Features (MSP)
What are the features and what do they mean for you?
For Managed Service Providers: How PAA helps you run and grow your architecture practice
This guide explains PAA’s MSP-specific capabilities from a partner perspective — what you can do with each feature, how it helps you serve clients more efficiently, and how to get the most out of the platform.
1. The MSP Tier — What It Is
The MSP tier is a management-only subscription designed for managed service providers, VARs, and cloud consultancies who manage Azure and Microsoft 365 environments for multiple clients.
Key concept: The MSP tier is a parent account that provisions and manages child tenants. Each child tenant is a fully independent PAA workspace for a single client, with its own users, data, assessments, and subscription.
As an MSP, you:
- Pay a flat EUR 200/month platform fee
- Provision up to 100 child tenants for your clients
- Get a 20% discount on every child tenant subscription you create
- Have a unified dashboard showing all clients, their billing, usage, and security posture
Your clients:
- Each have their own isolated PAA workspace
- Choose their subscription tier (Team, Business, or Enterprise)
- Can access all the features their tier includes
- Never see other clients’ data
2. Child Tenant Management
Creating Client Workspaces
Provision a new client workspace in minutes from your MSP Dashboard:
| Field | What It Does |
|---|---|
| Client Name | Internal identifier for the tenant |
| Display Name | The name shown to the client in the UI |
| Admin Email | Email address for the client’s first admin user |
| Subscription Plan | Team, Business, or Enterprise (minimum Team) |
| Billing Cycle | Monthly or annual (annual saves ~8%) |
| Description | Internal notes about this client |
What happens on creation:
- A new isolated PAA workspace is created for the client
- An admin user is created with the specified email
- The subscription is activated immediately
- The client receives an invitation email with onboarding instructions
Managing Existing Clients
From the child tenant list, you can:
| Action | How |
|---|---|
| Search clients | Filter by name across all your tenants |
| Filter by status | Active, Suspended, Provisioning |
| Filter by plan | Team, Business, Enterprise |
| Sort by name, revenue, or date | Click column headers |
| View client details | Click any row to open the detail panel |
| Change subscription plan | Upgrade or downgrade from the detail panel |
| Remove a client | Cancel the subscription at the end of the billing period |
Upgrading & Downgrading Client Plans
Change a client’s plan directly from your dashboard without involving the client:
- Immediate upgrade: Applied right away (useful when a client needs more capacity now)
- End-of-cycle change: Takes effect at the next billing date (standard process)
Plan changes are validated against the MSP’s tier rules — you can’t assign a plan that isn’t allowed under your MSP agreement.
Client Status Lifecycle
| Status | Meaning |
|---|---|
| Provisioning | Tenant is being set up (usually seconds) |
| Active | Client is fully operational |
| Suspended | Client has a payment issue; access is restricted |
| Deprovisioning | Cancellation in progress; data is being retained |
3. Scoped Admin Access
What It Is
As your MSP practice grows, you’ll have team members who manage specific clients — but shouldn’t see other clients’ data. PAA’s scoped admin access (the MspAdmin role) lets you control exactly which child tenants each team member can access.
How It Works
When you add a team member to your MSP tenant, you can configure their access scope:
| Access Level | What They See |
|---|---|
Full Access (ManagesAllChildTenants = true) | All child tenants, all billing, all usage data |
Scoped Access (ManagesAllChildTenants = false) | Only the specific child tenants assigned to them |
For scoped users, you assign a list of Managed Child Tenant IDs. Those users will:
- Only see their assigned clients in the child tenant list
- Only see billing data for those clients
- Only see usage analytics for those clients
- Only see Secure Score data for those clients
Why This Matters for MSPs
| Scenario | How Scoped Access Helps |
|---|---|
| Dedicated account managers | Each AM only sees their own client portfolio |
| Junior staff | Restrict sensitive billing data to senior team members |
| External contractors | Grant time-limited, scoped access to specific clients |
| Compliance requirements | Prevent staff from accessing data for clients in other regions |
4. Aggregated Billing & Invoicing
What You Can See
The MSP billing dashboard gives you a complete financial picture of your practice:
Revenue Overview
| Metric | What It Shows |
|---|---|
| Total MRR | Total monthly recurring revenue across all active child tenants |
| Active Client Count | Number of tenants currently on active subscriptions |
| Revenue by Plan | MRR breakdown: how much comes from Team vs. Business vs. Enterprise clients |
Revenue by Plan Breakdown
For each subscription tier in your portfolio:
- Number of clients on that plan
- Monthly revenue from that segment
- Annualized revenue projection
Invoice Status Summary
| Status | Meaning |
|---|---|
| Paid | Invoices collected successfully |
| Pending | Invoices awaiting collection |
| Overdue | Invoices that have missed their due date |
Payment Alerts
When a client has a payment issue (past due or suspended), you’ll see an alert with:
- Client name
- Alert type (PastDue or Suspended)
- Amount outstanding
- Days overdue
This lets you proactively reach out to at-risk clients before they lose service.
