July 2023

The Partner Opportunity For Microsoft Security

A Total Economic Impact™ Partner Opportunity Analysis

The partner opportunity to deliver services and solutions related to Microsoft security grew significantly in the past year for enterprise customers (14%) and SMB customers (37%). This growth was driven by greater customer demand because of the increased complexity and frequency of cyberattacks, Microsoft’s investments in its security-related offerings, and the maturation of partners’ offerings. Partners that invested in their internal capabilities and Microsoft relationships reported higher revenues and profitability.

The increased opportunity for security-related partners is being driven by several factors. First, the post-pandemic move to hybrid work for knowledge workers is still evolving, which requires new security paradigms. Second, there is an ever-increasing rise in the frequency and complexity of cyberthreats, and high-profile ransomware attacks are constantly in the news. Third, the meteoric rise of AI and the risk of deep-fake cyberattacks has companies looking for additional protections. Fourth, macroeconomic concerns are causing companies to look at where they can rationalize IT spending while still maintaining necessary security postures. Last and most specific to the Microsoft ecosystem, the increased adoption of Microsoft security solutions such as those in the Microsoft 365 E5 suite is increasing the related total addressable market (TAM).

Enterprise customer expected revenue opportunity (with attach rates applied):

$41.05 per user per month


SMB customer expected revenue opportunity (with attach rates applied):

$14.90 per user per month

Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study to examine how partners can benefit from investing in and expanding their Microsoft security practices for both small and medium-sized businesses (SMBs) and enterprise customers.i “Microsoft security” is a broad term that encompasses all products and services across six product families: Microsoft Defender, Microsoft Sentinel, Microsoft Entra, Microsoft Intune, Microsoft Purview, and Microsoft Priva.

In this study, Forrester uses the term “security” as shorthand for one or more of the following solution areas built around the six product families:

  • Microsoft 365 Security. This workload covers activating and managing everything security-related in Microsoft 365, including security operations center (SOC)/security information and event management (SIEM).
  • Multicloud Security. This workload includes securing Azure and other public clouds’ infrastructures, apps, and data.
  • Compliance. Microsoft compliance capabilities include Data Security (Information Protection and Risk Management) and Governance and Privacy.
  • Identity. Identity and Access Management (IdAM) includes providing core digital identities to knowledge and frontline workers as well as to third parties, Microsoft Entra ID (formerly Azure Active Directory), Zero Trust initiatives, and capabilities such as single sign-on (SSO) and MFA.
  • XDR. XDR is primarily a managed services opportunity and a natural extension from endpoint detection and response (EDR). XDR includes endpoints, identities, data, and applications both on-premises and in the cloud. XDR is new to this year’s Modern Work partner study.

This year’s study focuses on what has changed for security partners in FY23 and where things are likely heading in FY24. This includes: 1) what customers are looking for from Microsoft partners; 2) how partners are making money; and 3) the best practices and investments that create success.

For this year’s study, Forrester interviewed 14 partners with practices in one or more of the aforementioned solution areas. It also pulls in the partners’ security-related data from another TEI study focused on the partner opportunities around Windows 365 and Microsoft Modern Work.ii,iii These interviews build on more than 50 previous years’ interviews with Microsoft partners and customers.

Forrester created partner-opportunity models for both enterprise and SMB customers based on what leading partners achieved in FY23 and what they expect to achieve in FY24. These models quantify the opportunities for deployment, advisory and adoption services, solutions development, and managed services. Accounting for attach rates, Forrester found that the expected-revenue opportunity for a new enterprise customer is up by 14% year-over-year (YoY), and that the SMB revenue opportunity is up by 37% YoY.iv

While partners have built highly profitable businesses around various engagement models, they noted they generally realize larger TAMs and higher margins as they move from deployment to providing managed services and building custom IPs. This can be conceptualized as a good-better-best scenario.

Consulting Team: Isabel Carey, Cassandra Halloran, Jonathan Lipsitz


TEI FRAMEWORK AND METHODOLOGY

From the information provided in the interviews with partners of various sizes from around the globe, Forrester constructed a Total Economic Impact™ framework for those partners considering building and growing one or more security practice areas.

The objective of this framework is to identify the revenue streams, investments, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the holistic opportunity for partners building and growing a Microsoft security practice.

  • DUE DILIGENCE

    Interviewed Microsoft stakeholders and Forrester analysts to gather data relative to the Microsoft security partner opportunity.

  • INTERVIEWS

    Interviewed 14 representatives of partner organizations with one or more existing Microsoft 365 Security, Multicloud Security, Compliance, Identity, or XDR practices to obtain data with respect to revenue opportunities, investments, and best practices.

