The $18,000 Argument for Moving Clients Off Business Standard
TL;DR
- NCE annual renewals lock clients into last year's licensing decision, which makes the renewal window the one natural moment each year to reassess Business Standard.
- Basic MFA without Conditional Access does not stop adversary-in-the-middle phishing, because a stolen session token works without any further MFA challenge.
- Business owners buy risk reduction, continuity, and client trust, not Conditional Access, Intune, and Defender feature lists.
- Many Business Standard clients already pay for third-party endpoint, email, and mobile tools that Business Premium consolidates into one license.
- Renewal season is also the right moment to prepare clients for Copilot, because AI amplifies whatever data posture already exists.
Auto-renewal is a licensing decision, just one nobody consciously makes. When an annual NCE agreement rolls over, the client is re-committing to whatever call they made a year ago, whether or not it still matches how the business works, how employees access data, or how much the threat landscape has moved underneath them.
That makes the renewal window one of the few moments each year when an MSP can pause the default, reassess, and steer the client somewhere better. For the many small and mid-sized businesses still on Microsoft 365 Business Standard, "somewhere better" is usually Business Premium, and this post is the playbook for that conversation: where Standard actually breaks, how to frame the upgrade in business outcomes, the five pillars to structure the discussion, and answers to the objections you will hear every single time.
What a token-theft phish does to a Business Standard tenant
Meet Brightline Architects, a 22-person architecture firm running everything in Microsoft 365. Their setup looks like half the SMB market:
- Microsoft 365 Business Standard
- Basic MFA enabled
- No Conditional Access
- No device trust
- Employees working from personal laptops
Like many SMBs, they assumed MFA meant they were secure.
One day an employee received an email that looked like it came from SharePoint: "Updated project files available." They clicked the link, landed on what appeared to be a Microsoft login page, entered their password, approved the MFA prompt. Everything looked normal.
It was not Microsoft. It was an attacker's proxy site, and that single approval handed over the user's session token: full access to the mailbox, Teams conversations, and SharePoint files, with no second sign-in and no further MFA challenge.
The attacker did not act immediately. They monitored conversations, studied communication patterns, and waited. Four days later they replied inside an existing email thread with a vendor, posing as the compromised project manager, and requested updated wire instructions. The vendor complied. $18,000 went straight to the attacker's account, from a legitimate mailbox, inside a real conversation thread. No red flags, no warnings.
Here is the arithmetic nobody shows SMBs: Brightline was saving about $200 per month by staying on Business Standard. That decision cost them $18,000 in a single incident.
Business owners do not buy features
Most MSPs pitch Business Premium as a feature list: Conditional Access, Intune, Defender, DLP. Business owners do not buy any of those. They buy risk reduction, continuity, alignment, and client trust.
So the renewal conversation should run on business outcomes, not security jargon. We frame every Standard to Premium discussion around five pillars, each with the questions that get the client talking.
Pillar 1: Work from anywhere without losing the data
The reality: employees work from home, on job sites, while traveling, and on personal devices. On Business Standard, those users can reach corporate data from unmanaged, unpatched personal devices anywhere in the world. The Business Premium outcome: employees work anywhere without the company losing control of its data.
Questions to ask: Do employees use personal devices for work? What happens if a laptop or phone is lost? Do you want flexible work without sacrificing security?

Pillar 2: Ownership of data that survives offboarding
The reality: data moves constantly between people, devices, and external collaborators. On Business Standard, files can be downloaded locally, copied to USB drives, or shared externally with little visibility or enforcement. The Business Premium outcome: the business retains ownership of its data, even when people leave.
Questions to ask: Who should access sensitive data? What happens to data when an employee exits? How important is client trust to your brand?


Pillar 3: Protection at the inbox, where the money moves
The reality: most financial fraud starts in email. Business Standard's basic filtering offers little against impersonation, reply-chain attacks, or realistic phishing. The Business Premium outcome: financial and identity-based attacks are blocked before users ever see them.
Questions to ask: How confident are you that a fake invoice would be caught? Would impersonation of leadership cause damage? Do you want layered protection if someone clicks a bad link?

Pillar 4: Containment and recovery without heroics
The reality: incidents happen. Malware, ransomware, compromised devices. Business Standard has no automated containment, no rollback, no rapid recovery. The Business Premium outcome: threats are isolated automatically and recovery happens fast, often without human intervention.
Questions to ask: What does downtime cost your business? How quickly do you need to recover? Would automated response reduce impact?

