Option A
A generic MSP
Charges you a monthly fee, sends invoices for invisible work, and stays reactive. No reporting. No improvement. No framework.
01
The foundational tier of the CompleteCare stack
Run your IT to a defensible CIS IG1 standard: onboarded in 30 days, paced to your operating budget, month-to-month.
Microsoft 365 Business Premium managed service for nonprofits, foundations, and rural hospitals.
The 4-Phase IG1 Path™ is Microsoft Business Premium delivered as a 12-month installment plan instead of a $100,000 upfront engagement, built specifically for mission-driven organizations that don’t have an IT department.
60 minutes · We tell you where you stand before you commit
- Microsoft Solutions Partner, Charity-Authorized
- Microsoft 365 Business Premium specialists
- Month-to-month: no 12-month lock-in
- ~20 years of nonprofit-specific Microsoft IT
The honest answer
When your board asks “is our IT well-run?” what do you actually have to show them?
For most mission-driven organizations between 50 and 1,000 staff, the honest answer is not much. There’s an IT vendor sending invoices. There’s a person on the team who handles tickets. There’s hope.
There’s no framework. No defensible posture data. No coverage map against a recognized cybersecurity standard. No answer when a major funder, a cyber-insurance underwriter, or a regulator asks the question.
Meanwhile, attacks on foundations, legal aid organizations, community health centers, and faith-based nonprofits are increasing every quarter. Donor data, client information, beneficiary records: all of it sits in tenants that nobody is actively defending.
Option B
Hiring an IT manager
Costs $90,000–$120,000 fully loaded. That’s one person trying to do an entire team’s job, with no Microsoft partner access and no security operations function behind them.
Option C
A traditional implementation SOW
$50,000–$100,000 upfront. Most nonprofit budgets can’t absorb that. And when it ends, you still need a managed service.
CompleteCare Foundations is a fourth option.
CompleteCare Foundations: the defensible IT standard.
The same scope as a traditional Business Premium implementation, delivered as predictable monthly installments.
CompleteCare Foundations is the foundational tier of the CompleteCare stack: the Microsoft 365 tenant baseline on top of which Govern, Intelligence, and Shield are eventually layered. It is built on a named methodology: The 4-Phase IG1 Path™.
It’s the same scope as a traditional Business Premium implementation engagement: Conditional Access, MFA, Intune, Defender for Endpoint, Defender for Office 365, Purview labels, DLP, retention. Delivered as a 12-month installment plan via your 20-hour monthly engineering workstream rather than as a single upfront SOW.
The endpoint is CIS Top 18 IG1 baseline coverage, backed by Microsoft’s full Business Premium stack, configured by Microsoft-certified engineers, and reported back to you every week, every month, every quarter.
By month 12, you stand in front of your board with a one-page letter you can defend: “Our IT operates to a defensible CIS IG1 baseline. Here’s the evidence.”
The methodology
How you get there.
The 4-Phase IG1 Path runs across the first 12 months and continues as steady-state operations from month 13 forward. Every phase maps to specific CIS Top 18 controls.
01
Months 1–3
Identity, apps & email
Conditional Access baseline, MFA enforced for everyone, legacy authentication blocked tenant-wide, Self-Service Password Reset, mailbox migration completed, SSO for your primary applications, email authentication (SPF/DKIM/DMARC), privileged-access cleanup.
CIS controls: 5 (Account Management), 6 (Access Control), 8 (Audit Log), 4 (Secure Configuration).
02
Months 3–6
Devices
Every corporate device under Intune. Compliance policies enforced. Microsoft Defender for Endpoint deployed (replacing any legacy AV). BitLocker enforced. LAPS rolled out. Windows Update for Business configured. Mobile App Protection Policies in place.
CIS controls: 1 (Asset Inventory), 2 (Software Inventory), 4 (Secure Configuration), 7 (Vulnerability Management), 10 (Malware Defenses).
03
Months 6–9
Collaboration & data protection
OneDrive deployed with Known Folder Move. SharePoint and Teams governance configured. Sensitivity labels deployed across the organization. Data Loss Prevention policies in enforcement mode. Retention policies aligned to your records requirements. Microsoft Defender for Office 365 tuned beyond defaults.
CIS controls: 3 (Data Protection), 9 (Email & Browser Protections), 10 (Malware, collaboration side), 11 (Data Recovery, partial).