  • FINANCIAL MODEL FRAMEWORK

    Constructed a financial model representative of the interviews using the TEI methodology. The model normalizes all results as a per-user-per-month opportunity during a 36-month customer journey.

  • CASE STUDY

    Created a case study that explains the benefits and investments a partner can expect when building one or more security practices. The case study also explores the best practices partners have identified, which have made them successful.

DISCLOSURES

Readers should be aware of the following:

This study is commissioned by Microsoft and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in a Microsoft practice.

Microsoft reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Microsoft provided the partner names for the interviews but did not participate in the interviews.

The Customer Perspective

Forrester Analytics Global Business Technographics® surveys include responses from thousands of technology purchasers and decision-makers from around the world. Survey insights highlight macro trends that drive organizations’ decisions concerning security and compliance solution adoption and partner selection. In the 2022 Forrester Analytics Global Business Technographics Priorities Survey, 27% of business and technology professionals said that their organization’s top IT priority is to improve security and privacy.v Nearly 36% of security decision-makers with decision-making power at the manager level or higher shared that their organization will spend IT budget on security (e.g., software, infrastructure, services, personnel, etc.).vi

Software-as-a-service (SaaS) adoption also continues to be a major driver of security services adoption. In a 2022 Forrester survey of 3,536 software decision-makers, 28% said data security and protection against cybercrime was their organization’s biggest concern with using SaaS solutions.vii Additionally, a 2022 Forrester Analytics Business Technographics Security Survey of 2,883 security decision-makers found that 13.98% of respondents said the largest portion of their organization’s security budget went to cloud security.viii

The survey also revealed why organizations are looking to outsource security services. Security decision-makers outlined the following top priorities: improving quality of protection (32%), alleviating resource/staffing pressures (31%), and improving regulatory compliance (30%).ix When it comes to selecting a security partner, the top criteria were expertise in new technologies (23%); knowledge/experience with the organization’s industry (22%); business process, technology, software platform expertise (22%); and credibility as proven by successful completion of past projects with the respondent’s organization (22%).

Security technology decision-makers also noted their organizations’ top security priorities for the following 12 months. Microsoft solutions and the related partner opportunities align with most of the top 10 priorities.

IT Security Priorities

Improving application security capabilities and services 28%
Using built-in security capabilities from Microsoft, Google, AWS, etc. 22%
Improving threat intelligence capabilities to proactively identify security threats targeted to my organization or industry 22%
Improving Access Management tools and policies for employees and partners 21%
Developing strategy for industrial control system (ICS) or operational technology (OT) environments 20%
Improving device security and services to support anywhere work 19%
Improving data security capabilities, such as identification and classification 19%
Improving endpoint security capabilities and services 18%
Improving security operations effectiveness 18%
Improving vulnerability risk management capabilities and process 18%

Base: 2,355 security technology decision-makers
Source: Forrester Analytics Business Technographics Security Survey, 2022

Lastly, the reasons security decision-makers said they purchased identity and access management technologies for their organizations during the previous 12 months represent a large opportunity for partners to deploy and manage solutions. The top four drivers were regulatory compliance (38%), cloud migration requiring new identity and access management (IdAM) solutions (32%), lack of skilled resources to automate security tasks (27%), and reduced administrative and overhead costs (26%).x

“We are seeing wider and deeper adoption of E5. Before, clients wanted to stay with their point solutions. Now, they are more comfortable going all in on Microsoft security, and they understand they will get a lot more value.”

The Partner Perspective

Partners shared their views on the high-level trends that are driving opportunities and what they believe will be even more important during the next year. These include:

  • The move to hero SKUs is fueling growth. Partners are seeing many more migrations to the hero SKUs Microsoft M365 E5 (E5) for enterprise customers and Microsoft 365 Business Premium (Business Premium). This is consistent with what Forrester heard in interviews for previous TEI studies.xi The increased number of security, compliance, and identity features increases partners’ TAMs. Partners expect this trend to accelerate in FY24 and said it requires them to invest in competencies to meet customer demand.
  • Microsoft’s investments are paying off for partners. Partners benefit from Microsoft’s continued investment in its portfolio of security solutions, which increasingly meets and exceeds their requirements. Additionally, they said Microsoft is making solutions more easily available, such as including Microsoft Defender for Business in Microsoft 365 Business Premium. Lastly, partners are taking greater advantage of Microsoft programs such as the End Customer Investment Funds (ECIF) program and funded workshops that are designed to drive customer adoption and increase partner opportunities.
  • Partners are expanding into other existing workloads and new ones such as XDR. Partners said Microsoft 365 E5 makes it easier for them to expand into adjacent areas (e.g., a traditional security partner moving into Microsoft Purview Information Protection). Microsoft Modern Work partners can also more easily establish security practices and have a credible offering. That said, there continue to be specialized areas (e.g., legal discovery) that only partners with highly skilled teams and offerings can fulfil. Fully managed services such as managed XDR and managed SOC are of increasing interest to customers and partners, and some are making the large investments required to expand managed security service provider (MSSP) offerings and to succeed.
  • Macroeconomic factors continue to affect what customers want and increase partner opportunities. The post-pandemic rush to remote work and the evolving hybrid work models continue to drive opportunities, especially in compliance and advisory/governance. The shortage of IT professionals and IT security professionals is increasing organizations’ demands for partner services, especially managed services. This is even more pronounced in the SMB space where it is even harder to attract, train, and retain IT security resources. Additionally, economic uncertainties have CFOs asking why their organizations are double paying for security solutions that are already part of Microsoft 365 E5. This is driving greater adoption of Microsoft security features that previously may have gone unused.
  • The SMB opportunity is expanding rapidly. In many ways, the previously described trends are driving opportunities more with SMBs than with enterprises. Some partners that previously only worked with enterprise customers are starting to expand their services into the SMB space. To be successful, they are investing in automation and leveraging Microsoft tools such as Lighthouse to be profitable. This is also the first year that partners told Forrester their firms are delivering Multicloud Security and Compliance services to SMBs, although this is still predominantly at the upper end of the SMB headcount range.
  • The frontline worker opportunity is still out there. Partners say there is continued customer interest in extending security to frontline workers and that this can add 10% to the overall value of a deal. That said, most partners are still figuring out how to tap this opportunity in ways that are price-compelling to their customers and profitable for the partner.
“Microsoft-funded workshops and ECIF both work really well for closing deals and new and existing customers.”
“Our XDR growth is only constrained by our ability to do sales and marketing. There is no lack of customer interest or budget.”
“The economic uncertainty has changed what customers are asking for. They know they are not good at technology and want to outsource it.”
“In the sub-300 market, Business Premium is the hero SKU. We are seeing a lot more MSSP opportunities in SMB and mid-market than in enterprise.”
“We have services specifically for frontline workers. They get similar security to knowledge workers, but at a lower cost. They require less effort for us to support.”

[Figure: Year-On-Year Growth (Expected revenue)]

Enterprise Opportunity Overview

The trends discussed earlier resulted in increased revenues across all workloads in FY23, both in terms of total revenue potential (i.e., what partners are offering) and the expected revenue associated with the likely bundles of services and products customers are buying (attach rates applied). The expected revenue opportunity grew by 14% for an enterprise customer on a three-year journey. The two solution areas with the largest expected revenue opportunities are Microsoft 365 Security and Identity, and the new XDR workload is already at 5%.

Forrester also broke down the expected revenue opportunity across four service areas: deployment, advisory, solutions development, and managed services.

  • Deployment opportunities grew by 15%. The increase in deployment opportunities was largely driven by the increased number of customers who moved to Microsoft 365 E5. After completing Microsoft 365 Security deployments, many move to Compliance, which makes it the workload with the largest new-deployment growth. Multicloud security deployments continue to grow as customers move more of their IT estates to Azure and other public clouds.
  • Advisory services grew by 18%. Advisory services continue to be important as the complexity of threats and the solutions that defend against them increase. Advisory includes up-front strategy and planning work as well as adoption and change management (ACM) services. Many partners said that they require customers to buy some level of advisory services as part of the effort to make customers more secure. This is especially true for MSSPs because their profitability is predicated on customers feeling secure.
  • Solutions development grew by 9%. Solutions development includes the resalable IP that partners create (either as standalone solutions for sale or used to make deployments and managed services more efficient), custom-solutions development, and advanced integration work. The largest driver of custom integration work is in the SIEM and XDR areas in order to ingest signals from as many systems as possible, from both Microsoft and other vendors. Partners are still interested in reselling IP because of the potentially high profit margins, and around one-fifth of the interviewees said their organization has achieved meaningful success so far.
  • Managed services grew by 15%. Partners expressed the most interest in managed services because of the desire for predictable and recurring revenues, potentially high margins when delivered at scale, and how they increase company valuations.

    Partners are using Microsoft Sentinel as a platform upon which to build and deliver managed services. Managed XDR has emerged as a large opportunity and a natural extension for partners that already have managed SOC offerings. Some partners are building managed-compliance offerings that parallel their managed-services offerings.