Per-Client Invoice History
For any individual client, view:
- Full invoice history with dates and amounts
- Invoice status (Paid, Pending, Overdue)
- Payment history for client billing conversations
- Paginated list with newest invoices first
5. Usage Analytics Across All Clients
The MSP Usage Dashboard
See how your clients are consuming PAA across all their workspaces in one view:
Aggregate Totals
| Metric | What It Counts |
|---|---|
| Total Users | Sum of users across all active child tenants |
| Total Sessions | Total AI sessions run this month across all clients |
| Total AI Tokens | Total token consumption across all clients |
| Total Assessments | Total assessments completed across all clients |
Per-Client Usage Breakdown
For each child tenant:
- Users, sessions, tokens, and assessments this month
- Current plan and token limit
- Usage percentage — how close the client is to their plan limit
Clients are sorted by usage percentage so you can instantly see who’s approaching their limit.
Usage Alerts
When a client reaches 80% of their plan limit, PAA flags it as a usage alert with:
- Client name
- Which limit is being approached
- Usage percentage
- Recommended action (upgrade vs. continue)
Why This Matters
| Insight | Action You Can Take |
|---|---|
| Client at 95% of token limit | Proactively offer an upgrade before they hit the cap |
| Client at 10% of token limit | Consider whether the plan is right-sized |
| High aggregate usage growth | Opportunity to discuss expanding the engagement |
6. Secure Score Portfolio
What It Is
The Secure Score Portfolio gives you a single view of Microsoft Defender Secure Score across all your clients — no need to log into each client’s M365 tenant separately.
What You See
Portfolio-Level Summary
| Metric | What It Shows |
|---|---|
| Portfolio Average | Average Secure Score percentage across all clients with data |
| Total Children | Total number of managed child tenants |
| Children with Data | How many have synced their M365 Graph data |
| Lowest Scoring Tenant | The client most in need of security attention |
Per-Client Breakdown
For each client tenant:
- Current Secure Score (points and percentage)
- Maximum possible score
- Number of controls implemented vs. not implemented
- When data was last collected
Clients are shown sorted by score so you can immediately identify who needs the most help.
Data Collection
Scores are pulled from each client’s Microsoft Graph data snapshot. Clients with no snapshot data are shown with HasData = false so you can identify gaps in coverage and prompt those clients to configure their M365 integration.
Why This Matters for MSPs
| Use Case | How It Helps |
|---|---|
| Client QBRs | Walk into every quarterly review with a concrete security number |
| Service differentiation | ”We track your Secure Score and alert you when it drops” |
| Upsell opportunities | Clients with low scores are candidates for deeper security engagements |
| SLA reporting | Demonstrate security improvement over time |
| Portfolio risk management | Identify which client represents your biggest security risk |
7. Client-Facing Capabilities
When your clients log in to their PAA workspace, they have access to the full PAA platform based on their subscription tier. As their MSP, you benefit from the work done in each client’s workspace.
What Clients Can Do in Their Workspace
Everything in the standard PAA feature set applies to each client workspace:
| Feature Set | Available To |
|---|---|
| AI-powered architecture assessments | Team, Business, Enterprise |
| Azure compliance & scanning | Business, Enterprise |
| Identity & security scanning | Business, Enterprise |
| Zero Trust assessment | Business, Enterprise |
| M365 Security checks (275 automated) | Business, Enterprise |
| Visual diagram editor | Team, Business, Enterprise |
| Change Monitor (drift detection) | Business, Enterprise |
| Portfolio dashboard | All tiers |
| Report generation (PDF, PowerPoint) | All tiers |
| Jira/ServiceNow integration | Business, Enterprise |
| GitHub document sync | Team, Business, Enterprise |
You Can Also Work In Their Workspace
If your client grants you access to their tenant (e.g., by adding your team members), you can:
- Run assessments on their behalf
- Generate reports for them
- Review findings together
- Manage their integrations
8. Report Branding
What You Can Configure
Each client workspace supports custom branding for generated reports:
| Branding Element | What It Does |
|---|---|
| Company Logo | Your client’s logo (or your own for white-label reports) |
| Theme | Color scheme applied to generated documents |
| Company Display Name | Name shown in report headers and footers |
| Custom Footer Text | Legal disclaimers, contact info, or your MSP signature |
How It Works
Branding is configured per tenant from the tenant settings. When a PDF report or PowerPoint deck is generated, it uses the configured branding so the output looks like it came from your practice — not a generic tool.
