The Quarterly Business Review is the most underused governance mechanism in managed services. Most Australian businesses get a 45-minute call, a slide deck with green traffic lights, a licence count, and an upsell item that the account manager has been building to since January. That's not a QBR. That's account management dressed as strategy. Here's what to demand instead.
Section 1: Incident and service performance review
Start with the numbers. Not just a ticket count, but structured performance data that gives a real picture of tenant health over the quarter.
- Total tickets by tier (L1/L2/L3), with trend vs prior quarter
- Mean time to resolution by tier, with SLA performance
- Number of incidents that escalated beyond agreed resolution scope, and why
- Recurring issues: same user, same problem, three tickets in the quarter is a systemic issue, not a ticket
- Any security alerts, identity anomalies or compliance flags raised by Microsoft Defender or Purview
If your MSP can't produce this table cleanly from their tooling, that's a signal about how they're operating your environment.
Section 2: Licence and spend efficiency
Licence management is a Tier 2 responsibility most MSPs leave to auto-renewal. A proper QBR breaks down your Microsoft 365 licence spend with enough granularity to make real decisions.
- Total licence count by SKU, compared to active users in the last 30 days
- Licences assigned but not activated: how many, which SKUs, and for how long
- Licences on recently departed staff that haven't been reclaimed
- Add-on licences (Defender P2, Purview, Teams Premium): utilisation vs spend
- Any SKU-level changes Microsoft has announced affecting your renewals
An MSP running this discipline well will surface reclaim opportunities each quarter. Over a year, licence reclaim savings often offset 15–20% of the managed services fee. If your provider has never reclaimed a licence, ask what they're doing with your licence report.
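The licence breakdown above can be computed from a per-assignment export. The following is an added example, not code from the original article or any MSP's tooling; the column names, SKU labels and sample rows are constructed assumptions, not a Microsoft export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export. Column names are assumptions, not a Microsoft schema.
SAMPLE_EXPORT = """upn,sku,account_enabled,assigned_on,last_sign_in
ana@example.com,M365_E3,true,2024-01-10,2025-06-25
ben@example.com,M365_E3,true,2024-03-02,2025-04-01
cy@example.com,M365_E3,false,2023-11-20,2025-02-14
dee@example.com,M365_E3,true,2025-03-15,
ana@example.com,DEFENDER_P2,true,2024-01-10,2025-06-25
eli@example.com,DEFENDER_P2,false,2024-08-01,
"""

def reclaim_report(export_text, today, window_days=30):
    """Per-SKU counts of assigned vs active licences, plus reclaim candidates."""
    report = defaultdict(lambda: {"assigned": 0, "active": 0, "candidates": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        sku = report[row["sku"]]
        sku["assigned"] += 1
        enabled = row["account_enabled"].strip().lower() == "true"
        last = row["last_sign_in"].strip()
        if not enabled:
            # Disabled account still holding a licence: departed staff, reclaim first.
            reason, age = "departed", None
        elif not last:
            # Never signed in: report how long the licence has sat unused.
            reason = "never_activated"
            age = (today - date.fromisoformat(row["assigned_on"])).days
        else:
            age = (today - date.fromisoformat(last)).days
            if age <= window_days:
                sku["active"] += 1
                continue
            reason = "inactive"
        sku["candidates"].append((row["upn"], reason, age))
    return dict(report)

if __name__ == "__main__":
    for name, sku in reclaim_report(SAMPLE_EXPORT, date(2025, 6, 30)).items():
        print(f"{name}: {sku['assigned']} assigned, {sku['active']} active in window")
        for upn, reason, age in sku["candidates"]:
            print("  reclaim candidate:", upn, reason, age)
```

A licence still attached to a disabled account is also an offboarding gap, so the `departed` rows belong in the security section of the QBR as well as the spend section.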
Section 3: Security and compliance posture
Security posture is the section most QBRs skip or compress into a single Secure Score number. Secure Score alone is insufficient: it's a Microsoft-scoped metric that doesn't account for your actual risk profile, doesn't cover your endpoint posture, and can be inflated by low-effort actions. A useful posture review covers:
- Secure Score trend over the quarter, with explanation of movements (not just the number)
- Conditional Access policy changes: what was added, modified or removed and why
- Privileged Identity Management: how many admin activations occurred, and were any anomalous?
- Entra ID identity risks: risky sign-ins, unfamiliar location events, suspicious activity flagged this quarter
- Essential Eight posture: current maturity level per control, trend from last quarter
- Any Purview DLP alerts or sensitivity label policy triggers
Benchmark your Essential Eight posture
Use the tool to map your current maturity level before the next QBR. It gives you a baseline to hold your MSP accountable against.
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software — and restores you have actually tested.
Section 4: Platform roadmap and strategic delivery
This is the section that separates an MSP from a helpdesk contract. The platform roadmap covers what was committed for the quarter, what was actually delivered, and what's planned for next quarter.
- Roadmap items committed last quarter: status (complete / in progress / deferred) and rationale for any deferrals
- Microsoft product updates relevant to your environment: what changed, whether it was tested and communicated before rollout, and what the impact was
- Proposed roadmap for next quarter: specific, scoped work items, not vague categories
- Technology debt: a list of known configuration gaps, deprecated integrations, or known risks that haven't been addressed and why
Technology debt is the hardest conversation in any QBR. A provider that won't table it is either not aware of it (which is a problem) or aware of it and choosing not to raise it (which is a bigger problem).
Section 5: Commercial review
End the QBR with the commercial position. This isn't a sales pitch; it's a transparent review of what the engagement is costing and what it's returning.
- Hours consumed vs contracted: are you under or over the included hours?
- Any statements of work billed outside the base contract: scope vs actual
- Upcoming contract milestones: renewal dates, price review clauses, change-of-scope triggers
- Commercial proposals from the MSP, if any, clearly separated from the business review
The commercial review should take ten minutes. If the QBR is ninety minutes and the commercial conversation is sixty of them, the structure has been inverted and you're in a sales call.
The QBR template in brief
- 1. Incident and service performance: tickets, SLAs, recurring issues, security alerts
- 2. Licence and spend efficiency: active vs assigned, reclaim, SKU changes
- 3. Security and compliance posture: Secure Score, CA changes, PIM events, E8 maturity
- 4. Platform roadmap: last quarter delivery, upcoming quarter commitments, tech debt
- 5. Commercial review: hours consumed, SOW spend, renewal milestones
Send this structure to your MSP before the next QBR and ask them to present against it. The quality of the response tells you a great deal about the maturity of their delivery model.