Why a Tier-1 Microsoft CSP matters for banks, credit unions, and mortgage lenders.
ABT is the largest Tier-1 Microsoft CSP primarily dedicated to the mortgage industry, with a specialized practice for community banks and credit unions. ABT was among the first 15 organizations globally to be authorized as a direct-billing Microsoft Cloud Solution Provider, and 750+ financial institutions trust us to manage their tenants through that direct relationship. This page explains what changes for your institution when your CSP holds the direct billing relationship with Microsoft, and how to evaluate any CSP before you sign.
Direct billing relationship with Microsoft
Microsoft sells cloud licenses through two kinds of partner.
Microsoft's Cloud Solution Provider program separates partners into two authorization models. Most institutions never hear the distinction, because the marketing language reseller channels use is identical. The contractual reality is not.
Your CSP buys licenses directly from Microsoft and owns the relationship end to end.
A Direct Bill partner has a direct contractual relationship with Microsoft for cloud subscriptions. Microsoft Learn defines the model in plain language: "As a direct-bill partner, you own the end-to-end relationship with your customer and with Microsoft." That phrasing is load-bearing. The Tier-1 partner issues your invoice, holds the support contract Microsoft escalates against, attests to your Microsoft Customer Agreement on your behalf, and signs the Microsoft Partner Agreement that governs how customer data is handled.
- Direct billing relationship with Microsoft
- First-level support is contracted directly to the CSP, escalated to Microsoft engineering through a paid Advanced Support for Partners or Premier Support for Partners plan
- MCA attestation on the customer's behalf in Microsoft Partner Center
- Signed Microsoft Partner Agreement directly with Microsoft
- Eligible for the higher Solutions Partner designation track and direct incentive funding
Your CSP buys licenses through a distributor, who holds the direct relationship with Microsoft.
An Indirect Reseller works through a distributor (Microsoft's official term is "indirect provider"). Microsoft Learn says it bluntly: "As an indirect reseller in CSP, you work with indirect providers (also known as distributors) who have a direct relationship with Microsoft." The reseller owns the customer-facing pitch and the day-to-day account work. The distributor sits underneath them, handling the billing infrastructure, the MCA flow, and the contractual relationship with Microsoft.
- Reseller buys licenses from a major Microsoft distributor (one of the authorized indirect providers)
- The distributor owns the contractual relationship with Microsoft
- Customer support typically routes through the distributor's escalation chain before reaching Microsoft
- The reseller's contract leverage and incentive eligibility depend on the distributor's tier and policies
- If the distributor relationship dissolves, customer subscriptions usually stay with the distributor
A note on terminology. Microsoft's current documentation uses "Direct Bill" and "Indirect Reseller." The older "Tier-1" and "Tier-2" labels stuck in industry conversation and remain widely used. Both refer to the same authorization split. ABT uses Tier-1 and Direct Bill interchangeably on this page.
How the Microsoft CSP program got here.
Understanding why Tier-1 status matters now requires a quick look at how Microsoft has tightened the program over the last decade. Each round of consolidation made the Tier-1 designation harder to earn and easier for buyers to verify.
The CSP program launches with a low bar to entry.
Microsoft introduced the Cloud Solution Provider program in late 2014 as a replacement for the older Open License and Open Volume models. Any partner with a Microsoft Partner Network membership could theoretically participate. Direct Bill authorization was available to partners who could demonstrate basic billing infrastructure. ABT was authorized as one of the early Direct Bill participants, among the first 15 organizations globally to take the direct relationship with Microsoft when the program opened. The qualifying bar was modest, the partner ecosystem was wide, and most of the partners selling Microsoft 365 in those years were Direct Bill rather than Indirect Reseller.
Microsoft tightens Direct Bill requirements; smaller partners shift to Indirect.
In 2018, Microsoft introduced what is now recognized as the first major Direct Bill consolidation. New Direct Bill partners had to maintain a paid support plan (Advanced Support for Partners or Premier Support for Partners), a billing automation system capable of integrating with Microsoft Partner Center APIs, and a customer provisioning system. Existing Direct Bill partners faced annual reassessment against the same standards. The practical effect was a meaningful annual investment in support and infrastructure that smaller partners could not sustain. Partners who could not clear that floor migrated to the Indirect Reseller channel and started buying through distributors. The Direct Bill partner population dropped meaningfully for the first time.
Direct Bill revenue threshold climbs to $1M USD; Solutions Partner designation required.
Microsoft announced sweeping changes to Direct Bill authorization on May 1, 2025, effective October 1, 2025. The trailing twelve-month CSP revenue threshold rose from approximately $300,000 to $1,000,000 at the Partner Global Account level (a 230% increase). Solutions Partner designation in the relevant solution area became mandatory, replacing the older silver and gold competency model. Partner Capabilities Assessment is now an annual event rather than a one-time enrollment hurdle. Multi-factor authentication enforcement across Partner Center became mandatory on April 1, 2026. The bar for buyers to ask "are you actually a Tier-1 CSP" got more meaningful, because not every legacy Direct Bill partner cleared the new threshold. ABT cleared each of these gates as they were introduced and continues to operate at the Direct Bill level under the FY26 framework. For buyers in financial services, Tier-1 status itself doubles as a partial vendor risk attestation: Microsoft has done a portion of the diligence work for you.
What changes between the two authorization models.
