field note · IT Strategy · Business Protection

Succession Planning for SMBs: How to Not Lose Your Business to Your IT Provider

How South African SMBs lose access to their own tech stack when an IT provider quits, sells or hikes prices, and the account-ownership map that prevents it.

Cathleen Ogier · founder 08 May 2026 12 min read

TL;DR

Most SMB succession planning focuses on the owner. The bigger blind spot is the IT provider. If your provider quits, sells, dies or doubles their price tomorrow, can you still log into your own Microsoft 365 tenant, your domain registrar, your DNS host and your backup vendor? Most owners cannot. This article maps what you should own, what your provider should hold delegated rights to, and the contract clauses that protect you when the relationship ends.

What does “succession planning” mean for IT in a small business?

When an accountant says succession planning, they mean the owner. Who runs the business if you fall ill. Who buys the shares if you retire.

When an IT person says it, the picture widens. There are three successions an SMB needs to plan for, and only one is about the owner.

Owner-succession: you sell, retire, hand over to a partner. Most firms have a partial answer to this.

IT-provider-succession: your IT company gets sold, the senior tech leaves, the founder retires, the firm goes under, the relationship breaks down, the price doubles overnight and you decide to walk. Almost no SMB has this documented.

Key-person-succession inside your own team: the administrator who knows the M365 password leaves on bad terms; the marketing manager who set up the social accounts emigrates; the bookkeeper who registered the domain twelve years ago dies. Account ownership scattered across former employees is a common failure mode.

If a single phone number, email address or person is the only path to a critical account, you do not have a succession plan. You have a single point of failure waiting to retire.

Why this matters more than most SMBs realise

A scenario that lands in our inbox at least twice a year, names changed.

A 40-seat accountancy firm in Cape Town has used the same one-person IT shop since 2014. The shop registered the domain in their own Afrihost account. Set up Microsoft 365 under their own Partner Centre tenant, alongside their other 30 clients. Pointed DNS at Cloudflare, on an account in their own name. Installed Bitdefender on a master GravityZone console under their reseller portal. Sold and configured backup on the same portal.

The IT shop owner has a heart attack. Recovery is uncertain. His wife, who runs the office side, doesn’t have the credentials or any contractual relationship with the firm.

What does the firm own? Their data. Their licences, in name. Nothing else. They cannot reset a password, because every admin credential sits on the shop’s side of the Partner Centre delegation. They cannot transfer the domain because the registrant email points at an account they don’t control. They cannot move DNS because Cloudflare will not hand over an account that is not theirs. Backups are running but they cannot log in to verify or restore. Endpoint protection is running but they cannot push a policy change.

Not theoretical. Not malicious on the shop’s part either. It is the natural drift of a small operator setting things up the most efficient way for themselves and never being challenged on it. The firm signed nothing that documented who owned what.

Account ownership is something a business owner claims and documents deliberately. Nobody volunteers it back when the relationship is healthy. They do when it is dying, but by then the recovery cost has mounted.

What you should own as a business owner

Here is the working list. If any of these are not in your name, on email addresses you control, with credentials in your own password vault, you are exposed.

Domain registrar. Whoever holds the registrar holds the keys to your email and website. Registrant email must be a controlled mailbox (something like domains@yourbusiness.co.za going to two directors), not your provider’s address. The account itself, at Afrihost, Domains.co.za, GoDaddy or Cloudflare Registrar, must be in the business’s name, paid on the business’s card.

Microsoft 365 tenant. Global Administrator accounts must include at least two break-glass accounts in the business’s name, credentials held by the business. The provider keeps their own admin accounts for daily work. That is fine. But the top of the tenant has to be yours.

Google Workspace tenant. Same shape. Two Super Admin accounts in the business’s name, credentials in the business’s vault, hardware keys held by the business.

DNS account. Cloudflare, Route 53, Hostinger DNS, registrar nameservers: wherever it lives, the console has to be on an account you own. DNS holds MX, SPF, DKIM, DMARC, MTA-STS and your A records. Losing DNS is losing the business overnight.

Microsoft Partner Centre relationship. If your provider resells M365 through CSP, they hold a delegated relationship against your tenant. Granted by you, revocable by you. If you cannot revoke it, something is wrong.

Master security accounts. Bitdefender GravityZone, Hexnode or Intune, Exclaimer, patch management (NinjaOne, Action1), backup (Datto, Veeam, Backupify, SkyKick). Each has a “tenant owner” tier. That tier sits in the business’s name. The provider is a delegated user under it.

Hosting and marketing accounts. WordPress on Hostinger, Webflow, Squarespace, Hugo on GitHub Pages, plus LinkedIn, Facebook Business Manager, Google Business Profile, the email marketing platform. These usually end up in the name of whichever assistant set them up. When that assistant leaves, the brand walks with them unless you hold the recovery email and second factor.

The pattern is not “lock the provider out.” It is “their access is granted by you, scoped by you and revocable by you.”

What does “tenant ownership” actually mean?

Tenant ownership is a specific technical setup, not a feeling.

Microsoft 365. The tenant has a small number of Global Administrator accounts. Best practice is two break-glass plus the day-to-day admins. Break-glass accounts should:

  • Be named after the business, not a person (breakglass1@yourbusiness.onmicrosoft.com, not paul.smith@yourbusiness.com).
  • Use the .onmicrosoft.com domain, so they keep working if custom-domain DNS or licensing breaks.
  • Have hardware FIDO2 keys (a YubiKey or two) held by the owner or in a documented safe.
  • Be excluded from every Conditional Access policy so a policy change cannot lock them out.
  • Have sign-in alerts going to the owner’s email and phone.
  • Be tested in a quarterly fire-drill.
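The list above is a configuration, so here is the same setup as an added PowerShell example using the Microsoft Graph PowerShell SDK. It is not code from the article; it assumes the tenant’s initial domain is yourbusiness.onmicrosoft.com and that the accounts are named breakglass1 and breakglass2 as in the text. It creates the two accounts if they do not exist, makes them Global Administrators, and then reports every Conditional Access policy that does not exclude them. It deliberately does not patch the policies itself: each exclusion is a change you want to make knowingly, per policy, with the provider watching.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumptions: initial domain and account names below; adjust to your tenant.

param(
    [string]$InitialDomain = 'yourbusiness.onmicrosoft.com'   # assumption
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','RoleManagement.ReadWrite.Directory','Policy.Read.All' -NoWelcome

# The Global Administrator role must be activated from its template before members can be added.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator template ID
$ga = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $ga) { $ga = New-MgDirectoryRole -RoleTemplateId $gaTemplateId }

$breakGlass = @()
foreach ($name in 'breakglass1','breakglass2') {
    $upn  = "$name@$InitialDomain"
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue
    if (-not $user) {
        # 32 random bytes as the initial password; it goes into the business vault and is
        # superseded by a FIDO2 key as soon as the account is enrolled.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $password = [Convert]::ToBase64String($bytes)
        $user = New-MgUser -AccountEnabled -DisplayName "Break-glass ($name)" `
            -MailNickname $name -UserPrincipalName $upn -UsageLocation 'ZA' `
            -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
        Write-Host "Created $upn. Store this password in the business vault now, then enrol a hardware key:"
        Write-Host $password
    }
    # Make the account a Global Administrator if it is not one already.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id
    if (@($members.Id) -notcontains $user.Id) {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $ga.Id `
            -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    }
    $breakGlass += $user
}

# Report every Conditional Access policy (enabled, report-only or disabled) that could
# still lock a break-glass account out. Fix each one deliberately in the portal.
foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
    $missing = $breakGlass | Where-Object { @($p.Conditions.Users.ExcludeUsers) -notcontains $_.Id }
    if ($missing) {
        Write-Warning ("Policy '{0}' (state: {1}) does not exclude: {2}" -f `
            $p.DisplayName, $p.State, ($missing.UserPrincipalName -join ', '))
    }
}
```

Run it from a business-owned admin session, not the provider’s. Disabled and report-only policies are listed on purpose: a policy that is switched on later is exactly the change that locks a break-glass account out.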

If your provider is a CSP, they get delegated access through the Partner Centre. Granular Delegated Admin Privileges (GDAP) is the modern model: specific roles, time-bound, explicit scope. It replaced the older DAP model, which gave the partner standing Global Administrator rights with no expiry. The provider requests the relationship, one of your Global Admins approves it, and you revoke it in two clicks under Settings → Partner relationships. That is what good looks like.

Bad looks like: the provider holds a Global Admin account they made at setup and never gave you a separate one. You do not appear in Partner relationships because GDAP was never configured. They say “you have full access through the accounts I created,” which is true for end-user actions and false for tenant-level changes. If they go silent, recovery runs through Microsoft’s tenant-recovery process: multiple weeks, signed letters on letterhead, ID documents, a forensic conversation with someone at Microsoft who is not having a good day.

Google Workspace. The top role is Super Admin. Two Super Admin accounts in the business’s name (super-admin-1@yourbusiness.com and super-admin-2@yourbusiness.com), each with hardware keys, each excluded from any context-aware access rule that could lock them out, each with sign-in notifications going to the owner.

Your reseller gets access through the Google Cloud Partner relationship. They can hold admin rights, but leaving them is your decision, not theirs: from the admin console you generate a transfer token that moves the subscription to another reseller, or you ask Google to move it to direct billing. You can see who currently holds the relationship under Account → Account settings → Reseller.

The bad version is the same shape. The reseller is the only Super Admin. Your “admin” is a delegated role with limits. If the reseller disappears you recover through Google’s domain-verification process, but you have to prove ownership via DNS, which means owning the DNS account, which loops back to the previous section.

Remember this: delegated admin is fine. Provider-owned admin is the problem. Your provider can be a delegated admin on every account on this list, all day, as long as the ownership tier above them is yours.

What about the IT provider’s accounts?

“Are you saying my IT provider should not have admin access?”

No. The opposite. Your provider should have admin at every layer they need. Without admin rights you end up paying them to file tickets with the vendor.

The framing matters though. Not “do they have admin.” “Is their admin granted by you and revocable by you?”

The healthy pattern:

  • Provider has named admin accounts, clearly identifiable as provider-side.
  • You hold the Global Admin or Super Admin accounts above them.
  • The Partner Centre or reseller relationship is in place, scoped, visible to you.
  • You can disable any provider account in under 60 seconds without breaking the tenant.

The unhealthy pattern is the inverse. Provider is the only Global Admin or Super Admin. No business-owned admin accounts above them. Partner Centre relationship missing. You cannot disable their access without breaking your own.

The contract clauses that matter

A handshake is not a succession plan. The Master Services Agreement needs to spell out a small list of things. If it does not, ask for an amendment. If the provider refuses, you have your answer about whether they want to be replaceable.

Account ownership clause. All customer-side cloud accounts (M365, Workspace, domain registrar, DNS, security, backup, MDM, signatures, password manager) are the property of the customer. The provider holds delegated access at the customer’s discretion.

Handover SLA. Defined business days within which the provider hands back full ownership of every account on the list above. Five days for a small estate, ten for a larger one. “Best efforts” is not a number.

Data export rights. Customer right to export, at any time, mailbox data, file repositories, identity data (users, groups, OUs, CA policies), DNS zone files, security console configuration and audit logs. No fee, no notice period beyond what the platform requires.

Pricing-change notice. Minimum 60 or 90 days before any change to managed-service fees or licence margin. This gives you time to negotiate or move before a doubled rate hits the next invoice.

End-of-contract data return. Format, deadline, destruction certification for anything held on provider infrastructure (password vaults, runbooks, internal wikis with tenant details).

Documentation deliverables. Provider maintains a runbook: tenant IDs, admin inventory, CA or Workspace policies, DNS zone export, integrations, scripts, backup configuration. Without it, the next provider spends a month rediscovering what the old one knew.

Master third-party accounts. Any vendor account opened on the customer’s behalf (Bitdefender reseller portal master, Exclaimer tenant, MDM console) sits in the customer’s name with the customer as billing-and-ownership entity.

Subcontracting and assignment. The provider cannot transfer the contract (including to an acquirer) without written consent.

These clauses are not unusual. Not hostile. We sign contracts containing all of them every month. A provider that refuses is telling you something.

How to test your succession readiness

We call it the 30-day fire drill. Pretend your IT provider went silent yesterday: no email, no answer, nobody picks up. For each item, can you do it right now, with credentials you hold, in under ten minutes?

  1. Log into your domain registrar and view the WHOIS record.
  2. Log into your DNS console and edit a TXT record.
  3. Log into your M365 tenant as a Global Administrator using a credential that does not belong to your IT provider.
  4. Log into your Workspace admin console as a Super Admin using a credential that does not belong to your IT provider.
  5. Reset a user’s password.
  6. View Conditional Access (M365) or context-aware access (Workspace) policies and confirm a break-glass account is excluded from all of them.
  7. Log into your Bitdefender, Hexnode, Intune, Exclaimer and backup consoles using a master account in the business’s name.
  8. Find where you would sever the Partner Centre or reseller relationship (do not actually sever it during a drill).
  9. Pull a full export of one user’s mailbox and Drive without involving the provider.
  10. Find the handover SLA clause in your contract within 60 seconds.
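Items 1 to 3 and the quarterly break-glass test can be pre-flighted from a script before you sit down with the list. The PowerShell below is an added example, not part of the article: it inventories every Global Administrator and labels each as business, provider or break-glass, reports when each break-glass account last signed in, and pulls the public mail-security records for the business domain so you can compare them with what your DNS console shows. It assumes the business domain is yourbusiness.co.za, that provider-side admin accounts either carry a provider- prefix or are guest accounts (#EXT#), that break-glass accounts follow the breakglass*@*.onmicrosoft.com convention from earlier in the article, and that DKIM uses the Microsoft 365 default selector1. Sign-in activity needs an Entra ID P1 licence; Resolve-DnsName is Windows-only.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Requires the Microsoft.Graph PowerShell SDK and, for DNS, Windows (Resolve-DnsName).

param(
    [string]$Domain         = 'yourbusiness.co.za',   # assumption
    [string]$ProviderPrefix = 'provider-'             # assumption: provider admin naming convention
)

Connect-MgGraph -Scopes 'Directory.Read.All','AuditLog.Read.All' -NoWelcome

# Drill item 3: who holds Global Administrator, and whose account is each one?
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$ga = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$admins = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id) {
    $u = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,accountEnabled' -ErrorAction SilentlyContinue
    if (-not $u) { continue }   # groups or service principals in the role are not users; skipped here
    $last = $null
    try {   # signInActivity needs Entra ID P1 and AuditLog.Read.All; otherwise stays unknown
        $last = (Get-MgUser -UserId $u.Id -Property 'signInActivity' -ErrorAction Stop).SignInActivity.LastSignInDateTime
    } catch { }
    $tier = switch -Regex ($u.UserPrincipalName) {
        '^breakglass\d+@.*\.onmicrosoft\.com$'          { 'break-glass'; break }
        "^$([regex]::Escape($ProviderPrefix))|#EXT#"    { 'provider';    break }
        default                                         { 'business' }
    }
    [pscustomobject]@{ Upn = $u.UserPrincipalName; Tier = $tier; Enabled = $u.AccountEnabled; LastSignIn = $last }
}
$admins | Sort-Object Tier, Upn | Format-Table -AutoSize

$bg = @($admins | Where-Object Tier -eq 'break-glass')
if ($bg.Count -lt 2) { Write-Warning "Only $($bg.Count) break-glass Global Admin(s); the baseline is two." }
foreach ($b in $bg) {
    if (-not $b.LastSignIn -or $b.LastSignIn -lt (Get-Date).AddDays(-90)) {
        Write-Warning "$($b.Upn): no sign-in in the last 90 days (or activity unavailable). Quarterly drill overdue."
    }
}
if (@($admins | Where-Object Tier -ne 'provider').Count -eq 0) {
    Write-Warning 'Every Global Administrator is provider-side. The provider, not the business, owns this tenant.'
}

# Drill items 1-2, read-only: what the public zone says about mail for $Domain.
$checks = @(
    @{ Label = 'MX';      Name = $Domain;                        Type = 'MX'    }
    @{ Label = 'SPF';     Name = $Domain;                        Type = 'TXT'   }
    @{ Label = 'DMARC';   Name = "_dmarc.$Domain";               Type = 'TXT'   }
    @{ Label = 'MTA-STS'; Name = "_mta-sts.$Domain";             Type = 'TXT'   }
    @{ Label = 'DKIM';    Name = "selector1._domainkey.$Domain"; Type = 'CNAME' }   # assumption: M365 default selector
)
foreach ($c in $checks) {
    $rr = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object Type -eq $c.Type
    if ($c.Label -eq 'SPF') { $rr = $rr | Where-Object { ($_.Strings -join '') -like 'v=spf1*' } }
    if (-not $rr) { Write-Warning "$($c.Label): no record found at $($c.Name)"; continue }
    $value = switch ($c.Type) {
        'MX'    { ($rr | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; ' }
        'TXT'   { ($rr | ForEach-Object { $_.Strings -join '' }) -join '; ' }
        'CNAME' { @($rr.NameHost) -join '; ' }
    }
    Write-Host ("{0,-8} {1}" -f $c.Label, $value)
}
```

The DNS section only proves the records exist publicly; item 2 still has to be done by hand by editing a TXT record from the console you own. Keep the tier labels honest: if a provider admin does not match the naming convention, fix the convention rather than the script, because a buyer’s due-diligence list (every admin flagged as internal, provider or ex-employee) will run on the same classification.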

Ten out of ten and you’re in good shape. Most SMBs score four or five the first time. The fix is rarely a new product. It is a couple of afternoons of cleanup: setting up break-glass accounts, transferring the master Cloudflare account, opening a Bitdefender reseller account in your own name with the provider added as a sub-user.

Run it every six months. Ownership drifts. Someone leaves, a vendor changes its console, the provider absorbs an old account into a new portal. Drift is normal. Catching it is what the drill is for.

What about owner-succession (selling the business)?

If you are selling in the next two years, the buyer’s tech due diligence will ask: “show me the ownership and admin records for every cloud platform the business runs on.”

A buyer who knows what they are doing will ask for:

  • Tenant IDs and registered owner names for M365 and Workspace.
  • Domain registrant records.
  • DNS account and zone-file export.
  • Reseller, partner and master-account records for every platform.
  • Every individual with admin access at any tier, flagged as internal, provider or ex-employee.
  • The provider contract with the clauses above highlighted.

Cannot produce the pack? The deal does not collapse. It gets repriced. Buyers discount for ownership risk because they assume the worst, which usually means budgeting for a tenant migration after close. A clean pack clears the IT line of due diligence in one call. A messy one knocks a percent or two off the headline, which is more than the cost of cleaning it up beforehand.

The cleanup pays back even if you never sell. It is just easier to see the number when there is a buyer in the room.

Where this connects

The umbrella sits on the professional services and services pages. Tenant mechanics for the two big platforms are on the Microsoft 365 and Google Workspace pages.

Get a business-protection audit

Sixty to ninety minutes. We walk your account-ownership map across every platform on the list above, score it against the 30-day fire drill, review your provider contract for the clauses that matter, and hand you a written report that names every gap. If the answer is “you are in good shape,” we say that and bill for the time.

The output is not a sales pitch. It is a pack you can put in the safe alongside your shareholder agreement. Email support@osh.co.za or book a call.
