- Many SMBs pay twice, holding Microsoft 365 licenses that include Defender, Intune, and Entra while also paying for third-party antivirus, remote access, and a password manager.
- Consolidating onto capabilities already in your Microsoft licensing is often a straight cost cut that tightens security at the same time.
- An environment built on the Microsoft 365 you own can be handed to any competent provider, while one built on proprietary tools creates soft lock-in.
- Asking a provider what you'd have to rip out if you left reveals whether they build on tools you keep, with a short list being a good sign and a long one a warning.
Earlier this year, a multi-location aviation ground-services company asked us to review an IT proposal. In the process, it surfaced a buying question most companies never think to ask: when you eventually part ways with an IT provider, what do you have to tear out?
It sounds like a small thing. It's actually one of the most useful questions you can ask a prospective partner.
A lot of SMBs are paying twice
The first thing we often find is duplicate spend. A company holds Microsoft 365 licenses (Business Premium, or an enterprise plan) that already include serious security and management tools, Defender for antivirus, Intune for device management, Entra for identity, and at the same time pays a separate bill for a third-party antivirus, a separate remote-access tool, and a separate password manager. You're renting capabilities you already own.
Consolidating onto what's in your Microsoft licensing is often a straight cost cut, and it tightens security at the same time.
Portability is a real buying criterion
Here's the deeper point. An environment built on the Microsoft 365 you already own can be handed to any competent provider. An environment built on a provider's own proprietary tools cannot, and that creates soft lock-in: leaving means ripping out their stack and rebuilding on something else.
The clarifying question to ask any current or prospective IT provider: "If we part ways in a year, what do we have to rip out?" The answer tells you whether they're building your footprint on tools you keep, or renting you theirs. A short list is a good sign. A long one is a warning.
What good looks like
A strong partner positions as a coach that builds your internal capability, not an outsourcer you depend on forever. The environment they leave behind should be one you could run, hand off, or audit without their permission. That posture also tends to come with the low-disruption, high-impact hardening that's worth doing anyway: tuning Defender past its defaults, app-based multi-factor authentication, retiring forced password rotation, and turning on data-loss-prevention rules.
If you're evaluating an IT provider, or wondering whether your current one has quietly built you into a corner, that one question is a great place to start. We're happy to help you read a proposal with portability in mind. Let's talk it through.