Templates for MSSPs

Overview

A Template is a structured collection of configuration settings designed to help Managed Security Service Providers (MSSPs) efficiently onboard and manage multiple tenants. By using reusable templates, MSSPs can streamline administrative workflows, ensure consistency across tenants, and accelerate customer onboarding.

Templates are derived from a Base Tenant, and they enable MSSPs to apply consistent security and operational policies in bulk with the following key characteristics:

  • Provides a consistent set of predefined settings that can be applied across multiple tenants.

  • Built using the configuration of an existing, designated tenant to simplify setup and ensure uniformity.

This functionality empowers MSSPs to maintain high standards of security and operational control across their tenant ecosystem.

Base Tenant: A Base Tenant is the source tenant from which a template is created. It serves as the reference point for copying configuration settings.

The base tenant’s configurations define the structure and content of the template, and enables MSSPs to apply consistent settings across multiple tenants.

Parent MSSPs: Parent MSSPs can create configuration templates and push them to:

  • Tenants they manage directly.

  • Tenants managed by MSSPs that they have created.

Note - Templates feature is available only for customers in the Early Availability (EA) program. If you want to activate this feature, contact Avanan Support.

Benefits

  • Faster Customer Acquisition: MSSPs can quickly apply predefined configurations to new customers.

  • Consistency Across Tenants: Ensures aligned security and email configurations across all managed tenants.

  • Ease of Management: Simplifies updates and propagates changes across multiple tenants efficiently.

  • Audit and Control: Monitors configuration status and identifies deviations across tenants.

Template Lifecycle

The lifecycle of a template includes the following key steps:

  1. Create: Create a new template based on a selected tenant’s configuration. See Creating a Configuration Template.

  2. Assign: Assign the template to one or more tenants. See Assigning Configuration Templates.

  3. Push: Apply the template settings to the assigned tenants. See Pushing a Template to Tenants.

  4. Edit: If required, update the base tenant or modify the template settings. See Editing a Configuration Template.

  5. Push Again: If you made any changes to the template, reapply the updated template manually to keep assigned tenants aligned. See Pushing a Template to Tenants.

What Settings are Copied from the Template to the Tenant

When a configuration template is pushed to a tenant, the system copies the settings from the template to the tenant, depending on whether Office 365 Mail or Google Gmail is onboarded in the tenant.

Office 365 Mail

  • Threat Detection policies

  • Click-Time Protection policies

    Note - The system does not sync the DLP policies, and policies applied to specific users/groups in the base tenant will be copied as All Users and Groups.

  • Security Engine Settings (Security Settings > Security Engines)

    • Anti-Phishing

    • Anomalies

      Note - The system does not sync the Click-Time Protection engine settings.

  • Office 365 Mail Notification Templates (Security Settings > SaaS Applications > Office 365 Mail > Advanced)

  • Exceptions

    • Anti-Phishing

    • Anti-Spam (trusted senders, applied to all recipients)

      Notes:

      • The entries will not be modified when applying a template.

      • In the recipient tenant, all currently listed trusted senders remains unchanged.

    • URL Reputation

    • Anti-Malware

  • User Interaction Settings (Security Settings > User Interaction)

    • End User Portal

      Note - If the End User Portal in the base tenant is activated for some users, it is enabled for all users in the tenants assigned to the template.

    • Daily Quarantine Digest

    • Automatic handling of restore requests and phishing reports

    • Automatic restore from Microsoft quarantine

Google Gmail

  • Exceptions

    • Anti-Phishing

    • URL Reputation

    • Click-Time Protection

    • Anti-Malware

  • User Interaction Settings (Security Settings > User Interaction)

    • End User Portal

      Note - If the End User Portal in the base tenant is activated for some users, it is enabled for all users in the tenants assigned to the template.

    • Daily Quarantine Digest

    • Automatic handling of restore requests and phishing reports

  • Security Engine Settings (Security Settings > Security Engines)

    • Anti-Phishing

    • Anomalies

      Note - The system does not sync the Click-Time Protection engine settings.

What Settings are Not Copied from the Template to the Tenant

When a configuration template is pushed to a tenant, the system does not copy the following settings and data:

  • Collaboration application settings and policies (for example, Office 365 OneDrive, Google Drive, Microsoft Teams, etc.)

  • Security Awareness Training settings

  • DMARC management settings

  • DLP policies, data types, and security engine settings

  • Archiving settings

  • Security Checkup report scheduling

  • Customers' personal data (for example, trusted senders for individual users')

    Note - The system copies the global trusted senders defined by administrators for all users.

Required Permissions

  • Only Managed Service Security Provider (MSSP) Portal administrators can create and manage templates. See Creating a New Tenant.

  • Help Desk Users can view template assignments but cannot modify them.

Creating a Configuration Template

The Configuration Templates page allows administrators to:

  • Create, edit, and delete configuration templates.

