HomeResourcesGlossaryCo-Managed IT
Managed IT Glossary

What is Co-Managed IT?

Co-Managed IT is a hybrid engagement model where an external MSP supplements an internal IT team rather than replacing it. The internal team keeps context and business relationships while the MSP provides specialist depth, after-hours coverage, tooling, and scale on demand.

Blocks 99% of password attacks
Required by most cyber insurance
Core to SOC 2, HIPAA, PCI
How It Works

How Co-Managed IT works

Three-step view of how it operates in practice.

1

Clarify roles

Define who owns what: tickets, strategy, security, projects, vendor management. Written RACI prevents gaps.

2

Share tools

Both teams work from shared RMM, PSA, and documentation. One system of record, two operators.

3

Coordinate cadence

Weekly stand-ups, quarterly reviews, shared incident response. Partnership, not vendor relationship.

Co-Managed IT Variants

Common co-managed patterns

A clear breakdown of the common variants.

Pattern

Coverage extension

Internal team works business hours; MSP covers nights, weekends, holidays.

Most common

Specialist depth

Time-based one-time codes from an app like Microsoft Authenticator or Google Authenticator. Offline-capable and phishing-resistant against many attacks.

Convenient

Project scale

The user approves a sign-in with a tap on their phone. Easy to use but vulnerable to MFA fatigue attacks — always pair with number matching.

Strongest

Tooling & vendor management

FIDO2 keys like YubiKey, or device-bound passkeys. Phishing-resistant by design — the key will not authenticate against a fake domain.

Why It Matters

Why Co-Managed IT matters for SMBs

Co-Managed IT is a hybrid engagement model where an external MSP supplements an internal IT team rather than replacing it.

67%
of organizations with 1-3 internal IT staff use a co-managed MSP model
Source: Service Leadership Index, 2024
Pitfalls

Common Co-Managed IT mistakes

  • Turf warsWithout clear roles, internal and external teams duplicate work or drop tickets between them. RACI is mandatory.
  • One-way knowledgeAdmins, finance, and anyone with access to money or sensitive data should use an app or hardware key — never SMS alone.
  • No joint planningQuarterly joint roadmap sessions align priorities. Without them, the MSP drifts to their own agenda.
  • Billing surprisesScope-creep in co-managed engagements is common. Clear inclusion/exclusion and change-request process prevents friction.
Common Questions

Co-Managed IT frequently asked questions

Often similar cost, different value. You get more specialist hours and tooling for the same spend as fully-outsourced, but you’re still paying internal IT salaries too.
Organizations with 1-3 internal IT staff who need depth, coverage, or tooling they can’t justify hiring for. Above 5 internal IT, specialist engagements often replace broad co-managed.
Look for process maturity, willingness to work in YOUR tools (not just theirs), and a track record with similar engagements. Culture fit matters.
Typically: RMM (remote monitoring), PSA (ticketing), documentation (IT Glue / Hudu), security (EDR console, SIEM). One system, two operators.
Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.
Related Services

LogicalNet services related to MFA

Identity & Access Protection Primary

MFA enforcement, conditional access, least privilege, and identity monitoring.

Email Security

Phishing defense, account-takeover monitoring, and secure email gateways.
Related Terms

Related glossary terms

MSP

Policies that adapt to device, location, and risk signals.

MSSP

A security model that verifies every request as if it came from an open network.

Fractional CIO

Give users only the access they need — nothing more.

NOC

FIDO2 keys and passkeys that cannot be proxied or replayed.
Identity & Access

Want to supplement your internal IT team without replacing them?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

Schedule Consult Identity Services
No commitment · Local engineers · Response within 1 business day