Four Security Assessments a Week: How SourcePass Turned Microsoft Specialization Into a Sales Engine
TL;DR
- A Microsoft Center of Excellence is an operating model that pairs advisory and fulfillment with professional services, staffed by specialists rather than generalist help desk techs.
- As of August 2025, Nathan Taylor's team at SourcePass runs 4 to 5 standardized 45-minute security posture reviews per week as a lead generation motion.
- The highest-impact tenant gaps remain the basics: incomplete MFA coverage, dormant accounts, missing DMARC, underconfigured Defender for Office 365, and disabled BitLocker.
- Most compromise paths still run through identity via phishing, OAuth abuse, and token theft, not exotic endpoint exploits.
- Assessments convert when findings are framed as outcomes and followed by two paths: a quick-wins project and a recurring posture program.
What separates an MSP that manages Microsoft 365 from one that commands it? We put that question to Nathan Taylor (opens in new tab), who has helped hundreds, if not thousands, of organizations get more from Microsoft 365 while measurably reducing risk. His answer is a structure: the Microsoft Center of Excellence (CoE) he runs at SourcePass (opens in new tab), and the standardized assessment rhythm that feeds it. This conversation covers how the CoE model works, the security gaps Nathan sees across tenants again and again, and why the fundamentals, not the exotic controls, create the fastest business impact.

The cadence first: 4 to 5 posture reviews every week
The most concrete thing Nathan shared is a number. His team runs 4 to 5 security posture reviews per week using a standardized rhythm with CloudCapsule. The distilled playbook:
- Book 45 minutes, not 30. Use a calendar link and state the deliverable upfront.
- Secure the connection live. CloudCapsule lets you share a link the customer consents to on the phone, no credential harvesting. Have them approve the OAuth at the start, which keeps you within their change-control boundaries.
- Record and transcribe. Teams meeting recap and notes auto-capture action items and follow-ups.
- Scan top-down:
- Security Score (directional only, mind the Defender bias)
- Cyber insurance readiness (call out missing training and backups)
- Framework lens (CIS basics, highlight quick wins)
- Identity (admins, MFA coverage, risky users)
- Mail security (SPF/DKIM/DMARC, Defender for Office 365 hardening)
- Devices (Intune, Defender, BitLocker, cleanup)
- Policies (Conditional Access, legacy protocols)
- Frame actions as outcomes. "Reduce account-takeover risk by hardening MFA and removing legacy methods," not "do these 11 settings."
- Send the evidence. Export the findings right after the call. The report becomes the client's internal talking points to leadership.
- Propose two paths: a quick-wins time-and-materials project (DMARC, MFA uplift, Defender for Office 365 hardening) and a monthly program that shows trend improvements over time.
One thing Nathan is firm about: never shame. Empathy closes deals; fear, uncertainty, and doubt stall them. Flag true urgency, like risky users, suspicious OAuth grants, or active token abuse, with clarity and without theatrics.
What the assessments keep finding: the basics, broken
Before any conversation about Purview, DLP, or advanced AI controls, Nathan stresses one thing: get the fundamentals right. The same low-effort, high-impact gaps surface in tenant after tenant:
- MFA coverage and strength. Missing, incomplete, or legacy methods (SMS, email). Limited FIDO2 adoption. Conditional Access not universal.
- Dormant accounts and devices. Stale users and endpoints persist for months or years, inflating both attack surface and license waste.
- Email authentication. SPF/DKIM/DMARC misconfigurations, with DMARC often missing entirely, exposing domains to spoofing and deliverability problems.
- Defender for Office 365. Powerful, but frequently underconfigured. Microsoft adds controls regularly and environments do not keep up.
- Device protection. Intune enrollment gaps, Defender for Endpoint not fully rolled out, and BitLocker still disabled because of old myths.
The pragmatic stance behind the list: stop chasing exotic zero-day defenses while table-stakes controls sit undeployed. Most compromise paths still run through identity, via phishing, OAuth abuse, and token theft, not through an obscure endpoint exploit.