04
Months 9–12
Secure remote access & LOB
Remaining SaaS apps integrated with Microsoft Entra ID. Entra Application Proxy publishes any on-premises web apps with SSO and Conditional Access. File share migration to OneDrive/SharePoint. Print evaluation against Universal Print. Legacy AD retirement plan executed.
CIS controls: 12 (Network Infrastructure, partial), 13 (Network Monitoring), 15 (Service Provider Management), 17 (Incident Response, matures).
Throughout: The Detection & Response Track
Defender XDR monitoring, alert configuration, hygiene sweeps, and The Cross-Client Learning Loop™: when an incident or significant finding affects any other CompleteCare client, the hardening propagates to you the same week.
The core stack
What you get every month.
Named components of CompleteCare Foundations, each independently scoped and individually deliverable.
The 4-Phase IG1 Path™
Named 12-month methodology mapped to CIS Top 18 IG1.
The 7-Day Foundation Sprint™
Tenant Baseline, Top-5 Hygiene Findings, First Roadmap, First Conditional Access Review: in your hands by Friday of week 1.
The Defensible IT Dashboard™
Monthly snapshot of CIS 18 IG1 coverage, Secure Score trend, hygiene closure rate, and phase progress.
The 20-Hour Monthly Engineering Workstream™
Real engineering capacity, planned against the 30-60-90 rolling roadmap, reviewed with you each month.
The Cross-Client Learning Loop™
Incidents at other clients become your protection. Same-week hardening propagation.
The Monthly Tenant Hygiene Sweep™
Eight-category structured monthly review: identity, privileged access, devices, licenses, applications, policies, email, data protection.
The CIS IG1 Coverage Report (Quarterly)
Board-ready posture report on CIS 18 control coverage with framework alignment statement.
The Done-For-You Promise™
Your time commitment is approximately 30 minutes per week to review the Weekly Tenant Monitoring Report. Everything else is done for you.
The Microsoft Liaison Service
We open and manage Microsoft support cases on your behalf. You never wait in a queue.
The Weekly Tenant Monitoring Report
A five-minute Monday read covering identity, endpoint, email, and Secure Score signals.
The Quarterly Business Review
Strategic session with the CN Service Delivery Manager and your leadership.
The Microsoft Solutions Partner Advantage
Full access to Microsoft partner channels, licensing programs, and technical escalation paths.
The bonus stack ($16,000 in stated value, included)
- The 4-Phase Implementation Playbook: the 35-page internal playbook yours to keep.
- The Tenant Hygiene Checklist (Excel): the same checklist your tenant is scanned against monthly.
- The Cross-Client Security Advisory Service: same-week advisories on industry threats and Microsoft changes.
- The Board-Ready Quarterly Letter: pre-drafted for your Executive Director to take directly to the board.
- Microsoft Roadmap Watch: proactive notifications on new Business Premium capabilities.
Risk reversal
Three named promises. None of them cosmetic.
Every CompleteCare tier carries named guarantees. These are the three that define Foundations.
01
The No-Lock-In Promise™
Month-to-month from day one. No 12-month contract. No 36-month auto-renewal. No termination fee. If you don’t see value any month, you give us 30 days’ notice and you walk away.
This is materially different from how most MSPs structure their engagements. They lock you in because they have to: their economics depend on it. Ours don’t. We’ve built CompleteCare around delivering visible monthly value, because the structural commitment is on us, not on you. Project SOWs have project-specific milestones described in the engagement document. Recurring services are month-to-month.
02
The 7-Day Foundation Sprint™ Promise
By Friday of week 1, you have tangible artifacts in your hands: a Tenant Baseline Assessment, your top 5 hygiene findings, your first 30-60-90 roadmap, and your first Conditional Access policy review. If we don’t deliver this pack by end of business Friday of week 1, your Service Initiation SOW fee is credited in full.
You shouldn’t have to wait 60 days to see what you paid for. The 7-Day Foundation Sprint is designed so you see what we found, what we’re prioritizing, and what we’re doing about it before you’ve finished onboarding paperwork. That’s a real accountability window, with real dollars behind it.
03
The Done-For-You Promise™
Your total time commitment to CompleteCare Foundations is approximately 30 minutes per week to review the Weekly Tenant Monitoring Report. Every other deliverable: the engineering workstream, the monthly hygiene sweep, the dashboard updates, the quarterly CIS report, the QBR prep: is owned by the M365 Managed Services team.