[Figure: Attached-Revenue Opportunity Mix]

Enterprise Customer Revenue Opportunity By Solution Area

| Solution area | Total revenue per user per month | Blended attach rate | Expected revenue per user per month | Expected YOY growth |
|---|---|---|---|---|
| Microsoft 365 Security | $41.55 | 32% | $13.10 | 7% |
| Multicloud Security | $23.05 | 35% | $8.15 | 9% |
| Compliance | $19.20 | 30% | $5.80 | 20% |
| Identity | $21.05 | 58% | $12.25 | 6% |
| XDR | $11.25 | 16% | $1.75 | N/A |
| Total | $116.10 | 35% | $41.05 | 14% |

Enterprise Customer Revenue Opportunity By Partner Service

| Partner service | Total revenue per user per month | Blended attach rate | Expected revenue per user per month | Expected YOY growth |
|---|---|---|---|---|
| Deployment | $17.05 | 56% | $9.60 | 15% |
| Advisory | $6.15 | 49% | $3.00 | 18% |
| Solutions development | $40.40 | 31% | $12.40 | 9% |
| Managed services | $52.50 | 31% | $16.05 | 15% |
| Total | $116.10 | 35% | $41.05 | 14% |

“The deployment of all the Microsoft 365 Security components can easily take up to two years and run into the millions of dollars. Advisory is a big piece, and then there is the managed services opportunity.”

Microsoft 365 Security

Microsoft 365 Security is about activating and managing Microsoft 365 workloads securely. The opportunities for partners have increased proportionally with the additional capabilities that Microsoft has added to the E5 SKU and the increase in upgrades from E3 to E5.

  • Deployment services primarily consist of activating everything in E5 that wasn’t in E3. Many of these opportunities begin with Microsoft-funded workshops and ECIF funding. Partners are also seeing more competitive takeaway opportunities, which is in line with Microsoft’s “do more with less” marketing campaigns. Partners are also helping customers build out their SIEM and SOC capabilities using Microsoft Sentinel and other Microsoft tools.
  • Advisory services are becoming more important and typically represent a 25% uplift of deployment revenues. There is greater need for up-front strategy and planning due to the increased complexity of threats and the breadth of the Microsoft 365 Security portfolio, and that is why these services are attaching at a rate of 75%. There is also a newer and larger end-user training opportunity to help make customers more secure. This includes programs such as phishing-awareness campaigns.
  • The custom development piece of solutions development can be as much as a 30% uplift on other deployment services. Solution development includes the resalable IP that partners create, which complements what Microsoft has built. This IP is often related to improved manageability, signal ingestion, monitoring, and alerting. Partners are also doing custom integration work as part of the effort to help their customers build out their Sentinel-based SIEMs.
  • Managed services opportunities continue to grow as organizations struggle with in-house staffing. Partners described a wide range of services, including L1 through L3 support, endpoint management, ongoing management and updating of all the E5 solution components, automated patching, and evergreen services to keep them up to date on all their Microsoft solutions. There has also been an increase in managed SIEM and SOC, and some partners are offering red-team penetration testing.

[Figure: Microsoft 365 Security Opportunity]

“Cloud security is growing faster than the other partners of security. There are so many Azure capabilities that we can add value to.”

Multicloud Security

Multicloud Security includes the services and solutions partners offer around Azure and other public clouds that run Microsoft solutions. More security partners reported expanding into this workload because of the increased adoption of public clouds. Additionally, they said the breadth of Azure and other public cloud solutions may create many more opportunities to secure networks, data, applications, VMs, etc.

  • Deployment services begin with applying security to cloud migrations that are often large. Multicloud projects typically begin with a proof of concept (POC) and the follow-up deployment work can cost 10 to 20 times the POC price. Examples of cloud-related deployments that result in security work include server migrations, application migrations, and general efforts around standing up and configuring cloud security solutions. While most partners overwhelmingly focus on Azure, they also support customers on the other major public clouds. If the cloud involved is Azure, driving Azure consumption can result in partner financial remuneration.
  • Moving a customer securely to the cloud involves considerable advisory work. Partners said that deployment-related advisory services typically represent a 25% uplift on other deployment services. There is also more strategic work that takes place around planning a secure migration and defining a governance structure, as well as an opportunity for training in-house security organizations.
  • Partners see a large opportunity in creating their own solutions for securing cloud operations. Partner solutions are sometimes offered for sale, often through the Azure Marketplace and sometimes bundled into migration and managed services to improve margins. Partners said that the revenue potential around complex integrations and custom development work is higher when the customer has a hybrid or multicloud approach compared to an all-Azure opportunity.
  • Forty percent of the expected multicloud revenue opportunity is in managed services. Partners are creating more managed services to help their customers securely move to and operate in the cloud. This is largely driven by the trends discussed earlier, such as a shortage of IT professionals. Some partners are pricing their managed services based on a percentage of a customer’s annual cloud consumption spend, and they said the multicloud managed services opportunity can be as large as the Microsoft 365 Security managed services opportunity.