Use Cases
| Scenario | How Branding Helps |
|---|---|
| Client deliverables | Reports carry the client’s own branding |
| White-label practice | Apply your MSP’s branding to all client reports |
| Co-branded reports | Combine client logo with your MSP footer |
| Compliance documentation | Professional branded documents for audit submissions |
White-label domain and email (custom domain + sender address) is on the roadmap. Today, branding is available on report PDFs and PowerPoint exports.
9. API Access for Automation
What’s Available
MSP tenants have API access to automate your practice workflows. Common use cases include:
| Use Case | API Endpoint |
|---|---|
| Provision new client | POST /api/msp/children |
| List all clients | GET /api/msp/children |
| Get client details | GET /api/msp/children/{id} |
| Change client plan | PUT /api/msp/children/{id}/subscription |
| Get billing overview | GET /api/msp/billing/overview |
| Get client invoices | GET /api/msp/children/{id}/invoices |
| Get usage overview | GET /api/msp/usage |
| Get Secure Score portfolio | GET /api/msp/children/secure-scores |
Example: Automated Client Onboarding
When a new client signs a contract, your CRM or ticketing system can call the PAA API to:
- Create a new child tenant
- Set the subscription plan and billing cycle
- Create the admin user
- Return the client’s workspace URL
No manual steps required.
Rate Limits
| Endpoint Category | Requests/Minute |
|---|---|
| Create child tenant | 10 |
| List/get children | 60–120 |
| Billing endpoints | 30 |
| Usage endpoints | 30 |
| Secure Score | 30 |
See the MSP API Guide for complete endpoint documentation, authentication, and code examples.
10. Pricing & Business Model
MSP Tier Pricing
| Component | Price |
|---|---|
| Platform fee | EUR 200/month |
| Child tenants | Up to 100 included |
| Discount on child subscriptions | 20% off list price |
| Your billing | You pay PAA for the platform fee; child tenant invoicing is separate |
Child Tenant Pricing (with MSP Discount)
| Child Plan | List Price | With 20% MSP Discount |
|---|---|---|
| Team | EUR 499/month | EUR 399/month |
| Business | EUR 1,299/month | EUR 1,039/month |
| Enterprise | EUR 2,499/month | EUR 1,999/month |
Business Model Options
Option A: Pass-through billing
- You invoice clients at list price or your own rates
- You pay PAA the discounted rate
- You keep the margin
Option B: Bundled service
- PAA is included as part of a managed architecture service
- You absorb the cost and build it into your service fee
- Use the platform as a differentiator, not a line item
Option C: Co-sell
- Clients pay PAA directly for their subscription
- You earn the 20% margin credit on each client you manage
- Useful for larger clients who prefer direct vendor relationships
Revenue Example
| Portfolio Size | Plan Mix | Your MRR to PAA | Client MRR at List | Your Margin |
|---|---|---|---|---|
| 10 clients | 5 Team + 5 Business | 200 + 10×(avg 719) = EUR 7,390 | EUR 8,990 | EUR 1,400 |
| 25 clients | 15 Business + 10 Enterprise | 200 + 25×(avg 1,319) = EUR 33,175 | EUR 44,485 | EUR 11,110 |
| 50 clients | 20 Business + 30 Enterprise | 200 + 50×(avg 1,599) = EUR 80,150 | EUR 100,950 | EUR 20,600 |
Figures are illustrative and exclude annual pricing discounts.
11. What Your Clients Get
Each child tenant you create gives your client access to the full PAA platform at their chosen tier. This section summarizes what’s available at each tier so you can recommend the right plan.
Team (EUR 399/month with MSP discount)
Best for: Small clients (up to 5 users) doing periodic architecture reviews.
- 15 AI agents including Cloud Architect, Security, Cost, Reliability, Networking, Disaster Recovery
- 50 AI sessions per month
- Visual diagram editor with AI validation (Design Critic)
- Findings management and assignment
- GitHub document sync
- Webhook events
- Email notifications
- 90-day audit log retention
- 3 Azure subscriptions
- 500K AI tokens/month
Business (EUR 1,039/month with MSP discount)
Best for: Mid-size clients (up to 25 users) with active Azure environments and compliance requirements.
