Application + Microsoft Partner verification required
The Microsoft 365 management platform Australian MSPs actually want.
Manage365 replaces the stack of scripts, spreadsheets, and half-finished portals MSPs stitch together. A versioned config library you push to every tenant, auto-response playbooks, Copilot governance, Essential Eight scoring, NDB workflow, PSA + RMM integration and white-label client portals — purpose-built for Australian Microsoft Partner MSPs.
Not self-service. No free tier. Every tenant is a verified Microsoft partner.
- Config kinds: 30 (push · drift · rollback)
- Standards apply: <60s (vs. 0–3h in CIPP)
- Playbook actions: 10 (auto-response primitives)
- GDAP renewal: Auto (no 730-day cliff)
Why Manage365
Built for Australian MSPs who've outgrown the free tier.
Manage365 is the platform we wished existed when we were stitching together CIPP forks, custom scripts, and PowerApps to manage our own clients. So we built it. Properly.
MSP Library: define it once, push to every tenant
A versioned catalogue of M365 configs you author across Identity, Intune, Exchange, SharePoint, Teams and Defender. 30 config kinds with push, drift detection and rollback. v1, v2, v3 with auto-upgrade per assignment. Migration plans when non-auto-upgrade tenants need approval.
Fast where CIPP is slow
Node.js + NestJS with Graph batching. Standards that take hours in PowerShell-based platforms apply in under 60 seconds. No Azure cold starts. No 90-day token cliff. No "check back later".
Australian compliance first
Essential Eight maturity scoring, APRA CPS 234 dashboards, Notifiable Data Breaches workflow with 30-day and 72-hour deadline alerting — baked in, not bolted on.
Auto-response playbooks
Trigger on alert: disable user, revoke sessions, force password reset, block country, convert mailbox, notify, open PSA ticket. Ten primitives you compose into rules. Full execution history with partial-success reporting per action.
Feature map
Every surface an MSP touches day-to-day.
CIPP-complete plus the premium additions you'd normally need three separate vendors for.
Identity & lifecycle
- Full M365 user CRUD across every tenant
- Bulk CSV user creation + offboarding (50 rows at once)
- Just-in-time admin grants via Graph (auto-revoke)
- Compromise remediation playbook (one click)
- Offboarding wizard + shared-mailbox conversion
Security audits — cross-tenant
- Admin roles, MFA coverage, app credentials expiry
- Guest sprawl, mail forwarding, inbox rules audit
- OAuth consent phishing detection
- Legacy auth detection + security baseline check
- Daily automated sweep → deduplicated alerts
Exchange & mail flow
- Message trace across tenants (send, receive, delivery)
- DKIM rotate + signing-key status per domain
- Tenant Allow/Block list edits from one pane
- Quarantine release / delete (EXO PowerShell)
- Transport rule authoring + CRUD
MSP Library
- 30 config kinds: Identity, Intune, Exchange, SharePoint, Teams, Defender
- Versioned (v1, v2, v3) with auto-upgrade toggle per assignment
- Migration plans when non-auto-upgrade tenants need approval
- Per-assignment override editor — JSON merged on top of standard defaults
- Dry-run preview shows the diff before pushing — never push blind
- Two starter packs: 21 CA templates + 11 Intune/Exchange/Defender baselines
Compliance & audit
- Essential Eight maturity scoring (ML 0–3)
- APRA CPS 234 + CIS M365 + NDB workflow
- SIEM webhook export (Splunk, Sentinel, Cribl)
- Configurable audit retention + daily pruning
- SHA-256 chain-hashed audit log
Endpoint & device management
- 11 Intune device actions: wipe, retire, sync, rotate LAPS + BitLocker, lost mode
- Intune policy authoring (config + compliance CRUD)
- App catalog (Win32 / WinGet / Office / mobile)
- Autopilot device lifecycle + enrolment status
- Cross-tenant device compliance rollup
Copilot governance
- Licence ROI: idle seats + wasted spend per tenant
- Oversharing scan before you flip Copilot on
- Prompt-audit enablement per tenant
- Sensitivity-label coverage before indexing
- Purview alignment for every Copilot rollout