A row-by-row look at the operational differences that show up in your invoice, your support tickets, your contract paperwork, and your vendor due diligence file.
| Operational area | Tier-1 / Direct Bill (ABT) | Tier-2 / Indirect Reseller |
|---|---|---|
| Who issues your invoice | The CSP issues directly. One invoice from one party. Microsoft is paid by the CSP. | The reseller issues, but the distributor handles the billing infrastructure. Reconciliation, taxes, and credit terms can vary by distributor. |
| Who holds the contract with Microsoft | The CSP signs the Microsoft Partner Agreement directly. The customer signs a service agreement with the CSP. | The distributor signs the Microsoft Partner Agreement. The reseller has a sub-arrangement with the distributor. The customer typically signs with the reseller. |
| First-level support escalation | The CSP runs a dedicated support desk, contracted to a paid Advanced or Premier Support for Partners plan that gives engineering-level escalation directly into Microsoft. | Support typically routes from reseller to distributor to Microsoft. Multi-layer support paths can add response time, especially for cross-tenant or priority cases. |
| Microsoft Customer Agreement attestation | The CSP attests to MCA acceptance on the customer's behalf in Microsoft Partner Center, or invites the customer to accept directly. | The distributor or reseller mediates attestation. The reseller cannot independently attest. |
| Tenant administration | Granular Delegated Admin Privileges (GDAP), time-bound and least-privileged, granted by the customer directly to the CSP. Customer always retains ownership. | GDAP is also used, but a multi-layer admin model can exist if the distributor holds parallel admin access for fulfillment. |
| Incentive program access | Direct access to Microsoft incentive programs, Solutions Partner designation funding, Azure Migrate and Modernize / Azure Innovate migration funding for qualifying engagements, and Azure Partner Earned Credit. | Eligibility depends on the distributor's policies. Many incentive programs are negotiated at the distributor level. |
| Pricing and contract leverage | CSP negotiates terms, bundling, and timing directly. Volume aggregated across the entire customer book gives leverage on Microsoft commitments. | Reseller's leverage is constrained by the distributor's price sheet and policies. |
| If the partner relationship ends | Customer subscriptions can transfer to a different CSP through Microsoft's customer-managed transfer process. The customer's tenant always belongs to the customer. | Subscriptions typically stay with the distributor, who may reassign the customer to a different reseller in their network. |
| Annual Solutions Partner designation review | Microsoft renews each Direct Bill partner's Solutions Partner designation annually based on a Partner Capability Score covering performance, skilling, and customer success metrics. Publicly verifiable via Microsoft's Solutions Partner directory. | No equivalent requirement at the reseller level; the distributor's capability is what Microsoft assesses. |
| Revenue and tenure threshold | $1M USD trailing twelve-month CSP revenue plus 12 months of prior Indirect Reseller experience required before applying (FY26 requirements, effective October 1, 2025). | No revenue threshold. Lower entry bar is the design intent of the Indirect Reseller channel. |
The short version of the table above.
Tier-1 (Direct Bill) and Tier-2 (Indirect Reseller) are not different products. They are different contractual paths to the same Microsoft 365 and Azure subscriptions. The path determines who issues your invoice, who holds the contract with Microsoft, who answers the phone when you have an outage, and how your vendor risk team reads the relationship in their next due diligence cycle. Both paths are legitimate. Both can serve regulated institutions well. The Tier-1 path is the one ABT chose when the CSP program launched in 2014, and it is the one we have continued to clear through every round of Microsoft tightening since.
The decision is not "Tier-1 is better." The decision is "which path matches my operational reality, my support expectations, and my audit posture." If you do not know what tier your current CSP holds, you can find out in 60 seconds by looking at your invoice. If you do know, the next question is whether the difference matters enough to your specific institution to justify a transfer. That is the conversation ABT's licensing team has every week with credit unions, banks, and mortgage lenders evaluating their CSP relationship. We are happy to have it with you, whether you stay on your current path or transfer to ABT's Direct Bill relationship at the end of the discussion.
Not sure who your CSP actually is?
Pull up your last Microsoft 365 invoice. The party billing you is your CSP partner of record. If they billed through a distributor, your tenant sits behind that distributor. ABT's licensing team will read your invoice with you in 15 minutes and tell you exactly where you stand, whether you should switch, and what a Tier-1 transfer would change about your support and contract experience.
What a Tier-1 relationship changes for your institution.
Direct Bill is not a marketing tier. It alters who answers your support call at 6 AM, who can move your renewal date, who stands behind the SOC 2 attestation, and who has skin in the game when an examiner asks for evidence.
Support depth and escalation latency
Tier-1 partners are required by Microsoft to operate first-level support and to maintain a paid Advanced Support for Partners (ASfP) or Premier Support for Partners (PSfP) plan. ASfP is the product Microsoft built for partners who need direct engineering escalation. When ABT engineers cannot resolve an issue in your tenant, they open a case directly with Microsoft engineering through the partner support channel. Most cases reach a Microsoft engineer within minutes during business hours.
An Indirect Reseller often does not hold its own ASfP plan. The distributor's plan is what gets used. That adds a hop. The reseller calls the distributor, the distributor calls Microsoft. Each layer adds time, and each layer is a separate company with its own ticket queue and SLA. For a community bank dealing with a Friday afternoon mailflow outage during loan funding, that latency matters.
Contract leverage and pricing flexibility
Tier-1 partners hold their own price sheet relative to Microsoft. They can negotiate bundle terms, time renewals, and aggregate volume across their entire customer base. ABT moves licensing for 750+ financial institutions through a single CSP relationship. That book of business gives Microsoft a reason to pay attention when ABT requests special pricing, term flexibility, or migration funding for a specific FI engagement.
