Not-for-profit IT in Melbourne is different from commercial SME IT in four practical ways: discounted Microsoft 365 nonprofit licensing through TechSoup Australia, much higher user churn from volunteers, stricter donor-data privacy obligations under the APPs, and a board that expects IT spend justified against the mission and ACNC reporting.
That mix changes how we scope, price, and run support for charities and community organisations. If you treat an NFP like a 30-person law firm, you’ll over-engineer some things, miss compliance gaps elsewhere, and quietly burn through the small operating surplus the board has fought to protect.
This piece walks through what genuinely differs about not for profit it services melbourne organisations need, where the savings really are, where the risks hide, and what we’ve learned running IT for charities, community legal centres, peak bodies, and social enterprises across Greater Melbourne.
Why NFP IT is its own discipline
Most MSPs treat NFPs as small businesses with a tighter budget. That’s lazy and it costs you money. A 40-person charity in Carlton running donor records, a volunteer roster of 200, an ACNC Annual Information Statement, and a Salesforce NPSP instance has more compliance surface than a 40-person engineering firm. The complexity sits in different places, not in fewer places.
The four pressure points we see consistently:
- Licensing eligibility and renewals. Microsoft 365 Business Premium retails around $30 per user per month. For eligible NFPs through TechSoup Australia, equivalent licensing can drop to a small admin fee per year. Get the eligibility wrong, or let DGR status lapse, and the saving evaporates.
- Volunteer lifecycle. Paid staff might churn at 10 to 15 per cent per year. Volunteer access turns over far faster — short placements, event crews, board members rotating off. Identity hygiene is the single biggest control gap we find in NFP audits.
- Donor-data sensitivity. A donor list is regulated personal information under the Privacy Act and the Australian Privacy Principles. Fundraising compliance varies by state. Most boards don’t know where their donor database actually lives or who can export it.
- Mission-aligned spend. Every dollar spent on IT is a dollar not spent on programs. The board will ask. Your MSP needs to be able to defend the spend in plain English against program outcomes, not feature lists.
Microsoft 365 nonprofit licensing — what actually qualifies
This trips people up more than any other single thing. Microsoft’s nonprofit program in Australia runs through TechSoup Australia (the merged Connecting Up service). To qualify, your organisation generally needs:
- Endorsement as a charity by the ACNC, or eligibility as a deductible gift recipient (DGR) under the ATO, or recognition as an NFP under specific categories Microsoft accepts
- A mission that meets Microsoft’s anti-discrimination policy
- Re-validation roughly every two years
Common stumbles: a social enterprise structured as a company limited by guarantee but without ACNC endorsement, an auxiliary or fundraising entity that doesn’t itself hold DGR status, or a hospital foundation that assumes the parent entity’s status carries across. None of those automatically qualify.
When eligibility is confirmed, the savings are significant. Business Premium grants for up to ten users plus discounted licensing beyond that, free Exchange Online Plan 1 grants, and discounted Power Platform and Azure credits. For a 40-staff charity, the annual Microsoft saving versus commercial pricing typically runs $12,000 to $18,000. That’s a part-time program worker. It’s worth getting right.
We handle the TechSoup validation, link the tenant to the nonprofit program, set up the grants correctly, and diarise the re-validation so it doesn’t lapse mid-financial-year. More on the platform piece at our Microsoft 365 page.
TechSoup Australia beyond Microsoft
Worth naming because most NFP managers under-use it. TechSoup Australia (connectingup.org) brokers donated and discounted software, hardware, and services for eligible NFPs. Beyond Microsoft, the catalogue covers Adobe, Autodesk, Bitdefender, Cisco Webex, Tableau, Zoom, and a long tail of sector-specific tools.
Hardware is more limited but worth checking — refurbished laptops and desktops are sometimes available at sharp prices for small charities. Where new hardware is needed, we’ll often spec mid-range business-grade machines and budget for a 4-to-5 year refresh cycle rather than the 3-year cycle commercial clients run, because the cashflow profile suits NFPs better and the warranty exposure is manageable.
The governance burden — what your board actually needs
Commercial directors care about uptime and cost. NFP boards care about uptime, cost, mission alignment, risk, and the Annual Information Statement. The reporting cadence is different.
A useful NFP IT governance pack, delivered quarterly to the board, contains:
- Operational summary — tickets resolved, P1 incidents, average response, uptime
- Risk register update — top three IT risks with current mitigations and residual rating
- Privacy and donor-data control status — who has access to the CRM, MFA coverage, recent access reviews
- Spend against budget and mission alignment — what was spent and how it served the program
- Compliance calendar — ACNC due dates, cyber insurance renewals, software re-validations
This is not heavy. Done properly it’s two pages plus appendices. But it’s the artefact that lets the board sign off the IT spend without flinching, and it’s the artefact that auditors (internal and external) lean on at year end. If your current MSP isn’t producing something like this, ask why.
