
Introduction: why this report matters now
A fresh Help Net Security write-up highlights new survey data on how managed service providers (MSPs) are coping with Microsoft 365 at scale. The research—conducted by Syncro—confirms that operational complexity, incomplete backup coverage, and reactive baseline management continue to generate avoidable risk across multi-tenant Microsoft 365 estates. For MSPs, the findings double as a prioritization map for 2026 planning: simplify tooling, close the Microsoft 365/Entra ID backup gap, and automate baseline governance across tenants.
In brief: key findings at a glance
- Microsoft 365 concentration: ~60% of MSPs say Microsoft 365 powers 80%+ of their client base.
- Data loss due to backup gaps: 29% of MSPs experienced preventable client data loss that dedicated Microsoft 365 backup would likely have avoided.
- Operational complexity: 40% cite fragmented tools and manual workflows as the top challenge in Microsoft 365 management.
- Reactive baseline management: 28% review or update Microsoft 365 security baselines only after incidents.
- Technician burden: A significant portion of technician time is consumed by identity/access tasks and low-level security maintenance, limiting strategic improvements.
Context: Microsoft 365 as the MSP backbone
Microsoft 365 has become the de facto productivity layer for SMBs and mid-market organizations; MSPs now treat it as critical infrastructure. High tenant density per provider, mixed licensing tiers, and continuous Microsoft feature churn create a moving target for control hygiene. The survey quantifies this reality and shows that MSPs still rely on multiple consoles and bespoke scripts to enforce policies—conditions that magnify configuration drift and misconfigurations across tenants.
At the same time, vendors are racing to integrate backup and Entra ID awareness into unified MSP platforms to reduce tool sprawl—a trend emphasized by Syncro’s recent platform updates and the accompanying press materials. While product announcements aren’t survey findings per se, they reflect market direction: consolidate controls, build automation around baselines, and treat identity + data as one resilience domain.
Technical analysis: where the gaps actually are
1) Fragmented tooling → drift and inconsistent policy enforcement
MSPs juggling RMM, PSA, Microsoft admin centers, PowerShell scripts, and third-party security point tools face cross-tenant inconsistency. Fragmentation slows baseline deployment, complicates detection of deviations from CIS/Microsoft recommended settings, and increases the mean time to remediate misconfigurations. The survey respondents ranked this complexity as their top pain.
What that looks like technically
- Multiple policy surfaces (Entra ID, Intune, Exchange Online, SharePoint/OneDrive, Teams, Defender for Office 365) require consistent baselining and change detection.
- Manual scripts lack stateful compliance tracking, so regressions go unnoticed until incidents.
- Per-tenant “exceptions” accumulate, undermining standardization and increasing audit overhead.
2) Backup coverage gaps across Microsoft 365 and Entra ID
A core finding is the 29% preventable data loss due to insufficient or inconsistent Microsoft 365 backup. Notably, the report stresses that identity resilience (Entra ID objects, groups, roles) must be considered alongside data backup; restoring files without workable identities—or vice versa—produces “Schrödinger’s recovery” where access or content is missing.
Common technical pitfalls
- Assuming Microsoft’s native retention equals third-party backup (it doesn’t; retention ≠ true backup).
- Overlooking Entra ID objects in recovery planning, leading to orphaned data or broken access paths after an outage.
- Inconsistent scope (e.g., Teams chats, Planner, shared mailboxes, external shared files) and RPO/RTO misalignment.
3) Reactive baseline management
28% of MSPs revisit security baselines only after an incident, implying that baseline governance is treated as a project, not a control. The result is policy decay across tenants as Microsoft updates recommendations and features. Automated baseline rollouts and drift detection are essential to maintain parity with current guidance and licensing realities.
Practical consequences: risk scenarios and real-world impact
- Business email compromise (BEC) via lax baseline enforcement (legacy auth enabled, weak MFA posture) → tenant-wide blast radius in multi-tenant MSP contexts.
- Ransomware/extortion where OneDrive/SharePoint versioning and retention are insufficient, and no independent backup exists.
- Identity outages (accidental deletions, sync errors, admin role misuse) rendering intact data unreachable during continuity events.
- Audit and compliance pain: fragmented evidence makes SOC 2/ISO 27001 audits longer and pricier; lack of standardized baselines across tenants drives exceptions.
These scenarios—cited throughout the HNS article and Syncro’s survey summary—are exacerbated by tool sprawl and manual workflows.
Operational recommendations: what MSPs should do next
- Unify control planes and standardize
Adopt a platform and process architecture that centralizes Microsoft 365 configuration, assessment, and reporting across tenants. Define a golden baseline (per license tier) and apply it programmatically with drift detection and change control.
- Close the backup gap across data and identity
Treat Microsoft 365 content and Entra ID objects as a joint recovery domain. Ensure immutable, independent backups with tested restore workflows (including granular restores for mail, Teams, SharePoint, and identity artifacts). Validate RPO/RTO with tabletop exercises.
- Make baselines living controls
Automate monthly (or quarterly) baseline re-evaluation: compare current tenant state to reference baselines, remediate drift, and produce client-facing reports to document improvements. Tie findings to ticketing/SLA to avoid “best-effort” drift.
- Rebalance technician time
Shift low-value, repetitive identity and compliance checks to automation; free senior technicians to harden mail hygiene (DKIM/DMARC), conditional access, privileged identity management (PIM), and external sharing guardrails.
- Measure what matters
Track per-tenant KPIs: MFA coverage, legacy auth disabled %, Secure Score/Trends, baseline conformance rate, backup success/restore drill pass rates, time-to-baseline for new tenants, and exception aging.
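An added example (not from the survey, the article, or any vendor's tooling) of the stateful baseline check recommended above: it compares tenant snapshots to a per-tier golden baseline, honours exceptions only until their expiry date, and flags regressions against the previous run. Tenant names, setting names, and values are constructed for illustration and are not Microsoft Graph or PowerShell property names.

```python
from datetime import date

# Constructed golden baselines per license tier. Setting names are hypothetical
# labels for this example, not Microsoft Graph or PowerShell property names.
BASELINES = {
    "premium": {"legacy_auth_blocked": True, "mfa_all_users": True,
                "external_sharing": "existing_guests", "mailbox_audit": True},
    "basic": {"legacy_auth_blocked": True, "mfa_all_users": True,
              "external_sharing": "existing_guests"},
}
# Constructed tenant snapshots; exceptions map a setting to its expiry date.
TENANTS = [
    {"name": "tenant-a", "tier": "premium",
     "settings": {"legacy_auth_blocked": False, "mfa_all_users": True,
                  "external_sharing": "anyone", "mailbox_audit": True},
     "exceptions": {"external_sharing": date(2025, 6, 30)}},
    {"name": "tenant-b", "tier": "basic",
     "settings": {"legacy_auth_blocked": True, "mfa_all_users": True,
                  "external_sharing": "anyone"},
     "exceptions": {"external_sharing": date(2026, 3, 31)}},
]
# Constructed state saved by the previous run: tenant-a was fully conformant.
PREVIOUS = {"tenant-a": {"drift": {}}}

def assess(tenant, today, previous=None):
    """Compare a tenant snapshot to its tier baseline; previous enables regression checks."""
    baseline = BASELINES[tenant["tier"]]
    exceptions = tenant.get("exceptions", {})
    drift, expired = {}, []
    for key, want in baseline.items():
        have = tenant["settings"].get(key)  # a missing setting counts as drift
        if have == want:
            continue
        expiry = exceptions.get(key)
        if expiry and expiry >= today:
            continue  # documented exception still in force: accepted deviation
        if expiry:
            expired.append(key)  # exception aged out, so the deviation counts again
        drift[key] = {"expected": want, "actual": have}
    # Regression: drifted now but not in the previous run's saved drift.
    regressions = sorted(set(drift) - set(previous["drift"])) if previous is not None else []
    rate = round(100 * (len(baseline) - len(drift)) / len(baseline), 1)
    return {"tenant": tenant["name"], "conformance": rate, "drift": drift,
            "regressions": regressions, "expired_exceptions": expired}

if __name__ == "__main__":
    for t in TENANTS:
        print(assess(t, date(2025, 10, 20), PREVIOUS.get(t["name"])))
```

Persisting each run's result as the next run's `previous` is what turns a one-off script into the stateful compliance tracking that manual scripts lack; the `regressions` and `expired_exceptions` lists are natural inputs for ticketing.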
Differences / comparisons with other cases
Prior industry guidance has long warned that Microsoft retention is not backup and that identity is part of business continuity. What is notable here is the quantification: nearly a third of MSPs report preventable data loss tied to missing/incomplete Microsoft 365 backup, and over a quarter manage baselines reactively. Those rates suggest the gap between best practice and field reality remains sizeable, even as vendors promote “all-in-one” approaches.
Summary: key takeaways for leadership and ops
- Microsoft 365 is the core of MSP client operations; mismanaging it compounds risk across your book of business.
- Consolidation + automation beats tool sprawl; make baseline governance continuous, not episodic.
- Back up both data and Entra ID; run restore drills that prove access and content integrity end-to-end.
Sources / bibliography
- Help Net Security — “Inside the messy reality of Microsoft 365 management” (Oct 20, 2025).
- Syncro media release — “Nearly 30% of MSPs Report Preventable Microsoft 365 Data Loss Due to Backup Gaps” (Oct 16, 2025).
- Syncro product/market context — “Syncro Launches Integrated Cloud Backup and Restore for Microsoft 365 and Entra ID” (Sep 16, 2025).

