/ Optimize Your MSP Relationship · Part 2 of 4
Which MSP Do You Have? A Field Guide to the Stack You're Paying For
How to identify your provider's franchise and right-size the relationship — what to keep, what to renegotiate, and what to move off their plate.
Most companies can name their MSP. Almost none can name their MSP's operating system — the PSA and RMM platform the provider bought, whose templates dictate how your tickets are worked, how your endpoints are managed, and how your invoice is constructed.
That matters, because MSPs are franchise players. They don't design their service model; they license it from ConnectWise, Kaseya, NinjaOne, Datto, or N-able, and run the playbook that comes in the box. Once you know which franchise you're dealing with, you know most of what there is to know: the workflows, the incentives, the bundled tools you're paying retail for, and the ceiling on what your provider can ever change.
The good news is that the diagnosis requires no consultant and no meeting. The evidence is sitting in three places you already control: your laptops, your invoice, and your inbox. This is the field guide.
Step one: read the laptop
Open Task Manager on any company machine (or Activity Monitor on a Mac), look at running processes and installed programs, and your MSP's entire architecture confesses itself. These are the tells:
| What you see on the machine | What your MSP bought |
|---|---|
LTSvc, LabTech, or a LabTech folder | ConnectWise Automate (RMM) — the old LabTech, acquired 2015 |
ScreenConnect Client followed by a long fingerprint string | ConnectWise ScreenConnect — their remote-control tool |
Kaseya Agent, AgentMon.exe, or a kworking folder | Kaseya VSA — the RMM at the center of the 2021 supply-chain ransomware incident |
CagService, Datto RMM, or Aem Agent | Datto RMM (now Kaseya-owned, acquired 2022) |
NinjaRMMAgent or NinjaOne Agent | NinjaOne |
Advanced Monitoring Agent or Windows Agent under an N-able path | N-able N-sight or N-central — the former SolarWinds MSP |
SAAZOD or Continuum agents | ConnectWise RMM lineage (Continuum, acquired 2019) |
Splashtop Streamer, TeamViewer Host, AnyDesk set to start with Windows | Persistent remote access, usually bundled with one of the RMMs above |
SentinelAgent, HuntressAgent, Blackpoint, ThreatLocker | The security stack your MSP resells per endpoint, typically at 2–4x their cost |
Two findings should stop you cold.
Finding one: you're running the agent zoo. Four, five, six always-on agents — RMM, remote control, EDR, DNS filter, backup, "documentation" — each phoning home to a different vendor, each a line item somewhere in your per-seat price, each an attack surface. The Kaseya VSA breach worked precisely because the RMM agent is, functionally, a benevolent rootkit: whoever controls the console controls every machine it touches. You are trusting your entire fleet to your MSP's password hygiene on a platform you've never heard of.
Finding two: you're paying twice. If your machines show a third-party RMM agent and third-party antivirus and your Microsoft 365 licensing is Business Premium, E3, or E5, you are paying retail for capabilities you already own. Business Premium — the license most MSPs themselves recommend — includes Intune (device management and patching), Defender for Business (EDR), Entra ID P1 (identity and conditional access), and Autopilot (zero-touch provisioning). The redundant agent layer isn't protecting you; it's justifying the invoice.
Step two: read the invoice
Pull your last monthly invoice and your agreement. You're looking for the shape of the franchise, and it's always the same shape:
The per-user or per-endpoint bundle — "$125–$185/user/month, all-inclusive" — is the industry's standard construction because the PSA prices agreements that way out of the box. Ask what's inside the bundle and you'll get the stack list: RMM agent, AV/EDR, email filtering, backup, "24/7 monitoring," and help desk. Now do the arithmetic. The tools cost your MSP $8–20 per seat wholesale. Microsoft covers half the list natively. What you're actually buying, at $100+ of margin, is access to a ticket queue.
The tell-tale line items: "management agent," "security stack," "BDR appliance rental," "vCIO services." Each maps to a franchise SKU. A Datto BCDR box in your closet backing up servers that could be — or already are — in Azure or M365 is a monthly rental for a 2014 problem.