Pillar 5: One license instead of a vendor pile
The reality: most SMBs already pay for multiple third-party tools to compensate for Standard's gaps. That means more vendors, more complexity, and higher operational cost. The Business Premium outcome: security, device management, and data protection consolidated into one license.
Questions to ask: Are you paying for tools that overlap? Would fewer vendors simplify operations? Is predictable monthly cost important?

Raise the objections before the client does
The biggest mistake in renewal conversations is waiting for objections to surface. Bring them up early, acknowledge them openly, and frame them for the business owner before pricing or features enter the room. These six come up almost every time.
"We're too small to be targeted."
The opposite is often true. Smaller organizations are easier to compromise, run fewer controls, and detect attacks later. Attackers do not manually pick targets anymore; most attacks are automated scans hunting for weak access controls, unmanaged devices, and basic email protection. The goal is not fear. It is resetting the assumption that small equals safe.
"We don't want to pay $11 more per user."
A fair concern, especially in the current economic climate. Reframe from monthly licensing cost to overall exposure and efficiency. Many Business Standard organizations already pay separately for endpoint protection, email security, and mobile management to plug the license's gaps. The real questions: are we actually saving money, or spreading risk and cost across disconnected tools? That puts total cost of ownership on the table instead of the per-user delta.
"We already have MFA. Why do we need more?"
MFA matters, but it only protects the login moment. Without Conditional Access, MFA still allows sign-ins from any country, access from personal unmanaged devices, and risky sessions that continue uninterrupted. The Brightline story above is what that looks like in practice. This is not about replacing MFA. It is about advancing beyond it to match how attacks work now.
"We don't have sensitive data. We're not healthcare or finance."
This one equates sensitive with regulated. Most businesses hold payroll files, customer invoices, employee records, pricing models, and internal financials. If someone outside the organization should not have it, it is sensitive, regardless of regulation. Business Premium brings structure to data that is traditionally very unstructured in SMB environments.
"We've never had a breach. Standard has worked fine."
The most common and most dangerous assumption. The absence of an incident is not the absence of risk. Threats evolve constantly while Business Standard has stayed largely the same for years. Frame it as a reality check rather than a warning: Business Premium reflects Microsoft's current security baseline for modern work, not because Standard is broken, but because the environment changed around it.
"I thought you were already securing this for us."
The most important one to handle correctly. Affirm trust first, then explain the limitation:
We absolutely secure your environment to the fullest extent your current licensing allows. Microsoft 365 Business Standard simply does not include the controls needed to defend against today's threats.
That keeps the MSP positioned as an advisor rather than someone who missed something. The home security analogy helps: we monitor everything that is installed, but if the package does not include motion sensors or reinforced doors, we cannot turn them on.
The Copilot angle: same conversation, same quarter
Clients are already asking how to start using AI safely, and the renewal window is the natural moment to clean up data access, implement proper controls, and prepare for Microsoft Copilot. AI amplifies whatever data posture already exists; Business Premium makes that posture intentional instead of accidental.
At Ignite, Microsoft released a new Copilot SKU for SMB along with a first-year discount promo running this quarter. The details are in Microsoft 365 Copilot for Business: What You Need to Know.


In our view, pitching the combo in one upgrade is the opportune move: the security work and the AI adoption are the same project wearing two names.
Frequently asked questions
Does MFA make Business Standard safe enough?
No. MFA protects the login moment, not the session, the device, or the data after access is granted. Without Conditional Access, MFA still permits sign-ins from any country, access from unmanaged personal devices, and risky sessions that continue uninterrupted.
How do you answer a client who says they are too small to be targeted?
Attackers do not manually pick targets anymore. Most attacks are automated scans for gaps like weak access controls, unmanaged devices, and basic email protection, and smaller organizations are easier to compromise, run fewer controls, and detect intrusions later.
What if the client says you were already securing them?
Affirm trust first, then state the limitation plainly: you secure the environment to the fullest extent the current licensing allows, and Business Standard does not include the controls needed against today's threats. The home security analogy lands well: you monitor everything installed, but you cannot turn on motion sensors the package does not include.
Walk into the renewal with evidence, not a pitch
CloudCapsule scans each client tenant against 250+ controls in 60 seconds and shows exactly which gaps Business Standard leaves open. The upgrade conversation goes differently when the report is on the table.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