Donor data and the Privacy Act
If your NFP has annual turnover over $3 million, the Privacy Act applies in full and the Australian Privacy Principles are mandatory. Below that threshold, you may still be caught — for example, if you provide health services, hold tax file numbers, or have opted into the Act voluntarily. Many DGR-status charities are caught regardless of turnover because of the type of information they hold.
Practical implications for IT:
- Donor records must have access controls and an access log. A shared “fundraising” mailbox with the password on a sticky note is not defensible.
- Exports of donor lists need to be auditable. Power Automate alerts on bulk exports from your CRM are simple and cheap to set up.
- The Notifiable Data Breaches scheme applies. You need an actual incident response plan, not just a vague “we’ll call the MSP” — including who notifies the OAIC and on what timeframe.
- Fundraising agencies and external suppliers handling donor data need contractual privacy clauses and an annual review.
This sits alongside broader security posture work — MFA everywhere, conditional access, endpoint protection, mailbox audit logging. The full picture is on our cybersecurity services page.
Volunteer access — the silent risk
A community legal centre in Footscray we onboarded had 47 active Microsoft 365 accounts on a paid-staff headcount of 22. The rest were volunteers and former volunteers who’d never been offboarded. Three accounts hadn’t logged in for over two years but still had access to client matter folders. None had MFA enrolled. The original IT contact had left 18 months earlier and the handover was a single shared spreadsheet.
We cleaned it up over a fortnight — proper joiner-mover-leaver process, a volunteer access tier with restricted permissions, time-boxed accounts that auto-disable after 90 days of inactivity, and MFA enforced via conditional access. Annual cost impact: minimal once the cleanup was done. Risk reduction: enormous.
The pattern repeats. NFPs need a different identity model — one that assumes high volunteer churn and treats short-term access as the default, not the exception. Group memberships driven by HR data, not manually maintained. Self-service password resets so the operations manager isn’t fielding calls on a Saturday.
Pricing models that actually work for NFPs
The fully managed, per-user fixed monthly model still works for NFPs — it just needs to be priced honestly against the user mix. We bill paid staff at the standard per-user rate and volunteer accounts at a reduced rate that reflects the lower support load and lighter device footprint.
Some MSPs offer “pro bono” arrangements. Treat them carefully. Pro bono can mean genuinely donated time from a community-minded MSP, or it can mean a junior tech with no backup and no SLA. Ask the questions: who covers if the named engineer is on leave, what’s the response time, what happens at midnight when ransomware lands. If those answers are vague, the arrangement will fail when you most need it.
Our model: 13 Australian-based engineers, sub-15-minute P1 response, 24/7 NOC at Tecoma, per-user fixed monthly with NFP rates for eligible organisations. Predictable, accountable, defensible to the board.
NFP-specific platforms — Salesforce NPSP, Blackbaud, iMIS, Donortec, ThankQ
The CRM choice in the NFP sector is more fragmented than commercial. We see and support:
- Salesforce Nonprofit Cloud / NPSP — powerful, scales well, free for first 10 users via Salesforce.org, but real implementation costs and admin overhead. Best for organisations $5m+ turnover or with complex program data.
- Blackbaud Raiser’s Edge NXT — donor-focused, strong for traditional fundraising charities, weaker for case-management workflows.
- iMIS — common for peak bodies and member associations, integrates membership and events.
- Donortec / ThankQ — Australian-grown, strong fit for mid-sized fundraising charities, sensible licensing.
- Microsoft Dynamics 365 (with nonprofit accelerator) — viable if you’re already deep into Microsoft and want tighter integration.
Where we add value isn’t reimplementing the CRM — there are specialist NFP CRM partners who do that well. Our role is the Microsoft 365 integration layer: single sign-on so volunteers don’t have ten passwords, Power Automate workflows that move data between the CRM and finance system, mailbox routing for donor communications, document storage that respects the privacy controls in the CRM. That’s where most of the day-to-day friction lives.
