GOVERNANCE · April 15, 2026 · 11 min read

The MSP recurring-revenue playbook: Copilot governance retainers

[Dashboard screenshot: app.migrationfox.com/governance/monitoring, "Composite Score Trend" for contoso.onmicrosoft.com, monthly cadence, trending up. Score by run: Apr 1 1.2, Apr 15 1.5, May 1 1.8, Jun 1 2.3, Jul 1 2.7, Aug 1 3.3. Counters: 14 new findings, 28 resolved, 3 regressions. This month's new Must-Do findings: SPO-004 (3 new Anyone links on sensitivity-labeled libraries), TEAM-007 (2 new teams created without owners), IAM-002 (1 new Global Admin added outside PIM). Anonymised trend from a 900-user tenant on a monthly retainer since Oct 2025; engagement ongoing.]

One-shot audits leave money on the table

If you are an MSP selling Copilot Readiness audits, you already know the shape of the engagement. Scope the tenant, run the scan, deliver the PDF, invoice the project, move on. The client feels informed for about three weeks. Then a partner sends a deck via Anyone link, a new team gets created without an owner, a departed user’s OneDrive sticks around with 40 GB of indexed content, and a fresh batch of external guests lands in a Teams channel that touches HR documents. By the time Copilot rolls out to the pilot group, the readiness posture in the PDF you delivered no longer reflects reality.

For the client, that is a governance problem. For the MSP, that is a missed revenue opportunity. A Copilot tenant is not a static artifact — it is a stream of changes, and every drift event is a billable check-in. The MSPs growing fastest in the M365 governance space have all converged on the same pattern: convert the one-shot audit into a monthly retainer, charge for the recurring posture review, and let the tooling do the heavy lifting between calls.

This post is the playbook. How to price it, what to check each month, what the client receives, and how to deliver it without burning a senior consultant’s day on every tenant.

How to tier the retainer

The mental model is the same one the managed-security and managed-backup categories proved a decade ago: a recurring control deserves recurring revenue. You sell the outcome (the tenant stays Copilot-ready every month), not the activity (we run a scan). Three tiers tend to map cleanly to tenant size and risk profile — price the dollar value against your local market and the rest of your services stack.

Tier                    Tenant shape                                                Cadence + touch points
SMB                     Up to 250 users, single geography, light external sharing   Monthly scan, quarterly 30-min review call, email escalation on new Must-Do findings
Mid-market              250–2,500 users, multi-department, active Copilot pilot     Monthly scan, monthly 60-min review call, ad-hoc remediation guidance
Regulated / enterprise  2,500+ users, financial / health / public sector            Weekly scan, monthly executive review, named-analyst escalation, audit-ready evidence pack

Two principles to internalize before you write a proposal:

  1. Bundle the first scan into the onboarding fee so the recurring number stays clean on the invoice.
  2. The retainer covers the steady-state operating posture; one-off remediation projects (large oversharing cleanup, label rollout, Conditional Access redesign) are billed separately on time-and-materials.

What to check each month

The whole point of a recurring engagement is that you are not re-doing the audit from scratch. You are watching a small list of things that change month-over-month. These are the categories worth surfacing on every cycle:

Everything on that list shares one property: it is a change since the last cycle, not a static state. That is what makes a monthly check-in different from re-running the original audit.

What to send the client

The deliverable is a 1-pager. Not a 60-page PDF, not a dashboard link the client never opens. A single page they can forward to the CIO without anybody having to read it twice. The five sections worth including:

  1. Score trend. The 1.0–4.0 composite score over the last six months. One sparkline. Up-and-to-the-right is the headline; flat-or-declining is the conversation starter.
  2. What changed since last month. Three numbers: new findings, resolved findings, persistent findings. No more than that on the front page.
  3. Top 3 must-fix items. The three highest-impact new Must-Do findings from this cycle, each with the affected resource, the risk in one sentence, and the recommended remediation owner. If there are zero new Must-Do findings, say so explicitly — that is the most valuable line on the page.
  4. Wins. Two or three findings that closed since the last cycle. This is the line that justifies the invoice.
  5. One ask. A single decision you need from the client this month. Ownership for an unowned team, sign-off on a label rollout, budget for a cleanup sprint. A retainer that never asks for anything looks like it isn’t doing anything.

Send it the same day the scan completes. The clients who renew at year two are the ones whose CIO can recite their own score trend from memory; that only happens if the 1-pager arrives on a predictable cadence.

How MigrationFox makes this practical

The retainer model only works if the scan, the diff, and the alert pipeline all run themselves. Otherwise the gross margin collapses the moment you sign your fifth tenant. The continuous monitoring module at /governance/monitoring is the operating layer for the playbook above.

Scheduled monthly re-runs

The default cadence is monthly — first of the month, 02:00 tenant time. You can switch it to weekly during an active Copilot pilot or to quarterly for steady-state tenants. The re-run uses the same credential set as the original assessment, needs no manual trigger, and completes in the same time the original scan did (typically 5–30 minutes depending on tenant size). Each re-run produces a new scored report across all six modules, a diff against the previous run, a changelog entry on the tenant’s monitoring timeline, and an email summary to the subscribed recipient list.

Trend charts

Every scheduled re-run stores its aggregate module scores plus its per-finding fingerprints. The monitoring dashboard plots the six-module scores over time. The default view is 12 months with one data point per run. Overlay event markers ("Copilot pilot launched 2026-02-14", "M&A intake completed 2026-03-08") so the trend is readable in context — when the SharePoint governance score drops 0.4 in a single run, the event marker directly above it is usually the explanation. This is the first chart the client sees on the 1-pager.

Diffs of new, resolved, and persistent findings

This is the workhorse. Every scan produces a set of findings, each with a stable fingerprint that survives across runs (the fingerprint is a hash of finding-type + affected-resource + specific-attribute, so the same finding on the same site looks like the same finding). Compare run N with run N-1 and every finding falls into one of three buckets:

Run-over-run diff (Aug 1 vs Jul 1, as shown on the dashboard):
  RESOLVED: 28 findings closed since last scan
  NEW: 14 findings appeared this month
  PERSISTENT: 23 Must-Do findings unchanged for 90+ days

Email alerts on new Must-Do findings

The email summary is two things. At the top: “Scan complete, overall score 3.4 (up from 3.3), 12 new findings, 8 resolved, 87 persistent.” Below that: a focused list of new Must-Do-Before-Copilot findings only — a new Anyone link on a library labeled Confidential, a new team with no owner, a new external guest granted access to a site containing HR documents, a new Conditional Access gap that opens MFA exemption. The intent is simple: nobody needs to read a full PDF every month to know whether the tenant got worse. The email either says “zero new Must-Do findings, posture stable” or it lists the new ones explicitly. Only the second case needs a human response — and that human response is the conversation the retainer pays for.
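As an added example (not MigrationFox's own code; the finding records, resource names and dates are constructed for illustration), here is the stable fingerprint, the three-bucket run-over-run diff, the 90-day persistence check and the Must-Do-only alert text described in the two passages above, in Python:

```python
import hashlib
from datetime import date
# Constructed sample findings for two scans of one tenant (not real tenant data).
# The finding codes SPO-004 / TEAM-007 / IAM-002 appear on the page; the resources,
# attributes and dates are made up for the example.
RUN_JUL = [
    {"type": "SPO-004", "resource": "sites/HR-Docs", "attribute": "Anyone link on hr-policies.docx",
     "severity": "must-do", "first_seen": date(2026, 4, 1)},
    {"type": "TEAM-007", "resource": "teams/Project-Atlas", "attribute": "no owner",
     "severity": "must-do", "first_seen": date(2026, 4, 1)},
]
RUN_AUG = [
    {"type": "TEAM-007", "resource": "teams/Project-Atlas", "attribute": "no owner",
     "severity": "must-do", "first_seen": date(2026, 8, 1)},
    {"type": "IAM-002", "resource": "user/admin2", "attribute": "Global Admin assigned outside PIM",
     "severity": "must-do", "first_seen": date(2026, 8, 1)},
]

def fingerprint(finding_type: str, resource: str, attribute: str) -> str:
    """Stable identity across runs: hash of finding-type + affected-resource + specific-attribute."""
    return hashlib.sha256(f"{finding_type}|{resource}|{attribute}".encode()).hexdigest()[:16]

def diff_runs(prev, curr):
    """Bucket run N against run N-1; a persistent finding keeps the earlier run's first_seen date."""
    p = {fingerprint(f["type"], f["resource"], f["attribute"]): f for f in prev}
    c = {fingerprint(f["type"], f["resource"], f["attribute"]): f for f in curr}
    return {
        "new": [c[k] for k in c.keys() - p.keys()],
        "resolved": [p[k] for k in p.keys() - c.keys()],
        "persistent": [{**c[k], "first_seen": p[k]["first_seen"]} for k in c.keys() & p.keys()],
    }

def stale_must_do(diff, as_of: date, days: int = 90):
    """Persistent Must-Do findings that have been open for `days` or more as of this run."""
    return [f for f in diff["persistent"]
            if f["severity"] == "must-do" and (as_of - f["first_seen"]).days >= days]

def summary_line(prev_score: float, curr_score: float, diff) -> str:
    trend = "up" if curr_score > prev_score else "down" if curr_score < prev_score else "unchanged"
    return (f"Scan complete, overall score {curr_score:.1f} ({trend} from {prev_score:.1f}), "
            f"{len(diff['new'])} new findings, {len(diff['resolved'])} resolved, "
            f"{len(diff['persistent'])} persistent.")

def must_do_alert(diff) -> str:
    """Body of the alert: only new Must-Do findings, or the explicit 'stable' line."""
    items = [f for f in diff["new"] if f["severity"] == "must-do"]
    if not items:
        return "zero new Must-Do findings, posture stable"
    return "\n".join(f"{f['type']} {f['resource']}: {f['attribute']}" for f in items)
```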

For tenants under active compliance scrutiny (financial services, healthcare, public sector), the weekly cadence plus the new-finding email is the closest thing the Copilot governance space has to a SOC feed for grounding-data risk. Run it as the always-on surface; let the monthly review call be the deliberate touch point.

Setting up a tenant for the retainer

  1. Open /governance/monitoring. If you have already run a Copilot Readiness Assessment on this tenant, it shows up as the “baseline run.”
  2. Pick a cadence. Weekly, monthly, quarterly — matched to the tier the client is on.
  3. Pick a run time. The default is 02:00 in the tenant’s primary time zone.
  4. Add the recipient list for email alerts — typically your MSP’s shared inbox plus the tenant admin. Hold the executive summary for the 1-pager you author.
  5. Optionally set event markers for trend annotation (“Pilot group added”, “Phase 2 rollout”) so the chart reads in context when you screenshot it for the deliverable.
  6. Turn on the schedule. The first auto-re-run fires at the next scheduled slot. Baseline diff is against the original assessment.
  7. Repeat per tenant. The dashboard shows all monitored tenants in one view so a senior consultant can triage 20 tenants in the same morning.

What a real trend looks like under the retainer

Anonymised data from a 900-user tenant on a monthly retainer since October 2025. Initial overall score: 2.8. Through the first seven months of monitored cycles and active remediation, with the engagement continuing:

Month                Overall  New findings  Resolved  Must-Do persistent
Oct 2025 (baseline)  2.8      –             –         41
Nov 2025             2.9      8             12        37
Dec 2025             3.0      11            15        33
Jan 2026             3.1      6             18        21
Feb 2026             3.3      7             11        17
Mar 2026             3.4      5             9         13
Apr 2026             3.5      6             8         11

The trend chart keeps updating with the live retainer cadence; the seven-month window above is the snapshot at the time this article was last refreshed. If you are reading this later, the engagement is still active.

The shape is the useful artifact. Overall score is creeping up, persistent Must-Do count is going down, new-finding rate is roughly stable (the tenant is generating new issues at a normal pace; remediation is simply faster than creation). Absent the monthly data, none of this would be visible — the client would just have a feeling that things were getting better, and you would have nothing to renew on.

Known limits

Get started

The Copilot Readiness assessment is the baseline you sell first — CA$399 per pack standalone, or CA$1,599 for the bundle that includes the commercial redistribution license MSPs need to sell the report to their own clients. Stand up your first monitored tenant at app.migrationfox.com/register. The first baseline scan is free; monitoring layers the recurring run, the diffs, and the alerts on top.

Turn one-shot audits into monthly MRR

Scheduled scans, trend charts, diffs, email alerts — the operating layer for a Copilot governance retainer.