Skip to main content

CloudCapsule Manage Is Here: Fix the Gap Where You Found It

Nick Ross5 min read

TL;DR

  • CloudCapsule Manage adds remediation on top of CloudCapsule's multi-tenant reporting, so MSPs find and fix M365 security gaps from the same screen.
  • Quick Fixes are pre-assessed for end-user impact, turning failing controls into applied fixes in minutes without change management meetings.
  • Policy Deployments gives every technician the same library of 100+ pre-built, pre-tested remediations, removing the variance manual deployment creates.
  • The Policy Library imports a policy from any downstream tenant and redeploys it anywhere, so a best-configured client becomes the template for the rest.
  • Capsules show live multi-tenant deployment status for outcome bundles like Defender for Business or the CIS Intune Benchmark, with no tenant-by-tenant login.

Visibility was always step one. When we built CloudCapsule, we started with the problem MSPs told us about most: security gaps that get discovered mid-ticket, during a breach, or when a client calls about something that should have been caught six months ago. A Conditional Access policy that was never deployed. Legacy authentication still wide open. If you already use CloudCapsule, you know what the fix for that feels like: your entire M365 security posture, across all your tenants, in one place. Real reporting, real data, no tenant-hopping.

As of April 2026, there is a step two. The new Manage tier closes the loop: find the gaps and fix them, from the same place.

CloudCapsule Manage announcement banner

What manual remediation actually costs

Before the product tour, it is worth naming exactly what is broken, because the pain points are specific and they compound.

Remediation takes hours, and it still might not stick. When you find a gap, fixing it manually means research, scripting, testing, and applying, tenant by tenant. For a single control, that can be an hour of work. Across a portfolio of clients, it becomes a permanent backlog. And at the end of it, you often cannot verify that every tenant received the same fix, applied the same way.

Manual processes do not produce consistent results. Ask two of your technicians to deploy the same Conditional Access policy to a new client and you will not get identical configurations. Not because they lack skill, but because manual processes require individual interpretation, and interpretation introduces variance. In security, variance is a gap.

Most tools report that a policy exists, not that it is enforced. There is a meaningful difference between "this policy exists" and "this policy is enforced across every tenant." Most security tools report the former. They cannot tell you whether the configuration you pushed three months ago is still in place, was partially overwritten, or was missed on a handful of tenants entirely. CloudCapsule closes that gap, and Manage lets you act on what you find.

The five capabilities in Manage

Each one is designed around the same principle: you already have the visibility, now here is the action to fix it.

1. Quick Fixes: immediate wins, zero end-user disruption

Quick Fixes are a curated set of identity-focused security improvements you can apply right now. Every fix is mapped to a concrete outcome: a Secure Score improvement, a failing control resolved, a specific attack vector closed. And every single one comes pre-assessed for end-user impact, so you know exactly what you are applying before you touch anything.

Most Quick Fixes are low to no end-user impact. That means no change management meeting, no client notification, no risk of a helpdesk ticket storm. You open CloudCapsule, review the failing controls, check the impact rating, and apply. Quick Fixes are how you go from "we found some things" to "we fixed some things" in minutes.

Quick Fixes view showing failing controls with impact ratings

2. Policy Deployments: 100+ remediations, one source

Quick Fixes handle the immediate wins. For deliberate, deeper configuration work, such as Conditional Access policies, Intune configuration profiles, and systematic hardening, Policy Deployments gives you a library of over 100 pre-built, pre-tested remediations.

The core problem it solves: manual policy deployment is inconsistent by nature, because every technician makes slightly different interpretation calls. Policy Deployments removes the interpretation entirely. Browse by category, select a policy, choose your target tenants, and deploy. The configuration came from a tested library, not memory, not a script copied from two years ago.

The result is a team where everyone deploys the same thing, every time. No variance. No drift.

Policy Deployments library with categorized remediations

3. Policy Library: your best work becomes your standard

If you have already done the hard work of dialing in a sophisticated configuration on a flagship tenant, a mature Conditional Access setup, or a carefully hardened baseline, that work should not live in one place. The Policy Library lets you capture it.