Defender XDR — portfolio view
- Cross-tenant incidents in one pane
- Cross-tenant alerts + recommendations
- Severity + tenant filters
- Drill through to the Defender portal with one click
- Feeds PSA ticket creation + playbooks
GDAP & tenant management
- GDAP auto-renewal — relationships within 90 days of expiry
- Partner Center pre-flight validator
- Partner tenant (your own M365) managed alongside customers — always free, no GDAP needed
- Read-only tenant mode for change-freeze windows + handover audits
- Hard-delete with audit-surviving confirmation
Business & white-label
- Per-tenant profitability + churn risk scoring
- Executive dashboards + TV wallboards (6 views)
- White-label client portal on custom domain
- MSP billing + invoicing (Stripe + EFT + GST)
- Branded PDF reports for QBR + compliance evidence
Response & alerts
- Auto-response playbooks: 10 primitives, full execution history
- Alerts → Teams / Slack / PSA tickets / email
- Deduplication keys so nothing fires twice
- Severity escalation chains (L1 → L2 → L3)
- HIBP breach monitoring per tenant
Docs & integrations
- Hudu push — assets, configs, passwords auto-sync
- IT Glue push — same, for teams still on IT Glue
- HaloPSA + NinjaOne bidirectional sync
- Custom webhook destinations
- SIEM forward (Splunk, Sentinel, Cribl) for audit log
MSP Library
Define it once, push to every tenant, watch for drift.
Stop rebuilding the same Conditional Access policy, the same Intune compliance rule, the same transport rule in tenant after tenant. The MSP Library is a versioned, MSP-authored catalogue you assign, push, and roll back — with per-assignment overrides when reality calls for them.
30 config kinds end-to-end
Identity, Intune, Exchange, SharePoint, Teams and Defender — push, drift and rollback on every kind.
Version control, properly
v1, v2, v3. Auto-upgrade toggle per assignment. Non-auto-upgrade tenants get a migration plan so your techs can review before anything moves.
Per-assignment override editor
JSON editor merges your overrides on top of the standard's defaults at push time. Different break-glass UPN here, different watchlist domains there — one standard, every edge case.
Dry-run preview before every push
See the field-by-field diff against the live tenant before you push. Read-only, repeatable, surfaces ‘already in sync’ / ‘will create’ / ‘will update’ / ‘cannot reach tenant’.
Two starter packs in one click
21 Conditional Access templates plus 11 curated Intune compliance baselines, Exchange transport rules, anti-phish, Safe Links/Attachments and Defender ASR (audit). Idempotent — re-running skips what you already have.
Assignment history
CA-baseline-v3 · 47 tenants
- 41 tenants on v3 — auto-upgrade on
- 4 tenants pending migration plan approval
- 2 tenants drifted — one-click reconcile
- 0 tenants out of scope
Config kinds supported
- Conditional Access: 21 built-in templates
- Intune policies: Config + compliance
- Defender: Safe Links / Attachments
- Exchange: Transport + spam
- SharePoint: Tenant + site
- Teams: Meeting + messaging
Auto-response playbooks
Alerts that actually respond.
SaaS Alerts told everyone auto-response was the future. They were right. Manage365 now ships the same idea, wired into the rest of the platform. Trigger on any alert, compose actions from 10 primitives, keep a full execution history with partial-success reporting per action.
- Trigger on any alert — impossible travel, new admin grant, mailbox rule creation, OAuth consent, MFA disable, Defender incident.
- Execution history per run — which actions succeeded, which partially succeeded, which failed and why.
- Scoped to RBAC — playbook authorship requires the STANDARDS_PUBLISH permission. Not every L1 tech can disable every user in every tenant.
10 playbook primitives
- Disable user
- Revoke sessions
- Force password reset
- Block country
- Convert mailbox to shared
- Notify Teams / Slack
- Open PSA ticket
- Remove inbox rules
- Revoke OAuth grants
- Quarantine device
Compose any combination into a rule. Chain on success or on partial success. Fall back to notify-only on failure.