An Indirect Reseller is constrained by the distributor's price sheet. Special pricing, custom bundles, and Microsoft-funded migration program requests have to flow up through the distributor before they ever reach Microsoft. Distributors apply their own commercial filters before requests reach Microsoft.
Tenant control and contractual ownership
The customer always owns the Microsoft 365 tenant. Microsoft owns the infrastructure. The CSP partner manages the tenant via Granular Delegated Admin Privileges (GDAP), which is time-bound and least-privileged by design. That model is identical for Tier-1 and Tier-2 partners.
What differs is what happens if the partner relationship ends. With a Tier-1 partner, transferring your subscriptions to a new CSP is a customer-managed process. With an Indirect Reseller, the underlying CSP contract is between the distributor and Microsoft. Subscriptions typically stay with the distributor, who may reassign you to a different reseller within their network. The underlying chain of ownership stays with the distributor; the reseller-facing relationship can change without affecting the contractual layer. (Phase 3 below covers the actual transfer mechanics in detail.)
Vendor due diligence posture
FFIEC's Third-Party Risk Management guidance and the OCC's vendor management bulletins all expect institutions to evaluate the financial stability, compliance posture, and operational capability of any vendor with access to non-public personal information. Microsoft's Direct Bill authorization is itself a partner-level audit. Tier-1 partners must demonstrate revenue stability ($1M USD trailing twelve-month minimum), pass an annual security score check, hold an active support plan, hold an active signed Microsoft Partner Agreement, and document managed services capability through an annually renewed Solutions Partner designation. Examiner expectations align with the NIST Cybersecurity Framework 2.0 and the Cyber Risk Institute (CRI) Profile, the framework FI examiners adopted after the FFIEC retired its Cybersecurity Assessment Tool in August 2025. ABT's NIST CSF 2.0 Assessment for Financial Institutions maps your current environment against the framework.
That maps cleanly to what your vendor risk team is going to ask for. ABT's SOC 2 Type II report (under NDA, conducted by an independent third-party auditor and currently tracked under SYS-20712), attestation of ABT's signed Microsoft Partner Agreement, verifiable Direct Bill CSP authorization, and the GDAP scope are the artifacts that close most CSP-related vendor due diligence requests.
Why an FI-dedicated Tier-1 CSP is different from a generic one.
Tier-1 status alone is not a guarantee of financial services fit. Most Tier-1 CSPs are large generalists (SHI, CDW, Insight, Connection) that handle every vertical. A Tier-1 CSP that has spent 25 years configuring tenants for credit unions, community banks, and mortgage companies brings a different set of muscle memory to your environment.
Examiner-ready out of the box
FFIEC, OCC, NCUA, and FDIC examiners ask about audit log retention, Conditional Access enforcement, MFA coverage, vendor SOC 2 attestation, and IT audit scope. Generalist Tier-1 CSPs serve every vertical with a similar configuration profile by design. A specialist CSP can configure tenants for the specific examiner expectations a financial institution faces. ABT configures tenants for those expectations from day one. Microsoft Purview Audit, Microsoft Entra ID Conditional Access in Grant mode, Microsoft Intune device posture, and Microsoft Defender for Office 365 anti-phishing are baked into the standard Guardian hardening profile.
GLBA Safeguards mapped to Microsoft controls
The Gramm-Leach-Bliley Act Safeguards Rule (16 CFR 314.4) is the regulation your examiner cites. ABT's Guardian operating model maps Microsoft 365 controls to GLBA Safeguards Rule subsections, with documented per-control mapping available to customers in active engagement. Examiner expectations align with the NIST Cybersecurity Framework 2.0 and the Cyber Risk Institute (CRI) Profile, the framework FI examiners adopted after the FFIEC retired its Cybersecurity Assessment Tool in August 2025. ABT's NIST CSF 2.0 Assessment for Financial Institutions maps your current environment against the framework. Generalist Tier-1 CSPs typically focus on the licensing transaction. The regulatory crosswalk between Microsoft 365 controls and the GLBA Safeguards Rule is something a specialist FI-focused CSP brings as part of the engagement.
Mortgage and core integration in the same conversation
ABT runs MortgageExchange (LOS-to-core integrations), MortgageWorkSpace (the dual-domain mortgage platform), and DocumentGuardian (loan-document automation) on Azure for the same financial institution audience. When you talk to ABT about Microsoft 365 licensing, you are also one conversation away from connecting your loan origination system to your core, automating loan documents, and bringing your mortgage subsidiary onto the same governance baseline as the bank. That is not a Tier-1 generalist offer.
What Tier-1 CSP status unlocks across the Microsoft stack.
CSP discussions usually start with Microsoft 365 licenses, because that is what the customer is buying month over month. The same authorization tier governs how your CSP shows up across the rest of the Microsoft cloud surface. A few of the cleanest examples below.
Microsoft 365 Copilot Business and Copilot for the enterprise
The CSP partner is the only path to buy Microsoft 365 Copilot Business under the 300-seat SMB cap. Tier-1 partners get the earliest access to new Copilot SKUs at launch, the ability to negotiate bundled pricing on the Business Premium plus Copilot Business combination, and direct access to Microsoft incentive funding for Copilot adoption sprints. ABT positions Copilot Business inside the same Guardian-governed tenant we manage your security from, so adoption never crosses outside the compliance boundary your examiners expect to see.
The practical implication for a 200-seat institution: the Copilot conversation lands inside the same Tier-1 CSP relationship that governs your Business Premium, your Defender, and your Purview Audit. One renewal date. One negotiation. One support escalation path.
