May 28 2020
Six Vital Pieces to the M&A Office 365 Governance Puzzle
By Doug Barney
Mergers and acquisitions (M&A) are an issue for enterprises large and small alike. At the same time, today the majority of enterprises have or are moving to SaaS productivity and collaboration/communication applications — of which Microsoft Office 365 (recently renamed Microsoft 365) is a leading light.
That means there are three main scenarios for these shops when it comes to M&A and Office 365, including:
- An O365-based enterprise buys another O365-based enterprise
- An O365-based enterprise buys a non-O365-based enterprise and must deal with migration, governance, as well as security and application and user management
- A non-O365-based enterprise buys an O365-based enterprise and must deal with integration issues – and plan for proper governance
When bringing on an O365-based company, the fundamental process of moving that tenant over is fairly straightforward, and is really an integration of the tenants. IT chooses which will be the host tenant (likely, the buyer gets this honor), creates dummy users on that side, and then copies the email addresses of the mailboxes. This gets the ball rolling, but is just the beginning.
As you go deeper, things get more complex. “You may need to onboard folks from the acquired company, merge two environments and govern them, identify security issues, and meet compliance regulations before the deal can be done. If people are let go, offboard safely and address data loss prevention (DLP) issues before they cause problems,” said Matt Smith, Solution Architect for CoreView.
Here are the six steps to take to insure top shelf M365/O365 governance during the M&A process.
1. Conducting an O365 Assessment
Assessment is critical because IT generally does not know the details of what each side of the deal has, or how O365 is set up and managed. Luckily, basic analysis and reporting reveals how people use the platform, how are they licensed, the number of users, plus what applications are used and what are not. This is also a good time to investigate what Azure Active Directory is used for.
Meanwhile, Shadow IT discovery is critical because unapproved apps can be a security and data leakage nightmare. Knowing if Dropbox, for instance, is used but not protected or managed can save whopping headaches later.
If your IT team is taking in and ultimately integrating a new O365 tenant, your IT staff should conduct a full and deep analysis. Here are processes for a proper O365 tenant readiness assessment:
Read-Only Admin for Assessment: When analyzing a target company you have not yet bought, it is best to have read-only access. Fortunately, read-only is a CoreView RBAC setting to all of our O365 management and security reports.
Security Assessment: Before buying or integrating a company, it is good to know the state of security. Here are some items to look at – their O365 Secure Score, Failed Logins, state of MFA, Conditional Access, and DLP.
Workload Adoption: What is the detailed usage level of key applications such as Exchange, OneDrive, Teams/Skype, SharePoint, etc? Licenses: What licenses are in inventory, what has been disbursed?
Protocols: What protocols provide client access to the platform? For Exchange, CoreView shows which protocol is used to access mail (MAPI, POP3, IMAP), and can infer what other types of access methods are currently in use to, say, access Teams.
Devices: You cannot protect end users unless you know what devices they have and the state of the operating systems – are they up to date and patched? Lastly, as part of the assessment, IT should look carefully at how the target company manages their Office 365 environment, including if they have Virtual Tenants, RBAC, and O365-specific security policies.
2. IT Administration
When an O365 shop buys a non-O365 shop, the aim is usually to bring the new company onboard with the chosen SaaS platform. For many deals, that means migrating the acquired to O365.
One problem is that IT tends to focus on the migration to O365 itself, not its actual operation, which should concern IT just as much. Gartner in its ‘Market Guide for Cloud Office Migration Tools’, put out in February 2019, pinpointed how Office 365 migration tools are limited to, well, just migration. “Migration of emails, files and application data is a common scenario for cloud office migration, but few vendors move all three workloads using a single tool and even fewer address post migration requirements of governance,” Gartner argued. “Include as part of your cloud office migration strategy the ability to address both short-range (on-premises to cloud office) and longer-range (ongoing platform governance, tenant splits, consolidation or cross platform shifts) migration demands.”
Ignoring these operational issues during a migration or integration means living with an insecure, unwieldy and breach-prone SaaS environment.
3. Securing O365 Before Fully Integrating Acquired Tenant
O365 security is an issue — M&A or no. Adding a new company to the equation worsens the problem. If you buy a company that is not secure, you take on those vulnerabilities. Consider Marriott. During the Marriott-Starwood merger, Starwood, come to find out, suffered a data breach affecting some 500 million customers. Not a good PR move for Marriott.
While this was not an O365 breach, Office 365 is a major hacker target and source of breaches of enterprise and PII data — and so has to be carefully protected.
Security issues often bite acquisitions right where it hurts. In fact, a survey by Forescout shows that 65% of IT pros regret an acquisition due to security problems they inherited.