NFP IT vs commercial SME IT — the practical differences
| Consideration | Commercial SME | NFP (charity / community org) |
|---|---|---|
| Microsoft 365 licensing | Full retail, ~$30 per user per month for Business Premium | Grant tier for up to 10 users, discounted thereafter via TechSoup Australia |
| User churn | 10 to 15 per cent staff turnover per year | Same paid-staff churn plus 50 to 200 per cent volunteer turnover |
| Identity model | Single tier — employees | Tiered — paid staff, board, volunteers, time-boxed accounts |
| Sensitive data classes | Customer records, financial data | Donor data, beneficiary data (often vulnerable persons), health information |
| Governance reporting | Owner / GM quarterly | Board quarterly, ACNC annually, sometimes funder-specific |
| Hardware refresh | 3 years standard | 4 to 5 years with extended warranty, mixed new and refurbished |
| CRM | HubSpot, Salesforce Sales Cloud, Microsoft Dynamics | NPSP, Blackbaud, iMIS, Donortec, ThankQ — fragmented sector |
| Compliance frame | ATO, ASIC, industry-specific | ACNC, ATO (DGR), state fundraising authorities, Privacy Act, funder agreements |
| Spend justification | Productivity / revenue impact | Mission alignment + program outcome impact |
A worked scenario — Carlton health-promotion charity
A health-promotion charity in Carlton came to us with 28 paid staff, around 60 active volunteers, and a Salesforce NPSP instance about three years old. They were paying full retail for Microsoft 365 because their previous IT provider had never enrolled them in the nonprofit program. MFA was on for finance staff only. The board was asking for cyber insurance and the underwriter had sent back a 47-question security questionnaire that no one knew how to answer.
What we did over the first 90 days:
- Validated ACNC and DGR status, completed TechSoup registration, migrated their Microsoft 365 tenant to the nonprofit grant tier. Annual saving: $11,800.
- Built a tiered identity model — paid staff, board, standing volunteers, event volunteers — with conditional access policies for each. MFA enforced across the tenant.
- Cleaned up 14 dormant accounts, recovered 9 unused Salesforce licences.
- Implemented a joiner-mover-leaver workflow tied to their HR system so volunteer access auto-expires.
- Wrote the responses to the cyber insurance questionnaire and produced an evidence pack. Premium came in 30 per cent lower than the original quote.
- Set up the quarterly board IT report template, walked the operations manager through delivering it.
Net result: annual IT spend dropped by roughly $7,500 versus their previous arrangement (after our fees), security posture moved from poor to defensible, board confidence in IT measurably improved. Nothing exotic — just NFP-aware execution.
Where to start if you’re reviewing your IT now
If you’re an NFP exec or operations manager and any of the above is unfamiliar, three practical first steps:
- Confirm your Microsoft 365 licensing tier. Log into the admin centre, look at the subscription page, and check whether you’re on commercial or nonprofit SKUs. If commercial, you’re probably overpaying.
- Audit your active user accounts against your current paid staff list and current volunteer roster. Anyone in the directory who isn’t on either list is a risk and a cost.
- Check who can export your donor database. If the answer is “anyone in fundraising” or you’re not sure, that’s the first control to tighten.
None of those need an MSP to do. They need 90 minutes and a willingness to look. What an MSP brings is the execution capacity to fix what you find, and the ongoing discipline to keep it fixed.
For broader context on how the day-to-day support model works, our managed IT services overview covers the operational side, and the IT support page covers helpdesk specifics.
FAQ
Do you offer NFP discounts?
Yes. Eligible NFPs — ACNC-endorsed charities, DGR-status organisations, and recognised community organisations — receive reduced per-user rates on our managed plans. Volunteer accounts are billed at a further reduced rate that reflects the lighter support profile. We’ll quote transparently against your user mix and you can defend the spend to the board line by line.
How do we qualify for Microsoft 365 nonprofit licensing?
You’ll need ACNC charity endorsement, DGR status, or recognition as an NFP under one of Microsoft’s accepted categories, plus a mission that meets their anti-discrimination policy. Validation runs through TechSoup Australia and is typically required every two years. We handle the registration, tenant configuration, and re-validation reminders so it doesn’t lapse.
What about ACNC reporting requirements for IT spend?
The ACNC Annual Information Statement doesn’t break IT out as a separate line, but your audited financials will, and your board expects justification. We produce a quarterly IT governance report covering spend against budget, risk register status, privacy controls, and mission alignment. It’s two pages plus appendices and it’s designed to drop straight into board papers.
Can volunteers safely use Microsoft 365 without compromising donor data?
Yes, with the right configuration. The model we use is a tiered identity setup — volunteers get accounts with restricted permissions, no access to donor databases or finance, conditional access policies that enforce MFA, and time-boxed access that auto-disables after defined periods. Done properly, volunteers can collaborate effectively without ever touching regulated data.
What if we already have an MSP but suspect they’re not NFP-aware?
Ask three questions. One, are we on Microsoft 365 nonprofit SKUs and when does the validation renew. Two, can you show me the last access review for our CRM. Three, can you produce a one-page IT report I can take to the board. If any of those land badly, it’s worth a second conversation. Reach out via our contact page or call 1300 028 324 — happy to talk through it without pressure.
NFP IT done well is quiet, predictable, and defensible at the board table. It’s not magic. It’s just attention to the things that genuinely differ — licensing, identity, donor data, governance — and the discipline to keep them right year after year. If you’d like a sanity check on where your organisation sits, get in touch.