Join inforcer for the launch of Copilot Manager, our new module designed to help you monitor Copilot adoption, identify Shadow AI usage, and deliver ongoing AI governance services at scale.
Join inforcer for the launch of Copilot Manager, our new module designed to help you monitor Copilot adoption, identify Shadow AI usage, and deliver ongoing AI governance services at scale.
Jack Cooke
Afternoon, ladies and gentlemen. Hope everyone is well today. We thought we'd kick the webinar off and give it a couple of minutes while we wait for some of the stragglers to come in. Thank you to everyone who's joined on time — we'll get kicked off in a minute or two, once everyone manages to make their way into the webinar. The attendance is still jumping up pretty quickly, so once we see that level off a little bit, we'll get everyone in.
Just a reminder as we go through the session today: there's a Q&A feature on the platform, so if you want to ask any questions throughout, feel free to drop them in there, and one of us will be moderating it at all times. If Freddy's talking, I'll be moderating, and vice versa. We'll either jump in if it's appropriate at that point, or we'll have a little break at the end of each section to address any questions. We should also have another 5 to 10 minutes at the back end of the webinar for some Q&A, so we'll allot the timings that way. It should all work out very nicely.
It looks like some people can't hear us — that might be a user error on that one. At least people can hear me, which is a good thing; it's whether or not they can understand me in my Northern Irish accent that's usually the bigger issue. If we can just get a thumbs up that everyone can understand me, that's a slightly more key point for myself. A bunch of thumbs up — there we go. A laughing face, that's what I like to see. I was about to ask how many thumbs down we can get, but I don't think that's an emoji we can react with. I even got some fellow Northern Irish in the chat — love to see that.
I think we're starting to see this plateau off a little bit. Do we want to get kicked off now then, Freddy? Sound good?
Frederick Brendzius-Drennan
Yeah, sure thing.
Jack Cooke
Perfect. Well, ladies and gentlemen, thank you very much for joining us all today. The title here is "How to productize Copilot adoption and shadow AI monitoring." If you want to jump to the next slide, Freddy — there are three of us on here today. You've got Freddy and Tom, who'll introduce themselves, and myself.
We're going to run through a bit of a webinar. Freddy's going to take us through what we've brought out around Copilot management and the shadow AI piece — why we've done that, what we're seeing in the market, and why that's important. I'm then going to jump in and look at two ways we're seeing MSPs productize this. One is a very simple, straightforward approach any MSP should be able to pick up and take to market tomorrow if you want to — and we've actually built a bunch of resources to help you do that, which is really cool — and then a bit of the wider potential AI road map you might want to be looking at with your customers. We've also got Tom on the call, who's out there actively doing this as an MSP, and we're going to have a 20-minute fireside chat with Tom at the end to get some insight from someone who's out there productizing these AI services.
As mentioned, my name is Jack Cooke. I'm a Senior Director of Global Partner Programs here at inforcer. I'm working on a couple of different things, but a lot of my background has been in the MSP vendor space for nearly a decade now, and I've spent the last three years working very closely with MSPs across the world on their go-to-market strategy, helping them bring products and offerings to market. Freddy, I'll hand over to you to introduce yourself.
Frederick Brendzius-Drennan
Hey everyone, thanks Jack. I'm on the product team here at inforcer. Just like Jack, I've been in the industry for just over 10 years. I'm always excited to work on different MSP industry challenges, and AI is such an exciting topic, so I'm looking forward to engaging with you on these topics today. Tom?
Tom
Hi, I'm Tom. I work for Infinity Group, and I've been in the MSP space for about 15 years, the vast majority of that with Infinity Group. We've been very early adopters of inforcer, so we're quite a long way down the road with this journey.
Jack Cooke
Perfect. Well, thanks to everyone joining us on this side of the webinar, and thanks to everyone else joining us. We'll hand over to Freddy now to take us through a bit of the Copilot piece — what's new and why we've done it.
Frederick Brendzius-Drennan
Thanks, Jack, and thanks, Tom. Let's get started. I've got a few slides to go through. The key thing for me is to take a step back and think about where we are in the world of AI — stuff is moving so fast. But I also want to get through it, because I want to leave as much time as possible for the most important bit, which is talking to you, Tom, a little later on in the fireside chat.
First, let's reflect on where we're at in terms of the MSP landscape. I've been in this space for just over 10 years now, and while a lot is changing right now — and changing very quickly — if we look back, the only constant has been change in this industry. Back in the mid-2000s, there was the move from break-fix to managed services. Around the time of Covid, the split between being an MSP providing IT support and providing security services as a pure play began to break down; now, in essence, everyone does some kind of MSSP work, arguably. And then the last couple of years have really seen the rise of the Microsoft-first MSP — Microsoft has continued to mature M365 and make it much more plausible for an MSP to provide pretty much all of your services using their tech stack — and, of course, the rise of cloud-first MSPs, where perhaps you're not even deploying anything on-prem anymore.
