How to Explain the Microsoft 365 Shared Responsibility Model to Clients

by Mikhail Blacer, IT Technical Writer

Your small and medium-sized business (SMB) clients may assume Microsoft handles all aspects of security and protection in Microsoft 365. They might not be aware that the Microsoft Shared Responsibility Model applies. In this case, MSPs should explain the client’s responsibilities, dispel misconceptions, and equip them with practical steps to secure their data and configurations.

Without clear conversations, these misunderstandings lead to compliance gaps, data loss risks, and misplaced accountability. By educating clients about their role in protecting their data, you’ll build trust and drive adoption of best practices like multi-factor authentication (MFA), backups, and access reviews.

This guide explains how to clearly communicate to clients their role in the Microsoft 365 Shared Responsibility Model. We will go through several methods aimed at helping clients fully understand their roles and responsibilities.

Methods to explain the Microsoft 365 Shared Responsibility Model to clients

Microsoft is solely responsible for securing the platform in Microsoft 365, while businesses are responsible for protecting their own data, users, and configurations. The methods below give you simple, easy-to-follow ways to explain the Shared Responsibility Model so clients can understand their role and take action.

📌 Prerequisites:

  • You must have full knowledge of Microsoft 365 service-level agreements and security documentation.
  • You need to be familiar with the following compliance standards:
    • ISO 27001 – This is the global standard for Information Security Management Systems (ISMS).
    • HIPAA – This is the Health Insurance Portability and Accountability Act that sets standards for protecting sensitive patient health information.
    • GDPR – The General Data Protection Regulation (GDPR) is the EU’s comprehensive data privacy and security law. It regulates how organizations collect, process, and transfer the personal data of EU residents.
    • SOC 2 – This refers to System and Organization Controls 2. It is a framework that sets standards for how service organizations manage and protect customer data.
  • Client-friendly educational materials like slides, FAQs, or one-pagers written in plain, non-technical language.

Optional: Scripting skills for checking multifactor authentication or security baselines

Method 1: Use clear analogies to explain the Microsoft Shared Responsibility Model

A straightforward analogy will help you explain the Microsoft Shared Responsibility Model in plain, client-facing language. This will help you separate what Microsoft handles from what the client must do.

📌 Use Cases:

  • This method makes complex concepts understandable for non-technical stakeholders.
  • It eliminates the assumption that Microsoft protects everything by default.

📌 Prerequisites:

  • You first need to have a clear understanding of Microsoft’s role in infrastructure, uptime, and data center security.
  • You must be able to explain the client’s role, including data backup and recovery, user identity and access, security configurations, and compliance setup.

Here’s an example of a client-facing analogy that clearly explains shared responsibility in relatable terms:

“Microsoft 365 is like renting an apartment. Microsoft secures the building, utilities, and locks. However, you’re responsible for what you put inside, how you lock your door, and whether you insure your valuables.”

This simplifies the distinction between Microsoft’s platform responsibility and the client’s responsibility. It communicates how Microsoft 365 is responsible for the infrastructure, utilities, reliability, and service availability. Meanwhile, it explains how clients remain responsible for backup and data recovery, user controls, and security setup.

Method 2: Break down the responsibilities by domain

Breaking down roles by domain helps clients understand what Microsoft handles and what remains their own responsibility.

📌 Use Cases:

  • It gives clients a quick and easy reference for who is accountable in different areas.
  • This helps MSPs guide conversations toward specific client actions like backups or MFA.

📌 Prerequisites:

  • You need to be familiar with Microsoft’s service commitments.
  • You will need to understand client roles and tasks, like backups, user access control, and compliance.

Microsoft’s Role | Client’s Role
Uptime, redundancy, infrastructure | Office 365 backup and restore of Mailbox, Files, and Teams data
Physical data center security | Configuring MFA, retention, and compliance policies
Base authentication systems | Managing user identities, access, and sharing

Method 3: Address misconceptions about the Microsoft Shared Responsibility Model

Clients sometimes come with incorrect assumptions about what Microsoft covers. Tackling these misconceptions builds trust and clears the way for practical conversations about client-owned responsibilities.

📌 Use Cases:

  • This method helps clear misconceptions before they lead to data loss or compliance gaps.
  • This positions MSPs as trusted advisors who can explain limits clearly.
  • It sets the stage for recommending solutions like backup and recovery, MFA, and retention policies.

📌 Prerequisites:

  • You need to fully understand and grasp Microsoft 365 policies, limitations, and service-level agreements.
  • Familiarity with standard compliance requirements is necessary.

Common misconceptions to clarify

  • “Recycle Bin = backup”: Explain that retention limits are short-term and bins do not provide full backups.
  • “Microsoft guarantees data recovery”: Clarify that Microsoft guarantees uptime, not recovery from accidental deletion or ransomware.
  • “Compliance is built-in”: Show that default settings rarely align with industry-specific regulations.

By addressing these myths directly, you help clients understand the real scope of their responsibility and why proactive measures are essential.

Method 4: Provide a Microsoft 365 Shared Responsibility Model checklist

Once clients understand their responsibilities, give them a simple checklist they can follow. This turns the model from abstract ideas into clear, actionable steps.

📌 Use Cases:

  • This method translates the model into immediate actions clients can take.
  • It gives MSPs a framework to review during onboarding or Quarterly Business Reviews (QBRs).
  • It reinforces accountability by showing where clients need to act regularly.

📌 Prerequisites:

  • You need familiarity with Microsoft 365’s security and compliance settings.
  • You should be able to demonstrate or validate each action (e.g., MFA coverage, backup status).
  • You may want a handout or one-pager so clients can keep the checklist for reference.

Be sure to encourage clients to take the following immediate actions:

  1. Enable and enforce multifactor authentication (MFA) for all accounts. This helps secure your endpoints and user accounts, protecting your business data. It adds another layer of protection on top of your passwords, such as an emailed code or an authenticator app.
  2. Back up Exchange, OneDrive, SharePoint, and Teams data regularly. Microsoft doesn’t provide full backups. Set up a third-party backup solution like NinjaOne to ensure emails, files, and Teams conversations can be recovered easily.
  3. Configure retention and eDiscovery policies. Customize and tweak retention and eDiscovery policies to meet business and compliance requirements, ensuring data is preserved for audits, legal needs, or regulatory obligations.
  4. Audit user access and external sharing permissions quarterly. Review who has access to administrator accounts, sensitive data, and how files are being shared. Quarterly audits can help catch oversharing, dormant accounts, or permissions that must be revoked.

Method 5: Show clients some quick validation examples

Clients respond better when they can see their responsibilities in action. You can run a few simple checks during a meeting to show the value of the shared responsibility model.

📌 Use Cases:

  • It gives clients immediate visibility into security and compliance gaps.
  • This helps MSPs introduce elements like MFA or backup.

📌 Prerequisites:

  • You’ll need access to the client’s Microsoft 365 tenant.
  • You must be able to explain the result of each quick validation check in plain English.

You can use the script below to list which accounts have no MFA methods registered. It requires the MSOnline PowerShell module and a session opened with Connect-MsolService.

# List users without MFA enabled
# Requires the MSOnline module; run Connect-MsolService first.
# -All returns every user instead of the default first 500.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object UserPrincipalName

Sharing results in real time will help clients understand their responsibility for identity and access management.

Method 6: Make the Microsoft Shared Responsibility Model part of ongoing governance

The Microsoft 365 Shared Responsibility Model should not be a one-time conversation. Revisit it regularly so that clients stay aligned and secure.

📌 Use Cases:

  • This method helps keep clients aware of their responsibilities over time.
  • This links security practices to compliance and risk reduction.

📌 Prerequisites:

  • You need prepared visuals, charts, or analogies to share during QBRs.
  • This requires an understanding of the client’s compliance requirements so you can tie the model to their industry.

Do the following to keep the Microsoft Shared Responsibility Model in front of clients:

  • Revisit it during QBRs. This will keep the topic a priority, so responsibilities will not be forgotten.
  • Use visuals like tables, charts, and analogies to keep the concept simple and memorable. This will ensure that non-technical clients can grasp the concepts being discussed.
  • Be sure to tie the discussion back to compliance and risk mitigation so clients understand their role in protecting their data and reducing liabilities.

⚠️ Things to look out for

Risks | Potential Consequences | Remedy
Oversimplified analogies | Clients may think the model is too basic and miss critical details | Follow the analogy up with a responsibility table or checklist
Unclear responsibility tables | Misunderstandings persist about who is in charge of which responsibility | Double-check your task matrix and compare it with Microsoft documentation
Checklists that are too large | Clients get overwhelmed and do not take action | Keep your checklist short, actionable, easy to follow, and tied to outcomes and benefits
Not following up with clients about their responsibilities | Clients fail to perform what is required in the long term and slip back to false assumptions | Revisit the model regularly during QBRs and meetings

Best practices for explaining the Microsoft 365 Shared Responsibility Model table

Here’s a short table summarizing the best practices for helping clients understand the Microsoft Shared Responsibility Model:

Practice | Value delivered
Use analogies | Helps simplify complex technical ideas
Break down responsibilities | Prevents false assumptions and enables clients to understand what they need to do
Dispel common myths | Helps reduce risky behavior and enforces the correct procedures
Provide a checklist | Turns theory into action and gives clients a guide on what to do
Show validation examples | Enables you to build credibility with clients
Revisit in QBRs | Ensures ongoing alignment and reminds clients of their responsibilities four times a year

Automation touchpoint for managing a client’s role in the Microsoft Shared Responsibility Model

Automation can make the Shared Responsibility Model easier for you and your clients to manage and revisit. By running regular checks and storing results, MSPs can show clients proof of responsibility coverage and keep QBRs focused on action.

  • To make it a talking point, you can automate MFA coverage checks and send reports before QBRs.
  • Use your RMM to run scripts to validate retention policies and backup coverage.
  • Be sure to store evidence for records and compliance purposes.
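The following PowerShell is an added example, not code from the original post or from NinjaOne: it extends the MFA check from Method 5 into the automated coverage report with stored evidence described above. It assumes the MSOnline module and an existing Connect-MsolService session for the live run; the function name, report path and sample users are constructed placeholders.

```powershell
# Added example (not from the original post). Summarises MFA coverage for a set of
# users and writes a dated CSV as QBR evidence. Assumes the MSOnline module and an
# existing Connect-MsolService session for the live run; the report path and the
# sample users below are constructed placeholders.
function Get-MfaCoverageReport {
    param(
        # Objects exposing UserPrincipalName and StrongAuthenticationMethods,
        # as returned by Get-MsolUser
        [Parameter(Mandatory)] [object[]] $Users,
        [string] $ReportPath = ".\mfa-coverage-$(Get-Date -Format 'yyyy-MM-dd').csv"
    )
    $rows = foreach ($u in $Users) {
        # An empty (or missing) StrongAuthenticationMethods list means no MFA method is registered
        $methods = $u.StrongAuthenticationMethods
        $methodCount = if ($null -eq $methods) { 0 } else { @($methods).Count }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MfaRegistered     = ($methodCount -gt 0)
            MethodCount       = $methodCount
            CheckedAt         = (Get-Date).ToString('s')
        }
    }

    $total   = @($rows).Count
    $covered = @($rows | Where-Object { $_.MfaRegistered }).Count
    $percent = if ($total -gt 0) { [math]::Round(100 * $covered / $total, 1) } else { 0 }

    # Persist the per-user evidence so the check can be shown in a QBR and audited later
    $rows | Export-Csv -Path $ReportPath -NoTypeInformation

    [pscustomobject]@{
        TotalUsers      = $total
        MfaRegistered   = $covered
        CoveragePercent = $percent
        MissingMfa      = @($rows | Where-Object { -not $_.MfaRegistered }).UserPrincipalName
        ReportPath      = $ReportPath
    }
}

# Constructed sample data so the function can be exercised without a tenant
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; StrongAuthenticationMethods = @('PhoneAppNotification') }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   StrongAuthenticationMethods = @() }
)
Get-MfaCoverageReport -Users $sample -ReportPath (Join-Path ([IO.Path]::GetTempPath()) 'mfa-coverage-sample.csv')

# Live tenant run (after Connect-MsolService); -All avoids the default 500-user limit
# Get-MfaCoverageReport -Users (Get-MsolUser -All) -ReportPath 'C:\Reports\mfa-coverage.csv'
```

The sample run reports 50% coverage with bob@example.com listed under MissingMfa; scheduling the live run from your RMM before each QBR gives you the dated CSV as the stored evidence.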

NinjaOne integration ideas for handling the Shared Responsibility Model

MSPs using NinjaOne can use its robust Remote Monitoring and Management features to reinforce the Microsoft Shared Responsibility Model during client conversations.

  • Automate reporting on endpoint and Microsoft 365 configuration health.
  • Host responsibility matrices and checklists in NinjaOne Docs.
  • Integrate responsibility discussions into QBR dashboards.
  • Link license usage and Microsoft 365 backup status to responsibility conversations.

Help clients understand their role in the Microsoft Shared Responsibility Model

The Microsoft 365 Shared Responsibility Model clearly states that while Microsoft secures the platform, clients are still responsible for protecting their data, users, and compliance settings. Explaining this model to clients helps MSPs correct false assumptions, build trust, and show clients where they need to take action. To achieve a complete understanding, it’s best to use analogies, clear tables, and simple checklists.

Once clients are aware of their responsibilities and perform them, the result is better governance, reduced risk, and high confidence in their Microsoft 365 environment.
