
The Tenant Ownership Trap: The Hidden Risk of MSP-Resold Licenses

Convenience has a cost. When you let your MSP buy your software licenses, you often unknowingly hand them the keys to your digital kingdom—creating a "hostage" scenario during future contract disputes.

It starts innocently enough. Your Managed Service Provider (MSP) offers to consolidate your billing. "We can put your Microsoft 365, SentinelOne, and backup licenses all on one invoice," they say. "It's cleaner for your finance team, and we get a volume discount we can pass on to you."

From an accounts payable perspective, this makes perfect sense. From a risk management perspective, it is often a critical error. By allowing the MSP to be the "Reseller of Record," you are structurally positioning them as the owner of your tenant. In the Microsoft ecosystem specifically, this relationship is known as the Cloud Solution Provider (CSP) model, and it grants the partner significant control over your environment—control that can be weaponized if the relationship sours.

The "Golden Handcuffs" of Reselling

When an MSP resells you a license, they are the customer of the software vendor; you are merely the end-user. If you stop paying the MSP (perhaps due to a legitimate service dispute), they have the legal right to suspend your licenses. Microsoft will not intervene, because to Microsoft, you are not the customer.

Visualizing the Exit Friction

The true cost of this arrangement only becomes apparent when you try to leave. Offboarding from an MSP who owns your licenses is exponentially more difficult than offboarding from one who simply manages licenses you own directly. The chart below quantifies this friction.

[Chart: offboarding friction compared. Direct ownership has low risk (score 1-3), while MSP resold has high risk (score 8-10) due to NCE lock-in and admin access control.]
Figure 1: The "Tenant Ownership Trap" creates artificial barriers to exit, reducing your leverage in contract negotiations.

As shown above, the friction points are severe. Under Microsoft's New Commerce Experience (NCE), licenses are often locked in for 12-month terms that cannot be transferred to a new provider mid-term. If you fire your MSP in month 3 of an annual contract, you are legally obligated to pay them for the remaining 9 months, even if you have already moved to a new provider. You effectively pay double for your software to escape the relationship.

The "Global Admin" Hostage Situation

Beyond financial lock-in, there is the issue of administrative control. In many "Resold" arrangements, the MSP sets themselves up as the sole Global Administrator of the tenant to "prevent the client from breaking things."

This creates a single point of failure. We have audited numerous offboarding scenarios where a hostile MSP simply refused to hand over Global Admin credentials until a disputed final invoice was paid. Because the MSP is the registered partner on the account, the software vendor (Microsoft, Google, etc.) will often refuse to reset the password for the client, citing privacy policies. The client is effectively locked out of their own email and file systems.

The Proprietary Stack Problem

The risk extends beyond productivity suites to security tools. MSPs often deploy "proprietary stacks"—bundles of antivirus (e.g., SentinelOne, CrowdStrike) and backup tools licensed under the MSP's master account.

When you leave, you cannot take these licenses with you. You must:

  • Uninstall the MSP's antivirus agents (which often requires a tamper-protection password only the MSP has).
  • Purchase new direct licenses.
  • Reinstall the new agents on every device.

This "rip and replace" process creates a dangerous security gap during the transition, where endpoints may be unprotected for hours or days.

How to Structure "Direct-Billed" Relationships

To avoid the Tenant Ownership Trap, we recommend a "Direct-Billed, Partner-Managed" model. Here is how to structure it:

1. Own the Tenant

Ensure the Microsoft/Google tenant is registered to your company name and email, not the MSP's. You should have a "Break Glass" Global Admin account that the MSP does not control.

2. Direct Billing for Core Infrastructure

Pay Microsoft, Google, and AWS directly via credit card or invoice. Grant the MSP "Delegated Admin Privileges" (DAP/GDAP) to manage the environment, but keep the financial relationship direct with the vendor.

3. Demand "Transferable" Security Tools

For tools that must be resold (like some RMM or EDR agents), include a clause in your contract that requires the MSP to assist in a "graceful uninstall" or license transfer upon termination, with penalties for non-compliance.
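
One way to check steps 1 and 2 against your own tenant, as an added example that is not part of the original article: the script audits an export of Global Administrator role members, reports whether any enabled account is client-controlled, and flags external accounts that hold the role directly instead of through delegated access. The export layout, domains and account names are constructed assumptions.

```python
import json

# Constructed sample: Global Administrator role members as a flat JSON export.
# Field names follow Microsoft Graph user properties; the export layout,
# domains and accounts are assumptions made for this example.
SAMPLE_EXPORT = json.loads("""[
  {"userPrincipalName": "tech_msp.example#EXT#@clientco.onmicrosoft.com",
   "userType": "Guest", "accountEnabled": true},
  {"userPrincipalName": "breakglass@clientco.onmicrosoft.com",
   "userType": "Member", "accountEnabled": false}
]""")
CLIENT_DOMAINS = {"client.example", "clientco.onmicrosoft.com"}


def home_domain(upn):
    """Domain of the organization the account really belongs to."""
    local, _, domain = upn.lower().rpartition("@")
    if "#ext#" in local:
        # Guest UPNs embed the home address with '@' replaced by '_', so a
        # plain suffix check would wrongly count them as tenant-owned.
        return local.split("#ext#")[0].rpartition("_")[2]
    return domain


def audit_global_admins(members, client_domains):
    """Split enabled Global Admins into client-controlled and external."""
    domains = {d.lower() for d in client_domains}
    owned, external = [], []
    for m in members:
        if not m.get("accountEnabled", False):
            continue  # a disabled account cannot recover the tenant
        upn = m["userPrincipalName"]
        is_owned = m.get("userType") == "Member" and home_domain(upn) in domains
        (owned if is_owned else external).append(upn)
    findings = []
    if not owned:
        findings.append("NO_CLIENT_CONTROLLED_GLOBAL_ADMIN")  # step 1 not met
    if external:
        findings.append("EXTERNAL_STANDING_GLOBAL_ADMIN")  # step 2: delegate
    return {"client_controlled": owned, "external": external,
            "findings": findings}


if __name__ == "__main__":
    # A domain match is necessary, not sufficient: confirm out of band that
    # your own staff hold the credentials and MFA for each listed account.
    print(json.dumps(audit_global_admins(SAMPLE_EXPORT, CLIENT_DOMAINS), indent=2))
```

On the constructed sample both findings fire: the only enabled Global Admin is the MSP's guest account, and the break-glass account exists but is disabled.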

Your software licenses are the deed to your digital house. You can hire a property manager (MSP) to fix the plumbing and paint the walls, but you should never put their name on the title. Maintain direct ownership, and you maintain the power to walk away.

This article is part of our series on IT Procurement Strategy, helping you navigate the legal and financial risks of vendor contracts.