Working with a managed IT provider doesn't have to mean handing over permanent control of your digital infrastructure. Lock-in is a real risk, but it's avoidable if you know what to look for and what to put in writing before you sign. Here's how to structure the relationship correctly from the start.
The Three Lock-In Patterns
Lock-in comes in three forms:
Data lock-in: Your data is in the MSP's proprietary systems and can't be easily exported. Documentation, configurations, and asset records exist only in their internal tooling.
Credentials lock-in: Your domain registrar, your M365 tenant admin account, and your firewall login exist only on the MSP's systems. If the relationship ends badly, you can't get into your own environment.
Configuration lock-in: Your infrastructure is configured in ways only the MSP understands. No runbooks, no documentation, no person on your team who can describe how anything works.
All three are avoidable with contractual and operational discipline.
You Own the Tenants
The following should be owned by your business, not by your MSP:
- Your Microsoft 365 tenant (registered to your business email and billing card)
- Your domain registrar account
- Your DNS hosting account
- Your cloud provider accounts (Azure, AWS)
- Your accounting and ERP platform tenants
- Your cyber insurance policy
The MSP is added as a delegated admin or partner admin to your M365 tenant: they get access to manage it on your behalf, but they do not own it. If they set up your M365 tenant under their own account with you as a "customer," you have a significant lock-in problem. Fix this before it becomes a contract dispute.
The test: can you log in to your M365 tenant as a Global Administrator independently of your MSP? Can you log in to your domain registrar? If the answer to either is "I'd have to ask them," that needs to change.
Credential Transparency
Every admin credential for every system under management should exist in a password manager or credential vault that you also have access to. Not a vault that only the MSP can access, where you'd need to file a request to get your own firewall password.
Acceptable arrangements:
- Your MSP uses their credential vault, and you have a documented break-glass export procedure that produces your credentials in a portable format
- A shared credential vault (1Password Business, Bitwarden Teams) where your admin account has owner access
- Physical documentation in a sealed envelope stored at your premises, updated quarterly
The standard: if the MSP's office burned down tomorrow, you could get into every system you own.
Documentation Belongs to You
Your IT environment documentation (network diagrams, runbooks, configuration baselines, as-built documentation, IP addressing scheme) should be delivered to you on a regular cadence (quarterly or whenever significant changes are made) and stored in a system you control.
Not in the MSP's internal wiki. Not "available upon request." Delivered and stored where you can access it independently.
In your Statement of Work or MSA, specify: documentation delivered quarterly, in a format you can open and use (PDF, Visio, clearly labelled files). This is a standard clause; any professional MSP will agree to it.
Exit Clause in the Contract
Standard professional services contracts include a transition assistance clause: 30 to 90 days of cooperation if you decide to leave, at defined rates, with a documented handoff procedure.
What this should include:
- Transfer of all admin credentials to the incoming provider or to you
- Export of all documentation in standard formats
- Cooperation with the incoming provider for knowledge transfer
- No holding of credentials, domains, or infrastructure hostage
If a proposed contract does not include this, ask for it. An MSP that resists a reasonable exit clause is telling you something important about how they operate.
Pick Tools That Travel
MSPs use their own RMM (remote monitoring and management), PSA (professional services automation), and security tools. That's appropriate; it's how they operate efficiently at scale. The question is whether your data is trapped in those tools.
Your business data (user accounts, files, email, financial records) should live in M365, your cloud storage, and your accounting platform. The MSP's tools act on that data; they don't own it. When the MSP relationship ends, your data stays in your M365 tenant. Their RMM agents get uninstalled; your data stays.
The one exception worth noting: if the MSP built significant custom integrations or automations on your behalf (Power Automate flows, custom scripts, integrations between systems), those should be documented, owned by your tenant, and handed over as part of any transition.
How to Test the Lock-In Position Annually
Once a year, ask your MSP three questions:
- If I needed to access [critical system] independently, how would I do that? Can you show me?
- Where is our documentation stored and how do I access it?
- What would a 60-day transition to a new provider look like?
The answers reveal your actual position. A good MSP has clear, documented answers to all three. The answers may identify gaps that are worth addressing as part of your annual IT review.
Talk to a Prince George-based IT team about structuring a transparent, portable MSP relationship. Call 672-983-1174 or book a free assessment at northstarit.ca.
Frequently asked questions
What should I do if my new IT reseller or MSP reports "no domain found"?
If a new provider cannot find your domain or access records, it often means the previous MSP registered it under their own name rather than yours. You must immediately request the transfer authorisation code (EPP key) and ensure the administrative contact email is changed to one you control. North Star can assist BC and Alberta businesses in auditing these records to ensure you retain legal ownership of your digital identity.
How can I avoid MSP vendor lock-in during a new contract?
Avoid lock-in by ensuring your contract explicitly states that all hardware, software licences, and domain names are owned by your organisation. Require that all administrative passwords be stored in a shared vault you can access at any time. Look for 30- or 60-day out clauses rather than multi-year commitments. Our team at North Star prioritises transparency, ensuring our clients in Prince George and beyond always have the keys to their own kingdom.
Is it possible to migrate from a restrictive MSP to North Star?
Yes, we specialise in helping businesses transition away from restrictive providers. We perform a comprehensive discovery process to identify where your data lives and who owns the access rights. Even if your current provider is uncooperative, there are technical and legal avenues to recover your assets. We have successfully managed migrations for clients across Western Canada, ensuring a smooth handoff without operational downtime.