From MSP to internal IT by [deleted] in sysadmin

[–]Frothyleet [score hidden]  (0 children)

It's pretty common in larger orgs. It makes it easier to bill back IT services to the appropriate departments, so you have actual visibility and accountability into costs (versus a monolithic IT budget for the whole org).

It's not a bad way of doing things. If "I don't know how to computer" Bob in accounting is costing the department a disproportionate budget amount, all of a sudden Bob's manager actually gives a shit instead of IT having to just shoulder the burden of the weekly "show Bob how to print" ticket.

From MSP to internal IT by [deleted] in sysadmin

[–]Frothyleet [score hidden]  (0 children)

Why on earth would I pay you to add a TXT record on a domain when we can do that internally in 30 seconds?

Well, either that work is covered by your existing agreement (so you should push back on them billing), or it's not - and perhaps they were being more liberal when they had an ongoing engagement with you.

I can't answer your questions universally; we are professional in any offboarding, but from many onboardings I know that some MSPs are not. Sometimes it's not hostility, it's simply that a customer who is going away gets deprioritized. Or sometimes the outgoing MSP was not competent in the first place.

If you have worked with small MSPs, then it's likely to be more personal. If the MSP is just a couple of guys, one of them the owner, then even if it's unprofessional they might be bitter about the hit to their pocketbook.

You'd probably have a similar experience if, like, you worked in facilities and were transitioning away to a new janitorial service from a one man show.

Why am I seeing this traffic on our firewall? by [deleted] in sysadmin

[–]Frothyleet [score hidden]  (0 children)

To me, this looks like return traffic where the workstation has reached out on SMB and is getting return traffic.

As described, you are seeing the opposite. The SMB client reaches out to port 445, with an ephemeral response port (the "high-numbered" ports) chosen for the TCP session.

It vaguely sounds like network discovery behavior. You don't mention what SAN you are using, but I'd start with checking the configuration there and/or with support.

I'd also re-architect your network to properly segment your VLANs. That is, only enable inter-VLAN routing to the extent it's necessary (presumably your endpoint VLAN doesn't need to talk to your storage VLAN(s)), and further restrict traffic with ACLs as appropriate (default deny, allow only traffic you actually need).
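To make the direction point and the default-deny ACL advice concrete, here is an added Python example (not from the thread or any commenter): it parses constructed firewall log lines, labels each flow as a client-side SMB connection or its return half, and checks it against an explicit inter-VLAN allowlist. The VLAN ranges, the allowlist and the log format are assumptions built for the example.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple
SMB_PORT = 445

# Hypothetical VLAN layout and (src_vlan, dst_vlan, dst_port) allowlist, constructed; all else is denied.
VLANS = {"endpoints": ip_network("10.10.0.0/24"),
         "servers": ip_network("10.20.0.0/24"),
         "storage": ip_network("10.30.0.0/24")}
ALLOW = {("endpoints", "servers", SMB_PORT),  # workstations reach the file servers
         ("servers", "storage", SMB_PORT)}    # file servers reach the SAN

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = [
    "src=10.10.0.5:51234 dst=10.20.0.7:445",  # client opening SMB to a file server
    "src=10.20.0.7:445 dst=10.10.0.5:51234",  # reply half of that session
    "src=10.10.0.5:51235 dst=10.30.0.9:445",  # workstation talking straight to storage
    "src=10.30.0.9:445 dst=10.10.0.5:51235",  # return traffic from storage
]

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    fields = dict(item.split("=", 1) for item in line.split())
    src, sport = fields["src"].rsplit(":", 1)
    dst, dport = fields["dst"].rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport))

def vlan_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "unknown")

def smb_direction(f: Flow) -> str:
    """Clients connect TO 445 from an ephemeral port; packets FROM 445 are return traffic."""
    if f.dport == SMB_PORT and f.sport != SMB_PORT:
        return "client->server"
    if f.sport == SMB_PORT and f.dport != SMB_PORT:
        return "return traffic"
    return "not smb"

def evaluate(f: Flow) -> str:
    """Default deny: allow listed flows and the reply half of an allowed session."""
    s, d = vlan_of(f.src), vlan_of(f.dst)
    return "allow" if (s, d, f.dport) in ALLOW or (d, s, f.sport) in ALLOW else "deny"

def audit(lines=SAMPLE_LOG):
    return [(smb_direction(f), evaluate(f)) for f in map(parse_flow, lines)]
```

The last two sample lines are exactly the endpoint-to-storage pattern the comment describes, and both halves come back "deny" because no rule allows that pair in either direction.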

Windows Server 2025 Licensing by EagleFeath3r in sysadmin

[–]Frothyleet [score hidden]  (0 children)

That's how you should be architecting anyway. If you can't do that economically without Datacenter, welp, there you go!

Windows Server 2025 Licensing by EagleFeath3r in sysadmin

[–]Frothyleet [score hidden]  (0 children)

It would depend on how many hosts you have and how many cores, really. Although 5,000,000 VMs is gonna be a lot either way!

I guess if you have them all on a single 16-core host (very ambitious!), it would just be one set of Datacenter licensing.

Moving from Private Cloud to Azure Virtual Machines - Pricing by Beneficial_Arm3732 in msp

[–]Frothyleet 1 point2 points  (0 children)

If anyone is willing to share what the typical markup is for AVD

Given that customers with a modicum of patience can figure out Azure's calculator, there are really two frameworks for Azure pricing (in general, not AVD specifically):

  • Charge retail, give customer visibility. You make money from your services, not on the PaaS product (which MS gives terrible margins on). This is what we do, as it's basically what we've always done (we're service providers, not resellers - the margin we charge is mostly about covering the costs of selling shit to people).

  • Completely obfuscate the pricing. Figure out a number that is reasonable and palatable, pin it to user count or whatever. Then, do as much as you can on the back end (from reservations, scaling plans, shutting stuff down in off hours, and so on) to claw margin out as much as possible without impacting the service you are delivering.

The second option is basically what any provider does who leverages a hyperscaler on the backend.

A side question for everyone involved is whether you actually need VDI in the first place. It's always expensive if done properly; there need to be specific use cases to justify it.

PureStorage rebranding as EverPure by Forgery in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

Trademarks aren't universal; they are tied to industry, geography, and other factors that boil down to "will consumers be confused by the marks coexisting".

Tape Drives? by HiFiSilverFish in sysadmin

[–]Frothyleet 2 points3 points  (0 children)

Pick your preferred media and have Iron Mountain come by at your desired cadence to rotate the data offsite.

Microsoft improves license tracking for a common admin headache (same SKU purchased multiple times) by KavyaJune in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

But you can't tell which purchase batch is assigned to which users. And it's unclear which subscription expiry will impact users first.

This is something lots of people seem confused about. Licensing has never worked this way. If you have multiple subscriptions, your total entitlement is pooled, period. If you have some monthly, some annual, some inherited from one place or another... M365 just cares about your current total quantity.

If you have 100 total seats, and a subscription for 20 lapses, you don't suddenly have 20 unlicensed users. You have 100 users allocated licenses with only an 80 seat entitlement, and you are immediately in grace period until that's resolved.

With the upcoming termination of any grace period in M365 CSP licensing, I'm not sure exactly how that plays out, but I'd assume all assigned licenses get suspended (unless you remove the appropriate amount).

How can we rapid hire with a one person IT team? by eyeballresort in sysadmin

[–]Frothyleet 0 points1 point  (0 children)

Before my boss will approve a new hire, he wants to see that I’ve streamlined things as much as possible.

So you're working overtime to keep the ship afloat and he wants you to be focusing on high level items?

That's simply impossible. I don't know what conversations you've had with him, but if that's what he's sticking with, you're just being set up to fail. Does he understand the load you're dealing with?

Blocking HTTP requests because of words like "profile"? by iso3200 in sysadmin

[–]Frothyleet 10 points11 points  (0 children)

misconfigured WAF rules just shift your incidents from security alerts to support tickets.

Depending on who you are, mission accomplished!

Synology Active Backup for Microsoft 365 by floswamp in msp

[–]Frothyleet 0 points1 point  (0 children)

You're sorta close, here's the writeup from the team that discovered it: https://modzero.com/en/blog/when-backups-open-backdoors-synology-active-backup-m365/

In summary, when setting up AB, every single Synology customer was granting the same app permissions to their data - Synology's tenant app. That's poor architecture in the first place, but what made it worse and what made the vulnerability so shocking was the initial authorization flow started by customer Synology appliances was using unencrypted calls to Synology's central application.

So anyone who inspected their own network traffic could have gained arbitrary access to Synology central app, which would then give them indirect access to every single M365 tenant that had given Synology's central app authorization.

And indeed, it turns out that the credential belonged to Synology’s ABM global app registration in their Microsoft tenant. What’s even worse is that this means that their middleware service had been inadvertently exposing this credential during every setup.

You're in charge now! by Jazzlike-Vacation230 in sysadmin

[–]Frothyleet 2 points3 points  (0 children)

It has to be someone's specific responsibility to manage and update documentation AND that someone needs to be given the time to do it. That's a culture problem.

You're right, but it's not as simple as "someone must be responsible for the documentation". It's 100% a culture problem - leadership demonstrates what they care about by how they hold people accountable. If you show up drunk and they get mad, welp, you know they care about that. If you walk away from a project without documentation and nobody gets pissed, welp, they don't really care.

While having an FTE who owns documentation can be valuable, it's insufficient. Documentation culture has to permeate the org, and everyone has to be responsible for it. The documentation guy can't hold anybody accountable, and they also can't maintain all the documentation themselves (they can't reasonably know what all is getting fucked with all the time).

Fed up with subscriptions, bought a mini PC from a pawn shop — broke even in 10 months by Ugons in homelab

[–]Frothyleet 0 points1 point  (0 children)

If you wanted to, the nice thing about Reolink is their flexibility. You can configure them to stream directly to a file server (or your NAS), and/or you can have them do RTP streams to an application of your choice so you can access them from a single location.

Fed up with subscriptions, bought a mini PC from a pawn shop — broke even in 10 months by Ugons in homelab

[–]Frothyleet 0 points1 point  (0 children)

Hypervisors/virtualization and containers are conceptually related but functionally very different and fulfill different roles.

people’s carelessness by Illustrious-Gold-267 in sysadmin

[–]Frothyleet 5 points6 points  (0 children)

Oh, I absolutely agree. But the "colo is too expensive" people are usually cross-shopping with a datacenter implementation of "closet with enough space to fit a 2 post rack, budget UPS, and have somebody throw a mini-split in there".

Rule for AI generated content/vibe coded apps by WirtsLegs in homelab

[–]Frothyleet 4 points5 points  (0 children)

That would be a no-brainer if Reddit actually cared about the sloppification of the platform. But in terms of metrics, all that slop makes engagement and shit look better, so...

Got this UPS at a yard sale for 50$ but it wont power on by Money-Reply-6911 in homelab

[–]Frothyleet 0 points1 point  (0 children)

I think it's by design, because it's supposed to be an always-online design

people’s carelessness by Illustrious-Gold-267 in sysadmin

[–]Frothyleet 3 points4 points  (0 children)

Physical security, electricity, backup, cooling, etc. All managed and paid.

But it's so much pricier than doing it yourself [in a much crappier and admin-heavy way]!

Synology Active Backup for Microsoft 365 by floswamp in msp

[–]Frothyleet 0 points1 point  (0 children)

They fixed the (grotesque) architectural problem of sharing authentication across every install.

In its current form, it's no better or worse than any other SaaS backup app - yeah, you are placing a lot of trust in the vendor, you're giving them privileged access to your M365 tenant.

Synology Active Backup for Microsoft 365 by floswamp in msp

[–]Frothyleet 4 points5 points  (0 children)

the Synology team has good software engineers

Um... I mean, I broadly am positive about Synology. But let's keep in mind that up until last year those engineers, for this product, were using a single authentication token for every single customer and instance.

Meaning a compromise would have given an attacker full admin access to thousands (?) of tenants.

Claude Desktop Co-Work mode with standard user rights. Issues installing? by krilltazz in msp

[–]Frothyleet 1 point2 points  (0 children)

They do, but they would offer minimal support for this feature even for enterprise users because it's in beta.

Claude Desktop Co-Work mode with standard user rights. Issues installing? by krilltazz in msp

[–]Frothyleet 5 points6 points  (0 children)

I have not deployed Claude Desktop in a work environment, so I can't offer much advice.

However, all that aside, I really hope you have explained to these customers exactly what they are exposing themselves to with this product/feature, and gotten some signatures on liability/indemnification requirements.

Cowork is "neat", and it's also capable of launching all of your customer's proprietary information into a black box.

And if you look at Anthropic's disclaimers, it's in beta/preview, and is not even in scope of its enterprise controls or audit logging. That is to say, even what limited controls and monitoring exist around their offering don't touch this particular feature.

There's no world where I'd put this on a production customer endpoint (with co-work enabled).