[Figure: Multicloud Security Opportunity]

“We have created offerings around three Purview solutions – DLP, records management, and eDiscovery. Our message is that data is king, and customers need to protect their data.”

Compliance

Compliance saw the largest growth of all workloads in terms of both total and expected opportunity. Several factors contributed to the growth of workloads, including Microsoft’s continued investment in the Purview and Priva product families, customers increasingly looking at compliance as a follow-up to their security deployments, and more partners moving into compliance areas adjacent to security and creating new offerings. Specialized compliance partners continue to dominate areas that require deep expertise (e.g., legal discovery).

  • Deployment saw the largest expected revenue growth (44%) as customers begin their compliance journeys. Most journeys begin with areas adjacent to IT security, such as information protection and data loss prevention. There are also large opportunities around data-migration-related tagging and compliance, as well as e-discovery. Partners reported that 75% of their security customers are willing to have serious conversations around compliance and that there are very high conversion rates coming out of workshops.
  • Advisory services are typically worth an additional 25% on top of deployment revenues. Partners said that there are large advisory opportunities as customers begin to systematize compliance and as part of the move to Microsoft Purview and Priva. Governance is a big piece of the up-front work, and there is a need for employee training on policies and how to use the tools. One partner built out a change-management team focused solely on compliance and said that it does a lot of work around data labeling.
  • Partners are building and selling solutions that make compliance management easier and more automated. Solution areas include information protection governance automation tools, e-discovery tools, and a range of connectors for integrated data and regulatory compliance. For some partners, these solutions are enablers of their managed services.
  • More traditional security partners are attempting to recreate their managed services success in the compliance space. For most partners, these managed services are new and focused on data-security-adjacent areas such as DLP and data identification and classification. Some partners are adding compliance monitoring and alerting to their existing SIEM offerings, and specialty partners continue to receive large retainer contracts to help customers manage compliance and respond to compliance events.

[Figure: Compliance Opportunity]

“Zero Trust is a great way to talk to prospects and customers about security and drive behavioral change.”

Identity

IdAM is both a distinct workload and a foundational component of the other workloads (Microsoft 365 Security, Multicloud Security, Compliance, and XDR). As such, partners increasingly think of it in terms of these other opportunities. The Zero Trust narrative is also important for partners and Microsoft in creating multiyear identity journeys that cover solutions such as MFA, SSO, and passwordless authentication. As part of these journeys, partners reported an increase in competitive takeaways in solution areas like SSO.

  • Identity-related deployments can be multiyear journeys that cost millions of dollars. Partners continue to see new identity deployment opportunities and they increasingly include competitive takeouts in areas like SSO and MFA as customers look to remove redundant IT spend. One interviewee shared an example that their organization is on a six-month SSO migration that involves nearly 400 applications and costs $300,000.
  • Advisory services are very important because identity impacts every user. Partners said advisory services typically add up to 30% on top of the deployment revenues. These services include up-front user experience designs as well as user training.
  • Partners are selling their own solutions for more comprehensive identity security monitoring. These solutions cover both cloud and on-premises identity monitoring and integrate all telemetry into a SOC. Partners are also doing custom integration work to deliver on the Zero Trust security approach.
  • Identity-related managed services are often tied to broader user support contracts. Because identity is foundational to all users, managed services in this area are often bundled into more comprehensive L1 through L3 support contracts. Partners also have evergreen managed services offerings to ensure the identity infrastructure continues to run properly because integrations regularly need to be tweaked when vendors make changes to applications.

[Figure: Identity Opportunity]

“Every customer wants incident response, so we are building a full cybersecurity portfolio to meet that demand.”

XDR

XDR is primarily a managed services opportunity, and Forrester added it as a separate solution area in this year’s analysis because more partners spoke about offerings and view XDR as a way to differentiate since they believe the managed SOC landscape has become saturated for enterprise customers. One driver of customer demand is the increasingly common cyberinsurance policy demand that companies must have an incident response provider.

For the most part, partners are leveraging Microsoft Sentinel for their XDR capabilities, and they said that ingestion of signals from Azure and other clouds is especially important and that it requires a serious investment to build and deliver an XDR managed service offering. So, only a subset of MSSP partners offer XDR. Some of these partners are white labeling their services for other Microsoft partners to sell, and this creates opportunities for these other partners to make money and deliver more value to their customers.

