How to Introduce a SaaS Management Solution to Your MSP Stack

The average 100-person company has 126 SaaS applications and 40% of the apps in an MSP client’s environment are likely shadow IT (Gartner). That creates an interesting challenge for MSPs and their clients.

SaaS platforms are a key enabler for modern businesses, and frankly, we’re better off as a result. SaaS solutions enable businesses to focus less on infrastructure and more on outcomes. However, they also create new security, governance, and cost management challenges. SaaS management solutions are the standard for businesses to address these challenges, but these challenges remain an unsolved problem for many MSP clients. 

Driven by client demand, SaaS management is becoming table stakes for MSPs. That means MSP leaders need to understand how to strategically integrate these tools into their overall offering to meet clients’ needs while also improving the bottom line. 

Getting MSP SaaS management right requires a mix of tools, strategy, tactics, and customer alignment. Like any growing technology problem, it’s essential to understand the nuance so you can focus on value creation.

In this article, I’ll explore how MSPs can roll out a SaaS management solution and integrate it with their offerings to create recurring revenue and win/win outcomes with their clients.

How to integrate a SaaS management solution into the employee onboarding lifecycle

Integrating a SaaS management solution into your client’s environment gives you deep visibility into the actual state of SaaS usage inside the business.

Let’s look at the most effective way to integrate a SaaS management solution using Auvik SaaS Management (ASM) as an example.

Phase 1: Deploy the agent and configure the IDP

You could create a SaaS inventory in several ways, from manually maintaining spreadsheets to apps that infer SaaS usage from email inboxes to reviewing DNS logs. However, nothing beats directly collecting data from devices, identity providers (IDPs), and browsers. 

That’s where SaaS agents and IDP integrations come in. A SaaS agent is an on-device agent that typically integrates with pre-existing remote monitoring and management (RMM) and Mac OS management tools, such as an MDM. In other words, endpoints are likely already running a tool the SaaS agent can integrate with. 

IDP integrations tie SaaS discovery into identity providers like Azure Active Directory or Google Workspace. Integrating with an IDP is quick and enables you to gain visibility into what apps and services different users are using their work accounts to access.

💡Pro tip: Use SaaS discovery to hook new clients. SaaS discovery with ASM is quick enough that you can show new clients meaningful value in a short amount of time. Consider using it as a practical way to demonstrate value to potential customers. 

Phase 2: Review SaaS discovery findings

While you’ll likely start seeing results in minutes, it’s crucial to give SaaS discovery enough time to build a robust inventory, and best practice is to review SaaS discovery findings 2 weeks after deployment. At that point, you’ll have sufficient data to review SaaS usage and potentially risky employee behaviors (e.g., password sharing) with your client.

💡Key takeaway: Save labor costs while improving results. Typically, these findings would be the result of manual work like surveys or error-prone approaches like reviewing DNS logs. Leveraging a SaaS management platform like Auvik reduces MSP labor costs while improving accuracy and compiling the data in initiative reports and dashboards.

Phase 3: Strategically review findings and recommendations with your client

Now, it’s time for you to be your client’s trusted advisor. Work with them to understand the findings and make recommendations to address challenges collaboratively. One of the biggest mistakes MSPs can make with a SaaS management solution is to skip the “with your client” part of this tip. The client must be part of the process. 

Worded differently, focus less on asking “what?” and more on asking “why?”

Your findings will likely be full of interesting apps and services you and your client may not have known about. Focus conversations on why employees are using these apps so you can drive to the proper business outcomes. 

For example, treat shadow IT as a change management challenge and collaborate on solutions. Sure, maybe you need to eliminate an app, but that won’t always be the case. Typically, shadow IT users are trying to solve a business problem, and you should drill down to figure out why they decided to use the app in the first place.

4 Ways to make SaaS management a continuous process

SaaS management isn’t a point-in-time activity. It’s a continuous practice.

Your SaaS monitoring platform solution will continue capturing and analyzing SaaS use for you, but it’s up to you to take action in order to see ongoing value. Make SaaS management part of your MSP’s standard operating procedures (SOPs) to reinforce its importance and ensure consistency across both clients and sites.

