Melbourne not-for-profits run on volunteer-grade IT until something breaks. This is a practical strategy guide for NFPs with 25 to 150 staff: maximising the Microsoft non-profit licensing offers, the volunteer-vs-staff identity model, ACNC governance basics for donor data, and a realistic three-year roadmap on an NFP budget.
Why NFP IT looks the way it does
The pattern is consistent across the Melbourne NFP sector. A founder built the IT environment 8 to 15 years ago, probably with the help of a tech-savvy volunteer, and it grew organically as the organisation grew. Permissions accumulated, mailboxes were shared, board members got admin access, a couple of well-meaning contractors built things that nobody now understands. The IT spend looks lean on paper because most of it was donated, volunteered, or quietly absorbed into operational lines. The risk position looks fine until you actually audit it.
The Australian Charities and Not-for-profits Commission (ACNC) governance standards do not prescribe specific IT controls, but they do require that responsible persons act with reasonable care and diligence, that the organisation’s assets (including data) are managed properly, and that conflicts of interest are managed. For an NFP holding donor financial data, beneficiary case files, or vulnerable-person information, IT is in scope for that diligence obligation whether or not the board has framed it that way.
And then there is the funding reality. NFPs are running with thin margins, restricted grants, and a board that wants every dollar to go to the mission. Spending $80,000 a year on IT looks indefensible until you compare it to the cost of an incident that takes the organisation offline for a week. The strategy below is built to maximise the impact per dollar in an NFP context, drawing on a decade of work with Melbourne charities, social enterprises, and community organisations since founding TechAssist in 2014.
Maximising Microsoft non-profit licensing
The single largest cost lever for an Australian NFP is the Microsoft non-profit offer, and it is the one most under-claimed. Eligible organisations (registered charities with ACNC, plus some NDIS providers and educational organisations) can access:
| Offer | What you get | Annual saving vs commercial |
|---|---|---|
| Microsoft 365 Business Basic (donated, free) | Web and mobile Office, Exchange, Teams, OneDrive, SharePoint | $110 per user / year |
| Microsoft 365 Business Premium (heavily discounted, ~$8 per user / month) | Full Business Premium including Defender, Intune, Entra ID P1 | $290 per user / year |
| Microsoft 365 E3 (donated up to 10 seats, then discounted) | Enterprise-tier productivity and security | $480 per user / year |
| Microsoft 365 E5 (heavily discounted) | Full enterprise stack including E5 security | $700+ per user / year |
| Power Platform (discounted) | Power Apps, Power Automate, Power BI | Variable |
| Azure credit grant (annual) | $3,500 USD per year in Azure consumption credit | ~$5,500 AUD |
The offers most NFPs underclaim are the Business Premium discount and the Azure credit. We routinely see NFPs running on Business Basic (free) when Business Premium at $8 per user per month would give them dramatically better security at trivial extra cost. We also see NFPs paying for Azure consumption that the annual credit grant would have covered.
A community services NFP in Footscray that we work with had 95 paid staff on Business Basic plus a handful of E3 licences for the leadership team. Migrating the whole organisation to Business Premium (at NFP discounted pricing) cost them an extra $9,500 a year and gave them Defender for Business, Intune device management, conditional access through Entra ID P1, and the foundation for an Essential Eight Maturity Level 1 posture. The same upgrade at commercial pricing would have cost $34,000 a year. The NFP discount made the security upgrade affordable.
The catch with the Microsoft non-profit offers is that they have changed several times over the past three years. The free E1 grant disappeared in 2024; the free Business Basic grant remains but with seat limits; pricing has shifted. The current state at the time of writing is in the Microsoft Tech for Social Impact portal, and we recommend reviewing your entitlements annually. The work to revalidate is small; the saving is large.
Donor data and ACNC governance basics
The IT-relevant parts of ACNC governance for an NFP holding donor or beneficiary data:
Responsible persons and diligence
Governance Standard 5 requires responsible persons (board members, trustees) to act with reasonable care and diligence in the role. In practice, that means the board needs to be able to demonstrate that data assets are being managed properly. The audit trail that satisfies this is documented controls (a basic security policy, evidence of MFA enforcement, a register of vendors processing personal data, an incident response plan). Not enterprise-grade artefacts, but defensible documents that would survive scrutiny.
The Privacy Act position
The Privacy Act small business exemption (under $3 million turnover) used to cover many NFPs. Important caveats: NFPs providing health services (which many do) do not get the exemption; NFPs funded by government contracts may have contractual obligations equivalent to the APPs; and the Privacy Act reforms are narrowing the exemption for everyone. The pragmatic position for an NFP of any size is to operate as if the APPs apply, because the donor base, the grant funders, and the boards increasingly expect that posture. Our piece on the Privacy Act for SMBs and what your IT team must do covers the detail.
Beneficiary case data
For NFPs holding case data on beneficiaries – homelessness services, family violence support, mental health services, refugee support – the data sensitivity is at the highest tier. The controls need to match: encrypted storage, strict access controls, audit logs, MFA enforced for every user, careful management of contractors. Funders for these services often impose explicit data security clauses; the IT posture is contractual as well as ethical.
The volunteer-vs-staff identity model
The identity question is where most NFP IT environments fall apart. A typical mid-sized NFP has paid staff, volunteers, board members, contractors, partner organisations, and donors all interacting with various systems. The traditional approach – everyone gets a full Microsoft 365 licence with full mailbox and tenant access – is expensive, dangerous, and unnecessary.
The model we recommend for Melbourne NFPs:
| User type | Identity model | What they get |
|---|---|---|
| Paid staff | Member user with M365 licence | Full M365, Teams, SharePoint, Outlook, Intune-managed device |
| Regular volunteers (weekly+) | Member user with Business Basic (donated) | Free Business Basic, Teams, OneDrive, scoped SharePoint access |
| Occasional volunteers | Entra ID guest (B2B) | SharePoint and Teams access only, no mailbox, MFA enforced |
| Board members | Member user with Business Basic or Business Premium | Full Teams, scoped board SharePoint site, NO admin role |
| Contractors | Entra ID guest (B2B), time-limited | Scoped access, MFA, automatic expiry on contract end date |
| Partner organisations | Entra ID B2B with conditional access | Shared SharePoint workspace, no email, controlled by access policies |
The Entra ID guest (B2B) model is the unlock. Guests don’t consume Microsoft 365 licences from your tenant; they use their own. You pay for the infrastructure once, and contractors, board members at other organisations, and partner orgs can access scoped resources without licensing cost. For an NFP with 60 paid staff, 20 regular volunteers, 8 board members, 12 contractors, and 4 partner orgs, the licensing footprint is 60 paid licences plus 20 donated Business Basic. The other 24 people are B2B guests at zero licence cost.
The discipline that makes this work is the lifecycle. Guest accounts need to expire when the contract ends; volunteer accounts need to deactivate when the volunteer stops volunteering; board members need their access removed when they leave the board. Without lifecycle hygiene, the tenant fills up with orphaned accounts and the security posture rots. Conditional access policies and access reviews in Entra ID can automate most of this, but somebody needs to set it up and watch it.
Grant-funded vs operational IT spend
One of the structural challenges for Melbourne NFPs: most funders restrict grants to direct program costs, and IT is treated as overhead. The result is a chronic shortfall in IT investment because operational funding does not stretch and grant funding will not cover it.
Three practical strategies:
Bundle IT into program costs where it genuinely is
If a program needs a case management system, the licensing, training, and support for that system are a program cost, not overhead. The same logic applies to the laptops the program staff use, the security tooling that protects the beneficiary data, and the M365 licences that enable the case workers to collaborate. Many funders accept this when it is explained. The key is to budget the IT for the program at the proposal stage, with the line items broken out.
Apply for dedicated IT capacity grants
Several Australian foundations and government programs fund organisational IT capacity specifically: cyber security uplift grants, digital transformation grants, infrastructure modernisation grants. They are competitive but real money is available. A heritage and arts NFP we work with in Brunswick received a $45,000 cyber security uplift grant in 2025 that funded the full Essential Eight Maturity Level 1 implementation we had been recommending for two years.
Treat the IT investment as risk mitigation in the board narrative
Boards approve risk mitigation spend when they understand the risk. The ‘this is the security stack’ conversation rarely lands; the ‘a successful cyber attack on this organisation would cost X dollars, take Y weeks to recover from, and trigger Z mandatory disclosures’ conversation usually does. The IT spend becomes risk insurance, which boards understand better than infrastructure.
The realistic 3-year roadmap (25 to 150 staff NFP)
What does a sensible IT modernisation roadmap look like for a mid-sized Melbourne NFP that is starting from a typical legacy posture?
Year 1: Foundation and triage
| Quarter | Priorities |
|---|---|
| Q1 | Validate Microsoft NFP eligibility and entitlements; tenant security audit; document current state |
| Q2 | Migrate paid staff to Business Premium; enforce MFA on every account; remove orphaned admin roles |
| Q3 | Implement Intune device management for staff laptops; baseline security policies; M365 backup deployed |
| Q4 | Volunteer and contractor identity rework using Entra ID B2B; board SharePoint site rebuild; first DR test |
Year 1 focus: the controls that most reduce risk for the least money. By the end of Year 1 the NFP should have a defensible Essential Eight Maturity Level 1 posture, a documented identity model, and a working DR position. Approximate cost for a 60-staff NFP: $40,000 to $60,000 above the existing baseline, part of which can be grant-funded.
Year 2: Optimisation and capability
| Quarter | Priorities |
|---|---|
| Q1 | SharePoint information architecture rebuild; retire founder-era shared mailboxes |
| Q2 | Power Platform pilots for case management or donor management workflows |
| Q3 | Vendor risk register and lite review programme; Privacy Act position documented |
| Q4 | Annual security audit; cyber insurance renewal at improved posture; team training |
Year 2 focus: making the staff genuinely productive and reducing the operational tax of accumulated technical debt. The SharePoint rebuild alone often returns 2 to 4 hours per staff member per week in time saved looking for documents.
Year 3: Strategic and scale
| Quarter | Priorities |
|---|---|
| Q1 | Copilot for M365 pilot with selected leadership and program staff |
| Q2 | Workflow automation for high-volume manual processes (intake forms, reporting) |
| Q3 | Mature DR posture with quarterly tests; Essential Eight Maturity Level 2 stretch goal where applicable |
| Q4 | Annual strategic review; multi-year planning for the next cycle |
Year 3 focus: capability that lifts the mission, not just the operational base. By the end of Year 3 the NFP should be at a mature state where the IT investment is producing visible program impact – more case workers serving more beneficiaries, more donor reach per fundraising dollar, better impact measurement for funders.
The two NFP-specific traps
Two patterns we see repeatedly in Melbourne NFPs that deserve specific attention.
Trap 1: Founder-era shared mailboxes
Almost every long-running NFP has a set of shared mailboxes that date to the founder era: info@, admin@, donations@, volunteers@, plus a clutch of program-specific ones. They were set up with shared passwords, often without MFA, often with everyone who has ever worked there still having access. The risk is enormous and the cleanup is awkward because important communications are routed through them.
The fix is a structured project: identify every shared mailbox, identify the legitimate access list, convert to proper Microsoft 365 shared mailboxes with delegated access (which means access is tied to individual identities, MFA-protected, and auditable), and migrate the workflows that depended on shared passwords to proper licensed accounts. Not glamorous, but it removes a real attack surface. Expect 60 to 100 hours of work for a typical mid-sized NFP.
Trap 2: Board members with full SharePoint access from 2018
Board membership turns over, but historical access often does not. A typical mid-sized NFP has 4 to 8 former board members whose accounts are still active in the tenant with the access they had when they left. Some of them may also be working at competing or partner organisations now. The conditional access policies they fell under in 2018 are not the policies in force today.
The fix is an Entra ID access review, run annually, against the board membership records held by the company secretary. Every former member’s access is removed cleanly. Future board members are onboarded with a clear lifecycle (account provisioned at appointment, access removed within 7 days of departure, conditional access policy enforced).
This sounds like basic hygiene because it is. The fact that it is missing in 80% of the NFPs we have audited is the point.
Security posture: aligning to Essential Eight on an NFP budget
The Australian Signals Directorate’s Essential Eight is the de facto baseline for organisational cyber security in Australia. Maturity Level 1 is achievable for a mid-sized NFP at modest cost when the Microsoft non-profit licensing covers the underlying infrastructure. The strategies that map to NFP-relevant controls:
| Essential Eight strategy | NFP-friendly implementation |
|---|---|
| Application control | Intune-managed devices with Defender for Business application control policies. See our guide to application control for the detail. |
| Patch applications | Intune update rings; Defender Vulnerability Management |
| Configure Microsoft Office macro settings | Intune policy; macros from the internet disabled |
| User application hardening | Intune policy on browser security, attack surface reduction rules |
| Restrict administrative privileges | Entra ID PIM for admin roles; named admin accounts only; remove standing admin from regular users |
| Patch operating systems | Intune update rings |
| Multi-factor authentication | Entra ID conditional access; phishing-resistant MFA for admins |
| Regular backups | M365 backup (third party) + on-prem if applicable; tested quarterly |
Maturity Level 1 across all eight strategies, for a 60-staff NFP, is achievable at around $25,000 to $40,000 in tooling and project costs above the existing licensing. Maturity Level 2 adds another $30,000 to $50,000 and is appropriate for NFPs with sensitive beneficiary data or government contracts that require it. For the broader context on aligning to the Essential Eight, our zero trust security model piece covers the complementary thinking.
The MSP question for NFPs
Most Melbourne NFPs that engage an MSP fall into one of three models:
- Pro-bono or heavily discounted MSP – the MSP donates time, often through their own community engagement program. Variable quality; the MSP’s paying clients always come first.
- Volunteer-led with MSP escalation – a tech-skilled volunteer manages day-to-day and engages an MSP for specific projects. Works well if the volunteer is genuinely skilled and committed; falls apart when they move on.
- Standard per-user managed services engagement – the NFP pays standard rates for the engagement, sometimes with a sector discount.
The honest assessment after a decade of NFP work: the third model produces the best long-term outcome. Pro-bono engagements are inconsistent and don’t survive the MSP changing strategy; volunteer-led models work until they don’t, and the transition cost is high. A standard managed engagement at a sector-appropriate rate gives the NFP the same response model as a paying commercial client, which matters when something is on fire at 3 a.m.
For TechAssist, our NFP engagements run on the same model as our commercial managed clients: per-user fixed monthly pricing, sub-15-minute P1 response from our 24/7 NOC at Tecoma, same-business-day on-site response across Melbourne metro from our two offices (Tecoma and 575 Bourke Street CBD), and the same 13 Australian engineers across helpdesk, projects and security. We typically offer a sector-appropriate rate that reflects the NFP budget reality, but the service is the same. The discipline of running it as a real engagement is what makes it work for both parties. To talk through an NFP engagement, our team is reachable through the contact page, or our Melbourne managed IT services page covers the broader engagement model.
Frequently Asked Questions
We are a very small NFP (under 25 staff). Does this strategy still apply?
Most of it does, scaled down. The Microsoft non-profit licensing maximisation is still the biggest lever. The identity model still matters even at smaller scale. The Essential Eight Maturity Level 1 alignment is still achievable. The MSP engagement is the piece that scales differently; for very small NFPs, a co-managed model or a sector-shared service can be more affordable than a per-user managed engagement. Our co-managed IT support page covers that model.
How do we get board buy-in for an IT investment that competes with program funding?
Frame it as risk mitigation and capacity-building, not infrastructure. The board cares about the mission and about not having a catastrophic incident; they typically do not care about Entra ID conditional access policies. Show the worst-case scenarios with realistic numbers, show what an Essential Eight Maturity Level 1 posture costs to put in place, and frame the spend as protecting program continuity. Most boards approve when the trade-off is framed honestly.
What is the single most impactful change for an NFP starting from a typical legacy posture?
Enforcing multi-factor authentication on every account, with no exceptions for the founder, the board, or ‘the person who has been here forever.’ It costs nothing beyond the Microsoft licensing you already have. It prevents the most common attack pattern. It is the change most NFPs delay because it is annoying for users in the first week, and the change that most NFPs regret delaying after the first incident.
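One way to put that tenant-wide MFA requirement in place through Entra ID conditional access, as an added example using the Microsoft Graph PowerShell SDK (not TechAssist's own tooling). It assumes Entra ID P1 (included in Business Premium), that security defaults have already been turned off, and a placeholder break-glass account name that you replace with your own; the policy is created in report-only mode unless -Enforce is passed.

```powershell
# Added example, not TechAssist's own tooling. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and Entra ID P1, which conditional access requires.
param(
    # Hypothetical emergency-access account: the one account kept outside the policy so a
    # broken policy cannot lock every admin out. It gets its own phishing-resistant MFA.
    [string]$BreakGlassUpn = "breakglass@example.org.au",
    [switch]$Enforce   # omit on first run: the policy is created in report-only mode
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All" -NoWelcome

$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$BreakGlassUpn'"
if (-not $breakGlass) {
    throw "Break-glass account $BreakGlassUpn not found; create it before enforcing MFA tenant-wide."
}

# Report-only first: the sign-in logs then show who would have been challenged, without blocking anyone.
$state = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    state       = $state
    conditions  = @{
        users          = @{
            includeUsers = @("All")            # staff, volunteers, board members, guests: no exceptions
            excludeUsers = @($breakGlass.Id)   # the emergency-access account only
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Idempotent: update the policy if one with this display name already exists, otherwise create it.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
if ($existing) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $policy
    "Updated policy '$($policy.displayName)' (state: $state)"
} else {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created policy '$($policy.displayName)' id $($created.Id) (state: $state)"
}
```

Leave the policy in report-only mode for a week and review the sign-in logs for the accounts that would have been challenged (typically the founder-era shared mailboxes and old contractor guests), then re-run with -Enforce.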
Can we just rely on the donated free Microsoft 365 Business Basic?
For very small NFPs with low risk profiles, possibly. For most mid-sized Melbourne NFPs holding donor or beneficiary data, no. Business Basic does not include Defender for Business, does not include Intune device management, and does not include the conditional access capabilities that an Essential Eight posture requires. The Business Premium upgrade at NFP-discounted pricing is one of the highest-ROI spending decisions an NFP can make.
How do we handle the long tail of historical accounts in our tenant?
Run an Entra ID access review, focused on accounts that have not signed in for 90 days. Most are former staff, former volunteers, former board members, or test accounts that were never cleaned up. Disable them (do not delete immediately; the licence cost is zero and the audit trail is valuable). After 90 days of being disabled without complaint, delete. The cleanup typically removes 20 to 40% of the tenant accounts in a long-running NFP.
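The stale-account review described in this answer, and the lifecycle hygiene the identity model section calls for, as an added example using the Microsoft Graph PowerShell SDK (not TechAssist's own tooling). It assumes Entra ID P1 (the signInActivity property is only returned on P1 or higher tenants) and a placeholder break-glass account name; the report path and the 90-day window are parameters.

```powershell
# Added example, not TechAssist's own tooling. Run without -DisableStale first: it only writes the report.
param(
    [int]$StaleDays = 90,
    [switch]$DisableStale,
    [string]$ReportPath = ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv",
    # Hypothetical exclusions: break-glass and service accounts that legitimately never sign in.
    [string[]]$ExcludeUpn = @("breakglass@example.org.au")
)

$scopes = @("User.Read.All", "AuditLog.Read.All")
if ($DisableStale) { $scopes += "User.ReadWrite.All" }   # write scope only when actually disabling
Connect-MgGraph -Scopes $scopes -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleDays)

# signInActivity is not returned unless requested explicitly.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity"

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                    # already disabled: dated in an earlier report
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }
    # Take the later of interactive and non-interactive sign-in, so a mailbox delegate or Teams
    # app that only authenticates silently is not wrongly flagged as idle.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # An account that has never signed in is judged on its creation date instead.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if ($reference -and $reference -lt $cutoff) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType     # Member (staff, volunteer, board) or Guest (B2B contractor, partner)
            LastSignIn        = $last
            Created           = $u.CreatedDateTime
            DaysIdle          = [int]($now - $reference).TotalDays
            Action            = if ($DisableStale) { "Disabled" } else { "ReportOnly" }
            ReviewedOn        = $now.ToString("yyyy-MM-dd")
            Id                = $u.Id
        }
    }
}

# The CSV is the audit trail: it dates each disable, so "delete after a further 90 days" has a date to work from.
$stale | Sort-Object -Property UserType, DaysIdle -Descending | Export-Csv -Path $ReportPath -NoTypeInformation

if ($DisableStale) {
    foreach ($s in $stale) { Update-MgUser -UserId $s.Id -AccountEnabled:$false }
}

$members = @($stale | Where-Object UserType -eq "Member").Count
$guests  = @($stale | Where-Object UserType -eq "Guest").Count
"{0} enabled accounts idle {1}+ days: {2} members, {3} guests. Report written to {4}" -f @($stale).Count, $StaleDays, $members, $guests, $ReportPath
```

Keep each dated report with the board papers: the ReviewedOn column is the evidence of diligence under Governance Standard 5, and the Guest rows are the contractor and partner accounts whose expiry the B2B model depends on.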
Where do we start if we have no IT documentation at all?
Start with three documents: a tenant configuration baseline (what is currently configured, by whom, for what reason), an asset list (devices, accounts, key vendors), and a basic incident response plan (who calls whom when something happens). These three documents are 80% of the audit-readiness conversation and form the foundation that everything else builds on. The work is typically 20 to 30 hours of MSP time and is some of the highest-value spending in the first year of a managed engagement.