  • Deployment work typically costs 20% of the first-year XDR managed services annual recurring revenue (ARR). Because XDR is about managed services, partners try to make up-front deployment work as easy and inexpensive as possible. Partners are completing a lot of XDR-related workshops, and these are often funded by Microsoft. Fifteen percent of workshops have transitioned to full deployments, and partners expect this win rate to increase significantly in FY24 as their offerings mature and their customers recognize the value.
  • Advisory services add 30% to the deployment costs. Advisory work consists of defining the managed services model and interactions between the partner and customer and baselining the customer’s current security posture. There is also IT and end-user training required in order to make the customer as secure as possible. This reduces the partner’s ongoing detection and response work, which thereby increases profitability.
  • Incident response charges beyond the retainer are counted as solutions development because of the custom nature of the work. Partners’ goals are to not have to do any incident response by providing strong, proactive protection and detection. Although incident response work can be lucrative, partners described it as stressful to the response team and something they want to avoid. They said that typically, only 10% of their customers need incident response work at a level that exceeds the retainer fee, and the cost is around 20% of the managed services ARR.
  • Managed services fees consist of the services contract and incident response retainer. Managed services fees vary widely based on the types and volume of telemetry being ingested. Ideally, partners bring in identity, device, data, and application telemetry from both on-premises and clouds. Partners stressed that a proper XDR offering needs to cover more than the Microsoft estate and that managing all these integrations is costly.

    One partner said that through automation and putting strong, across-the-board protections in place for a customer, managed XDR margins can be 75% or higher because there is not much manual work that needs to be done. With regard to an incident-response retainer, partners view it as the way to pay for bench resources in order to meet SLAs, but not as a profit center of its own.

[Figure: XDR Opportunity]

SMB Opportunity Overview

Most of the trends discussed in the enterprise opportunity section apply to SMB as well, so this section focuses on what is different from enterprise. In previous years, Forrester conducted the SMB security opportunity analysis as part of the Modern Work partner TEI study because the opportunity was almost exclusively around the Microsoft 365 Security and Microsoft identity workloads. The security-related SMB opportunity has grown significantly, with partners describing Multicloud Security and Compliance opportunities at the higher end of the SMB range (organizations with around 200 employees) for the first time. Therefore, the analysis has been expanded and included in this study.

Overall, the SMB opportunity grew by 29% across Microsoft 365 Security and Identity, and including the newly reported Multicloud Security and Compliance solution areas brings the growth rate up to 37%. The XDR workload is excluded from the SMB opportunity model because SMBs’ lesser requirements remain more of a managed SOC play.

[Figure: Attached-Revenue Opportunity Mix]

  • Deployment opportunities grew by 69%. Partners said the increase in deployment opportunities was partly driven by more customers moving to Microsoft 365 Business Premium. There was also the addition of Compliance and Multicloud Security opportunities at the upper end of the SMB range.
  • Adoption services grew by 26%. Adoption-related work is more basic than the bigger advisory work for enterprise customers. For SMB customers, partners are much more prescriptive (e.g., establishing the 120 security settings they must follow) and provide more standardized training content and governance models.
  • Solutions development grew by 20%. Partners are creating a lot of new IP that they are either selling to customers or using to streamline their own deployment and managed services capabilities. They said there is little to no need for complicated custom integration work for most SMBs.
  • Managed services grew by 44%. Nearly every partner said managed services continue to be the focus for their organization in order to generate recurring revenues. There is also an increased demand from SMBs to outsource more IT security functions amid the realization that they are increasingly being targeted in cyberattacks and that they cannot maintain an adequately sized and skilled in-house team to manage the necessary solutions and undertake proper detection and response.

[Figure: Year-On-Year Growth (Expected revenue)]

SMB Customer Revenue Opportunity By Solution Area

| Solution area | Total revenue per user per month | Blended attach rate | Expected revenue per user per month | Expected YOY growth |
|---|---|---|---|---|
| Microsoft 365 Security | $37.25 | 33% | $12.20 | 28% |
| Multicloud Security | $4.35 | 10% | $0.45 | N/A |
| Compliance | $2.65 | 19% | $0.50 | N/A |
| Identity | $4.40 | 40% | $1.75 | 30% |
| XDR | N/A | N/A | N/A | N/A |
| Total | $48.65 | 31% | $14.90 | 37% |

SMB Customer Revenue Opportunity By Partner Service

| Partner service | Total revenue per user per month | Blended attach rate | Expected revenue per user per month | Expected YOY growth |
|---|---|---|---|---|
| Deployment | $8.95 | 49% | $4.40 | 69% |
| Adoption | $5.20 | 38% | $1.95 | 26% |
| Solutions development | $20.55 | 27% | $5.45 | 20% |
| Managed services | $13.95 | 22% | $3.10 | 44% |
| Total | $48.65 | 31% | $14.90 | 37% |

“We are seeing a lot more customers buy Business Premium for the added security.”