Most IT programs ask your team to do significant work to support the IT program. We’re explicit that your job is to read a five-minute report on Mondays and show up to the quarterly review. If we’re consistently asking for more than that, raise it and we’ll fix the process, not charge you for the correction.
Managed service or implementation project. You choose.
Most clients engage Foundations as the managed service. Some need a one-time project. Both paths are available.
The default path (the canonical CompleteCare model)
Managed service
- Foundations runs as a recurring monthly engagement, banded by user count
- The Service Initiation SOW handles onboarding (months 1–2), then steady-state operations from month 3 forward
- 20-hour monthly engineering workstream, weekly reports, monthly reviews, quarterly QBR
- Month-to-month from day one; 30 days’ written notice to terminate
- Pricing: $2,500–$11,000/month banded by user count, plus a one-time Service Initiation SOW of $5,000–$15,000
The alternative: project-based
Business Premium implementation SOW
- Same 4-Phase scope, delivered as a defined-timeline project
- Project terms specified in the engagement document; typically 6–12 months delivery
- When the project ends, you keep what we built. No ongoing retainer required
- If you want to convert to the managed service afterward, that path is open
- Pricing: scoped per engagement; typically $50,000–$100,000 depending on starting tenant complexity and user count
What CompleteCare Foundations actually costs, compared to the alternatives.
| Option | Annual cost | What is delivered |
|---|---|---|
| CompleteCare Foundations (51–150 user band) | $54,000 ($4,500/mo) + $5,000–$15,000 Service Initiation SOW | Full 4-Phase implementation, ongoing managed services, CIS IG1 reporting, Defensible IT Dashboard, $16,000 bonus stack. Month-to-month. |
| Hire an IT manager | $90,000–$120,000 fully loaded | One person. No Microsoft 365 specialization. No security operations. No partner access. |
| Traditional Business Premium implementation SOW (upfront) | $50,000–$100,000 | Implementation only. Ongoing service is a separate contract. |
| Generic MSP (100-user organization) | $60,000–$180,000 | Break/fix. Reactive. No implementation arc. No framework. No transparency. |
Pricing by user band
Monthly fee for the managed service. Banded by Microsoft Business Premium-licensed user count.
| Tenant size | Monthly fee |
|---|---|
| Up to 50 Business Premium-licensed users | $2,500 / month |
| 51–150 users | $4,500 / month |
| 151–300 users | $6,500 / month |
| 301–500 users | $8,500 / month |
| 501–1,000 users | $11,000 / month (custom-scoped at the top end) |
| Over 1,000 users | Custom |
CompleteCare Foundations is less expensive than hiring one IT person and delivers an entire 4-Phase implementation, ongoing managed services, and a CISO-grade advisory function. The Service Initiation SOW is sized to your starting tenant complexity, typically $5,000–$15,000.
The activation hook
By Friday of week 1, you have tangible artifacts in your hands.
The 7-Day Foundation Sprint™ delivers a Tenant Baseline Assessment, your top 5 hygiene findings, your first 30-60-90 roadmap, and your first Conditional Access policy review, sent as a deliverable pack to your designated contacts. You see what we found, what we’re prioritizing, and what we’re doing about it before you’ve finished onboarding paperwork.
In practice
What this looks like in practice.
Community foundation, 80 to 130 staff
Engaged Foundations after a cyber-insurance renewal where the underwriter flagged MFA coverage gaps and missing device enrollment. Service Initiation SOW completed in 11 days. By month 3, Conditional Access covered 98 percent of sign-ins and every corporate device was enrolled in Intune. The Quarterly CIS IG1 Coverage Report was submitted to the underwriter at the next renewal, resulting in a 21 percent premium reduction.
“We’d been meaning to sort out our Microsoft 365 setup for two years. What I didn’t expect was having a clear picture of where we stood by end of week 1. That report alone was worth the service initiation cost.”
Operations DirectorRepresentative client profile
Legal aid organization, 150 to 250 staff
Came in with a patchwork tenant: MFA enabled on approximately 60 percent of accounts, no Intune, SharePoint sharing at default settings. The 4-Phase Path ran concurrently with their existing MSP through a 60-day transition. Phase 1 completed on schedule. Secure Score moved from 41 to 79 over the first 90 days. Client moved to full Foundations managed service at month 3.