Copilot governance
Tell your clients before they ask.
Copilot is the easiest line item a client will ever question. Prove the ROI, clean up the oversharing, turn on the audit trail, and check sensitivity-label coverage — before you index a single SharePoint site.
Licence ROI
Idle seats, wasted spend, per-tenant rollup. Reclaim what nobody's using.
Oversharing scan
Find the files anyone in the org can read before Copilot surfaces them in a prompt.
Prompt-audit enablement
One toggle per tenant to turn on prompt + response logging for compliance.
Sensitivity-label coverage
Where labels are missing, where they're inherited, where they break Copilot answers.
Defender XDR — portfolio view
Cross-tenant incidents in one pane
Every open Defender incident across every tenant you manage, plus alerts and recommendations, filterable by severity and tenant. No more rotating tabs between 40 Defender portals.
- Severity + tenant filters
- Click through to the Defender portal in context
- Auto-file PSA tickets on high-severity incidents
- Feeds playbook triggers end-to-end
Read-only tenant mode
Change-freeze, safely
Flip a tenant read-only for change-freeze windows, handover audits, or the first week of a new onboarding. Writes are blocked at the service layer — alerts and scans keep running.
Onboarding wizard
Single-scroll setup, fresh account to ready.
You sign up, you scroll, you're done. GDAP linked, Partner Center validated, library imported, PSA connected, first tenant scanned. No 14-step Notion checklist. No "come back tomorrow".
1. Partner Center pre-flight: We validate your MPN ID, GDAP templates, and admin consent before you assign a single tenant.
2. Link GDAP + auto-renewal: Bulk accept outstanding GDAP invites. Auto-renewal keeps relationships alive within 90 days of expiry.
3. Import the starter library: 21 Conditional Access templates, Intune baselines, Defender policies — ready to assign.
4. Connect PSA + RMM + docs: HaloPSA, NinjaOne, Hudu, IT Glue — OAuth once, mapped per tenant.
5. Your Partner tenant is free: Add your own M365 tenant alongside customers. Never billable, no GDAP needed.
6. First scan runs: Essential Eight + NDB + CIS baseline completes before you close the tab.
Compliance, taken seriously
Australian frameworks, automated.
Stop exporting CSVs from five different admin centres and pasting screenshots into Word. Manage365 scans every Monday and gives you evidence your auditor will accept.
ACSC Essential Eight
Maturity Level scoring (0–3) across all eight strategies, mapped to M365 controls via Graph. Per-strategy remediation guidance.
APRA CPS 234
Full mapping of the standard to MFA, Conditional Access, DLP, Defender alerts, audit log availability. Auditor-ready evidence ZIP in one click.
Privacy Act 1988 Part IIIC (NDB)
Create suspected breach → 30-day assessment clock → 72-hour notification benchmark → record OAIC notification. Deadline alerts at T-7d, T-24h, T-6h.
CIS M365 Foundations
Level 1 and Level 2 baseline scoring. Tracks drift between assessments.
One-click evidence bundle
compliance-evidence-2026-04.zip
- Latest scan per framework (E8 / APRA / CIS)
- 90-day audit log with SHA-256 chain
- Conditional Access policy snapshot
- Tenant metadata + MSP attestation
- Scan evidence JSONs + remediation notes
Built-in frameworks
- Essential Eight: ACSC
- APRA CPS 234: Financial services
- CIS M365: Foundations L1 + L2
- NDB Scheme: Privacy Act 1988
Pricing
Per tenant, AUD. Volume discount rewards growth.
No free tier. Application + Microsoft Partner verification required. GST-exclusive for Australian MSPs.