Microsoft Entra ID, Defender, Purview, and Intune as a managed bundle
The Microsoft security stack (Microsoft Entra ID Conditional Access, Microsoft Defender for Office 365 anti-phishing, Microsoft Defender for Endpoint, Microsoft Purview Audit and Information Protection, and Microsoft Intune device management) is sold and licensed through the CSP channel. Tier-1 partners can bundle these add-ons into a single per-user roll-up, time the renewal to align with examination cycles, and stack Azure Migrate and Modernize funding on enablement projects that include Azure-side workloads. Indirect Resellers can also sell these add-ons, but the bundling and incentive flexibility is throttled at the distributor layer.
For ABT-managed institutions, the Guardian operating model wraps all of these together. Conditional Access policies are deployed in Report-Only mode first, monitored, then promoted to Grant. Purview Audit retention is configured to the institution's regulatory minimum. Intune enrollment is tied to device compliance posture. The deployment is not a license sale and a hand-off. It is an operating model that runs continuously.
Azure subscriptions, Azure-hosted apps, and Azure migration funding
Azure subscriptions sold through CSP are billed on consumption with the same volume aggregation benefits as Microsoft 365. Tier-1 CSPs can apply for Azure Migrate and Modernize funding, Azure Innovate for net-new AI and modernization workloads, the Azure Accelerate framework that consolidates both, VMware migration incentives, and the Azure Partner Earned Credit (15% of the customer's Azure consumption credited back to the partner each month). ABT runs Calyx PointCentral on Azure, hosts MortgageWorkSpace and DocumentGuardian on Azure for the FI customer base, and uses these incentive programs to keep migration economics favorable for community banks and credit unions.
For an institution evaluating an Azure-hosted application: the Tier-1 CSP your environment is on determines what Microsoft incentive funding can offset the cost of moving the workload. A Tier-2 reseller cannot independently apply for these programs.
Microsoft 365 admin oversight and the Microsoft Service Trust Portal
Tier-1 CSP partners have direct access to the Microsoft Service Trust Portal, where Microsoft publishes its own SOC 2, SOC 3, ISO 27001, and FedRAMP attestations. ABT pulls these on behalf of the customer when vendor risk teams ask for evidence that Microsoft (the underlying cloud platform) meets your institution's controls. We also have direct API access to the Microsoft 365 admin center for bulk operations (license assignments, conditional access rollouts, compliance log exports) that an Indirect Reseller has to request through their distributor's tooling.
The practical effect for a vendor due diligence cycle: ABT can deliver Microsoft's attestations, ABT's own SOC 2 Type II report (under NDA), the GDAP scope on file, attestation of ABT's active signed Microsoft Partner Agreement, and verifiable Direct Bill CSP authorization status (independently confirmable via Microsoft's Solutions Partner directory) in the same package. ABT's vendor due diligence package is structured to close most CSP-related reviews quickly. SOC 2 Type II is conducted by an independent third-party auditor and covers ABT's Cloud Platform and Services and the operational controls behind ABT's Tier-1 CSP delivery, currently tracked under SYS-20712.
Six questions to ask any CSP partner.
Whether you stay with your current CSP, switch to ABT, or evaluate a third option, ask these six questions and write down the answers. The pattern of what they say (and what they avoid) will tell you which authorization tier you are actually buying from.
Are you a Direct Bill (Tier-1) CSP, or an Indirect Reseller (Tier-2)?
Most CSP marketing language obscures this. Ask the direct question. The answer is binary. If they say "we work with Microsoft" or "we are a Microsoft partner," push for the specific authorization model. Both are legitimate; you just need to know which one you are buying from before you can compare apples to apples.
Who issues my invoice, and who signs the Microsoft Partner Agreement?
Tier-1: the CSP issues directly and signs the MPA directly. Tier-2: the reseller issues but the distributor signs the MPA. This determines who Microsoft holds responsible for handling your data and who Microsoft escalates against if something goes wrong. It also tells your vendor risk team which company's SOC 2 report they actually need to evaluate.
Do you maintain your own paid Microsoft support plan? Which one?
Tier-1 partners are required to hold either Advanced Support for Partners (ASfP) or Premier Support for Partners (PSfP). Ask which one. ASfP and PSfP are both paid Microsoft support plans. PSfP costs significantly more and includes a dedicated Customer Success Account Manager from Microsoft. If the partner cannot answer specifically, the support escalation path is going through their distributor or some other intermediary.
Will you attest to my Microsoft Customer Agreement, or do I sign it myself?
Tier-1 partners can attest in Microsoft Partner Center on the customer's behalf, or they can invite you to accept directly through your Microsoft 365 admin center. Tier-2 resellers cannot independently attest; the distributor mediates the flow. The right answer is "we will give you the option" rather than "we'll just take care of it for you." MCA acceptance is a customer signature; you should know which path it took.
What happens to my subscriptions if our relationship ends?
The honest answer for a Tier-1 partner: your tenant stays with you, your data stays in Microsoft's infrastructure, and you can transfer subscriptions to a different CSP through a Microsoft-managed customer transfer process. The honest answer for a Tier-2 reseller: subscriptions usually stay with the distributor, who can reassign you to another reseller in their network. Both can work; just know which one you have.
Can you confirm your active Solutions Partner designation and most recent Partner Capability Score?
Tier-1 partners must hold an active Solutions Partner designation in the relevant solution area, and Microsoft renews that designation annually based on a published Partner Capability Score (PCS) covering performance, skilling, and customer success metrics. The designation and renewal status are publicly verifiable via Microsoft's Solutions Partner directory. A Tier-2 reseller has no such artifact at the reseller level; the distributor is what Microsoft assesses.