And then the last couple of years — which is where the really exciting stuff starts happening — around the rise of AI. It's fair to say everyone's still figuring it out. When we look at the past year, a lot of MSPs have been getting to grips with this, so topics like Copilot readiness have really come to the fore. Now we're looking at: how do we productionize this, how do we operationalize this? There are terms like "managed intelligence provider" — how do we move in that direction where providing Copilot and AI just becomes business as usual, just another tool in your toolkit to solve problems and drive value for your customers?
Set against this are some broader industry trends, and there are three I always like to call out. The first is the most important because it relates to security: how much security has changed in the last few years. Gone is the whole concept of traditional perimeter security; now it's all about defense in depth, with identity being really central to that — because of the rise of remote working and M365, Microsoft realistically owns that space with Entra. The second point is compliance. Compliance used to be more of a tick-box exercise in some instances — it depends on the regulations, the industry, and so on — but nowadays there's a lot more compliance and regulation than there used to be, and people are much more aware of what good looks like and which frameworks they should be aiming for as an outcome. MSPs have to meet that need. The third, as I mentioned, is that everyone's using AI — whether they should be or not. We're all frankly trying to figure out what to do, and the whole situation keeps shifting very quickly. If some of you tuned into Microsoft Build yesterday, Satya Nadella revealed a bunch of new updates in the Microsoft ecosystem around AI. Things don't seem to be slowing down, and your customers will demand a lot from you in terms of providing AI as a managed service.
In terms of demands, there are a couple of ways we can look at it. We've looked at a lot of data internally and validated it with our partners around how much demand for AI, on the SMB side, is top-down driven — board-level and C-suite priorities. Businesses, both SMB and enterprise, see AI as a really key way to drive productivity at the individual level, but also to reinvent how they work as a business — becoming more AI-native. And of course there's bottom-up demand as well, which I'll talk about again and again during this session. Concepts like shadow AI really come into play here: this is also a grassroots desire and push, where most end users can see some kind of benefit in using AI day-to-day just to help them get their work done.
The fact remains that, especially on the bottom-up side, people are going to be using AI whether you like it or not. Quite frankly, I think the numbers on this slide are probably out of date — it's probably close to 100%, but maybe I live more in a tech bubble. And maybe some people are using AI whether they realize it or not. There are quite literally tens of thousands of AI tools out there. There are lots of instances online of people putting things into these AI apps that maybe they shouldn't — sensitive data, proprietary information. There's a huge amount of risk around this, and of course it might be against company policy as well. It's a situation many businesses don't realize the threat of, and they might not be educated about why it's a problem.
I talked a little about expectations and how they're constantly shifting. When we think about Microsoft, for example, they've been doing a lot of marketing and awareness campaigns around what the future of work looks like. These are just a few examples: the concept of the "frontier firm," where they've outlined how businesses can go up the maturity curve — from deploying things like Copilot and Copilot agents to their users, through to building autonomous agent capabilities — lots of ideas of how businesses can become more effective and scalable moving forward. A couple of examples I always mention are things like Copilot and Cowork — the screenshot in the bottom right — where there are really significant innovations, in this instance Microsoft collaborating and partnering with Anthropic and using their Claude technology, delivering really significant productivity gains and fantastic ways to solve business problems for your customers. The key thing is that SMBs are increasingly aware of these concepts, and they'll be coming to you to say, "What's this concept of a frontier firm, and how can you get me there as my MSP?"
If we look in the media — which I think can sometimes be quite negative about many of these things — we can see there are a lot of AI projects that just remain in POC, proof of concept, for any number of reasons. We're going to talk through a couple of ways we can tackle this, but for me the key takeaway is that, as an MSP, this is such a great opportunity to be that trusted adviser and to really focus on the problems they aim to solve. AI shouldn't be used for the sake of it; it should be used in targeted ways to provide a measurable business outcome, and it's a great opportunity to take your customers on that journey.
And quite simply, the competition is not waiting for us either. Some of you on this call today are really mature and sprinting through all of this; some of you maybe aren't providing any kind of AI as part of your managed services. The key thing is that the competition can do what they want, and we see how many MSPs are really moving in this direction. Arguably, if you don't respond to this demand now, you risk losing business to one of your peer MSPs, or your customers will go to an AI specialist to solve this problem — and that poses risks to your line of business as well.
For me, where this really comes down to is a couple of concepts, and I'll talk about how we've delivered capabilities as part of our road map to start solving these problems. A lot of this first and foremost comes down to data around how people are using AI. As I mentioned, everyone is using AI, and in many ways that's a threat and in many ways it's an opportunity. When we think about it as a threat landscape or threat vector: people could use a personal version of something like ChatGPT or DeepSeek and be compromising sensitive information. Those apps may not be secure; they may not be right for that business; and we see a proliferation of tens of thousands of these apps available in many different marketplaces. This is obviously not going to be suitable for most businesses, and if something goes wrong, just ask yourself who's going to get the blame. That's the threat angle, and I think this is something Jack and Tom will dig into a little later.