Microsoft 365 Security

Organizations are increasingly moving to Microsoft 365 Business Premium or buying the security add-ons in order to simplify their IT estate and reduce costs. Up-front deployment work typically takes from several days to as much as one month, depending on the size of the organization and features being turned on. Overall win rates are 75%, with workshops driving a lot of the opportunity. Adoption services for both IT and business users add 50% to the deployment costs. Partners are also doing solutions development and some integration work as part of the managed SOC opportunity. Partners have a wide range of managed services offerings, including the outsourcing of IT security as part of full IT outsourcing and managed SOC offerings.

[Figure: Microsoft 365 Security Opportunity]

“In the SMB and SMC market, organizations do not have the necessary in-house skills to manage and secure their cloud environments, and they never will.”

Multicloud Security

Multicloud Security has emerged as an opportunity at larger SMBs with 150 or more employees. In part, this is being driven by partners recommending their customers move their IT estates to Azure. Deployment work is the security piece of an Azure migration. There are no separate adoption costs because this is built into the deployment services. Similarly, there are no separate charges for solutions-development integration work, and management tools are priced into the managed services. Managed services consist of making sure the proper security settings are maintained and acting on Azure security alerts.

[Figure: Multicloud Security Opportunity]

“Regulations and compliance have been getting stronger in the US, which is good for us.”

Compliance

The SMB compliance opportunity for nonspecialized partners is almost solely in data security. To date, this compliance opportunity exists mostly at organizations with 150 employees or more. Partners said a compliance deployment typically takes a week or two and costs no more than $10,000. Adoption services around defining compliance policies are an additional 25% on top of deployment costs. There are no solutions-development offerings in terms of custom integration work, and any partner IP is included in deployment and managed services. Partners are beginning to sell some compliance managed services in areas like DLP monitoring, but attach rates are still low at 10%.

[Figure: Compliance Opportunity]

“The Zero Trust story works very well in SMB and SMC — much more so than with enterprise.”

Identity

As with enterprise organizations, Identity is foundational to all of the security work that partners do for SMBs. Deployment work consists of turning on capabilities in Microsoft 365 Business Premium or the standalone security add-ons. Additionally, partners are moving their customers to Microsoft solutions such as SSO and MFA from other vendors. Adoption services consist of basic training that uses templated content and is worth an additional 20% on top of the deployment costs. Partners that have created their own identity security tools for enterprises are also selling them to SMBs, but at a higher per-user fee. Identity managed services is included in full IT and user-support outsourcing contracts.

[Figure: Identity Opportunity]

Each year, Forrester asks representatives of partner organizations what new best practices and investments are fueling their success in terms of go-to-market and delivery. This year, much of the conversation was around increasing managed services capabilities, especially managed XDR. Specific examples of where partners are investing and developing best practices include:

  • Continuing to fight to hire, train, and retain the best people. Almost every partner talked about the difficulties they face hiring enough delivery resources with the requisite IT security experience and skills. Because of this, they are putting more effort into upskilling their existing employees. Several of the partners have well developed internship and recruitment programs with local universities. One partner described their internship program in which students work on their Tier 1 support desk and can then move into full-time employment. Another partner has a two-year training program where they train university graduates without any IT security skills.
  • Acquiring Microsoft Cloud Partner Program (MCPP) specializations. Partners all spoke very favorably of the new MCPP and are working hard to get staff the certifications necessary for each specialization. This can be more of a burden for smaller partners without deep bench resources, but it’s something they still feel is worth completing.
  • Investing more in sales and marketing. In addition to investing in delivery, partners are building up their sales and marketing capabilities at higher levels than in past years. This was especially true for MSSPs with managed XDR offerings because they believe there is a real land-grab opportunity. Partners also stressed the importance of aligning their marketing messaging to Microsoft’s messaging.
  • Leveraging Microsoft funding and programs. Partners are increasingly taking advantage of Microsoft programs to drive upgrades to the Microsoft 365 E5 and Business Premium SKUs and to drive consumption. Opinions were mixed about some of the funded workshops, but partners generally felt that they do result in new, large customer journeys. Every partner that has accessed ECIF funding was very happy with that program.
  • Expanding into more solution areas. Partners coming from a Microsoft 365 Security background are continuing to move into adjacent areas such as the data security parts of Compliance and the Azure security part of Multicloud Security. Some of the specialized compliance partners are also starting to broaden into other parts of Compliance and Microsoft 365 Security. This expansion helps protect them from other partners stealing away their customers.
  • Going all in on Microsoft. Many of the partners are 100% Microsoft shops, although some do work with other vendors in complementary areas such as firewall devices. Partners felt focusing exclusively on Microsoft gave them the necessary focus to be experts in the breadth of portfolio and to be seen by customers as an expert. Partners also expressed that being seen as 100% aligned with Microsoft is beneficial for co-sell and comarketing initiatives.
  • Building out managed SOC and managed XDR offerings. As discussed throughout this study, partners are very excited about the managed services opportunities. Many are making substantial investments to reposition their companies as MSSPs. These can be quite sizable investments, so this is not the right answer for every partner.
  • Investing in standardization and automation. Partners stressed the importance of creating more standardized methodologies, processes, and tools. This is especially important for partners that service SMBs or that are moving into this segment. Otherwise, it is not possible to be profitable. An oft-cited example of a process being automated was new-customer onboarding.