Where the Tier-1 advantage shows up on your invoice.
The honest answer is that Microsoft publishes an estimated retail price (ERP/MSRP) for each SKU, and the CSP partner pays Microsoft a wholesale "list price" before reselling. Microsoft does not contractually require a CSP to sell at or above the published ERP, but the wholesale price is a practical floor, because sustained per-seat discounting just compresses the partner's margin to a level that cannot fund the management, governance, and support layer your institution actually needs. The economic difference is not in the per-seat ERP. It is in everything around the invoice. Four places to look.
Bundle pricing on net-new SKUs at launch
When Microsoft launches a new SKU (Microsoft 365 Copilot Business at $21 standalone, the Business Premium plus Copilot Business bundle at $32 promo, the upcoming E7 frontier suite at $99 with the $9 E5 upgrade promo), Tier-1 partners can negotiate bundle terms that Indirect Resellers cannot independently access. ABT runs the Microsoft 365 Copilot Business pilot pack at favorable terms for institutions that want to test Copilot before committing to a full deployment, and the bundle math depends on Tier-1 access to current Microsoft promotional terms. For a 200-seat credit union: the difference between the pilot path and a list-price standalone purchase across the first six months can run into five figures. That is not a per-seat saving. It is a structural saving.
Azure migration and modernization funding for project economics
Microsoft's Azure Migrate and Modernize and Azure Innovate programs (now consolidated under the Azure Accelerate framework), together with Solutions Partner co-op marketing funds and partner-led migration incentives, are all partner-applied. Tier-1 CSPs apply directly to Microsoft. Indirect Resellers apply through their distributor. When ABT migrates a credit union's on-premises Exchange to Microsoft 365, or moves a community bank's loan-document workflow into MortgageWorkSpace on Azure, the project economics often include incentive funding that offsets the migration labor. The funding is real and material; the path to access it depends on Tier-1 status. A Tier-2 reseller can apply through their distributor, but the success rate and the speed of approval are categorically different.
License optimization and right-sizing as an ongoing service
Tier-1 partners typically run quarterly license reviews as part of the managed services baseline. ABT looks at actual user behavior in your tenant (which apps each user opens, how often, which licenses are sitting unused) and right-sizes the subscription mix. If 40 of your 200 Business Premium users only need email and Teams, those users should be on Business Basic, not Business Premium. The savings are not theoretical; they are the kind of thing that pays for the entire managed services engagement on its own. This is the work an Indirect Reseller often does not have the operational depth to do at the customer level. Their distributor relationship aggregates volume but does not optimize per-customer mix.
Predictable contract terms and the renewal experience
NCE introduced strict cancellation rules. A 12-month annual commitment cannot be cancelled past the 7-day window without continuing to pay through the term. That math is the same for Tier-1 and Tier-2 customers, but Tier-1 partners can structure mixed commitment portfolios for an institution (some users on monthly commitments for elasticity, the core seat count on annual for the price advantage) and time the renewal to align with budget cycles. ABT runs renewal calendars for our 750+ FI customer book and pre-stages the conversation with each institution 60 days before each annual renewal. That lets the CFO bring renewal pricing into the budget cycle rather than discovering it after. The renewal experience is itself a deliverable.
A few things this page is not saying.
Tier-1 CSP status is meaningful, but it is not a magic credential. Below are three claims you might hear adjacent to the Tier-1 conversation that ABT specifically does not make.
"Tier-1 means lower licensing prices."
Microsoft publishes an estimated retail price (ERP, also called MSRP) for Microsoft 365 and Azure SKUs and bills the CSP partner a separate wholesale "list price" for each seat. A Tier-1 CSP can legally sell a standard subscription below the published ERP if it chooses to, because Microsoft does not impose a minimum resale price on its CSP partners. The wholesale price is the practical floor, not a contractual one. Sustained discounting just compresses partner margin to a level that cannot fund the management, governance, and support layer customers actually need. Where the economics differ in practice is in Microsoft-funded promotional bundles Tier-1 CSPs are eligible to broker (the Business Premium plus Copilot Business CSP bundle through June 30, 2026 is one current example), Azure migration funding programs like Azure Migrate and Modernize and Azure Innovate that route through the partner, license optimization as an ongoing service rather than a one-time discount, and multi-year contract leverage on commitments. If a CSP's pitch is that Tier-1 status produces a cheaper per-seat subscription on standard SKUs without a Microsoft-funded promo behind it, ask them to show you the math on a current price list.
"Tier-1 partners host Microsoft 365 for you."
Microsoft hosts the Microsoft 365 infrastructure. CSP partners (Tier-1 and Tier-2 alike) manage your tenant under delegated admin authority. ABT manages your Microsoft 365 tenant. ABT hosts your Azure environment when you run Azure-based applications with us. The verbs are different on purpose, and we use them precisely because auditors and IT directors notice when the language is loose. See Microsoft Learn on GDAP for the canonical framing.
"ABT is the only Tier-1 CSP serving financial services."
We are not. Other Tier-1 CSPs serve financial institutions; some are large generalists (SHI, CDW, Insight, Connection) that cover every vertical, others are smaller specialists. ABT's specific position is the largest Tier-1 CSP primarily dedicated to the mortgage industry, with a specialized practice for community banks and credit unions. The "primarily dedicated" framing is intentional and verifiable. Generalist Tier-1 partners do excellent work on the licensing side but do not configure tenants for FFIEC, GLBA, OCC, NCUA, and FDIC examiner expectations the way a specialist does. The right CSP for your institution depends on whether you want a generalist with scale or a specialist with operational muscle memory for your vertical.
