TL;DR: MSPs managing many client environments still rely on spreadsheets and manual tracking, which Josys says creates visibility gaps, onboarding/offboarding delays, and wasted SaaS spend across multi-tenant operations. The real shift is not convenience but governance: client access, license use, and deprovisioning need one control plane, not disconnected workflows.
NHIMG editorial — based on content published by Josys: Redefining Operational Efficiency for MSPs
Questions worth separating out
Q: How should MSPs govern SaaS access across multiple client environments?
A: MSPs should govern SaaS access with a single lifecycle model that covers provisioning, usage monitoring, and revocation across every tenant.
Q: Why do spreadsheets create risk in MSP identity operations?
A: Spreadsheets create risk because they cannot reliably track current access, usage, and deprovisioning state across many tenants.
Q: What breaks when offboarding is handled manually in MSP workflows?
A: Manual offboarding breaks the link between employment or contract changes and actual revocation.
Practitioner guidance
- Standardise tenant lifecycle workflows: Define joiner, mover, and leaver steps for each client environment so onboarding and revocation follow the same governance pattern rather than ad hoc manual handling.
- Build a consolidated entitlement inventory: Maintain one operational view of SaaS licenses, active accounts, and application usage so unused access and dormant entitlements can be identified quickly.
- Treat shadow IT as an access review issue: When unmanaged apps appear, review the identities, permissions, and data exposure attached to them before allowing them to remain in client environments.
What's in the full article
Josys' full blog post covers the operational detail this post intentionally leaves for the source:
- How the platform structures SaaS visibility across client environments and usage data
- How provisioning and offboarding are automated when integrated with an identity provider
- How permission management and shadow IT detection are presented inside the workflow
- How MSPs are expected to use the platform to optimise license spend and client ROI
MSP SaaS governance: what unified lifecycle control changes?
Explore further
MSP SaaS management is an identity governance problem before it is an operations problem. The article frames efficiency as the headline benefit, but the underlying issue is lifecycle control across many client identities and entitlements. When provisioning, offboarding, and usage tracking are split across tools, governance becomes reactive and evidence quality degrades. The practical conclusion is that MSPs need operational workflows that are built around access state, not around administrative convenience.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: How can MSPs reduce shadow IT exposure without slowing operations?
A: MSPs should pair app discovery with access review so unmanaged software is evaluated for identity, permission, and data risk before it is tolerated. That approach preserves speed because it focuses review on the hidden access surface, not on every application equally. The objective is to bring unknown apps into governance, not just to count them.