GOVERNANCE · April 15, 2026 · 11 min read
The MSP recurring-revenue playbook: Copilot governance retainers
One-shot audits leave money on the table
If you are an MSP selling Copilot Readiness audits, you already know the shape of the engagement. Scope the tenant, run the scan, deliver the PDF, invoice the project, move on. The client feels informed for about three weeks. Then a partner sends a deck via Anyone link, a new team gets created without an owner, a departed user’s OneDrive sticks around with 40 GB of indexed content, and a fresh batch of external guests lands in a Teams channel that touches HR documents. By the time Copilot rolls out to the pilot group, the readiness posture in the PDF you delivered no longer reflects reality.
For the client, that is a governance problem. For the MSP, that is a missed revenue opportunity. A Copilot tenant is not a static artifact — it is a stream of changes, and every drift event is a billable check-in. The MSPs growing fastest in the M365 governance space have all converged on the same pattern: convert the one-shot audit into a monthly retainer, charge for the recurring posture review, and let the tooling do the heavy lifting between calls.
This post is the playbook. How to price it, what to check each month, what the client receives, and how to deliver it without burning a senior consultant’s day on every tenant.
How to tier the retainer
The mental model is the same one the managed-security and managed-backup categories proved a decade ago: a recurring control deserves recurring revenue. You sell the outcome (the tenant stays Copilot-ready every month), not the activity (we run a scan). Three tiers tend to map cleanly to tenant size and risk profile — price the dollar value against your local market and the rest of your services stack.
| Tier | Tenant shape | Cadence + touch points |
|---|---|---|
| SMB | Up to 250 users, single geography, light external sharing | Monthly scan, quarterly 30-min review call, email escalation on new Must-Do findings |
| Mid-market | 250–2,500 users, multi-department, active Copilot pilot | Monthly scan, monthly 60-min review call, ad-hoc remediation guidance |
| Regulated / enterprise | 2,500+ users, financial / health / public sector | Weekly scan, monthly executive review, named-analyst escalation, audit-ready evidence pack |
Two principles to internalize before you write a proposal:
- The scan is automated; the human time is the product. Triage, the review call, and the occasional remediation conversation are where the engagement earns its fee. Margin scales with how much of the find-and-prioritize work the tooling does for you between calls.
- Capacity per consultant is bounded by review-call hours, not scan time. Stack tenants by reviewing in the same week, automate the month-over-month diff, and reserve voice time for changes that actually matter.
Bundle the first scan into the onboarding fee so the recurring number stays clean on the invoice. The retainer covers the steady-state operating posture; one-off remediation projects (large oversharing cleanup, label rollout, Conditional Access redesign) are billed separately on time-and-materials.
What to check each month
The whole point of a recurring engagement is that you are not re-doing the audit from scratch. You are watching a small list of things that change month-over-month. These are the categories worth surfacing on every cycle:
- New Anyone-links on sensitive content. The single most common Copilot-blocking event. A user shares a deck the fastest way they know how, the link gets indexed, Copilot grounds an answer on the file for someone who should never have seen it. Watch for new links on libraries that carry a sensitivity label or sit inside an HR / Legal / Finance site collection.
- New external guests. Guests added to Teams channels, SharePoint sites, or Microsoft 365 Groups since last month. Cross-check against the destination’s sensitivity tier.
- New sensitivity-label gaps. New libraries created without inheriting a label. New sites whose default label was overridden. Net-new unlabeled volume that Copilot will treat as fair game.
- New high-permission users. Net-new Global Admins, SharePoint Admins, Exchange Admins, or Compliance Admins added outside PIM. Net-new privileged role assignments that bypass eligible-only controls.
- DLP and Conditional Access policy drift. Policies disabled, scoped down, or moved from Enforce to Audit. New MFA exemptions. New trusted-location entries. Any policy whose target population shrank since last month.
- Unowned teams and orphaned OneDrives. Teams whose only owner was offboarded. OneDrives belonging to deleted users that still hold indexed content.
- Persistent Must-Do findings. Items present on the last three or four scans that nobody has touched. These are the conversations that justify the retainer — they are the items that turn into incidents if Copilot answers from them.
Everything on that list shares one property: it is a change since the last cycle, not a static state. That is what makes a monthly check-in different from re-running the original audit.
What to send the client
The deliverable is a 1-pager. Not a 60-page PDF, not a dashboard link the client never opens. A single page they can forward to the CIO without anybody having to read it twice. The five sections worth including:
- Score trend. The 1.0–4.0 composite score over the last six months. One sparkline. Up-and-to-the-right is the headline; flat-or-declining is the conversation starter.
- What changed since last month. Three numbers: new findings, resolved findings, persistent findings. No more than that on the front page.
- Top 3 must-fix items. The three highest-impact new Must-Do findings from this cycle, each with the affected resource, the risk in one sentence, and the recommended remediation owner. If there are zero new Must-Do findings, say so explicitly — that is the most valuable line on the page.
- Wins. Two or three findings that closed since the last cycle. This is the line that justifies the invoice.
- One ask. A single decision you need from the client this month. Ownership for an unowned team, sign-off on a label rollout, budget for a cleanup sprint. A retainer that never asks for anything looks like it isn’t doing anything.
Send it the same day the scan completes. The clients who renew at year two are the ones whose CIO can recite their own score trend from memory; that only happens if the 1-pager arrives on a predictable cadence.
How MigrationFox makes this practical
The retainer model only works if the scan, the diff, and the alert pipeline all run themselves. Otherwise the gross margin collapses the moment you sign your fifth tenant. The continuous monitoring module at /governance/monitoring is the operating layer for the playbook above.
Scheduled monthly re-runs
The default cadence is monthly — first of the month, 02:00 tenant time. You can switch it to weekly during an active Copilot pilot or to quarterly for steady-state tenants. The re-run uses the same credential set as the original assessment, needs no manual trigger, and completes in the same time the original scan did (typically 5–30 minutes depending on tenant size). Each re-run produces a new scored report across all six modules, a diff against the previous run, a changelog entry on the tenant’s monitoring timeline, and an email summary to the subscribed recipient list.
Trend charts
Every scheduled re-run stores its aggregate module scores plus its per-finding fingerprints. The monitoring dashboard plots the six-module scores over time. The default view is 12 months with one data point per run. Overlay event markers ("Copilot pilot launched 2026-02-14", "M&A intake completed 2026-03-08") so the trend is readable in context — when the SharePoint governance score drops 0.4 in a single run, the event marker directly above it is usually the explanation. This is the first chart the client sees on the 1-pager.
Diffs of new, resolved, and persistent findings
This is the workhorse. Every scan produces a set of findings, each with a stable fingerprint that survives across runs (the fingerprint is a hash of finding-type + affected-resource + specific-attribute, so the same finding on the same site looks like the same finding). Compare run N with run N-1 and every finding falls into one of three buckets:
- New. Present in the current run, absent in the previous one. Something changed in the tenant that created this finding. Worth investigating now while the change is fresh.
- Resolved. Present in the previous run, absent in the current one. Either the finding was fixed (good), or the affected resource no longer exists (verify). The resolved list is the progress you can show the client — the “Wins” section of the 1-pager writes itself.
- Persistent. Present in both. Nothing has been done. These are the items eating the tenant score over time. Surfacing “23 persistent Must-Do findings unchanged for 90+ days” is a client conversation that would never happen from a single-run report.
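The three buckets above, the stable fingerprint they depend on, the "persistent for 90+ days" count, and the scan-complete email header and Must-Do-only alert described in the next section, as an added example. This is illustration code, not MigrationFox's own implementation: the `Finding` fields, the hash construction, the `diffable` flag (standing in for the "not tracked for diff" marker) and all sample findings, resource names and dates are constructed.

```python
"""Finding fingerprints and run-over-run diffs for a recurring tenant review.
Added example, not MigrationFox's code. Field names, sample findings and
resource identifiers are constructed; only the three buckets and the
finding-type + affected-resource + specific-attribute hash follow the post."""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    finding_type: str      # constructed type names, e.g. "anyone-link"
    resource: str          # stable identity of the affected resource
    attribute: str         # the specific attribute that defines the finding
    severity: str          # "must-do" or "should-do"
    diffable: bool = True  # False when identity rests on a transient value


def fingerprint(f: Finding) -> str:
    """Hash of finding-type + affected-resource + specific-attribute.
    Severity and anything time-dependent are left out, so the same finding
    on the same resource hashes identically from run to run. Normalise
    resource identifiers here, before hashing, or the diff reports churn."""
    material = "\x1f".join((f.finding_type, f.resource.strip(), f.attribute))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def diff_runs(previous, current):
    """Bucket run N against run N-1 by fingerprint."""
    prev = {fingerprint(f): f for f in previous if f.diffable}
    curr = {fingerprint(f): f for f in current if f.diffable}
    return {
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "resolved": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        "persistent": [curr[k] for k in sorted(curr.keys() & prev.keys())],
        # Transient-keyed findings would look "new" every run; list them apart.
        "untracked": [f for f in current if not f.diffable],
    }


def first_seen(history):
    """history: [(run_date, findings)], oldest first. For each fingerprint in
    the latest run, return the start date of its unbroken streak of appearances."""
    runs = [(d, {fingerprint(f) for f in fs if f.diffable}) for d, fs in history]
    latest_date, latest = runs[-1]
    since = {}
    for fp in latest:
        start = latest_date
        for run_date, fps in reversed(runs[:-1]):
            if fp not in fps:
                break
            start = run_date
        since[fp] = start
    return since


def stale_must_do(history, min_days=90):
    """Must-Do findings in the latest run unchanged for min_days or more."""
    latest_date, latest = history[-1]
    since = first_seen(history)
    return [f for f in latest if f.diffable and f.severity == "must-do"
            and (latest_date - since[fingerprint(f)]).days >= min_days]


def summary_line(prev_score, curr_score, d):
    """The one-line header of the scan-complete email."""
    if curr_score > prev_score:
        direction = "up from"
    elif curr_score < prev_score:
        direction = "down from"
    else:
        direction = "unchanged from"
    return (f"Scan complete, overall score {curr_score:.1f} ({direction} {prev_score:.1f}), "
            f"{len(d['new'])} new findings, {len(d['resolved'])} resolved, "
            f"{len(d['persistent'])} persistent.")


def must_do_alert(d):
    """Alert body: only new Must-Do findings, or an explicit all-clear."""
    new_must_do = [f for f in d["new"] if f.severity == "must-do"]
    if not new_must_do:
        return "zero new Must-Do findings, posture stable"
    return "\n".join(f"NEW MUST-DO: {f.finding_type} on {f.resource} ({f.attribute})"
                     for f in new_must_do)


# Constructed sample findings across three monitoring runs of one tenant.
A = Finding("anyone-link", "https://contoso.example/sites/HR/Shared Documents/Comp-2026.pptx", "label=Confidential", "must-do")
B = Finding("unowned-team", "group:0f3c-constructed", "owners=0", "must-do")
C = Finding("unlabeled-library", "https://contoso.example/sites/Marketing/Assets", "label=none", "should-do")
D = Finding("admin-outside-pim", "user:alice@contoso.example", "role=Global Administrator", "must-do")
E = Finding("external-guest", "https://contoso.example/sites/Finance", "guest=guest@partner.example", "must-do")
F = Finding("ca-policy-drift", "ca-policy:Require MFA for all users", "state=report-only", "must-do")
T = Finding("stale-session", "session:transient", "token=ephemeral", "should-do", diffable=False)

HISTORY = [
    (date(2026, 1, 1), [A, B, C, D]),
    (date(2026, 2, 15), [A, B, D, E]),
    (date(2026, 4, 1), [A, E, F, T]),
]


def monthly_cycle(history=HISTORY, prev_score=3.3, curr_score=3.4):
    """Diff the latest cycle and assemble everything the email carries."""
    d = diff_runs(history[-2][1], history[-1][1])
    return {"diff": d, "summary": summary_line(prev_score, curr_score, d),
            "alert": must_do_alert(d), "stale": stale_must_do(history)}


if __name__ == "__main__":
    result = monthly_cycle()
    print(result["summary"])
    print(result["alert"])
    print(f"{len(result['stale'])} persistent Must-Do findings unchanged for 90+ days")
```

The design point worth noting is what the fingerprint excludes: severity, scan timestamps and scoring-version data are not hashed, so a re-scored or re-prioritised finding stays the same finding and never shows up as "resolved" plus "new" in the same cycle. The `untracked` bucket keeps transient-keyed findings out of the new-finding count for the same reason.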
Email alerts on new Must-Do findings
The email summary is two things. At the top: “Scan complete, overall score 3.4 (up from 3.3), 12 new findings, 8 resolved, 87 persistent.” Below that: a focused list of new Must-Do-Before-Copilot findings only — a new Anyone link on a library labeled Confidential, a new team with no owner, a new external guest granted access to a site containing HR documents, a new Conditional Access gap that opens MFA exemption. The intent is simple: nobody needs to read a full PDF every month to know whether the tenant got worse. The email either says “zero new Must-Do findings, posture stable” or it lists the new ones explicitly. Only the second case needs a human response — and that human response is the conversation the retainer pays for.
For tenants under active compliance scrutiny (financial services, healthcare, public sector), the weekly cadence plus the new-finding email is the closest thing the Copilot governance space has to a SOC feed for grounding-data risk. Run it as the always-on surface; let the monthly review call be the deliberate touch point.
Setting up a tenant for the retainer
- Open /governance/monitoring. If you have already run a Copilot Readiness Assessment on this tenant, it shows up as the “baseline run.”
- Pick a cadence. Weekly, monthly, quarterly — matched to the tier the client is on.
- Pick a run time. The default is 02:00 in the tenant’s primary time zone.
- Add the recipient list for email alerts — typically your MSP’s shared inbox plus the tenant admin. Hold the executive summary for the 1-pager you author.
- Optionally set event markers for trend annotation (“Pilot group added”, “Phase 2 rollout”) so the chart reads in context when you screenshot it for the deliverable.
- Turn on the schedule. The first auto-re-run fires at the next scheduled slot. Baseline diff is against the original assessment.
- Repeat per tenant. The dashboard shows all monitored tenants in one view so a senior consultant can triage 20 tenants in the same morning.
What a real trend looks like under the retainer
Anonymised data from a 900-user tenant on a monthly retainer since October 2025. Initial overall score: 2.8. Through the first seven months of monitored cycles and active remediation, with the engagement continuing:
| Month | Overall | New findings | Resolved | Must-Do persistent |
|---|---|---|---|---|
| Oct 2025 (baseline) | 2.8 | — | — | 41 |
| Nov 2025 | 2.9 | 8 | 12 | 37 |
| Dec 2025 | 3.0 | 11 | 15 | 33 |
| Jan 2026 | 3.1 | 6 | 18 | 21 |
| Feb 2026 | 3.3 | 7 | 11 | 17 |
| Mar 2026 | 3.4 | 5 | 9 | 13 |
| Apr 2026 | 3.5 | 6 | 8 | 11 |
The trend chart updates monthly with the live retainer cadence; the seven-month window above is the snapshot at the time this article was last refreshed. If you are reading this later, the engagement is still active.
The shape is the useful artifact. Overall score is creeping up, persistent Must-Do count is going down, new-finding rate is roughly stable (the tenant is generating new issues at a normal pace; remediation is simply faster than creation). Absent the monthly data, none of this would be visible — the client would just have a feeling that things were getting better, and you would have nothing to renew on.
Known limits
- Fingerprints are stable for finding types where the affected-resource identity is stable. If a finding depends on a transient attribute (e.g., a specific session token), it cannot be reliably diffed. These are flagged as “not tracked for diff” in the findings list.
- The trend chart needs at least three data points to display a meaningful line. The first 1-pager you send a new client leans on the diff, not the chart.
- Email alerts batch one email per scan. Per-finding real-time paging would require push integration with a SIEM, which is on the roadmap.
- Module scoring methodology is versioned. If a module’s scoring changes, the trend line shows a version-bump marker at the affected point so prior scores are not misinterpreted as drift.
Related reading
- Copilot Readiness Assessment: the baseline scan
- What’s new in Copilot Readiness v2
- SharePoint & OneDrive oversharing audit
Get started
The Copilot Readiness assessment is the baseline you sell first — CA$399 per pack standalone, or CA$1,599 for the bundle that includes the commercial redistribution license MSPs need to sell the report to their own clients. Stand up your first monitored tenant at app.migrationfox.com/register. The first baseline scan is free; monitoring layers the recurring run, the diffs, and the alerts on top.