What most MSPs are not telling you about your Microsoft tenant.
Most managed service providers and CSPs tell you about the licenses you are buying. They say less about who actually holds the contract, who answers the phone when there is an outage, and who Microsoft escalates against if something goes wrong. Justin walks through what your invoice actually tells you about your CSP, why a Tier-1 relationship is not just a marketing label, and what to ask before your next renewal.
Watch the short for the 60-second version. When you are ready for a more detailed walk-through, the licensing guide breaks down what each Microsoft 365 plan actually includes, how the bundle pricing works, and where the Tier-1 CSP discount shows up on your invoice.
Read the licensing guideRelated reading.
Three blog articles that cover the practical side of Microsoft 365 licensing, examiner expectations, and Copilot deployment for financial institutions.
Microsoft 365 Copilot Business Buyer's Guide for Financial Institutions
The full breakdown of Copilot Business pricing, the Business Premium bundle at $32 per user, and how to evaluate Copilot for a regulated environment.
FFIEC IT Examination Readiness with Microsoft 365 Controls
The six artifacts examiners ask for, the Microsoft 365 controls that produce them (Purview Audit, Entra Conditional Access, Intune, Defender), and the order to put them in place.
NIST CSF 2.0 Assessment for Financial Institutions
The framework FI examiners now reference for AI governance and IT risk. ABT's structured assessment maps your current environment against NIST CSF 2.0 + CRI Profile and produces an examiner-ready gap report.
Frequently asked questions.
Thirteen of the most common questions IT directors and CFOs ask when comparing Microsoft CSPs for the first time.
Tier-1 CSP is the older industry term for what Microsoft now calls a Direct Bill partner in its Cloud Solution Provider program. A Tier-1 partner buys Microsoft 365 and Azure subscriptions directly from Microsoft, issues invoices to the customer, owns first-level support contractually, signs the Microsoft Partner Agreement directly, and attests to the Microsoft Customer Agreement on the customer's behalf. Microsoft Learn defines the model as "the partner who owns the end-to-end relationship with your customer and with Microsoft." Tier-2 (Indirect Reseller) partners buy through a distributor instead.
The fastest test is to look at your most recent Microsoft 365 invoice. If your CSP partner is the named billing party and the contract terms reference the Microsoft Partner Agreement directly, you are working with a Tier-1 Direct Bill partner. If the invoice references a major Microsoft distributor as the underlying provider, your CSP is operating as a Tier-2 Indirect Reseller. You can also ask your CSP directly. The answer is binary, and Microsoft's Partner Center records it as a single field in their authorization profile.
Microsoft publishes an estimated retail price (ERP, also called MSRP) for each cloud subscription and bills the CSP partner a separate wholesale "list price" for each seat. A Tier-1 CSP can legally sell below the published ERP if it chooses to, because Microsoft does not contractually require a minimum resale price. The wholesale partner price is the practical floor; sustained per-seat discounting compresses partner margin to a level that cannot fund the management, governance, and support layer customers actually need. Where Tier-1 partners create pricing flexibility is in volume negotiations, custom bundles, term timing, and access to Microsoft-funded incentive programs (Azure Migrate and Modernize, Azure Innovate, Solutions Partner co-op funds, Azure Partner Earned Credit, current promotional bundles like Business Premium plus Copilot Business through June 30, 2026). For an institution running 200 seats of Business Premium plus a Copilot pilot, the structural difference is rarely the per-seat ERP; it is whether the CSP can stack Microsoft-funded incentive programs into the engagement, time the renewal to align with budget cycles, and negotiate special pricing on net-new SKUs at launch.
No. Microsoft hosts the Microsoft 365 infrastructure (the data centers, the service code, the tenant database). Your CSP partner manages the customer tenant via Granular Delegated Admin Privileges (GDAP), which Microsoft Learn describes as "least-privileged access following the Zero Trust cybersecurity protocol." That distinction matters in regulatory contexts. Your data lives in Microsoft's infrastructure under your tenant boundary; your CSP configures, monitors, and supports your tenant under delegated admin authority. ABT manages your Microsoft 365 tenant. ABT hosts your Azure environment when you run Azure-based applications like MortgageWorkSpace or Calyx PointCentral with us. The verbs are different on purpose.
The shortest answer: one fewer hop in the escalation chain. With a Tier-2 reseller, support tickets that exceed first-level resolution typically route from the reseller's support desk to the distributor's support team and then to Microsoft. With a Tier-1 partner, the same ticket goes from the partner's support desk directly to Microsoft engineering through the partner's paid Advanced Support for Partners or Premier Support for Partners plan. The latency reduction is most visible in priority cases (mailflow outages, identity emergencies, cross-tenant issues during M&A) where minutes matter. Tier-1 partners are also required to maintain a passing security score and an annually renewed Solutions Partner designation, which means support staff training and ticket-handling rigor are auditable rather than implied.
Microsoft's New Commerce Experience locks annual commitments for the contracted term, but the partner-of-record can change mid-term while honoring the existing subscription terms. ABT's licensing team reviews your current commitments during Phase 1 (Discovery) and structures the partner-of-record change to either align with your renewal date or transition mid-term while preserving your committed pricing. Most institutions time the change to their annual renewal; some choose to transition mid-term when the support, governance, or renewal-cadence advantages outweigh the calendar misalignment.