According to an article in Dark Reading, the acquiring company should carefully examine the security posture of the company being bought. These discovered problems do not always rule out an acquisition, but should be addressed prior to the IT integration — and even be part of a price calculation. “Cybersecurity due diligence should start before any deal is made. You are looking for cybersecurity issues that could rule out a deal or affect the sale price. For instance, Verizon knocked $350 million off of its purchase price for Yahoo after two data breaches were discovered,” the web site argued, adding that survey data “revealed 73% said the discovery of an unknown data breach would be a deal breaker for an acquisition.”
In the case of O365, audit logs can be examined to determine security history. One can even run a CoreView Office 365 Health Check, which examines the entire tenant for security issues.
Office 365 Health Check and Auditing
The M&A transition is a critical and sensitive time. “Knowing exactly what is happening during that sensitive human resource time is important. The first thing CoreView does as part of an Office 365 Health Check is turn on auditing for every single workload. That data now exists where it almost certainly did not exist before because with O365, auditing is not turned on by default,” CoreView’s Smith explained. “Then CoreView can store that audit information indefinitely, alert on anomalous activities, and expose the full data analytics of the Office 365 E5 suite their users may have. This all increases security awareness. When people know they are being watched, it improves their behavior. That is why cameras are so prominent by the register in the convenience stores. There is a reason why those are not all hidden cameras. It positively impacts behavior.”
A CoreView Office 365 Health Check fully points out the security issues that you may be inheriting, as well as license savings that can be had.
When you are in the process of negotiating, there are bound to be security issues to explore and tackle. For one, you do not want confidential information being released. Moreover, after an acquisition, oftentimes people are redundant and let go – which raises security issues with data leakage, confidential information shared or stolen, and nefarious acts by disgruntled ex-employees. “Once you’ve acquired a company, oftentimes there’s redundancies and people get laid off and that’s where a lot of confidential data gets stolen, leaked out, shared,” Smith argued.
A deep analysis of the target tenant can nip these problems in the bud. “What cannot be overemphasized is the ability to look at large volumes of data in detail and extract from there high impact issues. Looking at the entire file state of an organization, their OneDrive and SharePoint sites, be it on-premises or in the cloud and identifying what sensitive data exists is all absolutely critical. Equally important is identifying potential configuration issues and even recommending a security model for those assets,” Smith explained. “Then finally, consider tagging that data or enhancing the metadata so those assets can be found in what is going to be a much larger tenant when the two organizations merge. That has to be a key pillar to assessing and creating a merged structure going forward.”
4. Proper and Safe Onboarding
Once the integration is underway, IT must onboard O365 workloads in either direction. “Typically, it is a payment company acquiring a subsidiary. In that case, the subsidiary has a certain involved way of provisioning O365 user accounts, mailboxes, SharePoint sites and other functions such as external/ guest users,” Smith said.
Workflow and Provisioning
Clearly provisioning is a huge deal during a merger or acquisition. Most companies being bought, if they have O365, use provisioning scripts. “However, if IT gives admins the ability to run those same scripts in the new environment, under the native model O365 administration model, IT has to offer global admin rights to run those PowerShell scripts,” Smith argued. These global rights simply give admins, including those from the target company, way too much power.
Limited rights through RBAC, and automation via workflow, together smooth and secure O365 for a larger tenant. “With the CoreView workflow model, IT can get very granular. IT could give admin rights to only add telephone numbers for users, which is exaggerating to prove a point. But you really can get that granular,” Smith said. “IT also cares how users from the target company access the O365 platform. Maybe IT wants to permit web access from home, or allow mobile devices including Androids, Windows mobiles, as well as iPhones. That may not be the policy of the parent company or the acquiring company, or it could be a merger of peers. Just knowing what those policies are and being able to see them firsthand versus calling the admin saying, ‘Okay, how do you do stuff?’ is important. On that, CoreView can be very specific and detailed.”
Finally, licensing is a key part of the onboarding/provisioning process. “CoreView helps with initializing their onboarding in phases. For instance, IT could give user permissions just to do licensing — for now. IT can create license pools for usage. IT can provision out of their corporate licenses instead, and getting an efficiency from that. Or IT could let someone create users and change passwords — but just for their group. Here, Virtual Tenants, license pools and functional access control, all come into play,” Smith said.
5. Looking at Licensing
Conducting a license analysis not only identifies savings, but also shows if the licenses of the target company match the needs of the buyer. Say the buyer tends towards high-end E5 licenses, while the target company makes do with E3 or even E1. Or the reverse, where the target overspends on high-end licenses they don’t need.
There are also benefits through the unified purchasing of licenses – these are only truly realized if you have controls in place via license pools.
