The M365 Pre-Deal Due Diligence Problem: Why You’re Pricing What You Can’t See



By Narasima Perumal Chandramohan

Microsoft MVP (10+ Years) | Co-Founder & Technical Lead, Apps4.Pro

Every Microsoft 365 M&A problem usually starts in the same way.

A company gets a $1.8 million emergency consulting bill because a payroll workflow has to be rebuilt 48 hours before close. More than 2,000 users are locked out on Day 1 because Conditional Access policies were not migrated properly. A government contractor faces federal record-keeping violations because retention labels disappeared during the transition.

These problems usually do not begin on cutover weekend. They begin months earlier, during due diligence, when the deal team makes assumptions about the Microsoft 365 environment because nobody has the access, time, or evidence to verify what is actually there.

Most M&A migration advice starts too late. It assumes the merger has already closed or that the integration team is already 90 days into execution.

This part actually begins earlier: a Corporate Development team, an IT due diligence advisor, and a Big Four partner are reviewing a virtual data room. They have only 21 days, and they must estimate the risk and cost of a Microsoft 365 setup they have never been given access to.

Why Pre-Deal Due Diligence Determines Deal Value

For many years, M&A research has shown a clear pattern: 83% of failed mergers and acquisitions (M&A) happen because companies struggle to integrate properly. Also, about 10% of a company’s value can disappear within just three months after the deal closes. Industry analysts describe this risky phase as the “Integration Valley of Death,” where up to 70% of the expected value of the deal is lost due to poor data quality and broken systems during integration.

Both studies point to the same main problem. Important decisions, such as how much to pay, how the transition will work (TSA), how much budget is needed, and when systems will go live, are all finalized before the buyer fully understands the actual situation.

Microsoft 365 Tenant Isolation Cuts Both Ways

Tenant isolation is a basic security rule in Microsoft 365. It keeps your data separate from other companies' data, and their data separate from yours. But it also means buyers can’t fully see what’s inside the tenant, making it harder to estimate its true risk and cost before buying it.

There is no “due diligence mode” in Microsoft 365. No read-only external auditor role. No anonymized tenant export you can hand to a deal team. Compliance Manager, Microsoft Purview, and Secure Score all require an active admin role in the target tenant before they’ll return anything.

So what does a buyer’s due diligence (DD) team really get?

  • A signed NDA (Non-Disclosure Agreement)
  • A limited set of shared documents (virtual data room)
  • About 2 to 4 weeks to review
  • Help from the seller’s IT team (who may not fully highlight problems)

All other important details, like number of users, mailbox sizes, license usage, security level, compliance status, shadow IT, hidden Power Platform usage, and integration complexity, come from what the seller reports.

The Four Phases of Pre-Deal M365 Due Diligence

Pre-deal due diligence is not just one step. It happens in four overlapping phases. The same issue can have a very different impact depending on when it is found.

| Phase | What’s Happening | Access | Stakes |
|---|---|---|---|
| A – Pre-LOI / Target ID | The Corporate Development team estimates the cost to integrate the company, an estimate that shapes the bid range | No formal IT access; public signals only | This helps decide the initial bid range |
| B – LOI to Technical DD | NDA signed, data room opens; 2–5-person DD team gets read access for 2–4 weeks | Access is limited to documents and planned interviews from the seller | Goal is to understand system complexity and risks |
| C – DD to Signing | Findings feed SPA reps and warranties; escrow is sized; the TSA gets negotiated | Same as Phase B | Purchase price, walk-away decision |
| D – Signing to Close | Regulatory approvals take about 30–180+ days; a small “clean team” starts working; and planning speeds up | Expanded but restricted operational access | Faster work here reduces time and cost after the deal closes |

The Five Categories of Pre-Deal Risk

Before diving into constraints, it helps to classify the risk surface. The five categories below are the anchors every downstream finding maps back to.

Visibility risk – what exists in the tenant that the buyer cannot see and the seller cannot or will not disclose. Shadow Power Platform flows running payroll. Orphaned service principals with production-level Graph permissions. Legacy SharePoint 2013 workflows embedded in business processes.

Inherited liability – obligations that transfer with the tenant whether you know about them or not. Active litigation holds, for which Microsoft natively blocks cross-tenant migration (throwing ErrorCrossTenantSourceUserIsInHoldOrRetentionPolicyAppliedPermanentException). In-flight eDiscovery cases. DSR backlogs. Microsoft licensing true-up exposure. Regulatory record-keeping commitments. Data residency obligations.

Cost estimation risk – Estimates based on incomplete information often end up being 3 to 6 times higher in complex deals.

For example, one 600-user migration had about $230K in extra licensing costs over six months. In another case at a large company, they had to spend $1.8M on urgent consulting to fix a payroll workflow found just 48 hours before the deal closed.

These costs were not included in the original deal estimates.

TSA timeline risk – TSAs (Transition Service Agreements) are usually negotiated by legal and finance teams, and IT teams are often not involved to check if the timeline is technically realistic.

Because of this, the time given for migration is often too short. For example, one company was given only 4 months under the TSA, even though the actual migration needed around 12 months.

If the TSA deadline is missed, the penalties or fines can be so high that they may cost more than the entire migration project budget.

Cultural and organizational risk – This includes politics around admin roles, relying too much on a few key people, and whether the IT team will stay after the deal.

The Six Structural Constraints Every DD Team Runs Into

Microsoft 365 due diligence is difficult not because deal teams are careless, but because the process is structurally limited.

Even strong IT diligence teams run into the same six constraints.

1. No admin access to the target tenant

They usually do not receive Global Admin, Security Reader, or even Global Reader roles in the seller’s Microsoft 365 tenant. Instead, they work from seller-provided documents, license inventories, Secure Score summaries, exported reports, and scheduled interviews.

That means the DD team cannot run Purview reports, scan the tenant with Microsoft365DSC, query Microsoft Graph directly, or independently verify key configurations.

Microsoft 365 does not provide a dedicated “due diligence mode.” There is no short-lived, read-only role designed to show configuration risk without exposing user content.

So, the buyer is forced to evaluate a tenant they cannot directly inspect.

2. Time-boxed DD windows

IT due diligence usually has only two to four weeks.

That window often gets compressed further as legal, tax, financial, and commercial diligence compete for the same timeline.

Two to four weeks is not enough time to deeply assess every Microsoft 365 workload, thousands of users, hundreds of Power Platform assets, years of permission changes, and years of configuration drift.

As a result, diligence becomes a checklist exercise.

The team can confirm what the seller provides. They can ask targeted questions. But they usually cannot perform a deep investigation across the full tenant.

That makes post-close surprises more likely.

3. Data room depth limitations

Virtual data rooms usually contain summaries, not raw tenant evidence.

The seller may provide license counts, user exports, security summaries, architecture diagrams, and compliance statements. But those materials are curated. They do not show the full configuration, telemetry, or dependency map.

This creates a blind spot.

The seller answers the questions the buyer asks. But the buyer often does not know what to ask because they cannot see the environment.

That is how common surprises appear after close: undocumented service principals, forgotten guest accounts with elevated access, shadow Power Automate flows running business processes, retention policies that look complete on paper but miss Teams private channels, and compliance tools that are configured but not actually enforcing.

The data room shows what was prepared. It does not show everything that matters.

4. Seller disclosure gaps and incentive misalignment

Sellers don’t always fully understand their own Microsoft 365 setup. This is common in mid-sized companies where IT teams are small, outsourced, or have high staff turnover. The original admins may have left, documentation may be missing or incomplete, and important processes may be handled by business teams instead of central IT.

There can also be incentive issues. Seller teams may focus on closing the deal, avoiding deep review, or not highlighting technical problems that could reflect badly on them.

This doesn’t mean the seller is being dishonest. But it does mean buyers should not assume the seller’s information is complete. The person who knows the most about the system’s risks may not be available, willing, or able to explain them during due diligence.

5. NDA and data location limits on due diligence tools

Even if the seller is cooperative, they often can’t allow third-party SaaS scanning tools in their Microsoft 365 tenant. Laws and rules like GDPR, HIPAA, FedRAMP, and industry-specific data location requirements can block this, especially in regulated industries or cross-border deals.

Because of this, how deep the assessment can go depends on the seller’s existing tools, not the buyer’s preferred standards.

6. No single, complete view of everything

Even with full admin access, there’s no built-in Microsoft tool that shows every service, connector, dependency, and third-party app in one place. Microsoft 365 is made up of many separate services, like Exchange, SharePoint, OneDrive, Teams, and others. Each one has its own admin portal, tools, and APIs, so there’s no single unified inventory.

Because of this, some things stay hidden during due diligence. For example, one energy company later found duplicate libraries and broken permissions across thousands of files after the deal closed, all caused by issues that weren’t visible during the review.

What This Means in Real Costs

These limits aren’t just theory; they turn into real costs that buyers often miss when signing the deal:

  • About $230,400 in extra license costs for 600 users over six months (example estimate, not a fixed standard)
  • Migration costs of $12–$25 per mailbox in M&A deals, about 2–3 times higher than normal migrations
  • Around $1.8M in urgent consulting in one Fortune 500 case, just to fix a payroll workflow found two days before closing
  • 2–3% profit loss (about $200K per $10M CSP business) due to billing mismatches between EA (Enterprise Agreement) and CSP (Cloud Solution Provider) agreements
  • Helpdesk tickets increasing 3–5 times for 2–4 weeks after migration, often not planned in the budget
  • Large Microsoft license audit costs (hundreds of thousands) caused by M&A changes; this risk transfers to the buyer after acquisition

In short, these issues can quietly add significant, unexpected costs after the deal closes.

How to Work Around These Limits

You can’t remove tenant isolation, but you can handle it in a structured way:

  • Ask the seller’s IT team for clear reports: license list, Secure Score history, admin roles, Conditional Access policies, and Purview hold details
  • Use a “clean team” setup: third-party consultants (under extra NDAs) run scans for the seller and share only the results with the buyer
  • Use Microsoft365DSC to export configurations. It runs with the seller’s admin account and captures settings without exposing user data
  • Run due diligence work in parallel (identity, compliance, licensing, Power Platform, Teams) instead of one after another
  • Verify what the seller says using outside sources like breach history, regulatory filings, and employee reviews
  • Ask for change history, not just the current state: who made admin changes, what policies changed, and when
  • Talk to different levels of the seller’s IT team, not just the CIO
  • Include strong legal protections (reps and warranties) with escrow holdbacks, so any hidden technical risks found later are still the seller’s responsibility
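
As an added example (not from the original article or any Apps4.Pro tooling), this Python script triages a seller-provided Conditional Access export offline, flagging policies that are configured but not enforcing and identities excluded from a control. It assumes the seller exports policies as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies and group names are constructed.

```python
import json

# Constructed sample in Microsoft Graph conditionalAccessPolicy shape, standing in
# for a seller-provided data-room export. Names and IDs are made up.
SAMPLE_EXPORT = json.loads("""[
  {"displayName": "Require MFA - all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"]}},
   "grantControls": {"builtInControls": ["block"]}},
  {"displayName": "Compliant device - finance", "state": "disabled",
   "conditions": {"users": {"includeGroups": ["grp-finance"], "excludeUsers": ["svc-payroll"]}},
   "grantControls": null}
]""")


def triage_policies(policies):
    """Return (policy, issue, detail) tuples worth a follow-up question to the seller."""
    findings = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        state = p.get("state", "unknown")
        users = (p.get("conditions") or {}).get("users") or {}
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if state != "enabled":
            # Report-only and disabled policies exist on paper but enforce nothing.
            findings.append((name, "not-enforced", state))
        if excluded:
            # Every exclusion is an identity outside the control; ask who and why.
            findings.append((name, "has-exclusions", ", ".join(excluded)))
    return findings


def has_enforced_mfa_baseline(policies):
    """True if an enforced policy targets all users and lists 'mfa' as a grant control."""
    for p in policies:
        users = (p.get("conditions") or {}).get("users") or {}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if (p.get("state") == "enabled" and "All" in (users.get("includeUsers") or [])
                and "mfa" in controls):
            return True
    return False


if __name__ == "__main__":
    for policy, issue, detail in triage_policies(SAMPLE_EXPORT):
        print(f"{policy}: {issue} ({detail})")
    print("Enforced MFA baseline:", has_enforced_mfa_baseline(SAMPLE_EXPORT))
```

Each finding maps to a targeted data-room question: why a policy is report-only or disabled, and who sits in each excluded group or account.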

The Opportunity Hidden in These Limits

The same lack of visibility that creates risk can also create value.

  • Cleaning up licenses (removing duplicates or unused ones) can save enough money to pay for the whole migration. In one case, savings from duplicate Power BI licenses covered the entire project
  • Doing early checks on compliance and identity, like reviewing litigation holds and setting a Secure Score baseline, helps avoid costly surprises after the deal closes
  • If you design your data room requests based on real due diligence risks, you can find about 60–70% of integration issues before signing, when they can still affect pricing
  • Some private equity firms now set minimum Secure Score targets (like +20 points) in the deal terms, using technical findings to adjust the purchase price

What Shifts the Moment the Deal Closes

Post-deal problems (like migration issues or cutover failures) are well known. But pre-deal problems are very different. Here’s how things shift:

  • You are limited by what the contract allows you to access, not by what technology can do
  • Costs are handled in the deal price and TSA terms, not in normal project budgets
  • Issues appear as deal risks or unexpected costs, not as helpdesk problems
  • You can only address problems using legal protections (reps, warranties, escrow, TSA), not by fixing them technically

Once the deal closes, the playbook changes. For what breaks after signing and how to manage the TSA clock you just inherited, read the post-signing companions: M&A Microsoft 365 Migration Risks Under TSA Deadlines, The Real Cost of Microsoft 365 Tenant Consolidation in M&A, and The M&A M365 Migration Hub for CXOs.

The Rest of This Series

This section is the foundation of a pre-deal series made for Corporate Development teams, IT due diligence advisors, legal deal teams, CISOs at the term-sheet stage, and M&A integration leaders working before signing.

Each part focuses on one important, high-impact issue:
