How long should MSP onboarding take?

A thorough MSP onboarding takes 30–60 days for most small and mid-size businesses. Larger environments with multiple locations or complex infrastructure may take 60–90 days. Be wary of MSPs who promise to "onboard you in a week" — they're either cutting corners on discovery or working with a very simple environment. Rushed onboarding means they don't know your systems, and the first time something goes wrong, they're learning your environment from scratch.

What should I give my new MSP access to?

Your new MSP needs admin access to: your Microsoft 365 or Google Workspace tenant, your firewall/router management console, your backup software/platform, all managed endpoints (via the RMM agent they install), and your line-of-business applications for integration purposes. They should NOT need your banking credentials, your domain registrar login, or access to personal accounts. Document every credential you share and confirm in writing what access is granted — you'll need this list when you eventually transition to a different provider.

MSP Onboarding: What Should Actually Happen in the First 60 Days

Quick answer Good MSP onboarding includes: a full environment discovery and documentation within the first 2 weeks, a security baseline assessment, MFA enforcement and patch backlog cleared by day 30, a tested backup restore by day 45, and a formal 60-day business review. If your MSP can't produce written documentation of your environment within 30 days, the relationship will be chaotic indefinitely.

The onboarding process is where most MSP relationships either succeed or start to fail. A provider who has a structured onboarding process usually has a structured service delivery process. One who wings the onboarding will wing everything else.

Week 1–2: Discovery and Documentation

The first two weeks should be focused on learning your environment — not fixing things yet. A good MSP will:

Inventory all devices: workstations, servers, network equipment, mobile devices. You should receive a documented asset register.
Document your network topology: IP scheme, VLANs, firewall rules, key integrations. You should receive a network diagram.
Audit user accounts: who has admin access, who has stale accounts, who has access they shouldn't. You should see a user access report.
Assess backup status: is backup running, when was it last tested, what are the retention settings?
Review patch status: what's the current patch age across all endpoints?

At the end of week 2, you should have written documentation of your environment. If the MSP can't produce this, they haven't done a real discovery — and they'll be solving tickets without understanding your setup.

Week 2–4: Security Baseline

After discovery, the priority shift is security baseline. This should include:

EDR deployment to all endpoints (or audit of existing EDR coverage)
Patch backlog cleared: critical and high-severity patches applied to all managed devices
MFA enforced across Microsoft 365 or Google Workspace and VPN access
Email security reviewed: DMARC/SPF/DKIM configured, email filtering enabled
DNS filtering enabled
Backup verification: confirm backup is configured correctly for all critical data

Week 4–6: Operational Handover

By week 4–6, the MSP should have completed the technical baseline and be operating in steady-state support mode:

Helpdesk system set up and all users know how to submit tickets
On-call and escalation contacts documented and communicated to your team
Monthly reporting configured: what reports will you receive and on what cadence?
Backup test completed: a real restore from backup, not just verification that backup software is running

Day 60: Business Review

A good MSP conducts a 60-day business review. The agenda should include:

Security baseline summary: where you started, what was addressed, what's still open
Ticket summary: volume by category, resolution times vs. SLA, top recurring issues
Patch status report: current patch compliance percentage across all managed endpoints
Backup status: current backup health, test results, retention confirmation
Roadmap items: hardware coming end-of-life, planned projects, security improvements recommended

Early Warning Signs

These are signals in the first 60 days that the relationship is starting badly:

No written documentation of your environment after 30 days
Tickets being closed without root-cause explanation
Unable to tell you the current patch status of your endpoints
No confirmation of backup test completion
No formal 60-day review offered or delivered
Different technicians answering every ticket with no continuity of knowledge

If you're seeing these signs in the first 60 days, escalate to the MSP's account management team in writing. Most MSP contracts have a 30-day termination right within the first 90 days — use it if the issues aren't resolved.