In the sections below, we’ll look at several different tactics you can adopt to help you make SaaS management a continuous process—and recurring revenue stream—for your MSP.

1. Integrate SaaS management with your QBRs

For an MSP, quarterly business reviews (QBRs) provide an excellent opportunity to review the current state of SaaS usage with your customers. 

Here are some tips to help you effectively integrate SaaS management into your QBRs:

Emphasize top 10 shadow IT

Shadow IT is everywhere these days. In fact, according to Gartner, 40% of apps in your client’s environment are likely shadow IT. Work with your client to understand why employees are using these apps and what options you have to move them towards a compliant SaaS inventory. 

Review what’s new

Three months is a long time in IT. SaaS usage data will change from QBR to QBR. Review what’s new and highlight interesting changes. For example, are employees using a new service that was rolled out last quarter? If not, you can ask probing questions to figure out why. 

Make a plan to address unapproved apps

Once you’ve identified apps and services that aren’t compliant with inventory policies, come up with a plan to address the issue. With the “why” in mind, work with your client to either get the app approved and managed, switch users to an already approved app that addresses the same use case, or eliminate the unapproved service.

Check your progress

Make sure you create a complete feedback loop as you create SaaS management plans with your client. That means circling back on the progress you’ve made to address business challenges from previous sessions. This tip provides a dual benefit: it makes sure you’re executing on your plans and helps demonstrate value to your clients.

2. Build accurate employee onboard/offboard checklists

Onboarding and offboarding workflows are often manual, error-prone processes based on a spreadsheet or similar document. SaaS management solutions can streamline onboarding and offboarding, speed up the time it takes to make a new employee productive, and reduce the amount of MSP labor required to conduct onboarding/offboarding activities. 

Let’s look at some specific ways SaaS management solutions can improve your clients’ onboarding and offboarding workflows.

Transform tribal knowledge into team knowledge 

Tribal knowledge that wasn’t transferred when an employee left is one of the biggest productivity killers when their replacement is onboarded. Seasoned employees use tools their manager and teammates might not know about (e.g., to create a report), so when they leave, no one can replicate what they did because no one knows what tool they used. 

Speed up offboarding and reduce security risk (hint: SSO isn’t enough)

You might think that single sign-on (SSO) solves the offboarding problem for you, but according to Insurance Journal, 94% of logins use username/password authentication. Ex-employees retaining access to business apps creates real security and data privacy concerns. 

To address this challenge, MSPs should take a two-pronged approach to offboarding:

1. Have a complete SaaS inventory so you can offboard ex-employees completely 
2. Collaborate with your client to shift apps using username/password authentication apps to SSO

Additionally, if ex-employees aren’t promptly removed from business apps, you have a significant security risk and data privacy challenge on your hands, 

Speed up new employee time to productivity 

New employees typically take about 12 months to reach their full performance potential (Gallup). Part of the time it takes to get productive is simply learning the new tools of the trade. If you’ve ever worked in a role where you stumbled into a new tool or process only once you needed it, you can understand why. 

As an MSP, you can help your client address this business challenge by ensuring new hires know exactly what tools they need on day one. Additionally, once you understand your clients’ onboarding challenges, you may even be able to provide additional white-glove services training new hires on more complex business apps. 

Reduce MSP labor costs

Maintaining onboarding and offboarding checklists manually is tedious. With the proliferation of SaaS services in modern businesses, it’s also impractical to expect MSP techs to maintain an updated list for all your clients. Leveraging a SaaS management tool to do the heavy lifting for SaaS inventory and reports can reduce manual labor while improving client outcomes.  

3. Improve security and compliance

Pick any of your favorite security frameworks or standards, and there’s a good chance it calls for a software inventory. This is true for ISO/IEC 19770, NIST 800-53 (in R5 CM8), PCI DSS (sections 12.5.1 and 6.3.2), ISO 27001, and the CIS Critical Security Controls (CIS Controls).