And of course there's the opportunity: if you have that kind of data — and we know pretty much everyone is using AI, a lot of it shadow AI — for some reason people don't want to own up to it. So wouldn't it be great to have some data around this? Because if you do, it's a great sales indicator: it validates that people are using AI to solve some problem, and it's also an opportunity for more traditional security and compliance use cases. You can sell a solution to help mitigate or prevent the threat of shadow AI from occurring.
Just to break this down into a bit of a journey: a lot of this has been around readiness — getting customers ready for Copilot, for example, a combination of security and technical readiness, data governance, and adoption impact, which I'll talk about more in a second. Once you've started deploying Copilot to your customers, how do you know it's working for them? How do you know it's driving the ROI they're expecting, and how do you help them succeed with their AI investment? Then there are the more mature use cases, which we won't touch on too much today, around building custom agents — leveraging technology like Copilot Studio, Power Platform, and Microsoft Foundry to effectively build custom software to solve specific use cases for one or more customers.
So I'll go through a couple of capabilities we've delivered recently to help partners on their AI journey. The first is Copilot readiness, which is effectively an assessment you can provide for your customers. It does a couple of things: it analyzes their M365 tenant and highlights the top potential users of Copilot, and we analyze their usage — who they are within that business — to suggest use cases, top departments, and top users who might benefit the most. We also assess different parameters based on things like security and technical readiness and data governance — we look at things like their SharePoint configuration — to give you a starting point for a project plan or a sales proposal that you can offer that customer to help them get started on their Copilot journey, and most importantly to pick you as the partner of choice to make that happen.
A couple of other areas we've delivered on recently — I'll skip through this fast because I'll just demo it — are shadow AI detection, part of the Copilot Manager beta we launched recently, as well as Copilot adoption. Shadow AI detection is an integration with Defender's cloud discovery — this is included as part of Microsoft Business Premium — and first and foremost it's a dashboard that provides visibility of shadow AI use in a tenant. We've also got reporting, so you can provide customer-facing reports around the use of shadow AI, and I'll show that in the demo. Secondly, Copilot adoption: once you've deployed Copilot to a customer, you need to follow through — help ensure it's deployed properly, that it's being used, that licensing is configured correctly, and understand how well they're adopting it. Is it going to be a renewal risk? Do they need more help with enablement or training, or anything else to help them make the most of their AI investment?
Now we get to my favourite part, which is a quick demo. I'm just going to bring up a browser and take you through it. There are a few different elements to Copilot Manager. The first part is what I'm on now, the tenants list — which isn't very exciting. This is a multi-tenant view, but I've only got one tenant. The first thing I'll touch on: imagine if, as a salesperson, you had the ability to do a whitespace analysis across all your customers to understand who's using the most shadow AI, who's using the most risky shadow AI apps, and who's using the most Copilot — all the useful things for new business deals, upselling, or cross-selling. With this view, you've now got that. You can literally sort this list and find out which customer is using the most risky shadow AI, for example, and get in contact with them. It's a great talking point.
We can drill in to see more specific information. I'll start with shadow AI. As I mentioned, this is a dashboard, so we can see things like who's using shadow AI, how many apps have been seen, and the number of sessions. We also snapshot this data, so we can see trends over time — again, really great for telling a story, which is always important in these situations. Then we provide really in-depth data at the user level as well as the application level, and this is where we bring data together from a few different places in Microsoft, including Entra — so things like job title and department. You can really help a customer understand who might be using the most risky apps, or which departments might be at most risk, and craft a narrative around where those risks may lie in the organization and how you may be able to help them mitigate or control them.
The second part of this is Copilot adoption. As I mentioned, this is for when you've started deploying Copilot to your customers. It answers a number of questions, such as: you've bought them licenses — are they correctly assigned? Is there any wasted spend? What does their adoption and maturity look like? We look at all the data from Microsoft around which parts of Copilot are being used, and we can see that per user, so we can group them into, say, advanced, intermediate, or developing users. It really gives you an understanding of what kind of help they need to get the most out of Copilot, and we also show trends around which Copilot features are being used. Something we've seen is that quite often some organizations only use a few features — say, Teams recap. This gives you great data to consult your customers on how to get the most return on investment from their AI spend. And just like in shadow AI detection, we provide this visibility at the user level, so you can see how engaged they are with Copilot and which features they're using — again helping you craft a narrative and tell a story, and most importantly have data to back up your arguments.
Cool — Jack, that's my demo, that's my favourite part done. Over to you now to talk about how we operationalize this.
Jack Cooke
We did have a question come in while you were on that, Freddy, which is pretty relevant, from Stephen. He's saying: "You mentioned shadow AI works off the Business Premium offering, but cloud apps usually requires an E5 or the Defender add-on for Premium. Can I just ask exactly what the minimum licensing requirements are?"
