MSP Onboarding Checklist: Your First 90 Days
Choosing a managed service provider is the hard part, but it is not the finish line. The first 90 days decide whether you made the right call, and a structured MSP onboarding checklist is what keeps a new provider honest while they still have everything to prove. Onboarding is when documentation gets captured, credentials get organized, security gets baselined, and backups get tested - or when all of that quietly does not happen and you find out the hard way a year later.
This is a 30/60/90-day plan you can run alongside any new provider. Each phase has a clear goal, the work that should happen, and the milestone you grade them against. Use it to turn a fuzzy "they seem to be doing stuff" handover into a measurable transition you can hold to your contract.
What good MSP onboarding looks like (and why most go sideways)
Good onboarding is methodical and visible. You can see the provider building a picture of your environment, you get documentation you can actually open, and by the end of three months your technology is more understood, more secure, and more recoverable than it was when you started. There is a written plan, named owners, and regular check-ins.
Onboarding goes sideways for a predictable reason: the provider treats it as a formality instead of a project. The sales energy fades, a technician quietly takes over your environment without documenting it, and the "transition" becomes nothing more than pointing their monitoring tools at your network. Months later you discover the asset list was never finished, the backups were never tested, and the only person who understands your setup is a technician who has since moved on. The fix is not to micromanage - it is to insist on milestones and to grade them. A provider running a tight onboarding will welcome that structure, because it is how they work anyway.
One more reason to take onboarding seriously: it is the cheapest time to catch a mismatch. If you spotted issues during evaluation, our guide to MSP contract red flags shows how those same patterns surface in the contract. Onboarding is where they surface in practice.
Days 1-30: Discovery, inventory, and the documentation handoff
The first month is about knowledge transfer. The provider cannot manage what they have not documented, and you cannot hold them accountable for an environment no one has mapped. Aim to end month one with a complete picture of what you have and who controls it.
Kickoff and stakeholders
Start with a kickoff meeting that names the people on both sides: your main point of contact, the provider's account manager, and the technical lead who will know your environment. Agree on how tickets are submitted, how urgent issues are escalated, and how often you will meet during onboarding. Write it down. A provider who cannot tell you who owns your account in week one is a warning sign.
Asset and license inventory
The provider should build a complete inventory: servers, workstations, network gear, mobile devices, software licenses, domain registrations, and every cloud service in use. This list is the foundation for everything that follows, including security and budgeting. Ask to see it in a format you can read and keep, not just inside their tools.
Administrative credentials and ownership
This is the step most likely to be rushed and the most important to get right. Every administrative account - your Microsoft 365 or Google Workspace tenant, firewalls, servers, backup systems, domain registrar - should be inventoried, secured, and owned by your business with the MSP holding access on your behalf. Confirm where credentials are stored and that you retain ownership. CISA's cybersecurity best practices stress keeping ownership of and visibility into your own accounts rather than handing them over wholesale.
Documentation handoff
By day 30 you should receive baseline documentation: a network diagram, the asset and license inventory, the list of administrative accounts, and notes on any business-critical or custom systems. This documentation belongs to you. If a provider cannot or will not share it, you are already locked in, which is exactly the situation a clean onboarding is meant to prevent.
Days 31-60: Monitoring, security hardening, and backups
With the environment mapped, month two is about making it stable, secure, and recoverable. This is where a good provider earns the monthly fee, and where you want to see concrete configuration, not promises.
Monitoring baseline
The provider should have monitoring in place across your critical systems - uptime, disk space, patch status, and security alerts - and be able to show you what "normal" looks like. A baseline matters because it is how anyone tells the difference between a healthy system and one that is quietly degrading. Ask what is monitored, what triggers an alert, and who responds when one fires.
Security hardening
Security is not a single switch, it is a set of defaults. Expect multi-factor authentication enabled on every account that supports it, endpoint protection deployed and reporting, a defined patch management cadence, and removal of unused or stale accounts. Hold the work against a recognized standard: the NIST Cybersecurity Framework gives you a vocabulary for what "secure" should include, and Microsoft's security documentation details the baseline controls for the cloud platforms most small businesses run on. Ask the provider to walk you through what they hardened and why.
Backup verification
A backup you have never restored is a hope, not a backup. By the end of month two the provider should show you that backups are running, where they are stored, how long they are retained, and - this is the part that gets skipped - the result of an actual test restore. The widely used 3-2-1 approach (three copies, two media types, one off-site) is a reasonable benchmark to ask about. If a provider cannot demonstrate a successful restore, that gap needs a date next to it.