  • Assign templates to tenants.

  • View the assignment status of templates.

  • Check the Assigned To column for the number of tenants using each template.

  • Push updates to tenants. See Pushing a Template to Tenants.

    Note - When a template is assigned but not pushed, the status for the tenant shows as Not Aligned.

To create a configuration template:

  1. Go to Templates.

  2. In the Configuration Templates page that appears, click Add New Template at the top of the page.

    The Create Configuration Template pop-up appears.

  3. In the Name field, enter a name for the template.

  4. In the Description field, describe the purpose or contents of the template.

  5. (Optional) To make the template default for new tenants that you create, select Set as default configuration templates checkbox. See Creating a New MSP.

  6. In the Based on Tenant section, select an existing tenant to use as the basis for the configuration.

  7. (Optional) In the Assigned Tenants section, select the required tenants to assign the template:

    • All tenants

    • All tenants except

    • Only specific tenants

    • None (default)

    Note -You can assign tenants to the template even after creating it. See Assigning Configuration Templates.

  8. (Optional) To apply the template to the selected tenants immediately, select Push changes to assigned tenants now checkbox.

  9. Click Save.

Assigning Configuration Templates

To assign a configuration template to the tenant:

  1. Go to Manage Tenants.

  2. In the table, click the icon next to the Actions column for the tenant you want to assign a configuration template.

  3. Click Assign Template.

    The Assign Configuration Template pop-up appears.

  4. In the Select a configuration template to assign to section, select the required configuration template.

  5. (Optional) To apply the template to the selected tenant immediately, select Push changes to assigned tenants now checkbox.

  6. Click Assign.

Finding a Tenant's Template Assignment State

  1. Go to Manage Tenants.

  2. The Configuration Template column shows the assigned template for each tenant.

  3. To view a specific tenant's assigned template, use the available filtering and sorting options. See, Managing Tenants and MSPs.

Editing a Configuration Template

To edit a configuration template:

  1. Go to Templates.

  2. In the Configuration Template page that appears, click the icon for the template you want to edit.

  3. Click Edit.

  4. In the Edit Configuration Template pop-up that appears, make the required changes.

  5. Click Save.

Pushing a Template to Tenants

To push a configuration template to tenants through the Manage Tenants page:

  1. Go to Manage Tenants.

  2. In the table, click the icon next to the Actions column for the tenant you want to push a template.

  3. Click Push Template.

  4. In the Push Template confirmation pop-up that appears, click Push.

To push a configuration template to tenants through the Templates page:

  1. Go to Templates.

  2. In the Configuration Template page that appears, click the icon for the template you want to push to the tenant.

  3. Click Push to assigned tenants.

  4. In the Push Template confirmation pop-up that appears, click Push.

Handling Deviations

If a tenant deviates from its assigned template, it no longer reflects the full set of configurations intended by the MSSP, which may result in missing critical security or operational settings.

Template Status Indicators

The Manage Tenants page displays the deviation status in the Template Status column with the following states:

  • No Template: The tenant does not have a configuration template assigned.

  • Aligned: The tenant's configuration matches the assigned template.

  • Blank: The tenant is edited and deviates from the assigned template.

  • Failed to Push: An error occurred while applying the template to the tenant.

  • Updating: The template is currently being applied to the tenant.

Note - Administrators can resolve the tenant deviations by clicking Push Template. To do that, see Pushing a Template to Tenants.

Error Handling

In the Configuration Templates Page:

  • Errors appear alongside tenant counts in the Assigned to column.

  • Hover over errors to view detailed breakdown of it.

  • Click the error count to open Tenant Management with applied filters.

Note - Administrators can resolve the tenant deviations by clicking Pushed to assigned tenants. To do that, see Pushing a Template to Tenants.

Deleting Templates and Base Tenants

  • Template Deletion: When a template is deleted, assigned tenants retain their configuration settings but lose the association with the template.

    To delete a configuration template:

    1. Go to Templates.

    2. In the Configuration Template page that appears, click the icon for the template you want to delete.

    3. Click Delete.

    4. In the Delete Deployment Template confirmation pop-up that appears, click Delete.

  • Base Tenant Deletion: The system blocks deletion of a base tenant if a template is based on it. You must assign the template to another tenant before deleting it.

    To delete a base tenant:

    1. Go to Manage Tenants.

    2. In the table, click the icon next to the Actions column for the tenant you want to delete.

    3. Click Delete.

    4. In the Delete Deployment Template confirmation pop-up that appears, click Delete.

Setting a Template as a Default Template

Administrators can set any template as the default template. When creating new tenants, the system automatically pre-fills the default template. See Creating a New Tenant.

To make a Template the default template after creating it:

  1. Go to Templates.

  2. In the Configuration Template page that appears, click the icon for the template you want to make default template.

  3. Click Set as Default.

    The system sets the selected configuration template as the default template.