No. A CSP switch is a Granular Delegated Admin Privileges (GDAP) partner-of-record change in Microsoft Partner Center, not a data migration. Your Microsoft 365 tenant ID, users, mailboxes, files, SharePoint sites, Teams channels, and Conditional Access policies all stay exactly where they are. ABT initiates the partner-of-record change in Microsoft Partner Center; the customer accepts from their Microsoft 365 admin center; the change is effectively instantaneous once accepted. ABT routinely executes CSP partner-of-record changes for institutions transferring from other CSPs. The work that takes longer is voluntary and happens after the partner-of-record change: re-baselining the security configuration to ABT's Guardian standard, mapping GLBA controls to the Microsoft 365 surface, and aligning license mix to actual role-based usage. (See Phase 3 below for the full mechanics.)
Examiners review your vendor due diligence file for any vendor that touches non-public personal information. The FFIEC's Third-Party Risk Management guidance and the June 2023 Interagency TPRM Guidance both expect a documented assessment of the vendor's financial stability, compliance posture, and operational capability. A Tier-1 CSP's authorization is itself a partner-level audit by Microsoft (revenue threshold, security score, support plan, annually renewed Solutions Partner designation, signed Microsoft Partner Agreement). Examiner expectations also align with the NIST Cybersecurity Framework 2.0 and the Cyber Risk Institute (CRI) Profile, the framework FI examiners adopted after the FFIEC retired its Cybersecurity Assessment Tool in August 2025. ABT's vendor due diligence package gives your vendor risk team a clean stack of artifacts to present: the SOC 2 Type II report (under NDA), attestation of ABT's active signed Microsoft Partner Agreement, verifiable Direct Bill CSP authorization status (independently confirmable via Microsoft's Solutions Partner directory), and the GDAP scope. A Tier-2 reseller's vendor risk profile sits below the distributor's, which adds a layer to the diligence work.
Both ABT and the generalist Tier-1 partners hold the same Microsoft Direct Bill authorization. The differences are vertical specialization and operating model. Generalist Tier-1 CSPs serve every industry with the same configuration profile; ABT is the largest Tier-1 CSP primarily dedicated to the mortgage industry, with a specialized practice for community banks and credit unions, and has spent 25 years building muscle memory for that customer base. Guardian (ABT's hardening and monitoring overlay) maps Microsoft 365 controls to GLBA Safeguards Rule subsections, with documented per-control mapping available to customers in active engagement. ABT also runs MortgageExchange, MortgageWorkSpace, and DocumentGuardian on Azure for the same FI customer base, which means a single licensing conversation can connect to LOS-to-core integration, loan-document automation, and mortgage subsidiary governance without bringing in a third vendor.
GDAP stands for Granular Delegated Admin Privileges. It is the current model Microsoft uses to give CSP partners administrative access to customer tenants. GDAP grants specific, time-bound roles (Exchange Administrator, SharePoint Administrator, Security Reader, and others) for a defined period that the customer approves. The customer can revoke roles at any time. The older model, simply called Delegated Admin Privileges (DAP), gave CSP partners blanket Global Administrator access by default with no time limit. Microsoft fully retired the legacy DAP model through 2023 in favor of GDAP. Both Tier-1 and Tier-2 CSP partners operate under GDAP today. ABT requests only the specific GDAP roles needed to deliver the contracted managed services, and the request is documented in your Microsoft Partner Center for audit review.
Microsoft's CSP program allows only one CSP partner of record per customer per service line. Your Microsoft 365 subscriptions and your Azure subscriptions can be split across two different CSP partners if you want to, but each subscription type can only have one partner at a time. In practice most institutions consolidate to a single CSP for both Microsoft 365 and Azure to simplify support escalation and incentive alignment. ABT customers typically run their full Microsoft 365 stack and any Azure-hosted ABT applications (MortgageWorkSpace, DocumentGuardian, Calyx PointCentral) under the same Tier-1 relationship. Splitting CSPs across the two service lines is supported but adds operational overhead, because incentive programs and bundle pricing are usually structured around the combined book of business.
No. Tier-1 status is a necessary condition, not a sufficient one. The questions that determine fit are operational and cultural. Does the CSP serve institutions in your size band (50 to 5,000 seats is ABT's primary sweet spot)? Does the CSP understand the specific regulatory examiner you are preparing for (FFIEC, OCC, NCUA, FDIC, CFPB, or state-level)? Does the CSP run an operating model that produces ongoing artifacts you can hand to your audit committee, or does the relationship reset every renewal? ABT is a strong fit for community banks, credit unions, and mortgage lenders that want a single relationship covering Microsoft 365, Azure, security governance, and custom interfaces. ABT is not a good fit for an institution that wants the cheapest possible licenses and no managed services overlay; we are a higher-touch CSP than the generalist Tier-1 CSPs, and that is intentional. Ask the question of any CSP: who is your typical customer, and what does the relationship look like in year two?
Microsoft has tightened the Direct Bill bar twice in the last decade (2018 and the October 2025 changes), and the trajectory is consistent: fewer, larger, more capable Tier-1 partners over time. Each round of tightening is announced 5 to 12 months in advance and applied at the next annual reassessment. ABT cleared the 2018 round and the October 2025 round and continues to operate at the Direct Bill level under the FY26 framework ($1M USD trailing twelve-month CSP revenue, Solutions Partner designation, Advanced Support for Partners plan, passing Partner Capabilities Assessment, passing security score). For an institution choosing a CSP today, the more meaningful question is not what Microsoft might require next year; it is whether the CSP has the financial scale and operational depth to clear the next round of tightening when it lands. ABT has met every tightening round since the program's 2014 inception. That track record is itself a vendor risk signal worth recording in your due diligence file.