Escalation paths
Confirm the escalation ladder for real incidents: who you call, how fast it moves up, and how major issues are communicated to you. Test it with a low-stakes ticket if you can. The middle of an outage is the worst time to learn that no one is accountable for your account after hours.
Days 61-90: Your first QBR and SLA scorecard
The final phase closes the loop. By now the environment is documented, monitored, secured, and backed up. Month three is when you formally grade the transition and set the rhythm for the relationship.
The first QBR
Around day 90, hold your first quarterly business review. A QBR is a scheduled meeting to review performance, look at ticket trends, check the status of security and backups, and plan upcoming work and budget. Treat the first one as the onboarding report card. Come with the asset list, the documentation, and your contract's SLA in hand.
SLA scorecard
Grade the provider against the targets you signed. Did response and resolution times meet the SLA? Were security and backup milestones hit? Is the documentation complete and in your hands? A provider running a real operation will bring their own data to this conversation. If they cannot report on their own performance, that is itself a finding.
Gaps and remediation
No onboarding is perfect, so list what is unfinished and put a date on each item. A missing test restore, an incomplete asset list, or an account still owned by the provider are all fixable - if they are tracked. Leaving day 90 with a written remediation list and owners is the difference between a healthy relationship and a slow drift back into the fog. If the gaps are large and the provider is defensive, revisit your evaluation; the framework in how to choose a managed IT service provider can help you decide whether to course-correct or move on.
Your 90-day MSP onboarding checklist
Here is the full checklist in one place. Save it, share it with your provider before kickoff, and check items off together as you go.
Days 1-30 - Discovery and handoff
- Kickoff meeting held; account manager and technical lead named
- Ticketing and escalation process agreed in writing
- Complete asset inventory (hardware, software, licenses, cloud accounts)
- Administrative credentials inventoried, secured, and owned by your business
- Baseline documentation delivered (network diagram, accounts, critical systems)
Days 31-60 - Stabilize and secure
- Monitoring deployed across critical systems with a defined baseline
- MFA enabled on all supported accounts
- Endpoint protection deployed and reporting
- Patch management cadence defined and running
- Backups configured, retention defined, and a test restore completed
- Escalation path documented and tested
Days 61-90 - Review and lock in
- First QBR scheduled and held
- SLA scorecard reviewed against signed targets
- Open gaps documented with owners and remediation dates
- Documentation confirmed complete and in your possession
- Ongoing meeting cadence and reporting agreed
If you run this checklist and the provider keeps pace, you have a partner. If they stall on the basics - inventory, documentation, a tested restore - you have learned something important while it is still easy to act on.
Want one reference to keep open through the whole transition? Download the free MyMSPHub buyer's guide and run it alongside this checklist across the first 90 days.
Frequently asked questions
How long does MSP onboarding take?
Most small and midsize business onboardings run 30 to 90 days. The first 30 days cover discovery, asset inventory, and the documentation and credential handoff. Days 31 to 60 establish monitoring, security baselines, and verified backups. Days 61 to 90 lead up to your first quarterly business review, where you grade the transition against the SLAs you signed. Larger or more regulated environments can take longer, but 90 days is a reasonable bar for a clean, fully operational handover.
What should an MSP do in the first 30 days?
In the first 30 days an MSP should run a discovery and kickoff meeting, build a complete inventory of your hardware, software, licenses, and cloud accounts, collect and document administrative credentials, and produce baseline documentation of your network and systems. By the end of month one you should have a shared asset list, a documented environment, and clear ownership of every account.
What documents should my MSP hand over?
Ask for a network diagram, an asset and license inventory, a documented list of administrative accounts and where credentials are stored, your backup and recovery configuration, an escalation and contact list, and the runbook for any custom or business-critical systems. These belong to your business and should be accessible to you, not locked inside the provider's tools alone.
What is a QBR?
A QBR is a quarterly business review - a scheduled meeting where you and your MSP review performance against the SLA, look at ticket trends and recurring issues, check the status of security and backups, and plan upcoming projects and budget. The first QBR around day 90 is the moment to grade the onboarding and agree on any remediation.
What if my MSP misses onboarding milestones?
Treat missed milestones as early data, not a catastrophe. Document what was promised and what slipped, raise it in writing, and put a remediation date on each gap. The onboarding period is when patterns show themselves, so a provider that is already slow to inventory assets or hand over documentation is showing you how the relationship will run. Use your contract's SLA and escalation terms to hold them to the plan.
Free Buyer's Guide
The complete guide to finding and hiring the right MSP for your business.
Download Free Guide