What a Center of Excellence actually is
A Microsoft CoE is more than branding. It is a focused operating model that combines advisory and fulfillment with professional services, staffed by a team with specialty skillsets across the Microsoft stack.
- Narrow scope, deep expertise. Nathan's division at SourcePass concentrates on Microsoft licensing and professional services. By staying out of generalized help desk work, the team builds sharper skills and faster outcomes.
- Co-managed engagement. Most clients already have IT teams. The CoE augments them with specialized Microsoft capabilities: identity, security, endpoint management, data protection, licensing optimization.
- Outcome over tools. The shift from "we standardize on Vendor X" to "we deliver business outcomes on Microsoft" is well underway. Buyers now arrive with informed asks, naming Defender, Sentinel, Purview, and Copilot, and they expect partners to execute.
The bottom line, in Nathan's framing: focus creates intimacy at scale. A CoE model positions you as the specialist who can translate Microsoft's breadth into business results.
The buyer changed. Has your pitch?
Three market shifts make the CoE model timely as of August 2025:
- More technical decision-makers. You are no longer selling only to business owners and controllers. Today's buyers often understand Microsoft options and arrive with specific requests.
- Risk is the language. Cyber insurance, M&A due diligence, board scrutiny, and AI initiatives all push the conversation toward shared risk management, not just products and projects. That quickly becomes: "I know I am paying for Microsoft Business Premium or E5. Is it configured correctly?"
- AI is an accelerant. Customers use AI to research Microsoft faster than ever. If you cannot keep up (and few can, alone), you need systems and enablement to stay credible.
From one good meeting to a scalable practice
The assessment flow only becomes a business when it is repeatable by people who are not Nathan:
- Codify the runbook. Checklist the flow, the prompts, the follow-ups, and the quoting patterns, your "standard 80%."
- Pair the skill sets. If one person cannot sell and go deep technically, pair an account manager with a senior engineer until you develop hybrid talent.
- Sell the subscription motion. Quarterly posture reviews, change tracking, and an improvement scorecard. Leaders love visible progress.
The sales motions the CoE unlocks
- Lead generation: a free 45-minute review with a tangible leave-behind and the two paths, quick-wins T&M and a quarterly posture program.
- TCO story: consolidate third-party tools with Business Premium or the E5 Security add-on; show net savings against the increased service fee.
- Risk framing: map gaps to cyber insurance controls and board expectations; quantify impact as likelihood times impact times time-to-remediate.
- Proof quickly: before-and-after graphs covering phish blocked, MFA coverage, DMARC alignment, and device compliance.
The takeaway
A Microsoft CoE turns the Microsoft stack into a measurable, repeatable capability. Standardize the right way to build, secure, and adopt, then enable everyone else in the practice to deliver it at scale. The 45-minute assessment is the front door; the discipline behind it is the business.
Frequently asked questions
What is a Microsoft Center of Excellence at an MSP?
A focused operating model that combines Microsoft advisory and fulfillment with professional services, built around a team with specialty skillsets across identity, security, endpoint management, data protection, and licensing optimization, deliberately kept out of generalized help desk work.
How long should a security posture review meeting be?
Book 45 minutes, not 30. State the deliverable upfront, have the customer approve the assessment connection live on the call, and send the exported findings immediately afterward.
Should MSPs lead assessments with advanced tooling like Purview and DLP?
No. The fastest business impact comes from fundamentals: MFA strength, dormant account cleanup, SPF/DKIM/DMARC, Defender for Office 365 configuration, and device protection. Advanced controls come after table stakes are deployed.
Run the same 45-minute review SourcePass runs
CloudCapsule scans 250+ Microsoft 365 controls in about 60 seconds, maps them to CIS and cyber insurance requirements, and exports client-ready evidence you can send the moment the call ends.
Book a demo
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