From first call to year-two renewal.
A practical view of what changes for your institution if you transfer your Microsoft 365 tenant to ABT's Tier-1 CSP relationship. Five phases, sequenced.
Phase 1: Discovery (15 to 30 minutes)
ABT's licensing specialist reviews your most recent Microsoft 365 invoice with you. We confirm your current authorization tier, identify which subscriptions you hold, and walk through what would change if you transferred to ABT's direct billing relationship. No commitment. No data movement. Just a conversation about what your current setup tells us. The honest output of Phase 1 is sometimes "stay where you are." Not every institution should switch CSPs.
Phase 2: Vendor Due Diligence (1 to 3 weeks)
Your vendor risk team requests the standard package: ABT SOC 2 Type II report (under NDA), the GDAP scope ABT will request, attestation of ABT's active signed Microsoft Partner Agreement, verifiable Direct Bill CSP authorization status (independently confirmable via Microsoft's Solutions Partner directory), the standard service agreement, and any custom controls you need documented. ABT delivers this package within 24 hours of the request. Most reviews close within two weeks; complex multi-charter institutions sometimes take longer. This phase is where the Tier-1 status pays off operationally. Microsoft renews ABT's Solutions Partner designation annually based on performance, skilling, and customer success metrics, and that public artifact closes part of the diligence work for you.
Phase 3: Partner-of-Record Change (instantaneous after acceptance)
The actual CSP transfer is a Granular Delegated Admin Privileges (GDAP) partner-of-record change in Microsoft Partner Center, not a data migration. Your tenant ID stays the same. Your users, mailboxes, files, SharePoint sites, Teams channels, and Conditional Access policies stay exactly where they are. ABT initiates the change in Microsoft Partner Center; you accept from your Microsoft 365 admin center; the relationship is effectively instantaneous once you accept. ABT runs a verification pass to confirm subscription counts and license assignments are correctly attributed under the new partner-of-record. You are added as a CSP partner-of-record on your existing tenant; nothing is migrated.
Phase 4: Guardian Hardening (30 to 60 days)
The opt-in security work begins after the partner-of-record change. Guardian deploys a baseline of policy templates across Conditional Access, Defender, Exchange, DLP, Retention, MDM/MAM, and Information Protection categories. Each policy lands in Report-Only mode first, gets monitored against your environment for unintended impact, then promotes to Grant after validation. We do not flip policies live on day one. Most institutions reach the full Guardian baseline within 60 days, with some custom-tuning for unique workflows.
Phase 5: Ongoing Operations (continuous)
Once Guardian is at baseline, the relationship shifts into the steady-state operating model. Quarterly license reviews. Monthly Security Insights reports for the executive team. Continuous Microsoft Secure Score monitoring across the Microsoft Secure Score control surface Guardian tracks. Annual examiner-readiness check 60 days before each examination cycle. License renewal pre-staged 60 days before each annual renewal date. Tier-1 escalation path on every support ticket. The relationship runs continuously, not transactionally.
Year Two: The Compounding Effect
Year two is when most Tier-1 CSP relationships start delivering returns the customer can quantify. The license mix has been right-sized through three quarterly reviews. The Guardian baseline is mature and the Secure Score is in the 90+ range. The first year of audit log retention is in place, so the next examiner cycle has the artifacts on file. Copilot Business has been deployed to a pilot cohort, evaluated, and rolled out broadly or paused based on actual user behavior. The "savings" the CFO can name come from the cumulative effect of those quarterly optimizations, not from a single big-bang switch. That is the structural advantage of running Microsoft 365 through a Tier-1 CSP that thinks of the relationship as ongoing.
ABT is not for every institution.
A Tier-1 CSP relationship with ABT is structured for institutions that want a managed-services overlay on top of their Microsoft 365 and Azure subscriptions, not just the licenses themselves.
If you want the cheapest possible per-seat license without the managed services layer.
ABT is a higher-touch CSP than the generalist Tier-1 CSPs by design. Institutions under 50 seats that want a purely transactional license relationship with no ongoing security, governance, or examiner-readiness work are usually a better fit for a generalist Tier-1 (SHI, CDW, Insight, Connection) or an Indirect Reseller with a lighter price point.
If your institution is in a vertical ABT does not specialize in.
ABT's operational muscle memory is mortgage-first, with deep practice for community banks and credit unions. Healthcare, manufacturing, retail, education, and other verticals are not where ABT's tenant configurations, regulatory crosswalks, and partner stack are tuned. A generalist Tier-1 CSP or a vertical specialist for your industry will be a stronger match.
Community banks, credit unions, and mortgage lenders in the 50-to-5,000-seat band.
If you want your CSP relationship to do operational work continuously rather than transactionally (quarterly license reviews, ongoing Guardian hardening, examiner-readiness pre-checks, mortgage and core integration in the same conversation, NIST CSF 2.0 and CRI Profile alignment), ABT is built around that operating model. The Tier-1 status is the enabling layer; the financial-services specialization is the reason institutions stay.
ABT's Tier-1 CSP practice is led by Justin Kirsch (CEO, ABT) and includes the ABT MortgageGuide Copilot beta (built on Microsoft Azure AI Foundry, currently in beta and available exclusively to ABT customers) under Hugo's direction. Track the public-claim review under LEAD-2245.
Ready to talk to a real
Tier-1 CSP?
ABT's licensing team will read your most recent Microsoft 365 invoice with you, identify your current authorization tier, and walk through what would change if you transferred your tenant to ABT's direct billing relationship with Microsoft.