A SaaS management solution helps you effectively address a fundamental component of maintaining a strong security posture (SaaS inventory) and enables you to address other security and compliance issues such as disabling dormant accounts (CIS Control 5.3), logging sensitive data access (CIS Control 3.14), and ensuring the use of supported web browsers and email clients (CIS Control 9.1).

As you dive further into security posture improvements you can drive with your clients, consider these tips:

Quantify which apps are controlled by SSO

SSO makes your life as an MSP easier. In the ideal state, you should be able to cut off a user’s access simply by deactivating a single user identity. In practice, the real world is a lot messier. Start with quantifying what apps do and do not use SSO, then work with your client to move towards SSO where practical. 

Identify and address the use of shared passwords

After efficient patch management, eliminating the use of shared passwords is one of the biggest “bang for your buck” security improvements an MSP can provide. Credential compromise is a very common way for threat actors to breach a network, and reducing the use of shared passwords can reduce your risk. SaaS management solutions can detect the use of shared accounts and help you work with your client to address them. 

Ensure personal apps are not hosting business data

Sensitive data being distributed across multiple SaaS platforms is challenging enough from a compliance and security perspective. Personal apps that lack governance make the challenge even tougher. SaaS management tools can help you quantify the personal apps in use and develop a strategy to reduce this security risk. When you review your SaaS inventory, keep an eye out for apps like Google Drive, Dropbox, and Onedrive that well-intentioned employees may use as a shadow IT fileserver. 

Help your clients meet cyber insurance requirements

Shifting risk with an insurance policy is a valid risk management strategy, and cybersecurity risk is no different. Obtaining cyber insurance and getting a claim approved is getting more complex. Effective software asset management, including SaaS management, can help you and your clients meet cyber insurance requirements. 

4. Run quarterly vCIO/vCISO/TAM sessions to review app stack alignment

vCIO, vCISO, and technology alignment manager (TAM) consultations are excellent ways to uncover win/win opportunities for your MSP and your clients. SaaS management solutions can directly inform those sessions and find new sales opportunities for you that solve problems for your clients. 

For example, suppose an environment is using three different sales reporting tools. In that case, you can rationalize them, reduce their subscription costs, and make the remaining platform a solution you manage for them. You can slice the data differently and look at how many licenses are regularly used by employees.

According to Gartner, up to a quarter of provisioned licenses are not regularly used. If that’s the case with your clients, you can help them meaningfully reduce wasted spending. Strategically, these conversations can then directly complement creating a well-defined SaaS spend management strategy.

Similarly, you can flag risky shadow IT apps and either eliminate or harden them to align with security policies (for MSSPs this can help you improve your position as a trusted security advisor). 

Additionally, take the opportunity to get tactical and drill into the specific steps involved in business workflows like customer onboarding for your own tooling and employee onboarding for your clients’ new hires.

SaaS management solutions have become MSP table stakes

SaaS management is transitioning from a nice-to-have to a must-have for modern businesses. For MSPs responsible for solving their client’s technology problems, a quality SaaS management solution can give you a competitive advantage, if you use it right. 

From a human perspective, collaboration is the key to effective MSP SaaS management. Partnering with your client to solve business problems can make their life easier and improve your bottom line. 

From a tooling perspective, Auvik SaaS Management is purpose-built to help MSPs address SaaS management use cases across multiple clients. It provides robust SaaS discovery, reporting, and onboarding/offboarding tools to help you address all the different use cases we’ve described here. It even directly addresses CIS Controls like 2.1 (Establish and Maintain a Software Inventory), 2.3 (Address Unauthorized Software), 3.14 (Log Sensitive Data Access), and more.

It also helps you make a real impact on your bottom line through reduced labor costs and increased revenue. To see what I mean, consider the example scenario below.

For more tactics that can help you create a profitable SaaS management offering at your MSP, check out our Auvik SaaS Management Guide for MSPs.

The guide will also give you a link to download our free SaaS calculator spreadsheet so you can run the numbers for your business. If you’d like to take ASM for a spin yourself, sign up for a free trial.