“We switched because our previous vendor couldn’t produce a CIS coverage report. Centered produced one on day 5. That was the test and they passed it immediately.”
IT DirectorRepresentative client profile
Faith-based nonprofit, 200 to 350 staff
Multi-site with a mixed device fleet and legacy authentication still enabled in two departments. Engaged Foundations as the managed service after the Executive Director received a board question about IT governance at the annual meeting. Phase 2 (Devices) required a five-day Pilot validation in the IT department before the broader rollout. Zero help-desk surge during cutover. Now in steady-state month 14 of operations.
“When the board asked the IT question, I didn’t have an answer. Now I bring the CIS coverage letter to every board meeting. It takes me five minutes to prepare because the letter is already drafted.”
Executive DirectorRepresentative client profile
Microsoft technologies included
Built on the full Microsoft 365 Business Premium stack.
Every component of Foundations is a Microsoft first-party capability, configured and managed by Microsoft-certified engineers under the CompleteCare service definition.
- Microsoft 365 Business Premium
- Microsoft Entra ID P1 (formerly Azure Active Directory)
- Microsoft Intune (device and app management)
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Office 365 Plan 1
- Microsoft Purview Information Protection
- Microsoft Purview Data Loss Prevention
- Microsoft Defender XDR (monitoring and response)
- Microsoft Exchange Online (mail hygiene and routing)
- Microsoft SharePoint Online and OneDrive for Business
- Microsoft Teams (governance and safety defaults)
- Microsoft 365 Lighthouse (multi-tenant health monitoring)
The universal starting point: the prerequisite for what comes next.
Foundations is the tier that everything else stacks on. You don’t have to commit to the rest of the stack to engage Foundations.
Three upper tiers: Govern, Intelligence, and Shield: operate on the Microsoft 365 tenant and require the Foundations baseline (or a documented equivalent) to run safely. Three more: Automate, Insight, and Construct: operate on Power Platform, Microsoft Fabric, and Azure respectively, and can stand alone, though we recommend Foundations for cross-cutting governance.
Most clients run Foundations alone for the first 6–12 months, then add Govern when regulatory exposure makes it relevant, Intelligence when AI ambition matures, and Shield when cyber-insurance or board concern raises the cybersecurity stakes. The Quarterly Business Review is the natural moment to surface those conversations.
Requires Foundations
CompleteCare Govern
Microsoft Purview compliance program for sensitive data: Information Protection, DLP, Insider Risk, eDiscovery, and Audit Premium.
See Govern →Requires Foundations
CompleteCare Intelligence
Governed Microsoft 365 Copilot, agent operations, and Managed AgentOps: the marquee tier for mission-driven AI.
See Intelligence →Requires Foundations
CompleteCare Shield
24×7 SOC on Microsoft Defender XDR and Microsoft Sentinel. For organizations with heightened cybersecurity obligations.
See Shield →Can stand alone
CompleteCare Automate
Workflow automation via Power Platform, including Power Automate, Power Apps, and Copilot Studio agents.
See Automate →Can stand alone
CompleteCare Insight
Data and analytics platform on Microsoft Fabric, including Power BI, Lakehouses, and Data Factory.
See Insight →Can stand alone
CompleteCare Construct
Custom mission-critical applications on Microsoft Azure: App Service, Functions, SQL, Cosmos DB, and Container Apps.
See Construct →New to the CompleteCare stack? See the full CompleteCare overview for the seven-tier architecture and how the tiers interact. If you’re on M365 Instant On and ready to move to a managed baseline, M365 Instant On graduates naturally into Foundations.
Questions
Frequently asked questions about CompleteCare Foundations.
How quickly do we see something tangible?
By Friday of week 1. The 7-Day Foundation Sprint™ delivers a Tenant Baseline Assessment, your top 5 hygiene findings, your first 30-60-90 roadmap, and your first Conditional Access policy review, sent as a deliverable pack to your designated contacts. You see what we found, what we’re prioritizing, and what we’re doing about it before you’ve finished onboarding paperwork.
What does “CIS IG1 baseline” actually mean?
