Managed Service Providers

Identity Security Visibility Across Your Entire Client Base

Your clients trust you with their identity estates. IdentityFirst gives you the visibility to find risks they don’t know exist — across every client, every platform, read-only.

Multi-Tenant Architecture  •  White-Label Reports  •  Per-Client Isolation  •  Read-Only  •  Evidence-Grade Findings
Why It Matters

Why MSPs Need Identity Security Posture Management

The risks sitting in your clients’ identity estates are your operational risk too — and your clients are starting to ask for evidence that you’re managing them.

You’re Responsible for Risks You Can’t See

MSPs manage Active Directory, Entra ID, and cloud IAM on behalf of clients. Stale accounts, Kerberoastable SPNs, and delegation misconfigs exist across your estate — you just haven’t found them yet. When a breach happens, the investigation starts with you.

Supply Chain Risk Is Your Risk

NCSC and CISA repeatedly cite MSPs as high-value targets. A compromise in one client’s Active Directory can become lateral movement across your management plane if identities are not isolated. Your shared tooling, jump hosts, and RMM accounts are the attack path.

Clients Are Asking for Evidence

Cyber insurance applications, NIS2 supply chain requirements, and ISO 27001 audits are forcing clients to ask their MSPs for identity security evidence. Be ready before they ask — and turn compliance readiness into a competitive differentiator.

Platform Capabilities

What MSPs Get with IdentityFirst

Built for multi-client operation from day one — not bolted on after the fact.

Multi-Tenant Assessment

Run independent IdentityMRI™ scans per client, with full data isolation. One platform, many clients. Each tenant is scoped independently with separate credentials and no shared access between client environments.

Per-Client Reports

Board-ready PDF reports with your client’s branding context. Findings named, prioritised, and mapped to the frameworks they care about: Cyber Essentials, ISO 27001, NIS2, and DORA.

Continuous Monitoring

Ongoing drift detection means you catch new privileged accounts, Kerberoastable SPNs, and stale accounts within hours of creation — not at next year’s review. Every change to the identity estate is tracked and surfaced automatically.

Service Delivery Evidence

Use IdentityFirst findings as the basis for remediation work. Demonstrate value delivered: before and after ICR scores, finding counts, and blast radius reduction. Evidence that your managed service is making clients measurably more secure.

Example Findings

What IdentityFirst Finds Across MSP Client Environments

Representative examples of findings from real client environments managed by MSPs. These are the risks that exist across your estate right now — invisible without structured assessment.

Critical • Client A

47 Accounts Inactive 180+ Days with Active VPN Group Memberships

47 user accounts have not authenticated in over 180 days but remain enabled and retain membership in VPN-Access and Remote-Users security groups. No leaver process has triggered in Active Directory. Any of these accounts can be credential-stuffed to establish a VPN session.

Blast Radius: High — active VPN access with no recent logon baseline to detect anomalous use.
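The finding above is one a defender can reproduce directly against Active Directory. The following PowerShell script is an added example, not IdentityFirst code: it lists enabled accounts whose last logon is older than 180 days and that are still members, directly or through nested groups, of the remote-access groups named in the finding. The group names VPN-Access and Remote-Users are taken from the finding and assumed to exist in the client domain; the script needs the RSAT ActiveDirectory module and ordinary read access to the directory, and it changes nothing.

```powershell
# Added example (not IdentityFirst code): enabled AD accounts inactive 180+ days that still
# hold membership in remote-access groups. Read-only: nothing in the directory is modified.
Import-Module ActiveDirectory

$InactiveDays       = 180
$RemoteAccessGroups = @('VPN-Access', 'Remote-Users')   # assumed from the finding; adjust per client
$Cutoff             = (Get-Date).AddDays(-$InactiveDays)

function Get-LastLogon {
    # lastLogonTimestamp is replicated domain-wide but only refreshed roughly every 14 days,
    # which is accurate enough for a 180-day threshold. Accounts that have never logged on
    # fall back to their creation date so they are not silently skipped.
    param($User)
    if ($User.lastLogonTimestamp) { [DateTime]::FromFileTime($User.lastLogonTimestamp) }
    else { $User.whenCreated }
}

$Findings = foreach ($GroupName in $RemoteAccessGroups) {
    # -Recursive expands nested groups, so access inherited through a nested group is caught too
    try {
        $Members = Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    }
    catch { Write-Warning "Group '$GroupName' not found: $_"; continue }

    foreach ($m in $Members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties lastLogonTimestamp, whenCreated, PasswordLastSet
        if (-not $u.Enabled) { continue }     # disabled accounts are a separate, lower-risk class
        $LastLogon = Get-LastLogon $u
        if ($LastLogon -lt $Cutoff) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Group           = $GroupName
                LastLogon       = $LastLogon
                DaysInactive    = [int]((Get-Date) - $LastLogon).TotalDays
                PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}

$Findings | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
$Unique = @($Findings | Select-Object -ExpandProperty SamAccountName -Unique).Count
"{0} enabled account(s) inactive {1}+ days with remote-access group membership" -f $Unique, $InactiveDays
```

Two points worth noting when acting on the output. The same account can appear once per group, so the summary line counts unique accounts. And because none of these accounts has a recent logon baseline, any successful authentication by one of them after the review is itself a high-confidence alert; feeding the list into the SIEM as a watchlist is a cheap detection while the leaver process catches up.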

High • Client B

3 Domain Admin Accounts Used for Daily Helpdesk Operations

Three Domain Admin accounts are the primary accounts used for day-to-day helpdesk tasks including password resets and ticket resolution. The ticketing system service account is also a member of Domain Admins. Standing Tier-0 access in daily use dramatically expands blast radius for credential theft.

Blast Radius: Critical — Domain Admin compromise provides full AD control from a helpdesk workstation.

Critical • Client C

Kerberoastable SPN on Backup Service Account — Password 4 Years Old

svc_backup_agent has an SPN registered (MSSQLSvc/backup-srv01.corp), uses RC4-HMAC encryption, and has not had its password changed in 1,461 days. The account is accessible from all 214 domain-joined endpoints. Its TGS ticket can be extracted offline and cracked without triggering any domain event.

Blast Radius: Critical — svc_backup_agent holds local admin on all backup targets including file servers.
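The three conditions that make the finding above critical, an SPN on a user account, RC4-eligible service tickets, and a password that has not rotated in years, are all readable from directory attributes. The PowerShell script below is an added example, not IdentityFirst code: it enumerates every enabled user account with a servicePrincipalName, decodes msDS-SupportedEncryptionTypes to see whether RC4 tickets can still be issued, and grades each account by password age and privilege. The 365-day threshold is an assumption to adjust per client; the bit values for msDS-SupportedEncryptionTypes are the documented Kerberos encryption-type flags.

```powershell
# Added example (not IdentityFirst code): user accounts with SPNs, their password age and
# whether RC4 service tickets can be issued for them. Read-only.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365        # assumed policy threshold; adjust per client
$Now = Get-Date

# msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256
$RC4 = 0x4
$AES = 0x18

# Every enabled user with at least one SPN can be asked for a service ticket; krbtgt is excluded.
$ServiceAccounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount

$Report = foreach ($a in $ServiceAccounts) {
    if (-not $a.Enabled) { continue }
    $Enc = $a.'msDS-SupportedEncryptionTypes'
    # An unset attribute means the domain default applies. Treat that as RC4-eligible unless
    # you have verified that the domain default excludes RC4.
    $RC4Eligible = (-not $Enc) -or (($Enc -band $RC4) -ne 0)
    $AESOnly     = [bool]$Enc -and (($Enc -band $AES) -ne 0) -and (($Enc -band $RC4) -eq 0)
    $PwdAgeDays  = if ($a.PasswordLastSet) { [int]($Now - $a.PasswordLastSet).TotalDays } else { $null }
    # adminCount=1 is set by SDProp for members of protected groups; it is sticky, so treat it
    # as "is or was privileged" and confirm against current group membership.
    $Privileged  = ($a.AdminCount -eq 1)

    $Severity = if ($Privileged) { 'Critical' }
                elseif ($RC4Eligible -and $PwdAgeDays -gt $MaxPasswordAgeDays) { 'Critical' }
                elseif ($RC4Eligible -or $PwdAgeDays -gt $MaxPasswordAgeDays) { 'High' }
                else { 'Medium' }

    [pscustomobject]@{
        SamAccountName  = $a.SamAccountName
        SPNs            = ($a.servicePrincipalName -join '; ')
        PasswordAgeDays = $PwdAgeDays
        EncryptionTypes = if ($Enc) { '0x{0:X}' -f $Enc } else { '(unset: domain default)' }
        RC4Eligible     = $RC4Eligible
        AESOnly         = $AESOnly
        Privileged      = $Privileged
        Severity        = $Severity
    }
}

$Report | Sort-Object @{ Expression = { @('Critical','High','Medium').IndexOf($_.Severity) } }, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Remediation follows directly from the columns: move the service to a group Managed Service Account where the product supports it (gMSAs rotate a long random password automatically and do not appear in this query because they are not user objects), otherwise set a long random password and set msDS-SupportedEncryptionTypes to AES-only so that RC4 tickets are no longer issued. Re-running the script after the change should show RC4Eligible false and a password age of a few days.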

High • Client D

MSP Management Account in Domain Admins with No Review Schedule

The MSP jump-host service account is a permanent member of Domain Admins with no time limit, no expiry, and no review date recorded. The account password was last set 18 months ago. IdentityFirst flags MSP management identities as first-class findings — they are often the highest-privilege accounts in the environment.

Blast Radius: Critical — permanent Tier-0 MSP account with no governance controls.
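Clients B and D are both failures of Domain Admins governance: standing Tier-0 membership held by accounts that are used daily, are service accounts, or belong to the MSP and have no expiry or review date. The PowerShell script below is an added example, not IdentityFirst code: it expands Domain Admins recursively and annotates each member with the signals from those findings. The MSP account naming pattern is an assumption and will need changing for each client, and the "recently used" signal relies on lastLogonTimestamp, which only says an account authenticated within the last two weeks; confirming daily helpdesk use needs 4624/4768 events from the domain controllers.

```powershell
# Added example (not IdentityFirst code): review of standing Domain Admins membership with the
# governance signals described in the findings above. Read-only.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365                        # assumed threshold; adjust per client
$MspAccountPattern  = '^(svc[-_]msp|msp[-_])'    # assumed naming convention for MSP accounts
$Now = Get-Date

$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive

$Review = foreach ($m in $Members) {
    if ($m.objectClass -ne 'user') {
        # Computers or other principals in Domain Admins are a finding in their own right.
        [pscustomobject]@{
            Name = $m.SamAccountName; Type = $m.objectClass; Enabled = $null
            PasswordAgeDays = $null; LastLogon = $null
            Flags = 'Non-user principal in Domain Admins'
        }
        continue
    }

    $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet, lastLogonTimestamp, `
            servicePrincipalName, PasswordNeverExpires, AccountExpirationDate
    $Flags  = @()
    $PwdAge = if ($u.PasswordLastSet) { [int]($Now - $u.PasswordLastSet).TotalDays } else { $null }
    $Last   = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }

    if ($u.servicePrincipalName)             { $Flags += 'Service account (has SPN) holding Tier-0' }
    if ($PwdAge -gt $MaxPasswordAgeDays)     { $Flags += "Password $PwdAge days old" }
    if ($u.PasswordNeverExpires)             { $Flags += 'Password never expires' }
    if ($u.SamAccountName -match $MspAccountPattern) {
        $Flags += if ($u.AccountExpirationDate) { 'MSP management account' }
                  else { 'MSP management account with no expiry date' }
    }
    # A break-glass admin account should rarely authenticate. A fresh lastLogonTimestamp on
    # every member suggests standing daily use rather than just-in-time elevation.
    if ($Last -and ($Now - $Last).TotalDays -lt 14) { $Flags += 'Authenticated within 14 days' }

    [pscustomobject]@{
        Name            = $u.SamAccountName
        Type            = 'user'
        Enabled         = $u.Enabled
        PasswordAgeDays = $PwdAge
        LastLogon       = $Last
        Flags           = ($Flags -join '; ')
    }
}

$Review | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
"Domain Admins (recursive): {0} member(s), {1} with at least one governance flag" -f `
    @($Review).Count, @($Review | Where-Object { $_.Flags }).Count
```

Run the same script after the remediation project and the difference is the service delivery evidence described earlier: the count of flagged members should drop to the handful of named break-glass accounts, with helpdesk work moved to delegated accounts, the ticketing service account removed from the group, and the MSP management account given an expiry date and a recorded review cycle.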

Medium • Client E

89 Entra ID Guest Accounts — 61 Inactive, 12 with SharePoint Site Access

89 external guest accounts were provisioned during a previous IT project. 61 have not signed in within 90 days. 12 retain read-write access to active SharePoint sites. No external access review is scheduled. Guest accounts are a persistent blind spot in organisations transitioning from on-premises AD to hybrid Entra ID.

Compliance Gap: NIS2 Article 21, ISO 27001 A.9.2 — unreviewed external access with active data permissions.


Commercial Model

The MSP Commercial Model

IdentityFirst is built to work with how MSPs sell — whether you’re adding a standalone assessment to your portfolio or embedding continuous monitoring into your managed offering.

Sell as a Service

Offer “Identity Security Assessment” as a standalone service or bundle it into your managed security offering. The board-ready PDF deliverable is a tangible output that justifies premium pricing and demonstrates security expertise clients cannot easily replicate internally.

  • Standalone assessment SOW with clear deliverables
  • Bundle into monthly managed security retainer
  • Annual assessment cycle for compliance customers
  • White-label PDF delivered in your brand context

Retain and Upsell

Use continuous monitoring findings to drive remediation SOWs, AD hardening projects, PAM deployments, and MFA rollouts. Every finding is a scoped piece of work with clear justification. Findings are your pipeline — not a report that disappears into a drawer.

  • Evidence-backed remediation SOWs from real findings
  • AD hardening and Kerberos remediation projects
  • PAM and JIT elevation deployments justified by ICR data
  • MFA and Conditional Access rollout scoping

FAQ

MSP & MSSP — Common Questions

Straight answers to the questions we hear most often from managed service providers.

Is client data isolated between tenants?

Yes — IdentityFirst enforces complete data isolation per client. One client’s findings, identities, and assessment data are never visible in another client’s view. Each tenant is scoped independently with separate credentials, separate data stores, and separate access controls. This is not a configuration option — it is enforced at the platform level.

Can we white-label the reports?

Yes — the PDF report and dashboard can be presented in your brand context. The IdentityMRI™ report is designed for MSPs to deliver directly to clients as a service output. Talk to us about MSP partnership terms and white-label licensing arrangements that fit your business model.

How many client environments can we assess simultaneously?

IdentityFirst is designed for multi-tenant operation from the ground up. Each client environment runs as an independent assessment with no shared infrastructure between clients. Contact us to discuss volume pricing and concurrent assessment capacity for your client base size.

Do we need separate connector credentials per client?

Yes — each client assessment uses that client’s own read-only service account. IdentityFirst never reuses credentials across tenants. This is by design: each connector set is scoped to a single client environment and cannot reach another client’s directory. During scoping we specify the exact minimum permissions each client needs to provision.

Can IdentityFirst detect risks introduced by our own MSP management accounts?

Yes — IdentityFirst treats MSP service accounts and management identities as first-class findings. If your RMM account is a member of Domain Admins, your management jump host holds unconstrained delegation, or your MSP service account password has not rotated in two years, IdentityFirst will flag it with full blast radius analysis.

MSP accounts are often the highest-risk identities in a client environment precisely because they are rarely reviewed as part of the client’s own access governance processes. IdentityFirst closes that blind spot.

Ready to Add Identity Security to Your Service Portfolio?

Talk to us about MSP partnership terms, or explore a sample IdentityMRI™ assessment report to see what you’d be delivering to your clients.


Multi-tenant  •  Read-only  •  Results in 24 hours  •  UK-hosted & ICO registered