Frederick Brendzius-Drennan
Yeah, great question. What I've shown you today only requires Business Premium. There's a difference between Defender for Cloud Apps and Cloud App Discovery. Defender for Cloud Apps does require E5 or one of the security and compliance add-ons. If you're using Business Premium, you get Cloud App Discovery, which is effectively the read-only portion — you can see the use of shadow AI, but you can't deploy things like policy. So, just to clarify: to use our shadow AI detection, you just need Business Premium.
Jack Cooke
Perfect. That's a much more comprehensive answer than I would have given, which is "Business Premium." So thank you very much for that, Freddy.
While we're on that, before I pull up my side, it'd be good to get a feel from everyone. I can safely say, after working for nearly a decade in the vendor-MSP side of things, that inforcer is a company developing and adding new features to the platform unlike anything I've ever seen — the rate of development is truly phenomenal, and that's a massive credit to Freddy and the team and what they're doing behind the scenes. It'd be good to get insight from people. This has been live in the platform for maybe just over a month now. Freddy, was everyone aware of what's fully capable with this, or was that really good insight? Was that helpful? How much of the information Freddy just showed were people already aware of? If we could get a bit of insight into that in the chat, that would be super helpful.
Has my screen popped up there, Freddy? Can you see "as a service" come up?
Frederick Brendzius-Drennan
It has indeed.
Jack Cooke
Perfect — got a thumbs up from Freddy. One of the key things I'm going to touch on here, and I want to be very clear from the get-go: no one has all the answers here. I speak to MSPs across the world on a daily basis, and I'm yet to speak to an MSP that said, "Yeah, I know exactly how to take this to market, I know what the future holds, I know exactly how to productize this." No one has all the answers. It's more about: can we help get the journey started, where can people start, and what information can they start using? That's one of the big pieces of feedback I get from a lot of MSPs: "I'm not 100% sure where to start," or "even if I feel confident starting, I'm not entirely sure my clients are ready for it," or "I've got clients coming to me wanting me to do it, and I'm not confident their environment is ready."
So how can we start leading these conversations and taking not necessarily AI as a service, but AI services, to our customers — to position ourselves, as Freddy said, as that thought leader as an MSP? We don't want our customers going and searching elsewhere. There was a study last year that showed one of the main reasons a lot of customers left their existing MSP was that their new MSP was offering a service their current MSP wasn't. We don't want people to fall into that boat.
So what we've done here is work with MSPs around the world to talk about a couple of different ways we can put an offering together that will allow every MSP to start talking to their customers about this — tomorrow, next week, in the coming weeks — and start leading your customers on that AI journey. The really simple three-stage play we came up with was heavily around the shadow AI piece Freddy just talked about: an acceptable use of AI policy; then, because a policy is only great if you can monitor against it, being able to monitor that with shadow AI detection; and then phase three, if you want to go that far, being able to remediate with Defender for Cloud Apps. That would be — to Stephen's earlier question — the upgraded, paid-for version of Defender for Cloud Apps, which you don't have to go to a full E5 license for; you can pay for it separately.
To break that down a bit more: we've spent the last 10 or 15 years working really hard with our clients to help them understand why cyber security is important. Just as the majority of businesses have wrapped their head around that, we're now moving on to AI, compliance, and governance and everything that comes with it — and it's this next uphill battle again to explain that to our customers. I think this is why the shadow AI piece has resonated so heavily: it falls in that middle ground. It's somewhat cyber-security related and somewhat AI related, so it's a really easy way to start talking about it — because there is going to be data leakage happening. As Freddy shared, there are statistics showing something like 80% of employees are using an AI tool at work, and the difference is going to be whether that's a sanctioned AI tool in a protected, paid-for environment, or whether they're bringing their own AI tool to work and potentially leaking customer or sensitive company data out into the world. That's something most businesses can wrap their head around as a good starting point. Also worth noting — some statistics I saw the other day when doing a bit of research — bear in mind we're just coming into June now, there have been something like 8,000 new SMB-focused AI companies that started up in 2026 alone. There's a ton of companies targeting this space, so being able to talk to your customers about it becomes really important.
Step one, really simple: an acceptable use of AI policy. If your customer has one, fantastic — we can move straight on to step two. If not, you can work with them to create one. Some businesses may already be doing this; if you're not, that's fine — we've actually built an acceptable use of AI policy draft you can use, as well as an acceptable use of AI policy statement of work for what building one with your customer might look like and what's involved. That makes it really easy to take on step one and start having those conversations.
Step two: an acceptable use policy is only good if we can monitor against it. Otherwise, we're just taking everyone in the business's word for it that they're not doing what they shouldn't, or not using AI tools to make their life easier. As we all know, people tend to take the path of least resistance, so, unfortunately, they'll quite regularly start using tools. Being able to monitor against it gives us the visibility to go back to the business and intelligently inform them — not only who's maybe breaking the rules, but also to say, "It looks like most of your sales team are using this AI tool. Maybe that's something we want to look at and investigate — is that something we want to bring into your acceptable use policy? If it's making their lives easier and making them more proficient, maybe we should look at it differently for your business." Again, that allows you to be more of that trusted partner, not just the IT company.
