
If you manage Microsoft 365 across a dozen or more clients, you probably already know where it's breaking down. Tenant-hopping in Entra ID. Defender alerts with no real prioritisation. Posture tracked across a mix of Secure Score, spreadsheets, and gut feel. A slow, inconsistent response when something actually happens.
The instinct is to look for another tool. Usually that's the wrong move. The problem isn't tooling. It's that the operating model doesn't hold up at scale, and most platforms aren't built to fix that.
So before you start demos, be honest about what you're actually trying to fix. The answer shapes everything.
Most MSPs don't have a tooling problem. They have an operational problem. This is a practical framework for making a clear platform decision - without wasting months on demos that go nowhere.
Microsoft's security stack is genuinely powerful. It's also not built for multi-tenant operations, and that gap creates four practical problems that don't go away on their own.
Each tenant tells its own story. There's no natural way to answer:
→ Which customers are most exposed right now?
→ Where are the repeated gaps across tenants?
→ What should we fix first across the whole estate?
You end up reacting per customer rather than managing risk across your business.
Most security monitoring tools surface activity, not decisions. You'll see suspicious sign-ins, inbox rule changes, privilege escalations. What you won't get is clear prioritisation, cross-tenant context, or a consistent response path. Alerts pile up. Real issues get buried.
You might have reasonable posture management in place - Secure Score, baselines, policy checks. But when something actually happens, response lives somewhere else. Different tools, different workflows, sometimes different people.
That gap is where incidents escalate.
Without a platform that encodes how things should be done:
→ The same problem gets solved differently every time
→ Junior staff can't act confidently
→ Senior engineers become a bottleneck
That's risky, and it doesn't scale.
Strip away the marketing and it comes down to four things. Any platform worth evaluating should handle all of them.
If it can't do these four things, it's just another tool to manage.
Not scores or dashboards - actual misconfigurations, patterns across customers, and a clear prioritisation of risk. If the platform can't tell you which client is most exposed right now and why, it's not doing the job.
Apply the same control across multiple tenants, maintain it over time, avoid configuration drift. If every fix is a manual process, you don't have a platform. You have a more expensive version of what you were already doing.
Good monitoring reduces alerts; it doesn't multiply them. Context matters more than volume. The platform should help you decide what to act on - not hand you a longer queue to work through.
You should be able to take the same action across multiple tenants in seconds - safely, without needing a senior engineer in the room. If response is still tenant-by-tenant, you're exposed in a way that detection can't compensate for.
Most serious Microsoft 365 incidents don't start with malware. They start with identity.
Compromised credentials. Overprivileged accounts. Persistent access that was granted once and never reviewed. Session tokens stolen after a successful MFA bypass. These are the vectors that matter right now, and most platforms treat them as an afterthought.
Conditional Access is where this gets complicated for MSPs.
Every client has different CA policies. Some are well-configured. Most aren't. And the gap between what a CA policy is supposed to do and what it actually enforces is where attackers operate.
A platform that doesn't give you:
→ Visibility into CA policy gaps across all tenants
→ The ability to identify misconfigured or missing policies at scale
→ Assurance that policies are actually enforcing what you think they are
...is leaving you exposed on the most common attack path in Microsoft 365 today.
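As an added illustration (not code from any vendor or from this article's author), the sketch below audits Conditional Access policy exports from several tenants in one pass and ranks the tenants by gaps. The tenant names and policies are constructed sample data; the dictionary shape follows Microsoft Graph conditionalAccessPolicy objects, trimmed to the fields the checks use, and the four checks themselves are an assumed baseline.

```python
# Added example. Tenant names and policies are constructed sample data; the dict
# shape follows Microsoft Graph conditionalAccessPolicy objects (trimmed).
LEGACY = {"exchangeActiveSync", "other"}  # client app types used by legacy auth

def policy(name, state, controls, client_apps=("all",), exclude=()):
    """Build a trimmed Graph-shaped CA policy scoped to all users and all apps."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": list(client_apps)},
            "grantControls": {"builtInControls": list(controls)}}

TENANTS = {
    "tenant-a.example": [policy("Require MFA", "enabled", ["mfa"]),
                         policy("Block legacy auth", "enabled", ["block"], LEGACY)],
    "tenant-b.example": [policy("Require MFA", "enabledForReportingButNotEnforced", ["mfa"]),
                         policy("Block legacy auth", "enabled", ["block"], LEGACY)],
    "tenant-c.example": [policy("Require MFA", "enabled", ["mfa"], exclude=["u1", "u2", "u3"])],
}

def covers_everyone(p):
    c = p["conditions"]
    return "All" in c["users"]["includeUsers"] and "All" in c["applications"]["includeApplications"]

def audit_tenant(policies):
    """Return the gaps: controls that exist on paper but are not enforced tenant-wide."""
    gaps = []
    enforced = [p for p in policies if p["state"] == "enabled" and covers_everyone(p)]
    mfa = [p for p in enforced if "mfa" in p["grantControls"]["builtInControls"]]
    legacy = [p for p in enforced if "block" in p["grantControls"]["builtInControls"]
              and LEGACY <= set(p["conditions"]["clientAppTypes"])]
    if not mfa:
        gaps.append("no enforced all-users MFA policy")
    if not legacy:
        gaps.append("legacy authentication not blocked")
    for p in policies:
        if p["state"] == "enabledForReportingButNotEnforced":
            gaps.append(f"report-only: {p['displayName']}")
        n = len(p["conditions"]["users"]["excludeUsers"])
        if p["state"] == "enabled" and n:
            gaps.append(f"{n} excluded users: {p['displayName']}")  # review, may be break-glass
    return gaps

def audit_estate(tenants):
    """Rank tenants by number of gaps, most exposed first."""
    report = {t: audit_tenant(p) for t, p in tenants.items()}
    return sorted(report.items(), key=lambda kv: len(kv[1]), reverse=True)
```

A report-only MFA policy and an enforced one look identical in a policy list, which is why tenant-b ranks as exposed here even though "Require MFA" exists in it.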
Token theft makes this worse. An attacker with a stolen session token bypasses MFA entirely - meaning even a well-configured CA policy won't catch it unless your monitoring is specifically looking for post-authentication anomalies.
This is the detail most MSPs don't find out until after an incident. Your platform should surface it before.
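One form a post-authentication check can take, shown as an added example that is not from this article or any product: compare each later use of a session against the context in which the user interactively authenticated. The events are constructed, and the field names are simplified assumptions rather than the exact Entra ID sign-in log schema.

```python
from datetime import datetime

# Constructed sample sign-in events. Field names are simplified assumptions,
# not the exact Entra ID sign-in log schema; map them to your own log source.
def ev(tenant, user, session, time, ip, country, device, interactive):
    return dict(tenant=tenant, user=user, session=session, ip=ip, country=country,
                device=device, interactive=interactive, time=datetime.fromisoformat(time))

EVENTS = [
    ev("tenant-a.example", "amy", "s-100", "2024-05-01T09:00:00", "198.51.100.10", "GB", "dev-1", True),
    ev("tenant-a.example", "amy", "s-100", "2024-05-01T09:20:00", "198.51.100.10", "GB", "dev-1", False),
    ev("tenant-a.example", "amy", "s-100", "2024-05-01T09:25:00", "203.0.113.77", "NL", None, False),
    ev("tenant-b.example", "raj", "s-200", "2024-05-01T10:00:00", "192.0.2.5", "GB", "dev-9", True),
    ev("tenant-b.example", "raj", "s-200", "2024-05-01T11:00:00", "192.0.2.6", "GB", "dev-9", False),
]

def find_session_anomalies(events):
    """Flag token use that no longer matches the context in which MFA was satisfied."""
    baseline, findings = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["tenant"], e["session"])
        if e["interactive"]:
            baseline[key] = e  # context where the user actually authenticated
            continue
        base = baseline.get(key)
        if base is None:
            findings.append((e["tenant"], e["user"], e["session"], ["no interactive sign-in seen"]))
            continue
        reasons = []
        if e["device"] != base["device"]:
            reasons.append("device changed")
        if e["country"] != base["country"]:
            reasons.append("country changed")
        if reasons:  # an IP change alone is too noisy to alert on
            findings.append((e["tenant"], e["user"], e["session"], reasons))
    return findings
```

Every event in the sample would pass an MFA requirement, because the session was already authenticated; only the comparison against the baseline separates amy's third event from normal token refresh.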
Feature lists are a distraction. In a demo, vendors will always show you what their product does well. These five questions are designed to surface what it doesn't.
A lot of platforms show a multi-tenant dashboard where actions still happen one tenant at a time. That's reporting, not multi-tenancy. Push on this in every demo.
Ask the vendor to show actual misconfigurations, how controls interact, and where access or risk still exists after hardening.
If the demo stays at "your score is 78%", walk away.
Look at alert volume, alert quality, and whether actions are suggested or automated. If it just centralises alerts from somewhere else, you've gained nothing except another interface to manage.
Ask directly:
→ Can I apply the same action across multiple clients instantly?
→ Can a junior team member do it safely?
If the answer is uncertain, response will stay slow and inconsistent.
A good platform replaces parts of your stack; it doesn't sit on top of them. If it adds another dashboard, another workflow, another cost layer without removing something, it's probably not solving the right problem.
This is the one most MSPs forget to ask. Push on:
→ Can I see CA policy gaps across all my clients in one place?
→ Does it detect token theft or post-authentication anomalies?
→ Can I identify overprivileged accounts and persistent access across tenants?
If the answer is vague, identity is not a priority for that vendor. It should be yours.
Dashboards can look healthy while gaps still exist - especially in identity and access. A high Secure Score and a compromised tenant are not mutually exclusive. Don't let the number do the thinking.
A policy that looks configured isn't the same as a policy that's enforcing correctly. CA misconfigurations are one of the most common root causes of Microsoft 365 breaches - and one of the hardest things to spot without the right tooling across tenants.
MFA is not the end of the story. Attackers increasingly steal session tokens after authentication, bypassing MFA entirely. If your platform isn't monitoring for post-authentication anomalies, you have a detection gap that your current stack probably isn't covering.
Most serious incidents trace back to identity, not endpoints. Compromised credentials, overprivileged accounts, persistent access nobody noticed. If your platform doesn't go deep here, it's incomplete regardless of what else it covers.
A simple control applied everywhere beats an advanced control applied to four of your twelve clients. Reliability is a security property. Don't trade it for features.
If you can't act quickly across tenants, detection alone won't save you. The gap between detection and response is where damage happens. Platforms that make response slow or complex are a liability, not a safeguard.
Most MSPs don't have a tooling problem. They have an operational problem that more tools keep making worse.
When you're evaluating a Microsoft 365 security platform, ignore the feature matrix. Ignore the Secure Score integrations and the compliance badges.
Ask one thing: does this make my operation simpler, faster, and more consistent across every tenant I manage?
If it doesn't, it's just another tool to manage.