The agreement language: auto-renewal (often 12 months, 60–90 day notice window), per-seat true-ups that go up but never down, and offboarding clauses that charge you to receive your own documentation and passwords. Mark the renewal date on your calendar right now. Missing that window is how companies stay with providers they've already decided to leave.
Step three: read the tickets
Ask your MSP for a ticket export — last 90 days, with categories, timestamps, and resolution notes. This is your data; a provider that resists exporting it has told you something important. Then ask three questions of it:
What percentage of tickets are password resets, account lockouts, and access requests? In most environments it's 20–40%. Every one of those is a ticket that self-service password reset — a checkbox in Entra you likely already license — would have eliminated. Your MSP has had years to turn that checkbox on. Ask why the tickets still exist. The honest answer is that ticket volume is how the contract justifies itself at renewal.
What's the gap between response time and resolution time? The SLA your agreement celebrates is response — a human acknowledging the ticket within 15 minutes. Resolution is what you actually need, and it's usually hours to days, because L1 acknowledged it, asked a clarifying question, and put it back in the queue. Response-time SLAs are the franchise's signature metric because they're the only one the model can hit without fixing anything.
Which issues recur? Sort by category and look for the same VPN problem, the same printer, the same onboarding failure appearing month after month. Recurring tickets mean nobody is paid to find root cause. In the per-seat model, nobody is.
Step four: check who holds your keys
This is the diagnosis most companies skip and regret. Answer these before any renewal conversation:
Who are the Global Admins in your Microsoft tenant — and are any of them accounts you don't control? Does your MSP access your tenant through proper delegated permissions (GDAP) with scoped roles, or does an engineer simply hold standing admin credentials? Who owns your domain registrar login, your firewall admin password, your backup encryption keys? Is your documentation in the MSP's IT Glue instance — a Kaseya product, in their tenant, exported only on their timeline?
If the answers make you uncomfortable, that discomfort has a name: vendor lock-in wearing a safety costume. A provider confident in its value hands you the keys and wins the renewal anyway.
What you can do this month, no vendor required
None of this requires changing providers yet. It requires turning on what you own, so the renewal conversation starts from a position of knowledge rather than dependence.
Enable self-service password reset in Entra ID. One setting, one afternoon of user communication, and the largest single ticket category starts evaporating.
Audit your M365 licensing against the MSP bundle. List every third-party tool on your invoice next to its native Microsoft equivalent — Intune vs. the RMM agent, Defender vs. the resold EDR, Autopatch vs. "patch management as a service." Every overlap is a negotiation point.
Turn on Windows Autopatch (or Intune update rings) for a pilot group. Watch patch compliance happen as policy instead of as a monthly report someone charges you to produce.
Reclaim your keys. Inventory admin access, convert standing credentials to delegated access, get a copy of your documentation out of the provider's tenant and into yours.
Put the renewal date and notice window on the executive calendar. Optionality is leverage, and the franchise agreement is engineered to quietly remove yours once a year.
What the diagnosis usually shows
Run the four checks and a pattern emerges in most mid-sized environments: an agent stack duplicating the Microsoft platform, a bundle priced against 2015's problems, a ticket queue dominated by categories that native tooling eliminates, response SLAs standing in for outcomes, and keys held by the vendor. That's not a bad MSP. That's the franchise operating exactly as it was designed to — for the franchisor.
Knowing which franchise you have doesn't hand you a decision. It hands you the map. Once you can see what you're actually buying, what you already own, and where your MSP genuinely earns its fee, the relationship becomes yours to right-size: keep them for the projects, the escalations, the vendor-management and industry expertise they're good at; renegotiate the line items that duplicate what your Microsoft tenant already does; and move the commoditized endpoint layer — and the productive payroll hours it drains when it goes wrong — off their plate to an operator whose model is built for it. How you realize the saving from there is your call to make.
Two of the findings above run deep enough to deserve articles of their own. The first is security: every agent in the zoo is another privileged access channel into your environment, and the franchise platforms themselves have become a target attackers reach for. The second is ownership: the MSP's tools are the stack, and the stack leaves when the MSP does. Those are the next two parts of this series.