Phase three, should you want to go that far, is being able to remediate it — coming in and saying, "We've got a policy, we know what you should be using, we know what people are using; now let's block the tools they shouldn't be using." If you want to stay in the Windows environment, you can use something like the Defender for Cloud Apps license and upgrade to that; if not, there are other tools out there that can help.
The great thing about these three phases is that you can charge for them in a multitude of ways. Phase one — creating an acceptable use of AI policy — can be project work, and you can charge a project fee. I've also been speaking to partners charging a monthly service around an acceptable use of AI policy, because they're reviewing it on a monthly or quarterly basis with their customers — updating the risk register, keeping everything up to date — so it's a service and they charge X amount per business to keep doing it. That's a great way to make both project fees and MRR. Phase two, the shadow AI monitoring, you can charge per user or per business — and one of the amazing things about these new features is that we're not charging you anything additional for them; they're all wrapped into the product, so you can start charging your customers straight away on a per-user or per-tenant basis and start making some really good money. Phase three really is probably locked into a per-user focus, because if you're upgrading for the Defender for Cloud Apps license it will be per user, so you'd want to charge your customers that plus a fee for managing it on top.
Again, three really simple steps that just about any MSP can start having these conversations with next week — and rather than waiting for your customers to come to you to talk about AI, you can be the one leading that conversation, so you're not caught on the back foot. It's going to give you visibility, control, and value. One of the key things we've touched on a lot at inforcer — we sort of see inforcer as the RMM for the tenant, a term that's been used an awful lot. Most MSPs don't charge for the RMM tool; you just get it out there because it gives you visibility and control, and then you build your managed services on top of it, whether that's your security offerings or whatever. Think about inforcer in a very similar way — you want to get it out there because you want that visibility and control, and then you can start adding value with shadow AI detection, the acceptable use policy, Copilot management (which we'll come on to in a second), baseline policy backup — so many ways you can start stacking services on top and creating value for your customers and recurring revenue for yourselves.
As I mentioned, we don't want to just leave this to you and say, "Best of luck, go crack on." We want to make it as easy as possible, so we've built a bunch of resources, working very closely with MSPs already working in this space. We've built an acceptable use of AI policy you'll be able to download — all of this should be downloadable from our platform. I was speaking with our marketing team just before this call; it hasn't quite made it in there just before this session, but it should be in there before the end of the week. So on the inforcer.docs page you'll be able to go in and download most of this content directly. There's an acceptable use of AI policy, a statement of work for what building that policy looks like, a really nice one-pager you can drop off to your customers with some of the details Freddy mentioned on why this is important and what's happening in the landscape, an AI governance risk register so you can track what AI tools are being used, a client-facing presentation, about 10 quick questions for your sales team to memorize and start asking their customers to understand what to look for and whether there's a trigger for this, and some really nice cold and warm email templates you can start sending out to customers and prospects to try to trigger a bit of new business in this space. It's some really great content the team has built alongside MSPs to make this transition easier. As we mentioned, no one's got all the answers — it's about trying to help on that journey as much as possible.
And with it being a journey, MSPs are at very different stages of this. Not everyone has all the answers, so it's about trying to create a nice little road map for your customers on that journey. For some people the shadow AI piece will be enough; others will want to take it to the next level. Being able to create a clear road map is one of the key bits of feedback from MSPs being really successful with AI tools at the minute. They're creating a very clear "you are here as a business, as a customer of mine; we want to get you up here; here are the steps along the way."
Here's a brief overview. You can start any conversation with that Copilot readiness assessment — and while it's a Copilot readiness assessment, it can also be used as a more general AI readiness assessment. Freddy's already talked through some of the key benefits, so I won't revisit it, but it's a really easy way to start. We've got partners out there charging north of £2,000 per assessment at the minute — bear in mind this takes the platform close to 30 seconds to build for you — and then charging again for the project work to remediate some of the steps required. So it's a really great way to start, and a really great way to potentially start making some money.
Steps two and three revisit that acceptable use of AI policy — understanding what a business needs to be using and how it should be using it — and then, as an MSP, particularly an inforcer MSP where Microsoft is your bread and butter, being able to push them towards standardizing on Copilot as an organization. If we'd had this conversation a month or two ago, it might have been a very different one, but some of the massive advancements Microsoft and Copilot have made in the last couple of months have made that much more feasible, particularly with Cowork and what it's able to do. It's a much more intriguing and appealing conversation for most of your customers now. And with Copilot adoption and management within inforcer, it's really easy to start doing that, because you can now look per department, per team, per employee — understand who's using it, how they're using their licenses, what apps they're using it in. Is your finance team not using it in Excel, or your sales team not using it in PowerPoint? Maybe you want to jump in and do a workshop to give them additional feature understanding. There are tons of different ways to start to productize this and make it make sense. We've spoken to a lot of MSPs charging this almost like an insurance policy — saying, "You're paying £30 a month for Copilot; why wouldn't you pay £33 a month and make sure everyone's actually using it and you're getting those efficiency gains out of it?" Again, just another way to think about it. And then finally you've got that standardization and ongoing improvement piece.
