products like Microsoft 365 Copilot provides AI-powered productivity capabilities by coordinating components like large language models (LLM).

Solomons said he was concerned about Microsoft because it can take seven layers for users to turn off AI training. For example, to do so in Microsoft Word, the following sequence must be followed: File > Options > Trust Centre > Trust Centre Settings > Privacy Options > Privacy Settings > Optional Connected Experiences > Uncheck box: “Turn on optional connected experiences”.

As explained previously by Scriver, while Microsoft has stated to the media that it isn’t training a public LLM, the issues of data sovereignty and where that data is being held raise questions.

Solomons warns that businesses often assume major software providers handle data responsibly but AI-driven tools may store and process information in ways that conflict with privacy laws and confidentiality obligations.

“Companies must scrutinise their agreements and software settings to avoid legal exposure,” he said. “The key question is whether liability falls on the software provider or the business using these tools.

“In most cases, businesses bear the greater risk. Large tech companies often include indemnity clauses protecting themselves, exposing firms to potential privacy law violations and lawsuits.”

Courts will assess whether businesses took reasonable steps to protect confidential data and what was agreed regarding use, Solomons noted.

“Simply relying on a software provider’s assurances without understanding how the technology works is insufficient.”

According to Scriva, for Microsoft, if an MSP isn’t properly securing an environment for their customers, this could leave a huge bill if there was a huge cloud usage spike due to a hack.

For example, MSPs need to request access to their customer’s Microsoft 365 tenant.

“This typically involves a delegated admin privilege, which is a fairly granular level of access,” he said. “This privilege can be time-bound, say, for a week, which makes sense for limited support Windows.

“Alternatively, a customer can assign you global admin access, which gives you full control over their tenant. Again, this can be granted for a set period, like one week.

“If the customer needs to raise a support ticket on your behalf, the partner will need to request admin privileges, and the customer has to approve the access for a specified duration.”

Scriver explained that is what the official process is supposed to look like.

“However, many partners find this model inconvenient because it involves too many steps – clicking links [and] sending approval requests.” he said. “As a workaround, some smaller partners will log directly into the client’s tenant using a generic IT account, typically one created specifically for MSP use.

“This setup gives the partner more access than a proper delegated account but poses significant security risks.”

Scriva noted that customers often aren’t aware of these practices, but they should be.

“It’s easy to set up a risky backdoor like this. Meanwhile, the same partner might be preaching about security best practices,” he said. “There have even been cases where a partner was hacked and because they had access to multiple client tenants, the attack spread across all their customers.”

For example, one incident involved unauthorised Azure resources being spun up, which led to massive cost spikes for affected clients, explained Scriva.

“When this happens, Microsoft generally won’t cover the costs, stating that the breach was the partner’s responsibility … not theirs,” he said. “As a result, customers end up paying the price for insecure practices they may not have even known were happening.”

Policies are there if you have time to read it

There’s a large number of different policies in Microsoft Security Centre and understanding what each one does can take time, noted Scriva.

“If they can’t employ someone that really understands the cyber security system, they should go out there and work with someone that does understand,” he said. “You don’t want to be the MSP that’s in the next article suffering a breach.”

Customers use MSPs because they don’t know what they’re doing.

“If I knew what I was doing as a customer, [I’d] go direct to Microsoft and buy whatever licenses I want,” he said. “MSPs aren’t there to be transactional and Microsoft is making that very clear.

“Just giving the bill to a customer is not going to cut it anymore.”

MSPs need to understand the bigger picture around security, not just around Microsoft 365 but around Azure as well, Scriva explained.

“I don’t expect a partner to have [specialisations],” he said. “Customers aren’t asking partners to do everything. It’s a lot of work, but hire a security partner.

“There is a mindset shift that needs to happen for these smaller partners that have support teams.”

Become more strategic

According to Scriva, partners need to become more strategic.

“This is a crucial program that’s being definitely built into,” he said. “We’re going to have a flurry of Enterprise Agreement clients and they’re going to go into the CSP market.

“Understand what CSP means and understand the situation of CSP, just to really get their mind around how that works.”

Microsoft 365, from a business premium perspective, is going to be the top-tier fund for an SMB client.

“The biggest thing today for MSPs to look at has to be security,” he said. “I think that’s the biggest thing. If they want to really get their mind around the security products, and I’m not talking about Trend Micro or one of those CD-based companies.”

Licensing partners need to really understand the product they are selling, and they need to have it installed themselves.

Scriva said MSPs can become a solution-designated partner of some sort.

“You should be designated as strategic in Azure, or strategic in Modern Workplace, or Dynamics,” he said. “Dynamics is probably a big market at the moment.

“Being able to have a specialisation in in Azure or Dynamics, setting up a CRM system or an ERP system allows MSPs to be relied on more,” he said. “This makes the partner valuable, because customers can’t easily move away from a partner who’s strategic in a certain area just for other things.

“Being serious about selling Microsoft solutions means looking at security, Azure and coming out of on-premises servers.”