field note · IT Strategy · Business Protection

Controls You Should Never Give Up as a Business Owner

Nine controls every business owner should keep in their own name, even when fully outsourcing IT. Domains, tenants, admin accounts, recovery, and why.

Cathleen Ogier · founder · 08 May 2026 · 12 min read

TL;DR

Nine controls every business owner should retain in their own name, even with IT fully outsourced. Domain registrar. DNS. Tenant Global Admin or Super Admin. Licensing portal customer account. Backup vendor account. Endpoint security console root. MDM tenant root. Banking and accounting MFA. The recovery email and phone behind all of it. Lose any one, and you can lose the business when the IT relationship ends.

Why does this matter?

Outsourcing IT is sensible. Pretending the IT provider is the business is not. Most owners we meet have paid invoices for years and never asked the question that matters: if I fired my IT provider tomorrow, could I sign in to everything by Friday?

For roughly half the businesses we audit, the honest answer is no. The Microsoft Partner Centre customer admin is a firstname@msp.co.za address. The domain renewal goes to the IT provider’s reseller account at a registrar the owner has never seen. The Bitdefender console root is a technician who left the MSP six months ago.

This is not hypothetical. We have helped clients exit at least a dozen of these tangles. A few cost five figures and three months of legal correspondence. One ended with a domain held to ransom on renewal.

What follows is the working list. Nine controls. You do not need to be technical. You do need to know they exist.

1. Domain registrar account ownership

Your domain (yourbusiness.co.za, yourbusiness.com, the lot) must be registered in an account owned by the business, paying from a business card that is not the IT provider’s.

Common failure mode: years ago somebody at the IT provider helpfully registered the domain “for you” inside their reseller account. The card on file is theirs. The contact email is theirs. The invoice is bundled into your monthly fee. You have never seen the registrar control panel.

Then the relationship ends. Transferring the domain costs a fee, takes a week, requires their cooperation, and is sometimes refused until a final invoice is settled. You negotiate from the back foot, with email about to break the moment they point nameservers somewhere unhelpful.

What good looks like: registrar account in your name, business email recovery, business card on file, MFA you control. The IT provider gets a delegated user role, not the master account. Registrars trusted in South Africa: Domains.co.za, Hetzner, Cloudflare Registrar, Namecheap, GoDaddy. The choice matters less than the ownership.

2. DNS hosting account ownership

DNS hosting is often confused with domain registration. They are separate.

The registrar points the world at the DNS servers. The DNS host runs those servers and holds the actual records: the MX that decides where mail lands, the A and CNAME for your website, the TXT records that make DMARC, SPF and DKIM work. If the DNS host disappears or refuses to make changes, your business goes dark.

Common patterns: DNS at Cloudflare, AWS Route 53, the registrar itself, or (a 2026 red flag) the IT provider’s in-house BIND server. Wherever it lives, the master account must be in the business’s name.

The Cloudflare case is worth a specific note. Cloudflare lets the IT provider invite you as a member of their dashboard “for convenience”. Wrong direction. You own the Cloudflare account and invite the IT provider in. Same at Route 53: the AWS root account is yours, with an IAM user delegated to the technician.

If you cannot log in today to the place that holds your DNS records, you do not control your DNS.

3. M365 / Google Workspace tenant Global Admin or Super Admin

The Microsoft 365 Global Admin and Google Workspace Super Admin roles are the keys to everything inside the tenant. Mailboxes, files, calendars, identities. Whoever holds them owns the business’s information.

At least one Global Admin (M365) or Super Admin (Workspace) account must be in the business’s name. Not “shared with” the IT provider. Yours. Hardware security key in a safe, recovery email on the owner’s personal account, credentials sealed in a password manager entry the owner can open without asking permission.

This is the break-glass account. It exists for the day the IT provider is unreachable, the day a regular admin’s MFA token is compromised, the day a relationship ends abruptly. If you have not tested it in six months, it does not work. Read the companion article on why most break-glass accounts won’t work for the long version.

Practical setup: name the account explicitly (breakglass-1@yourdomain.co.za and breakglass-2@yourdomain.co.za), exclude both from every Conditional Access policy, give them FIDO2 keys not authenticator apps, store the keys in two physically separate locations, document the recovery path on paper inside a fire safe. Test sign-in quarterly and log the result.

The Microsoft 365 and Google Workspace pages cover the tenant-level configuration around break-glass accounts.
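An added example, not code from the article, of the quarterly break-glass check for a Microsoft 365 tenant: it confirms each named account exists, is excluded from every enforced Conditional Access policy, and has at least one FIDO2 key registered, then writes the result to a dated CSV so the test can be logged. It assumes the Microsoft.Graph PowerShell SDK is installed, the caller holds Policy.Read.All and User.Read.All, and the two UPNs are placeholders for your own.

```powershell
# Added example (not from the article): verify the break-glass setup described above.
# Assumptions: Microsoft.Graph SDK installed; caller has Policy.Read.All and User.Read.All;
# the two UPNs below are placeholders for the accounts you actually created.
$BreakGlass = @('breakglass-1@yourdomain.co.za', 'breakglass-2@yourdomain.co.za')

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

# Only policies that are actually enforced (report-only and disabled ones do not block sign-in).
$Policies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })

$Results = foreach ($Upn in $BreakGlass) {
    $User = Get-MgUser -UserId $Upn -ErrorAction SilentlyContinue
    if (-not $User) {
        # Account missing entirely: the break-glass path does not exist, record it and move on.
        [pscustomobject]@{ Account = $Upn; Exists = $false; ExcludedFromAllCA = $false; Fido2Keys = 0; MissingFrom = 'n/a' }
        continue
    }
    # Policies whose exclusion list does not name this account (by object ID, as Graph stores it).
    $NotExcluded = @($Policies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $User.Id })
    # FIDO2 keys registered on the account; the article asks for keys, not authenticator apps.
    $Keys = @(Get-MgUserAuthenticationFido2Method -UserId $User.Id -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Account           = $Upn
        Exists            = $true
        ExcludedFromAllCA = ($NotExcluded.Count -eq 0)
        Fido2Keys         = $Keys.Count
        MissingFrom       = ($NotExcluded.DisplayName -join '; ')
    }
}

# Show the result and keep a dated copy next to the paper record the article recommends.
$Results | Format-Table -AutoSize
$Results | Export-Csv -Path ".\breakglass-check-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Any row with ExcludedFromAllCA false or Fido2Keys 0 is a failed quarterly test; the MissingFrom column names the policies that would block the account on the day it is needed.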

4. The master licensing portal customer account

This one trips up almost everyone, because the licensing portal is invisible during normal operations.

For Microsoft, it is the Microsoft Partner Centre customer admin. Every CSP-licensed M365 tenant has one. The IT provider has delegated admin access; the customer-of-record sits with one specific identity. If that identity is helpdesk@msp.co.za, the IT provider can re-route licensing, change billing, and complicate your exit.

For Google Workspace the equivalent is the Super Admin on the Cloud Identity / Workspace billing account. For Bitdefender bought through a partner, the customer account inside Bitdefender’s partner-managed customer portal. For Datto, Hexnode and any other vendor in the stack: the customer-of-record account must be in the business’s name.

What good looks like: every licensing portal has an administrator account on a business email under your domain. Owner or finance lead can log in independently. The IT provider is a co-administrator, not the only one.

If you have never been told the URL of your Microsoft Partner Centre customer view, you do not have one in your name. Ask, in writing.

5. The backup vendor’s customer account

Backups are the control you discover is broken the day you need them. The vendor account is the control you discover you do not own the day the IT relationship ends.

If your M365 or Workspace data is backed up to Datto SaaS Protection, SpinOne, AvePoint or Veeam, there is a customer account at that portal that owns the repository. That account must be in your name. The repository holds copies of every mailbox, Drive and SharePoint site. If the IT provider’s email is the master account, they own your historical record.

The shared-responsibility framing applies in full: Microsoft and Google do not back up your data, you do, and “you” means the business, not the MSP.

What good looks like: you have logged in to the backup portal at least once. You can see the last successful backup date. You can initiate a test restore yourself, or watch the IT provider do it on screen-share. Annual recovery test, non-negotiable. Backups never restored are not backups, they are hopes.

6. The endpoint security console root account

Bitdefender GravityZone, SentinelOne, CrowdStrike Falcon, Sophos Central, Microsoft Defender for Business: each has a console with a root or super-admin user. That user can push policies to every endpoint, change exclusions, disable protection, and exfiltrate data without anyone noticing for weeks.

Wherever your endpoint security lives, the root account must be a business account. The IT provider gets a named admin underneath. We have walked into too many environments where the GravityZone console root is a personal Gmail belonging to a technician who hasn’t worked at the MSP since 2023. They could still log in and disable protection on every device. Nobody has noticed because the dashboard looks fine.

Deployment detail lives on the Bitdefender page. The control side belongs here. Same rule: business email, business-owned recovery, MFA the business holds, audit trail of admin rights.

7. The MDM tenant root admin

Hexnode, Intune, Jamf, Kandji: the fleet management console holds remote-wipe authority over every enrolled device. A root admin can erase the entire fleet from a coffee shop in twenty minutes.

Intune is slightly different because it lives inside the M365 tenant: if you control the Global Admin (Control 3), you control Intune by extension. Hexnode, Jamf and Kandji are separate tenants with separate identity boundaries. Each has its own root admin account. Each needs to be in the business’s name with a recovery path the business controls.

The MDM page covers deployment patterns for mixed Apple and Windows fleets. The control checkpoint here is simpler: log in, know the URL, know the credentials, test quarterly.

8. The financial, banking and accounting MFA

Not strictly an IT control, and the single most over-shared credential we encounter.

The MFA token for the business banking portal (FNB, Standard Bank, Nedbank, Investec), Xero or Sage Business Cloud or Pastel admin, SARS eFiling, the CIPC director portal: these MFA prompts must land on a phone or hardware key the business owner physically holds. Not the bookkeeper. Not the accountant. Not the IT provider helpfully holding the SIM that receives the SMS codes. The owner.

Why this sits in an IT-controls article: the IT provider is often the person who set up the systems, “helped” with the MFA enrolment, and stored the recovery phone number on a SIM in a drawer at the office. We have unwound this twice in the past year. The bank requires identity documents, sometimes physical visits, occasionally a court letter. Months pass.

Set it up properly the first time. Owner’s personal phone, backup hardware key in a personal safe. The accountant gets delegated access below the master. The IT provider does not touch banking MFA. Ever.

9. The recovery email and phone for everything above

Each control above has a recovery channel: a recovery email that receives the reset link, a recovery phone that receives the SMS code.

The recovery channel is the master key. Whoever controls it, controls everything chained to it. It is also the most rarely thought-through piece of the stack.

The default pattern is wrong: a work email as the recovery for the work tenant. The work email lives inside the work tenant. The recovery for admin@yourbusiness.co.za cannot be cathleen@yourbusiness.co.za if the entire yourbusiness.co.za tenant is the thing you are recovering. Recovery has to live outside the failure domain.

What works: a personal Gmail in the owner’s name, MFA on the owner’s personal phone, registered as the recovery for every business-critical control. A South African mobile number on a contract in the owner’s personal name, port-out protection enabled at the carrier, as the secondary recovery factor.

Two implications people miss. The personal Gmail must be defended properly: hardware key, MFA, no shared access. The phone number must not be on a SIM the IT provider or operations manager holds. Port-out fraud is real; SIM swap is the standard precursor to a recovery-channel takeover. Both major South African carriers offer port-out protection if you ask.

If your recovery email is info@yourbusiness.co.za and your recovery phone is the office landline, fix it this week. Cheapest, fastest, most useful control on the list.

What does retaining the control actually look like?

Three tests. Pass all three for each of the nine, and you control it.

Password manager test. Credentials live in a password manager entry the owner can open without asking the IT provider. Not the provider’s vault with read access for the owner. The owner’s vault.

Recovery test. The owner can complete the password-reset flow without input from the IT provider. Recovery email arrives where the owner reads. Recovery SMS arrives on a phone the owner holds. Hardware key sits in a safe the owner can open.

Thirty-day call test. On a thirty-day notice call, the owner can demonstrate independent access to every account before the relationship ends. Not the day after. Before. While there is goodwill and a legal obligation to cooperate.

If any answer is “I’d have to ask,” the control is not yours. Schedule the fix.

What happens when these are wrong

Each scenario below has a real engagement behind it.

The registrar hostage. Cape Town retailer, six years with the same MSP, ends the relationship over service quality. Domain expiry hits forty days later. The MSP lets the renewal lapse. The retailer, who never had registrar access, scrambles. Email down for three days, web shop down with it. By the time the registrar’s escalation path resolves it, the business has lost a measurable chunk of quarterly revenue and the legal bill is well into five figures. Cost of holding the registrar account beforehand: zero rand.

The ex-technician’s super-admin. Professional services firm on Google Workspace. A technician at the IT provider, who set up the tenant in 2019, leaves the MSP under sour terms. Two years later an employee receives an oddly targeted phishing email in private. Investigation shows the ex-technician’s super-admin was never disabled. They had read every email in the firm for two years. Discovery happened by accident. Police, attorneys, the kind of board meeting nobody wants to chair.

The Partner Centre customer admin. Manufacturing client switches MSPs. Old MSP is cooperative. The handover reveals the Microsoft Partner Centre customer admin is accounts@oldmsp.co.za. Transferring the CSP relationship needs Microsoft’s intervention, takes nine working days, and the new MSP cannot raise partner-channel tickets in that window. Inconvenient, not catastrophic. Entirely avoidable.

The companion article on how to lock down your reseller from owning your stuff covers the contract and onboarding clauses that prevent these up front.

Get a 30-minute business-owner control audit

Sixty rand says you do not own at least three of these nine. We will tell you which.

Thirty minutes on a video call. We walk through the list, you tell us where each control lives, and we produce a written sheet scoring each as Owned, Shared, Provider-Held, or Unknown. For the last two categories, we map the recovery path: cost, dependencies, time.

The sheet is yours whether you engage us further or not. Most owners are mildly horrified at three or four entries and entirely calm about the rest. The point is to know.

This is what the /professional-services/ practice is for, sitting inside the broader /services/ stack. Email support@osh.co.za to book.

You do not need a new IT provider to do this. You need to know what you own.