All of that is really capable, really easy to be revisited on, and there are tons of different ways you can charge it out. I appreciate that I fired through that. If you've got any questions, feel free to reach out to me or drop them in the chat and we can pick them up. But I'm conscious we've got Tom on here, and I want to make sure we crack on and start working through some of his time, because he's really going to be the one with all the insight — he's out there doing this in the real world. Tom, good to see you, man. How are you getting on?
Tom
Yeah, all right. Very busy.
Jack Cooke
Well, glad you're able to carve out some time to join us — we very much appreciate it. Do you maybe want to start by telling us, first, has there been anything in this webinar so far that has really stood out to you, and second, tell us a little about yourself and your business and how you're operating as an MSP?
Tom
Yeah, sure. It's quite nice to see that we seem to be doing it right, because what we've cooked up is broadly similar to what you've described. We don't do all of it exactly the same, but a lot of it is very similar.
In terms of who we are as an MSP, we've existed for around 25 years as a managed service provider. We were very much a traditional break-fix service provider, very small. When I started with Infinity in 2010 or '11, there were about 10 or 11 employees; there are now just under 200 of us. We're focused these days fundamentally on the Microsoft stack, so we work across Microsoft 365, Microsoft Azure, and Dynamics 365. Roughly 50% of our business is engaged in Microsoft 365 and Azure, and the other 50% almost exclusively within the Dynamics space.
As we've grown, we've shed a lot of our traditional MSP tooling. Back when we were focused on break-fix, a lot of our recurring revenue was focused on things like antivirus products — Sophos, Webroot, whatever people use — and other resalable tools that you could just put into an environment, wind up, set off, and leave going. As you called out, around the time of Covid — I think we were a bit before that, in about 2017 or 2018 — we started to centralize all of our services around Microsoft 365, particularly when the Microsoft 365 licenses were launched. So Microsoft 365 E3, E5, Business Premium — we started to centralize more of our products and service offerings around those license sets to maximize the feature usage within them, and started to eliminate servers and on-prem deployments in our customer environments. There was a long stretch of time where we were just doing migration after migration after migration, and that kind of work has fallen away as more of the businesses we encounter are already homed in Microsoft 365. There's the odd Google migration, but we don't encounter those traditional on-prem-to-cloud transitions anymore.
Then, when Microsoft injected Defender for Endpoint into the license SKUs, it created a new opportunity to start simplifying our vendor stack as well. So we got rid of third-party antivirus tool sets and third-party mail filtering and those kinds of things, and centralized as much as we could within Microsoft 365.
But the next challenge we encountered after that was that everyone's different. All of our clients have wildly different configurations in Microsoft 365, and most of them are still wildly unaware of the security challenges they face — they just think, "We're too small or too insignificant for anybody to want to target us." So we had a very large challenge: challenge number one being making them care, and challenge number two being how we get everybody up to being the same, at least to a default level. There's a point at which everything branches out into being unique to the individual business's vertical, size, or specific requirements — but up to a point, they all need to be exactly the same. That was a challenge we were trying to overcome using JSON templates and all kinds of other crazy solutions. We'd hoped Microsoft 365 Lighthouse would solve that problem, which it spectacularly failed to do. And we encountered inforcer when there were, I don't know, three or four people, I think, who were magically trying to solve exactly the same problem we were.
So we now have that solution for how we get all of our customers up to the same baseline, and that forms the foundation of our key, core managed service that all of our clients sit on. They onboard with us, and then their tenant is just normalized to the right point we need it to be at. That eliminates risk for us and for them — we're not going to be firefighting account breaches and things like that across their estate. Our service team knows how to support them, because they know which policies are supposed to be on and which are supposed to be configured in a specific way; they can monitor their compliance. It simplifies their job, because they're only chasing problems above the baseline, as opposed to trying to find out what's wrong below it. Everybody uses the same antivirus, and we've got centralized alerting for all of those concepts because we've got API-embedded alerts within Defender — it just makes everything so much easier for us.
The next stage beyond that had always been to have the Purview conversation with customers around information security. But there had never been a trigger to get over that "I don't care" problem we encounter a lot with clients — "You just want to charge me for some work I don't think I need." And then, enter AI, stage left — it creates the talking point you need to have those Purview conversations, because suddenly you can visualize and explain the risks so much more clearly.
A great example: I was having a conversation with some of our clients, sat in a room with them, and one of their directors walked in with one of those little social-media-advertised listening devices stuck to the back of his laptop. He said, "It's great, because it listens into all of my meetings, takes all my notes, and summarizes them for me — it's brilliant." And it's like, yeah, but where does it go? Do you know where that data is going and who's listening in on all of your secret meetings? And this was a company that had security clearance, because they work with the MOD. So therein is the problem, and the lack of understanding.