Professional
Small MSPs (10–50 tenants)
Minimum 10 tenants
- All CIPP features
- Standards apply <60s
- E8 / APRA / CIS / NDB scoring
- 1 PSA integration
- Basic Copilot readiness
Most popular
Business
Mid-size MSPs (51–200 tenants)
Minimum 51 tenants
- Everything in Professional
- Unlimited custom standards
- Full compliance + remediation
- All PSA + 1 RMM integration
- Basic white-label
- Teams / Slack / webhook alerts
Enterprise
Large MSPs (201–500 tenants)
Minimum 201 tenants
- Everything in Business
- Full white-label + custom domain
- All PSA + all RMM integrations
- Churn prediction + profitability
- SIEM export + custom webhooks
- Priority support + CSM
Enterprise Plus
MSPs with 500+ tenants
Minimum 500+ tenants
- All Enterprise features
- Volume discount pricing
- Dedicated CSM
- Custom SLA
- White-glove onboarding
Against the alternatives
CIPP is great. Manage365 is what comes after it.
CIPP opened the door. We respect it. Manage365 takes the same API-first philosophy and builds a commercial-grade platform on top — no Azure cold starts, no 90-day token cliff, proper RBAC, a versioned config library, branded PDF reports, and AU compliance frameworks that ship on day one.
| Area | CIPP | Manage365 |
|---|---|---|
| Backend | PowerShell / Azure Functions | Node.js / NestJS |
| Cold starts | Yes, Azure Functions | None — always-on |
| Token model | 90-day refresh cliff | No 90-day cliff |
| Standards apply | 0–3 hours | <60 seconds |
| Config library | Flat standards list | Versioned v1/v2/v3 + migration plans |
| Config kinds end-to-end | Partial | 30 kinds, push + drift + rollback |
| Auto-response playbooks | None | 10 primitives + execution history |
| GDAP renewal | Manual before 730-day expiry | Auto-renew within 90 days |
| Partner Center validator | No | Pre-flight checks on signup |
| Partner tenant | Billable like any other | Always free, no GDAP |
| Multi-MSP SaaS | No (single deploy) | Yes, Postgres RLS |
| White-label | None | Full custom domain + colours |
| Branded PDF reports | No | QBR + compliance evidence |
| Compliance | Basic BPA | E8 + APRA + CIS + NDB auto |
| Copilot governance | None | ROI + oversharing + label coverage |
| Defender XDR portfolio | None | Cross-tenant incidents + alerts |
| PSA / RMM | Minimal | HaloPSA + NinjaOne + more |
| Docs platforms | None | Hudu + IT Glue push |
| RBAC | Admin only | L1/L2/L3 + STANDARDS_PUBLISH + client portal |
| Read-only tenant mode | No | Yes — change-freeze + handover |
| Hard-delete | Destructive | Audit-surviving confirmation |
| Sales model | Self-service | Application + MPN verify |
vs Microsoft Lighthouse
Lighthouse shows you a subset of tenants. Manage365 shows you every tenant you manage, with bulk ops, PSA integration, white-label, and audit logging that forwards to your SIEM.
| Area | Lighthouse | Manage365 |
|---|---|---|
| Tenants per view | Limited | Every tenant you manage |
| Bulk ops | Restricted | Full CRUD, 50-row CSV |
| PSA / RMM | None | HaloPSA + NinjaOne + more |
| White-label | Microsoft-branded only | Your brand + domain |
| AU compliance | None | E8 + APRA + NDB + CIS built-in |
| Audit log | Minimal | SHA-256 chain + SIEM forward |
vs SaaS Alerts
SaaS Alerts popularised auto-response. We ship it now too — plus the config library, compliance scoring, Intune device actions, GDAP renewal and client portal you'd otherwise buy separately.
| Area | SaaS Alerts | Manage365 |
|---|---|---|
| Auto-response | Yes — the category leader | Yes — 10 primitives + partial-success |
| M365 config push | No | Versioned library, 30 kinds |
| Compliance scoring | No | E8 + APRA + CIS + NDB |
| Intune device actions | No | 11 actions including LAPS + BitLocker |
| GDAP renewal | No | Auto within 90 days |
| Client-facing portal | No | White-label on your domain |
Ready to see it?
We approve MSP applications within two business days after Microsoft Partner Network verification. Come onboarded, leave ready to bill more with less work.