Everything in Team, plus:
- All 20 AI agents (adds Kubernetes, Data Platform, DevOps, FinOps)
- 500 sessions per month
- Azure environment scanning (encryption, tags, ARM limits, storage security)
- Identity & security scanning
- Zero Trust assessment
- M365 Security (275 automated checks)
- Drift detection (Change Monitor)
- Jira & ServiceNow integration
- Slack & Teams integration
- API access
- Report branding
- Unlimited Azure subscriptions
- 5M AI tokens/month
Enterprise (EUR 1,999/month with MSP discount)
Best for: Larger clients with unlimited users, compliance reporting needs, and sovereignty requirements.
Everything in Business, plus:
- Unlimited users
- Unlimited sessions
- Compliance reporting (ISO 27001, NIS2, SOC 2, GDPR)
- Sovereignty dashboard and migration planning
- Priority support
- 100GB storage
- 30M AI tokens/month
- 730-day audit log retention
12. MSP Dashboard Walkthrough
When you log in to PAA with an MSP-tier account and navigate to the MSP Dashboard, here is what you see:
Overview Tab
The main landing view showing:
- Summary cards: total MRR, active clients, total users, total sessions
- Child tenant list with status badges, plan labels, and quick-action buttons
- Search and filter controls at the top of the list
Client Detail Panel
Click any client row to open a side panel with:
- Client info (name, status, creation date)
- Current plan and billing cycle
- Usage summary for the current month
- Billing status and next invoice date
- Quick actions: Change Plan, View Invoices, Remove Client
Billing Tab
Dedicated billing view with:
- Total MRR card
- Revenue breakdown by subscription tier (chart and table)
- Invoice status summary (Paid / Pending / Overdue counts)
- Payment alerts for at-risk clients
Usage Tab
Platform usage view with:
- Aggregate totals (users, sessions, tokens, assessments)
- Per-client usage table sorted by usage percentage
- Clients approaching their limit highlighted in amber/red
- Date range selector (defaults to current month)
Security Tab (Secure Score Portfolio)
Security overview showing:
- Portfolio average Secure Score
- Which client has the lowest score (flagged for attention)
- Per-client score table with current score, max score, percentage, and last data collection time
- Clients without M365 data configured are shown separately
13. Coming Soon for MSPs
On the MSP Roadmap
| Feature | What It Will Do | When |
|---|---|---|
| White-Label Domain | Custom domain (e.g., portal.yourcompany.com) instead of paa-platform.com | Roadmap |
| Custom Email Sender | Invitation and notification emails from your domain | Roadmap |
| MSP-Level Reporting | Generate portfolio reports across all clients for management reporting | Roadmap |
| Client Health Scorecards | Automated weekly/monthly scorecards emailed directly to clients | Roadmap |
| Sub-MSP Support | Allow your own sub-partners to manage a subset of clients | Roadmap |
| Bulk Operations | Apply changes (e.g., plan upgrades) to multiple clients at once | Roadmap |
| Client Onboarding Workflows | Guided onboarding checklists for new clients | Roadmap |
Request a Feature
Your input shapes the MSP roadmap. Contact us at:
- MSP Partner Portal: Contact your partner success manager
- Email: [email protected]
- In-app feedback: Use the feedback button in the MSP Dashboard
Getting Started as an MSP
Step 1: Sign Up for the MSP Tier
Contact the PAA team to provision your MSP account. You’ll receive:
- Your MSP tenant credentials
- Access to the MSP Dashboard
- Your partner onboarding guide
Step 2: Explore the Dashboard
Familiarize yourself with the MSP Dashboard before onboarding clients. Run a test child tenant creation to see the full provisioning flow.
Step 3: Provision Your First Client
Use the “Create Child Tenant” button to set up your first client workspace. Test the full client experience by logging in as the client admin.
Step 4: Configure Billing
Review the billing overview to understand how your MSP invoice is calculated. Set up any billing integrations you need for pass-through invoicing.
Step 5: Assign Team Members
Add your team members to the MSP tenant and configure scoped access where appropriate.
Step 6: Start Delivering Value
Use PAA in client engagements:
- Run assessments during onboarding
- Set up drift detection to catch unauthorized changes
- Use M365 security checks to demonstrate security improvements
- Generate branded PDF reports for quarterly business reviews
Last Updated: 2026-03-01
