HomeDocsMSP onboarding

MSP onboarding

Setting up a managed service tenant in ScanPosture. The MSP portal, role-based access, branded customer outputs, and how the billing model works.

Last updated 2026-04-25

MSP pricing is handled separately

Direct-customer per-Entra-user pricing does not automatically apply to multi-tenant partner deployments. MSP pricing is based on customer count, total managed users, branding requirements, and the reporting model. See /pricing for the direct-customer rate, or email msp@scanposture.com to discuss partner terms.

The MSP portal at a glance

  • Fleet view: a single view across every customer tenant — posture score, last scan, open-priority count, and trend.
  • Per-customer drill-down: click into any customer to see the full ScanPosture dashboard for that tenant, with the same controls a direct customer would see.
  • Branded outputs: upload a logo and brand colour pair per customer (or one set across the fleet). PDF reports and the scheduled email summary use the customer’s branding when enabled.
  • Cross-tenant search: find a finding type across the entire fleet — e.g. “which customers still have legacy SMTP auth enabled?” in one query.

Role-based access

  • MSP adminFull access across the MSP portal — onboard customers, manage MSP team, manage branding, configure billing.
  • MSP analystRead access across every customer tenant — can run scans, view findings, generate reports. Cannot manage MSP team or billing.
  • Customer adminFull access to their own tenant only — same as a direct customer admin. Used when the customer wants to see their own posture alongside MSP oversight.
  • Customer viewerRead-only access to their own tenant. Suitable for the customer’s leadership or compliance officer.

MSP roles and customer roles are independent. An MSP analyst can access every customer tenant in the fleet; a customer admin can only see their own tenant. There’s no path for one customer’s users to see another customer’s data — RLS enforces tenant isolation at the database level, not in application code.

Onboarding a customer tenant

From the MSP portal, the flow per customer is the same three-minute path a direct customer would take, with one difference: the MSP’s admin holds the relationship, so the customer’s Global Administrator only needs to grant the Microsoft admin consent — not create an account, not pick a subdomain, not set up MFA.

Add customer in MSP portal

Enter the customer name and choose a colour for the per-customer branding (optional). ScanPosture provisions the customer tenant under your MSP account.

Send admin-consent link

ScanPosture generates a consent URL specific to this customer. Send it to the customer’s Global Administrator. They click it, sign in to Microsoft, and approve the same read-only permission set as a direct customer would (see Permissions).

First scan runs

Within a minute of consent, ScanPosture runs the customer’s first scan. Same 1–3 minute typical duration as a direct customer.

(Optional) Invite customer-side users

If the customer wants to log in and see their own posture, invite them as customer admin or customer viewer. They get a magic-link welcome email and onboard themselves.

Branded customer-facing reports

With branding enabled, the PDF executive report and the scheduled email summary use the customer’s logo and colour palette — not the MSP’s and not ScanPosture’s. This is what most customers expect when the report lands in their leadership’s inbox. MSP attribution stays on a small footer line so it’s clear who’s producing the report.

Billing model

  • Billing relationshipThe MSP is the billing customer. ScanPosture invoices the MSP, the MSP invoices their customer.
  • Pricing inputsNumber of customer tenants, total managed Entra users, branding requirements, and reporting cadence.
  • Volume bandsPer-user rate steps down at 1k, 5k, and 25k managed users. Specifics agreed in the MSP order form.
  • Customer additionsNew customers added mid-cycle are pro-rated on the next invoice. No per-customer setup fee.
  • CancellationCancel any time. Final invoice prorated to the cancellation date.

Common questions on a partner intro call

  • Can MSP analysts trigger scans on customer tenants? Yes — that’s the point of MSP analyst.
  • Can a customer revoke MSP access? Yes — by removing ScanPosture from their tenant’s enterprise apps. Revocation is immediate, total, and surfaces in the MSP portal as a connection-lost state.
  • Can the MSP brand the ScanPosture login screen? Not yet — the login screen is the standard ScanPosture brand. Branding applies to outputs (reports, emails) only.
  • Is there an API for MSP automation? Not yet — the in-product webhooks and AI helpers documented under Integrations cover most workflows. A REST API is on the roadmap; if you need it, tell us at the partner call.

Still got questions? Email hello@scanposture.com — UK working days, real human, same-day reply.