6. Maintaining What You Integrated/Migrated
When bringing on a new tenant, O365 IT pros should apply the least privileged access model, segmentation of audit logs, and smart and secure provisioning to make the combined tenant safe and effective.
Part of this is making sure the administration is itself safe. Here, delegating Office 365 admin responsibilities means less micromanaging at the top and more uptime in the field – and better security against IT insider threats and admin error. You can assign access by role so you have fewer global admins and better security. Meanwhile, CoreView can manage multiple tenants all within the same portal instance.
By giving all your tenants one place to do their work, you ensure that, no matter a person’s access level or subpool, they are never confused about where to access reports and perform management tasks.
CoreAdmin allows global IT administrators to delegate control over all aspects of the management interface, including reports, custom Powershell scripts and everyday admin functions.
By partitioning your tenant, you can limit access to specific geographies. Here, CoreView enables Virtual Tenants and license pools. These groups can be automatically governed by filtering via Azure AD attributes such as department, city, cost center, etc.
Delegation is fully integrated. CoreView supports delegation in our adoption, admin and security solutions, so you can make delegated workflows consistent across your company.
Learn more about delegation.
Value of Adoption
Keeping employees using Office 365 effectively is essential to maximizing the value of the merged entities. To get the most out of Office 365, you need employees to understand each product and use them consistently. CoreView helps by offering solutions for improving training, measuring usage and promoting adoption.
With CoreView, you can measure the effects of your training programs from a single dashboard. This way, you can stop jumping from product dashboard to product dashboard to report on Office 365 usage. Our CoreAdoption solution consolidates and easily segments usage data, so you can gauge training effectiveness with ease.
You can promote product usage with micro-targeted email campaigns. With CoreAdoption, you can send usage prompts, training materials and surveys via email reminders. Plus, you can target those campaigns to only reach the users who need help. Learn more about product adoption.
It is hard enough for IT to know the license state of their own tenant, never mind that of the target company’s environment. But how would you like to find your and theirs inactive Office 365 Licenses, and reallocate them with ease? With CoreAdmin, you can find all of your inactive, oversized and duplicated Office 365 licenses and reallocate them without ever leaving the management platform. This prevents overspending and helps you identify departments with low adoption.
Finally, you can determine the itemized cost of licenses by business unit, location and more. CoreAdmin lets you insert the net costs for your license SKUs into reports broken down by specific attributes like business unit, department, location and team. That way you can see how costs are actually distributed.
You can also base Office 365 budgets and chargebacks on actual usage. Each department in your company uses Office 365 differently. Make your budgets and chargebacks more accurate with SKU data mapped to your business units, departments, locations and more.
Offboarding Through Workflow
M&A’s often involve layoffs. Fortunately, employee offboarding can be done safely, securely and easily through a CoreFlow workflow. Workflow templates automate both provisioning and deprovisioning. And with automation, IT ensures users have the right licenses to access the right infrastructure. IT can “clone” users or create them from templates to reduce errors and speed provisioning. With this approach, IT automates the entire user lifecycle: onboarding, configuration, provisioning and removal.
CoreFlow makes it exceptionally easy to manage end users. Some provisioning processes can include 50 or more steps – all of which can be triggered by a single click – with full auditing implemented by default. This saves admin time, and insures these processes are error free.
The Final Analysis
One key lesson from the M&A experience is that deep, actionable and consolidated reporting is critical to maintaining and governing O365. At the same time, when companies merge, there are advantages of a single tenant by allowing employees of the combined entity to collaborate – such as with Microsoft Teams. The companies really come together through a single address book, and standard ways of sharing documents, files and data.
Now that we have walked through all six integration and O365 M&A governance steps, what does it all mean? “These steps help from a security aspect, a provisioning aspect, and for economies of scale by bringing the licensing purchasing power under a central authority. That typically has with it an economy of scale, increasing collaboration, allowing the collaboration to occur so that you realize the value of Office 365 in a single tenant,” Smith argued.
All this IT M&A legwork greatly eases the transition. Plus, IT is more comfortable knowing what the target company has for users, licenses, workloads, directories, security policies, administrative practices, configurations, as well as data sharing such as through SharePoint or OneDrive.
Get the Skinny on Properly Managing Office 365 Using CoreView
Learn more about Office 365 administration with a CoreView demo.
You can also get a free CoreView Office 365 Health Check that details license savings, state of application usage, and pinpoints security problems in your Office 365 environment.
Get your O365 user workload usage and security profile FREE with our new CoreDiscovery solution. You can get your free software now at the CoreDiscovery sign up page: https://www.coreview.com/core-discovery-sign-up/
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.