Multi-tenant SaaS management for MSPs: what changes for identity teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Multi-tenant SaaS management gives MSPs a single way to oversee onboarding, access reviews, provisioning, offboarding, and alerts across multiple client environments, according to Josys. The governance gain is real, but the control model still depends on disciplined lifecycle processes, tenant separation, and role-based admin access.

NHIMG editorial — based on content published by Josys: Why Multi-Tenant SaaS Management Is the Future of MSP Operations

Questions worth separating out

Q: How should MSPs govern access across multiple SaaS tenants?

A: MSPs should treat each tenant as a distinct governance boundary, even when one platform manages them all.

Q: What breaks when tenant isolation is weak in multi-tenant SaaS management?

A: Weak tenant isolation turns convenience into shared risk.

Q: Why does multi-tenant SaaS management matter for identity lifecycle governance?

A: Because MSPs are doing lifecycle work at scale across many customers at once.

Practitioner guidance

  • Define client-scoped admin roles: Map technician permissions to specific client environments and tasks, then restrict cross-client actions unless they are explicitly required for support or audit work.
  • Standardise offboarding workflows: Require every client environment to use the same revocation and deprovisioning steps so access removal is consistent when contracts change or services end.
  • Separate tenant-level audit trails: Keep logs, alerts, and access records attributable to each client so investigations and compliance reviews can reconstruct activity without ambiguity.

What's in the full article

Josys's full blog post covers the operational detail this post intentionally leaves for the source:

  • Multi-tenant client directory capabilities for managing users, apps, and usage summaries across accounts.
  • Global dashboard and notification workflows that help MSP technicians monitor renewals and provisioning tasks.
  • Role-based admin controls for MSP staff that map privileges to client responsibilities.
  • Platform-specific examples of how Josys positions multi-tenant SaaS management for MSP operations.

👉 Read Josys's analysis of multi-tenant SaaS management for MSP operations →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Multi-tenant SaaS management is really delegated identity governance at MSP scale. The article describes a platform model for managing users, apps, alerts, and renewals across many clients from one console. That is not just operational simplification, because MSPs are exercising administrative authority across multiple trust boundaries at once. The practitioner conclusion is that SaaS management platforms should be evaluated as governance control points, not just efficiency tools.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How can security teams tell whether MSP admin access is overprivileged?

A: Look for technicians who can act across more clients than their role requires, especially when access is not time-bound or task-bound. Overprivilege shows up as broad edit rights, weak separation of duties, and approval paths that do not match the actual support function. If the access model is easier to use than to justify, it is probably too broad.

👉 Read our full editorial: Multi-tenant SaaS management is reshaping MSP identity governance



   
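One way to run the overprivilege check described in the answer above, as an added example that is not part of the original posts or of Josys's platform. The grant record fields, technician names, client IDs and ticket numbers are constructed assumptions standing in for whatever a multi-tenant console exports.

```python
from datetime import date

# Constructed sample: clients each technician is actually responsible for.
ROSTER = {"alice": {"client-a", "client-b"}, "bob": {"client-c"}}

# Constructed sample: admin grants as a hypothetical console might export them.
# scope "*" means every app in the tenant; expires/task None means unbounded.
GRANTS = [
    {"tech": "alice", "client": "client-a", "rights": "edit", "scope": "mail",
     "expires": date(2025, 6, 30), "task": "TICKET-101"},
    {"tech": "alice", "client": "client-c", "rights": "edit", "scope": "*",
     "expires": None, "task": None},
    {"tech": "bob", "client": "client-c", "rights": "read", "scope": "*",
     "expires": None, "task": "TICKET-207"},
    {"tech": "bob", "client": "client-c", "rights": "edit", "scope": "crm",
     "expires": date(2025, 5, 1), "task": "TICKET-150"},
]

def audit_grants(grants, roster, today):
    """Return (tech, client, reasons) for every grant that needs justification."""
    findings = []
    for g in grants:
        reasons = []
        if g["client"] not in roster.get(g["tech"], set()):
            reasons.append("client outside technician's roster")
        if g["expires"] is None:
            reasons.append("not time-bound")
        elif g["expires"] < today:
            reasons.append("expired grant still present")
        if g["task"] is None:
            reasons.append("not task-bound")
        if g["rights"] == "edit" and g["scope"] == "*":
            reasons.append("broad edit rights")
        if reasons:
            findings.append((g["tech"], g["client"], reasons))
    return findings

def cross_client_reach(grants, roster):
    """Technicians whose grants span clients beyond their roster."""
    reach = {}
    for g in grants:
        reach.setdefault(g["tech"], set()).add(g["client"])
    return {t: sorted(c - roster.get(t, set())) for t, c in reach.items()
            if c - roster.get(t, set())}

if __name__ == "__main__":
    for tech, client, reasons in audit_grants(GRANTS, ROSTER, date(2025, 6, 1)):
        print(f"{tech} @ {client}: {', '.join(reasons)}")
    print("cross-client reach:", cross_client_reach(GRANTS, ROSTER))
```

Keeping the findings keyed by client also supports the tenant-level audit trail point: each flagged grant stays attributable to one client environment.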