That leaves us with a gap to fill, which led us to create a series of additional products — you touched on these concepts. We actually start by going through a workshop process we call AI awareness. That's simply to discuss with the client what AI is, what they think AI is, what it actually is in their business world, and get them to start understanding what they should and shouldn't be doing, where they need to open their eyes to what their users probably are doing, and then how to flip that around to turn it into something that's going to deliver productivity securely. So they can start thinking more constructively about business processes — the repetitive things that irritate them — and maybe start building a list of low-hanging fruit they want to check off in terms of what they want AI to tackle. Having done that, it gets their minds thinking about where they want to go with it. We recommend getting things into their acceptable usage policy — having an AI policy in place so they can start spreading the word to their users about what's expected of them — and in some cases we'll put some straightforward blocks in if they want to simply shut the door on certain AI tools to drive everybody towards using Copilot.
Then we move on to doing a readiness assessment, where we utilize the functionality in inforcer to give them a report. We go a bit deeper and do an assessment of their permissions in SharePoint, and we look at where their data is distributed to see the gravity of the project to actually enable Copilot across all of their data sets and get their data properly secured. Following on from that, we have a standardized Purview foundation deployment to get their Purview functionality up and running, built around the Business Premium functionality, so they can step up from that if they want to inject additional licensing into the tenant. But at the very least, we get them to a point where they'll be ready to start bringing Copilot licensing in in a staged manner. We wouldn't just say, "Blat it out over everybody," because that'll just cause even more chaos. We suggest they form an advocacy group internally and start doing some idea-sharing, and we offer prompt sessions and things like that. That helps them get running with a small group, and then that group can grow out as the maturity of the business around its AI understanding grows.
Outside of that, we offer services on a one-off basis for looking at agentic building and Microsoft Fabric and those kinds of things — but that then falls over the waterfall into our Dynamics practice and our data and AI space.
Jack Cooke
You made this super easy — a bunch of questions, but you just managed to work your way through most of them there. That's been massively helpful and insightful. One point from the last couple of points you made: you've obviously based and standardized an awful lot of this around Business Premium. We had a conversation the other day about the fact that standardization is required for MSPs to be scalable to an extent. We didn't actually cover this the other day, but I'd be interested to understand — will you take on a customer that isn't prepared to use Business Premium? If they say they need to stay at Business Basic or something like that, where do you stand on that? I know that's something a lot of MSPs grapple with.
Tom
Not really, no. Because if they want us to carry all the risk of having to piece their business back together every time it gets smashed up, that's not really worth the effort from our side. From a service perspective, they become very unprofitable very quickly, and they're not the kind of customer we're looking for. We're looking for customers that want to grow and evolve. If they just want to stick down to a price point, and all they're concerned about is what it's going to cost them upfront in terms of licensing, and they're not interested in productivity gains, then — I think the industry says they probably won't continue to exist that far into the future, because they'll just be eaten up by the businesses that are adopting and embracing the future.
Jack Cooke
That's a really interesting way for a lot of MSPs to position that, because it's something we get a lot — some of my customers just don't want to move to Premium; they want to stay on Basic or Standard. But positioning it that way, as the future...
Tom
It's very much a risk-based conversation. To a degree they're some of the easiest conversations to have, because if you start looking at it from an impact point of view — well, what's an outage of X number of days actually going to cost you? — then it almost speaks for itself, because the jump from Business Standard to Business Premium is not that great. I get that if you're talking about a business of 200 or 300 users, then yes, it is; but I've yet to encounter a business of that size that still insists on remaining on Business Standard. In fact, there are very few we encounter that aren't already on Business Premium — they're just not taking advantage of the tooling within the licenses. They've got Business Premium licensing, but their current MSP is still giving them some third-party antivirus that's not integrated, some third-party mail filtering tool that's not integrated — and all of those things mean that, while they're paying for the Business Premium license, they're actually not getting any value from it. So from our perspective, we can say: shed all of those costs and invest all of that over here in growing your Copilot and Purview licensing, because it ends up almost being cost-neutral.
Frederick Brendzius-Drennan
Tom, one of the points you made was around quantifying the impact — "what if this happens" — and that's obviously before they make any kind of investment. One of the questions in the Q&A, from Alex, is around the after. Especially in the realm of AI, how do you have that conversation around proving ROI when you roll out Copilot to a customer? It's quite difficult to make something quantitative and not just "people feel more productive." How do you approach that?
Tom
We tend to approach it at the moment through helping the customers form their own advocacy groups and track their own productivity, rather than trying to take on that workload ourselves. It's better for them. One of the things I always find is that some businesses just want to shed the weight of it onto a service provider, and they can't realistically do that in its entirety, because compliance is still — we can help them with compliance, but we don't carry the can if something goes wrong; they do. If they have a GDPR breach, or if they're regulated by the FCA or some other regulatory body, they're the ones responsible for their compliance. So they need to care about it. The same applies to productivity: they pay the salaries, so they want to know how productive their people are. Through the advocacy groups, and through studying, monitoring, and understanding AI within their business, they can understand how much time people are saving through their engagement with AI. So if they're saying, "We've got a team of five people here, and each one is now saving somewhere in the region of two to three hours per week just as a result of their early adoption with Copilot" — then what happens if we start moving into the agentic space and really investing time in building things for them, and the amount of time we can get back? So it's all about opening their eyes, rather than just trying to pave the road in front of them.
