OpenSupport

PotSolutions fully developed OpenSupport — a multi-tenant support portal built for managed service providers. One Docker image hosts unlimited customer domains with branded portals, ITSM ticketing, service catalog, visual approval workflows, Intune asset sync, and deep Microsoft 365 integration.

PotSolutions Build · MSP / ITSM · Multi-Tenant SaaS · Microsoft 365 · Azure

Every Client Wants Their Own Portal

MSPs need to offer professional, branded support to each customer — but running separate tools, portals, or ticket systems per client does not scale. Staff end up juggling email, shared mailboxes, spreadsheets, and disconnected PSA tools.

Customers expect a modern self-service experience: raise tickets, browse a service catalog, track their devices, and approve changes — all under their own company branding. MSP technicians need a single console to manage every client, with proper isolation, Entra ID sign-in, and Microsoft Graph integration for users, groups, and Intune devices.

Off-the-shelf ITSM products rarely fit MSP multi-tenancy out of the box. PotSolutions set out to build a purpose-designed platform: tenants as data, not code; hostname-based routing from one deployment; and Microsoft-native identity and device sync from day one.


One Platform, Unlimited Branded Portals

OpenSupport gives MSPs a white-label support platform — customer portals, technician console, and platform administration — all from a single containerised deployment on Azure.

Multi-tenant by design

  • Host-based routing — one Docker image serves many customer domains; the tenant is resolved from the incoming hostname.
  • Zero-code onboarding — a five-step wizard creates identity, domains, M365 connection, and branding; customers point a CNAME and go live.
  • Per-tenant branding — logos, accent colours, hero images, greetings, support phone, and footer text — plus MSP-level defaults.
  • Three-tier hierarchy — platform operators, MSP administrators, and customer end users — each with scoped access and session types.

    Customer domains (many hostnames) + MSP admin hostname
            │
            ▼
    Caddy reverse proxy (port 80)
        /api/proxy/*  → Next.js (3000)
        /api/*        → NestJS API (4000)   ← Azure health check
        /*            → Next.js customer + admin UI
            │
            ▼
    supervisord — API + web + Caddy in one container image
            │
            ├─► Azure SQL (Prisma, versioned migrations)
            └─► Microsoft Graph — Entra OIDC, Intune, mail, user/group sync

    Monorepo: apps/api (NestJS) · apps/web (Next.js 15) · apps/tray-win (.NET 8)
    Packages: db (Prisma) · ui (shared React) · workflow-engine
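
With host-based routing the hostname decides which customer's data a request can reach, so the lookup has to canonicalise the value and match it exactly. The sketch below is an added example, not OpenSupport's code; the hostnames, tenant ids and function names are constructed, and it assumes the application receives the original Host value from the proxy.

```typescript
// Added example: hostnames and tenant ids are constructed, not from the product.
type Resolution =
  | { kind: "tenant"; tenantId: string }
  | { kind: "msp-admin" }
  | { kind: "reject"; reason: string };

const ADMIN_HOST = "admin.msp.example"; // hypothetical MSP admin hostname
const TENANT_DOMAINS = new Map<string, string>([
  ["support.contoso.example", "tenant-contoso"],
  ["help.fabrikam.example", "tenant-fabrikam"],
]);

// Canonicalise a Host header value: lowercase, drop the port and a trailing dot.
function normaliseHost(raw: string): string | null {
  const host = raw.trim().toLowerCase().replace(/:\d{1,5}$/, "").replace(/\.$/, "");
  // Accept plain multi-label DNS names only; userinfo, paths, brackets and
  // whitespace all fail this pattern.
  const label = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
  const dnsName = new RegExp(`^${label}(?:\\.${label})+$`);
  return host.length <= 253 && dnsName.test(host) ? host : null;
}

function resolveTenant(hostHeader: string | undefined): Resolution {
  if (!hostHeader) return { kind: "reject", reason: "missing host" };
  const host = normaliseHost(hostHeader);
  if (host === null) return { kind: "reject", reason: "malformed host" };
  if (host === ADMIN_HOST) return { kind: "msp-admin" };
  // Exact match only: suffix or substring matching would let
  // "support.contoso.example.attacker.example" resolve to a real tenant.
  const tenantId = TENANT_DOMAINS.get(host);
  return tenantId
    ? { kind: "tenant", tenantId }
    : { kind: "reject", reason: "unknown host" };
}
```

Rejecting unknown hosts outright, instead of falling back to a default tenant, keeps a mistyped or spoofed hostname from landing on another customer's portal.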

Full ITSM for MSPs

PotSolutions delivered the complete product — API, web portal, workflow engine, email pipeline, desktop tray app, infrastructure, and CI/CD.

Customer portal

  • Incidents, service requests, and change records with threaded messages
  • Service catalog with categories, custom fields, and workflow-linked items
  • Knowledge base articles — tenant-scoped or MSP-wide
  • Device inventory from Intune with compliance status
  • Approval tasks with multi-stage chains and group rules
  • Announcements targeted by Entra or tenant groups

MSP admin console

  • Cross-tenant ticket and change management
  • Visual workflow builder (React Flow) with approval, notification, and webhook nodes
  • Tenant wizard — identity, domains, Graph consent, branding
  • User and group import from Microsoft 365 with include/exclude filters
  • Email-to-ticket via Graph subscriptions with threaded replies
  • Controlled impersonation — MSP admin acts as a tenant user when needed

Microsoft 365 integration

  • Entra ID sign-in — OIDC with domain-based auto-provisioning; users matched to tenants by email domain on first login.
  • Per-tenant Graph app permissions — admin consent for users, groups, devices, and mail; secrets stored encrypted in the database.
  • Intune asset sync — hourly cron pulls managed devices, maps to users, tracks compliance across all active tenants.
  • Reliable email — outbound outbox with retry/backoff, inbound Graph delta sync, conversation threading, and templated layouts.
  • Windows tray app — .NET 8 systray launcher with WebView2 and Entra SSO; deployable via Intune, SCCM, or GPO for one-click ticket creation.
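
Matching a first-time sign-in to a tenant by email domain, as an added example that is not OpenSupport's code. The `tid`, `oid` and `email` names are Entra ID token claims; the tenant records, the function names and the check that the issuing directory equals one recorded at onboarding are assumptions made for this sketch.

```typescript
// Added example: claims, domains and tenant records are constructed.
interface IdTokenClaims { tid: string; oid: string; email?: string }
interface TenantRecord { tenantId: string; emailDomains: string[]; entraTenantId: string }

const TENANTS: TenantRecord[] = [
  { tenantId: "tenant-contoso", emailDomains: ["contoso.example"],
    entraTenantId: "11111111-1111-1111-1111-111111111111" },
  { tenantId: "tenant-fabrikam", emailDomains: ["fabrikam.example", "fabrikam-uk.example"],
    entraTenantId: "22222222-2222-2222-2222-222222222222" },
];

type Match =
  | { ok: true; tenantId: string; userKey: string }
  | { ok: false; reason: string };

// Take everything after the LAST "@", so "a@contoso.example@attacker.example"
// yields "attacker.example" rather than "contoso.example".
function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

function matchTenantOnFirstLogin(claims: IdTokenClaims): Match {
  const domain = claims.email ? emailDomain(claims.email) : null;
  if (!domain) return { ok: false, reason: "no usable email claim" };
  // Exact domain match: a subdomain of an onboarded domain does not qualify.
  const tenant = TENANTS.find((t) => t.emailDomains.includes(domain));
  if (!tenant) return { ok: false, reason: "domain not onboarded" };
  // The email claim alone does not prove membership, so also require the
  // token's issuing directory to be the one recorded for this tenant.
  if (claims.tid.toLowerCase() !== tenant.entraTenantId) {
    return { ok: false, reason: "directory mismatch" };
  }
  // Key the account on immutable identifiers, not on the email address.
  const userKey = `${claims.tid.toLowerCase()}:${claims.oid.toLowerCase()}`;
  return { ok: true, tenantId: tenant.tenantId, userKey };
}
```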

Production on Azure

Terraform defines the Azure estate. GitHub Actions builds, migrates, deploys, and verifies every release — with OIDC authentication and no long-lived credentials.

Deployment pipeline

  • Build — multi-stage Docker image pushed to GitHub Container Registry (API + Next.js + Caddy via supervisord).
  • Terraform apply — Linux Web App for Containers on Azure, Azure SQL elastic pool, managed configuration.
  • Database migrate — Prisma migrations with temporary SQL firewall rule for the CI runner only.
  • Verify — pipeline confirms the live /api/health endpoint reports the expected build SHA before passing.

Engineering approach

A pnpm + Turborepo monorepo keeps the API, web app, shared UI package, Prisma schema, and workflow engine in sync. The NestJS API is split into focused modules — tickets, catalog, workflows, assets, mail, knowledge base, and more. Browser traffic reaches the API through a Next.js proxy route so the internal NestJS port is never exposed publicly; only the health endpoint is called directly by Azure.


What We Used

Application

Next.js 15 / React 19 · NestJS 10 · TypeScript · Prisma · Tailwind CSS 4 · TipTap · React Flow · .NET 8 / WebView2

Platform & DevOps

Microsoft Entra ID · Microsoft Graph · Intune · Azure SQL · Azure Web App for Containers · Docker / Caddy · Terraform · GitHub Actions · GHCR

MSP-Grade Support, One Deployment

OpenSupport is a production platform — fully designed, built, and deployed by PotSolutions — giving MSPs a Microsoft-native alternative to stitching together generic tools per client.

  • 1: Docker image · unlimited portals
  • 0: Code changes to onboard a tenant
  • 3: Ticket types + visual workflows
  • 24/7: Intune sync + email pipeline

  • Each customer gets a fully branded portal on their own domain — tickets, catalog, KB, devices, and approvals under their logo
  • MSP technicians manage every tenant from one admin console — with impersonation when they need to see exactly what the customer sees
  • Microsoft-native identity — Entra OIDC, per-tenant Graph permissions, encrypted secrets, and domain-based auto-provisioning
  • Visual workflow engine with approval chains — everyone, anyone, majority, or manager routing without custom code per client
  • Email-to-ticket with threaded replies, outbound outbox retries, and welcome templates — conversations stay in the ticket record
  • CI/CD verifies every deploy against the live build SHA — database migrations, bootstrap, and health check before the pipeline passes

Building a Multi-Tenant SaaS?

Whether you need a white-label portal for your MSP, a Microsoft 365-integrated service desk, or a full multi-tenant platform from architecture through production — PotSolutions designs and ships it.
