
How MSPs can apply security baselines without requiring premium licensing

Guest blog courtesy of Augmentt.


One of the most common objections MSPs hear when proposing security improvements is also one of the most frustrating: 'We'd need to upgrade our licensing for that.' It happens frequently enough that many MSPs have come to accept it as a hard constraint: some security capabilities just require premium licensing, and SMB clients won't pay for it.

The good news is that this assumption is largely wrong. With the right tooling and a clear framework, MSPs can deliver meaningful, defensible security baselines across Microsoft 365 environments regardless of whether clients are on Business Basic, Business Standard, or Business Premium.

What premium licensing actually unlocks

It's worth being precise about what premium licensing genuinely enables versus what's often assumed to require it. Microsoft 365 Business Premium (and enterprise E3/E5 tiers) unlock capabilities like Conditional Access policies, Defender for Business, Entra ID P1/P2 features, and Intune device management. These are legitimately powerful and worth having where budgets allow.

But the absence of premium licensing doesn't mean an environment has no security controls available. It means you're working with a different — not an empty — toolset. Security Defaults, per-user MFA, mailbox audit logging, anti-phishing policies, safe links, and safe attachments are all available at lower license tiers and meaningfully reduce risk when properly configured.

Building a tiered baseline framework

The most practical approach for MSPs is a tiered baseline model: a set of security configurations that apply universally regardless of licensing, and additional configurations that layer on for clients with premium tiers. This approach lets you deliver consistent baseline protection across your entire client base while offering premium clients an enhanced posture.

A universal baseline — applicable to all license tiers — should include:

  • Multi-Factor Authentication enforced for all users (Security Defaults or per-user MFA at lower tiers)
  • Legacy authentication protocols blocked across Exchange, SharePoint, and Teams
  • Mailbox auditing enabled for all accounts
  • Admin role assignments reviewed and least-privilege enforced
  • External sharing policies configured conservatively
  • Anti-spam and anti-phishing policies tuned to recommended settings

For clients with Business Premium or E3/E5, the baseline extends to include Conditional Access policies replacing Security Defaults, Defender for Business threat protection, Intune device compliance, and Privileged Identity Management for admin access.

The challenge of applying baselines at scale

Defining a baseline is the straightforward part. Applying it consistently across 50 or 100 tenants — and keeping it applied as environments change — is where most MSPs struggle. Manual application means logging into each tenant, running through a checklist, and hoping nothing was missed or misconfigured.

The more tenants you manage, the more this approach breaks down. Configuration drift sets in, licensing tiers vary across clients, and technicians inevitably apply settings inconsistently when working through a manual checklist under time pressure.
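As an added illustration (not Augmentt's tooling or any Microsoft API), the sketch below layers a premium overlay on the universal baseline and reports drift per tenant, including the case where a premium tenant is still on Security Defaults instead of Conditional Access. The setting names and tenant data are hypothetical, and the observed state is assumed to have been collected from each tenant already.

```python
"""Tiered baseline drift check. Setting names and tenant data are hypothetical."""
MISSING = "<not reported>"

# Universal baseline: applies to every license tier.
UNIVERSAL = {
    "mfa_method": frozenset({"security_defaults", "per_user_mfa"}),
    "legacy_auth_blocked": True,
    "mailbox_auditing": True,
    "admin_least_privilege_reviewed": True,
    "external_sharing": "conservative",
    "anti_phishing_tuned": True,
}
# Premium overlay: adds controls and overrides how MFA is enforced.
PREMIUM = {
    "mfa_method": "conditional_access",
    "defender_for_business": True,
    "intune_device_compliance": True,
    "pim_for_admins": True,
}
PREMIUM_TIERS = {"business_premium", "e3", "e5"}
LOWER_TIERS = {"business_basic", "business_standard"}


def expected_baseline(tier):
    """Return the settings a tenant on this tier must satisfy."""
    if tier not in PREMIUM_TIERS | LOWER_TIERS:
        raise ValueError(f"unknown license tier: {tier!r}")  # never guess a baseline
    return {**UNIVERSAL, **(PREMIUM if tier in PREMIUM_TIERS else {})}


def find_drift(tier, observed):
    """Map each non-compliant setting to (actual value, acceptable values)."""
    drift = {}
    for name, want in expected_baseline(tier).items():
        allowed = want if isinstance(want, frozenset) else frozenset({want})
        actual = observed.get(name, MISSING)  # an unreported setting counts as drift
        if actual not in allowed:
            drift[name] = (actual, sorted(allowed, key=str))
    return drift


# Constructed samples: a compliant lower-tier tenant, and a tenant that kept
# Security Defaults and never had PIM configured.
COMPLIANT_LOWER = {**{k: True for k in UNIVERSAL},
                   "mfa_method": "per_user_mfa", "external_sharing": "conservative"}
STALE_PREMIUM = {**COMPLIANT_LOWER, "mfa_method": "security_defaults",
                 "defender_for_business": True, "intune_device_compliance": True}

if __name__ == "__main__":
    print(find_drift("business_basic", COMPLIANT_LOWER))
    print(find_drift("business_premium", STALE_PREMIUM))
```

The same observed state that passes on Business Standard is flagged on Business Premium, which is why the check has to be keyed on the tenant's license tier rather than run against a single flat checklist.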

Augmentt's baseline deployment tools are designed specifically to solve this problem. MSPs can define their tiered baseline templates once — configuring the settings appropriate to each license tier — and deploy them across all tenants from a central console. The platform also continuously monitors for drift and can automatically remediate deviations without manual intervention.

Framing this for clients

Beyond the technical benefits, a clear baseline framework changes the conversation with clients. Instead of telling clients their security is limited by their licensing, you can tell them that they're covered by your baseline security standard and offer them a clear path to enhanced protection when they're ready.

This positions you as a proactive security partner rather than a vendor constrained by whatever Microsoft happens to include in each license tier. Clients on lower tiers don't feel left behind, and clients considering upgrades understand specifically what they'd gain.

The practical takeaway for MSPs: premium licensing expands your security toolkit significantly, but it shouldn't be a prerequisite for delivering baseline protection. A well-designed tiered framework, enforced through automation, levels up your entire client base, regardless of what's on their Microsoft invoice.