Import any policy directly from one of your downstream tenants, bring it into your library as a reusable template, and redeploy it to any tenant in your environment. Your best-configured client becomes the template for every other client. You are not recreating your best work from memory every time you onboard; you are replicating it exactly. No golden tenant needed to pull in templates.

Importing a tenant policy into the reusable Policy Library

4. Capsules: deploy to business outcomes, not policy lists

Your clients do not think in policies. They think in outcomes: "We need Defender for Business deployed." "We need to hit CIS compliance." "We need a security baseline in place before this new client goes live." Capsules are built around those outcomes.

A Capsule is a pre-bundled package of controls mapped to a specific business function or security baseline. CloudCapsule ships ready-to-go Capsules for things like Microsoft Defender for Business end-to-end deployment and the CIS Intune Benchmark. You can also build your own: bundle your MSP's standard controls into a single deployable package and push it across your entire customer base.

What makes Capsules genuinely different is multi-tenant deployment visibility. You get a live status grid: which clients have a Capsule fully deployed, which are partial, which are missing it entirely. All at once, no tenant-by-tenant login. That grid changes a client conversation from "we're working on it" to "here's the status."

Capsule catalog with outcome-based control bundles
Live multi-tenant Capsule deployment status grid

5. Explorer: find gaps before they find you

We started with the problem of gaps found by accident. Explorer is what replaces that.

Explorer gives you a birds-eye view of policy status across every one of your clients, live, in one place. Not a report you generate quarterly; a live view of where you have coverage and where you do not. And because it is built on CloudCapsule's underlying data, you are not looking at a surface-level score. You are looking at actual policy enforcement status.

Identify a gap, say a Conditional Access policy active on 18 tenants but missing from 4, in seconds. Then act on it immediately: Explorer connects directly to Policy Deployments and Quick Fixes, so insight and remediation live in the same workflow. No context switching, no ticket. Found it, fixed it.

The gap that would have surfaced as a surprised client call six months from now? You just found it proactively.

Explorer showing live policy coverage across all clients

Explorer also identifies when policies have reverted:

Explorer flagging policies that reverted after deployment

Before and after, side by side

The shift Manage represents is not a feature upgrade. It is a change in what is possible for MSPs running M365 security at scale.

Before CloudCapsule ManageAfter CloudCapsule Manage
Gaps found by accidentGaps surfaced proactively via Explorer
Remediation takes hours per tenantQuick Fixes applied in under a minute
Two techs, two different results100+ tested remediations, one standard
Best config lives in one tenantPolicy Library makes it portable everywhere
Compliance = a quarterly reportCapsule deployment status, live across all clients
"We think we're covered""Here's proof we're covered"
CloudCapsule Manage dashboard overview

Security management should feel like command, not catch-up

Not like you are one tenant away from a surprise. Not like you are always reacting. Not like the consistency of your security coverage depends on who was on shift the day a new client was onboarded.

CloudCapsule Manage is how MSPs move from reactive to proactive, from inconsistent to standardized, from hoping they are covered to knowing they are, with the data to prove it. The visibility was always step one. This is step two.

Frequently asked questions

What is the difference between Quick Fixes and Policy Deployments?

Quick Fixes are curated, identity-focused improvements with pre-assessed end-user impact, built for immediate wins. Policy Deployments is the library of 100+ pre-built remediations for deliberate configuration work like Conditional Access policies and Intune profiles, deployed to any set of tenants from one source.

Do Capsules require a golden tenant?

No. CloudCapsule ships ready-made Capsules such as Defender for Business end-to-end deployment and the CIS Intune Benchmark, and you can bundle your own standard controls into a custom Capsule. The Policy Library also imports templates directly from any downstream tenant, no golden tenant needed.

Can CloudCapsule detect when a deployed policy changes later?

Yes. Explorer shows live policy enforcement status across every client and identifies when policies have reverted, so drift surfaces proactively instead of in a surprised client call months later.

Ready to take command of your M365 environment?

See Quick Fixes, Capsules, and Explorer running against real tenants. A 30-minute walkthrough is enough to know whether Manage fits your stack.

Book a free demo
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading