Browse Getting Started
- Application categories (Zero Trust app management)
- Active Directory group policies
- Content categories
- Custom block pages
- Don't mix DNS providers
- Prevent DNS bypass
- Safe Search explained
- Safe Search supported search engines
- Security categories
- Working with policies
- Working with allow and block lists
- YouTube Restricted Mode explained
Setup and use guide for MSPs
End-to-end MSP onboarding: build global templates first, segment by organization, then deploy sites, roaming clients, and personas per tenant. Includes external Org Operator setup for co-managed environments.
ScoutDNS is built for managed service providers delivering DNS protection across many customer tenants. This guide walks through the four-step MSP setup pattern: build shared templates once, segment by organization, deploy per tenant, then invite your team plus any co-managed external operators.
[!TIP] Just running a trial? Use the Quickstart to stand up one site or a few roaming clients. Come back to this guide when you’re ready for real per-tenant deployment.
Setup overview
- Create global objects, template policies, global allow/block lists, default block page.
- Add tenants, one organization per customer.
- Configure deployments per tenant, sites, profiles, personas.
- Invite users, internal team and external Org Operators.
Key assignment structure
- Non-global allow/block lists are attached to individual policies.
- Policies are assigned to networks (Sites), devices (Profiles), or AD/Entra groups (Personas).
See Configurable objects and their associations for the full object model.
Step 1: Create global objects
Build shared templates at the parent account level first. Tenants can use or copy them later.
Global allow/block lists
Create global allow/block lists for domains you want controlled across every tenant, typically a small set of tools you always allow, plus a small set of threats you always block.
Template policies
Build a few baseline policies that match your common customer profiles (“Office worker”, “School”, “Hospitality guest”, etc.). You’ll copy these into specific organizations later.
Default block page
Edit the default block page once, add your logo and contact info. Every unassigned WAN and profile picks up your branding automatically.
Step 2: Add tenants
Tenant selector
The selector at the top right toggles between All Organizations and a specific organization. Every screen filters to whatever’s selected.
Create the organization
The Organizations tab is only visible from the All Organizations view.
Create each organization, typically one per customer.
Customer-specific block pages (optional)
If a customer wants their own logo, create a customer block page under their org and link it to their sites and profiles.
Tenant-level objects
[!IMPORTANT] Create objects from inside the tenant’s organization view, not from All Organizations. Doing so automatically links profiles and sites to that organization and applies the organization tag to policies and lists, which is what lets external Org Operators edit them later.
Switch into a specific organization via the selector, then:
- Create customer-specific allow/block lists for that tenant’s bespoke domains.
- Create customer-specific policies, or assign one of your template policies (you can copy a template inside the org view to make it editable by the tenant’s operators).
Step 3: Configure deployments per tenant
Decide what gets filtered and how.
Sites (WAN/LAN forwarding)
Configure sites to apply DNS at the office or location level. Best for guest networks, BYOD, headless devices, and anything that won’t run a roaming agent.
Roaming clients
Deploy the roaming agent to Windows and macOS devices that need to stay protected off the network too.
User and group policies (optional)
Configure Personas when you need different policies based on user group, Active Directory or Entra ID.
Step 4: Invite users
Internal team
Add role-based users directly in ScoutDNS, or wire up SSO with Microsoft Entra ID if your team is already in Entra.
External users (Org Operators)
Org Operators are external third-party users with per-organization scope, typically the IT contact at your co-managed customer. They authenticate locally (exempt from SSO), see only their assigned organizations, and can manage objects within those orgs.
- Verify organization tags on the objects you want Org Operators to edit. Objects without tags can’t be edited by org users.
- Create the Org Operator account from the Access Management tab with Manager or View role.
Subscribe to platform notices
Subscribe to status.scoutdns.com to receive notifications about systemwide issues, maintenance windows, and major releases. Worth doing on day one for every MSP, it’s the fastest path to a heads-up if something is affecting your fleet.
Related
- Configurable objects and their associations, the object model that ties this guide together
- Organizations (multi-tenant)
- Working with policies
- SSO with Microsoft Entra ID