The Center for Internet Security publishes the CIS Top 18 Controls: the widely-recognized cybersecurity standard for organizations. Implementation Group 1 (IG1) is the baseline tier appropriate for small and mid-sized organizations: 153 specific safeguards across 18 control areas. By month 12 of CompleteCare Foundations, your tenant is configured to meet IG1 across the controls Business Premium can deliver, with documented gap remediation plans for the few controls that require external services (like an annual penetration test).
Can I just buy the Business Premium implementation as a one-time project, without the managed service?
Yes. The Business Premium Implementation SOW is the project-based alternative to the managed service: same 4-Phase scope, same engineers, packaged as a one-time engagement with project milestones rather than a recurring retainer. When the project closes, you keep what we built; you can convert to the managed service later if you want ongoing operations. Typical project cost is $50,000–$100,000 depending on starting tenant complexity. Most clients ultimately choose the managed service because the recurring price is lower than the upfront project price and includes ongoing operations, but the project path exists for clients who need it.
We’re already with an MSP. Why switch?
Two reasons specifically. First, The No-Lock-In Promise™: if your current vendor has you in a contract, CompleteCare can run in parallel during the transition so there’s no service gap. Second, ask your current vendor for their version of The Defensible IT Dashboard™: a monthly snapshot of your CIS 18 IG1 coverage. Most can’t produce one. That’s the test.
What if we have more than 20 hours of engineering need in a month?
The 20-hour block covers the typical CompleteCare client. Top-up blocks are available in 10-hour increments at $3,500 per 10 hours. If you’re consistently running over, we’ll proactively recommend a permanent step-up to a larger standard block at a discounted rate.
What’s out of scope?
CompleteCare Foundations focuses on what Microsoft 365 Business Premium can deliver. On-premises infrastructure, end-user helpdesk for your staff, active Defender response beyond the standard runbook, and higher-tier Microsoft capabilities (Sentinel SOC, full Defender XDR, Purview eDiscovery Premium) are all available as add-ons or separate engagements, most through the upper CompleteCare tiers (Shield, Govern). We’re explicit about scope so there are no surprises.
Can we keep our existing IT person?
Yes. CompleteCare Foundations is designed to work with an internal IT contact, not replace them. The contact becomes your point of communication with us; they get the Weekly Tenant Monitoring Report; they’re part of the monthly Roadmap Review. We do the Microsoft 365 specialist work; they keep doing what they’re best at.
What about cyber insurance?
CompleteCare Foundations directly addresses many of the controls cyber-insurance underwriters now require (MFA enforced, EDR deployed, BitLocker, backup posture, IR plan). The Quarterly CIS IG1 Coverage Report is the artifact your insurance broker has been asking you to produce.
How does Foundations relate to the other CompleteCare tiers?
Foundations is the foundational tier. Govern, Intelligence, and Shield require Foundations active (or a documented equivalent baseline): they operate on the Microsoft 365 tenant and need the baseline to be deliverable safely. Automate, Insight, and Construct can technically stand alone but Foundations is recommended for governance reasons. Most clients run Foundations alone for the first 6–12 months, then stack upper tiers as their maturity grows.
The next step is a 60-minute tenant assessment call.
We’ll walk through your current Microsoft 365 environment, identify the highest-priority hygiene findings, and produce the initial scope for your Service Initiation SOW. If CompleteCare isn’t the right fit, for example if you’re not on Business Premium and don’t want to consolidate there, we’ll tell you that directly.
If it is the right fit, you sign the Service Initiation SOW and week 1 of the 7-Day Foundation Sprint begins. By Friday of that week, you have tangible artifacts in your hands.
And remember: month-to-month. No 12-month lock-in. The structural risk is on us, not on you.
Not ready for the assessment call? Begin a Discovery Sprint if a broader AI and IT roadmap is also in view, or see the full CompleteCare stack before committing to a single tier.
Thanks, we’ve got it.
A senior member of our team will reply within one business day to set up your tenant assessment call.
- Microsoft Solutions Partner for Modern Work
- Microsoft Solutions Partner for Security
- Microsoft Charity tenant authorization
- Microsoft 365 Business Premium specialists
- HIPAA BAA available on request
- 501(c)(3) verification required
CompleteCare Foundations is delivered by Centered Networks under the operating direction of our Service Delivery Manager, supported by our M365 Managed Services team: a 24×7 team of certified Microsoft engineers. Service is governed by the CompleteCare Service Definition (v3.0, May 2026) and the CompleteCare Pricing Schedule, both available on request.