Jack Cooke
That's a really good point, and a lot of it, from what I've seen, goes back to: what problem are they looking to solve? If you start using Copilot, anyone can find a use case for it, but their problem might be, "We need our salespeople to win more deals" — so you can focus on how to use Copilot, prompt-athons like you mentioned, to increase their win rates. That could be a KPI you can measure against and talk through.
Tom
A great example within our business is that Copilot writes all of our proposals. There is some additional stuff in here because we're on the Microsoft Frontier program, so we've got early access to some features that aren't generally available within Copilot. But by recording your customer engagement calls and having firmly templated methodologies for how you produce schedules of work and proposals, Copilot's very capable of lifting information out of a recorded Teams call and transposing that into a templated document very easily. It can go through and work out all of the pricing and everything else — those are massive time savers, but you have to identify those issues first. The easiest way to do that is to have conversations with people and say, "What is it you hate doing the most?" Anyone who works in pre-sales will say, "I hate doing proposals, because I get writer's block."
Jack Cooke
I think that's a good example where it's a new solution to old problems. Every business wants to grow faster and lose fewer customers, so it's the same old problems — you just have to talk them through properly. Something as simple as that cuts a four-hour job down to five minutes, and it's about getting people to really start thinking about it in that way — but in a friendly way, because you don't want them eyeing up a team and thinking, "How could I shrink that?" It's not about that; it's about releasing those people to do more things. You're upping productivity by releasing their time so they can do more within the same period, as opposed to just chopping people off the end of the line.
I'm aware we're coming up on time. We've got a couple of questions here I'd like to throw out. We're also getting a lot of questions and comments around the ROI piece, so I think that's maybe a separate webinar we look at doing — covering different ways you can track and monitor that ROI, and ways you can present it back to your customers.
One question here, from Chris, is quite a good one. He's saying that, with Copilot not having been great in some of the early days, he's had a lot of customers who've disengaged and looked to move towards something like Claude. Even though there's the subprocessor element of Anthropic in Copilot, they're kind of saying, "Why don't we just work entirely out of Claude and use an MCP-based 365 integration?" Have you got any recommendations for organizations in that area? Freddy, I know you spoke to our own company very recently about some of the benefits of using Copilot natively versus using Claude with some of the integrations Copilot has into Microsoft.
Frederick Brendzius-Drennan
Tom, I'll let you go first.
Tom
It's just an interesting conversation, isn't it? One of the key benefits with Copilot is that, particularly when it's licensed, it's obviously homed inside your tenant and has access to all of the resources and data that exist within your tenant, so its knowledge can be business-specific — whereas Claude can't; you've got to feed it everything you want it to understand. When it comes to that scenario I was just describing, around the way we deal with our own sales proposals, we'd have to spend an awfully long time making a third-party AI do that, whereas Copilot can do it very easily, fairly straightforwardly, almost out of the box. Claude's a very good tool, but I'd say it's something you use in conjunction with, as opposed to instead of.
Jack Cooke
That makes a lot of sense, and a lot of the time it comes down to what problem you're looking to solve — there are going to be different use cases. Claude Code is fantastic if you've got customers who are engineers, for example, but again, if they rely on data within M365, which they probably do, then Copilot has a killer feature there.
Frederick Brendzius-Drennan
Sorry, Jack—
Jack Cooke
No, look, I'm just cautious of time. I think you're absolutely spot on with that. There are some questions there we haven't had a chance to answer, but I promise you we will get answers out to everyone through your PSM team or something like that.
Tom, just before I let you go: if you were to give one bit of advice to anybody on this call — if they were to take one step in the next week, or the coming weeks or months, to start getting a bit more involved in this journey — is there a nugget of advice or guidance you can provide?
Tom
Point number one is that, as the MSP, the trusted advisor, we have a duty of care to raise the risks of AI with our customers. It's not a difficult conversation to have, and I would start gathering more information about clients — you can use the tools available within inforcer to understand what their shadow AI usage looks like. Having those risk-based conversations is critical, because that's where the results come from.
Jack Cooke
Well, Tom, thank you so much for your time. Freddy, phenomenal as always. Ladies and gentlemen who were able to join us this afternoon, thank you so much for taking some time — hopefully that's been helpful and insightful. I know listening to Tom talk about what he's been doing has been incredibly helpful. So thank you so much, and we'll pull the webinar to a close there. Thank you all for your time.
Frederick Brendzius-Drennan
Cool. See you, Tom. See you, Jack.
Tom
Thanks, everybody. Cheers.
Jack Cooke
Thanks.