Conclusion

FY23 saw a significant increase in partner opportunities for enterprise customers and the emergence of full-blown security and compliance opportunities in the SMB space. This growth was driven by greater customer demand because of the increasing number and complexity of cyberattacks and by the added opportunities afforded when a customer moves to the Microsoft 365 E5 and Business Premium SKUs.

Partners are continuing to expand beyond their comfort zones of Microsoft 365 Security into Multicloud Security and Compliance. The managed XDR opportunity really began to blossom this year, and partners that previously had managed SOC offerings have benefited greatly from expanding into this area. Partners also saw more and larger opportunities for competitive takeouts as their customers look to save money.

Partners expect their success to accelerate in FY24 because of the market trends discussed earlier, the increase in Microsoft license sales that result in follow-up work, and customers’ increasing desire for outsourcing IT and IT security. A partner needs to grow at 20% just to keep up with Microsoft’s license growth. Achieving this success requires partners to make the necessary investments in people, methodologies, and solutions to be successful, and this increasingly means achieving the new MCPP specializations.

Summary Of The Microsoft Security Partner Opportunity (Enterprise)

| Solution area | Total revenue per user per month | Expected revenue per user per month | Expected YOY growth |
|---|---|---|---|
| Microsoft 365 Security | $41.55 | $13.10 | 7% |
| Multicloud Security | $23.05 | $8.15 | 9% |
| Compliance | $19.20 | $5.80 | 20% |
| Identity | $21.05 | $2.25 | 6% |
| XDR | $11.25 | $1.75 | N/A |
| Total | $116.10 | $41.05 | 14% |

Summary Of The Microsoft Security Partner Opportunity (SMB)

| Solution area | Total revenue per user per month | Expected revenue per user per month | Expected YOY growth |
|---|---|---|---|
| Microsoft 365 Security | $37.25 | $12.20 | 28% |
| Multicloud Security | $4.35 | $0.45 | N/A |
| Compliance | $2.65 | $0.50 | N/A |
| Identity | $4.40 | $1.75 | 30% |
| Total | $48.65 | $14.90 | 37% |

Appendixes

Appendix A: Endnotes

i Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

ii Source: “The Partner Opportunity for Windows 365,” a commissioned study conducted by Forrester Consulting on behalf of Microsoft, April 2023.

iii Source: “The Partner Opportunity For Microsoft Modern Work,” a commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2023.

iv An attach rate is the likelihood of a given service/solution being included in what a customer purchases. Attach rates are applied to workloads (e.g., Microsoft 365 Security, Multicloud Security, Compliance, Identity, and XDR) and to services (e.g., deployment, advisory, business solutions, and managed services). In other words, they’re applied to the typical mix of solutions and services a customer buys. This will vary based on how a partner has entered into security. For example, a compliance partner will attach a lot more compliance and an MSSP will attach a lot more Microsoft 365. Use this calculation: total opportunity × attach rate = expected opportunity.

v Source: Forrester Analytics Global Business Technographics® Security Survey, 2021.

vi Ibid.

vii Source: Forrester’s Software 1 Survey, 2022.

viii Source: Forrester Analytics Global Business Technographics® Security Survey, 2021.

ix Ibid.

x Ibid.

xi Source: “The Total Economic Impact™ Of Microsoft Security,” a commissioned study conducted by Forrester Consulting on behalf of Microsoft, February 2023.
