This guide is part of our M365 Migration Series.
Explore every step of the tenant-to-tenant migration journey below:
Mergers and acquisitions often bring the challenge of consolidating multiple M365 tenants into a single environment. especially when organizations require expert IT Services Mergers and Acquisitions to guide the process.
Beyond mailboxes, Teams, and file storage, you must ensure that security and compliance controls are reconciled between the tenants. Microsoft Defender plays a critical role here, particularly in safeguarding email and collaboration workloads.
This blog explores the steps and strategies for reconciling Defender configurations during an M&A, with a focus on the core security features related to M365: anti-phishing, anti-spam, Tenant Allow/Block List (TABL), Safe Links, and Safe Attachments. We will also briefly talk about the license implications of a potential move from E3 (or A3 or F3) to E5 (or A5 or F5), or E5 to E3.
Why Migrating Defender Matters
Email remains the number one attack vector in enterprise environments. During a migration, attackers will often try to exploit the chaos of change new domains, unfamiliar addresses, and shifting policies can all create blind spots as the two tenants try to coexist.
A well thought-out and implemented migration plan for Microsoft Defender can keep the walls up to prevent phishing, spam, and malware from slipping through during the migration process.
Chances are, when two organizations merge, their tenants will have different security configurations. For example, one may enforce strict Safe Links policies, while the other allows more flexibility. Reconciling these differences is not just a technical exercise; it’s also a risk management decision that impacts both sides of the newly merged entity.
Licensing Considerations: E3 vs. E5
For the purposes of this blog, we’ll assume both tenants are licensed at the same level — either E3 or E5. This simplifies the migration, as feature parity ensures that policies can be recreated without any change in capabilities.
If the tenants are not at the same license level, and especially if the acquiring tenant is E3 and the acquired tenant is E5 (i.e. stepping down in license), you will need to take special care that all compliance requirements of the acquired org can be met at the new licensing level.
- E3 licensing: provides baseline security features, including anti-phishing, anti-spam, Safe Links, and Safe Attachments. However, advanced capabilities such as Automated Investigation and Response (AIR), Threat Explorer, and advanced hunting are limited.
- E5 licensing: unlocks the full suite of Microsoft Defender features, including enhanced reporting, threat investigation, and automation.
Potential Issue if Licensing Differs: If Org A is on E5 and Org B is on E3, you can face a feature gap. For example, the Safe Attachments feature is available at both license levels, but automated remediation workflows are not. This can create a gap in security posture post-migration if Org A requires these workflows to meet a compliance requirement.
You must decide whether to upgrade licenses for parity or accept reduced functionality in the consolidated tenant. You have to decide if downgrading from E5 to E3 introduces any compliance risks, and how those risks are best mitigated.
Core Features to Address in Migration
1. Anti-Phishing Policies
- Inventory the existing anti-phish policies rules in both tenants.
- Identify any differences in impersonation protection (e.g., executives, domains).
- Recreate or add entries to the acquiring tenant in order to consolidate policies.
2. Anti-Spam Policies
- Compare spam filtering thresholds, send limits, and bulk mail handling.
- Compare settings for quarantining messages.
- Reconcile the policies into a new, combined policy that meets the requirements of the new org. If this means one side is going to end up with stricter policies than before, be sure to communicate with those clients ahead of time.
3. Tenant Allow/Block List (TABL)
- Export allow/block entries from both tenants.
- Consider taking this opportunity to consolidate the allow/block items in your anti-spam policies to the TABL.
- Consolidate into a single list and resolve any conflicts (i.e. one tenant blocks a domain that the other allows).
4. Safe Links and Safe Attachments
- Compare Safe Links and Safe Attachments policies.
- Reconcile them into new, combined policies that meet the requirements of the new org. If this means one side is going to end up with stricter policies than before, be sure to communicate with those clients ahead of time.
Reconciling Stricter vs. Looser Rules
One of the most common challenges in M&A migrations is that one org is stricter than the other org. For example, Org A may enforce strict Safe Links scanning with no bypass, while Org B allows user overrides for productivity reasons.
General Guidance:
- In most cases, plan that you will take the stricter policy set during migration.
- Conduct a risk assessment with the new org in mind to determine if the looser rules can be applied.
- If you have to adopt the stricter policies, pilot them first with a subset of users affected users to measure impact before full rollout.
Example: Org A blocks all external domains in TABL except for a small allowlist. Org B has a permissive policy, allowing most external domains. In the merged tenant, you should plan like you are going to adopt Org A’s stricter stance initially, then gradually expand the allowlist based on validated business needs. This helps to reduce exposure during the transition period.
High-Level Migration Steps
- Inventory Policies
- Document anti-phish, anti-spam, TABL, Safe Links, and Safe Attachments settings. You can use PowerShell to do most of the work on this one.
- Compare & Analyze
- Identify and reconcile overlaps, gaps, and conflicts.
- Assess the risk implications of stricter vs. looser policies.
- Define Target Baseline
- Establish a unified security baseline for the merged tenant.
- Align this new baseline with organizational risk and compliance requirements.
- Pilot Migration
- Apply consolidated policies to a small group of users, especially if they are stricter for one side of the merger.
- Monitor impact on productivity and threat detection.
- Full Rollout
- Deploy policies across the acquiring tenant.
- Be sure to communicate with clients about any changes that could impact productivity.
- Monitor & Adjust
- Use reporting within Defender to track the effectiveness of the new policies.
- Adjust policies as needed based on client feedback.
Recommended Strategy
- Baseline First: establish a good, reconciled security baseline before migrating users.
- Wave-Based Migration: migrate clients to the new policies in waves, applying consolidated policies to small sub-sets of users before deploying wide. This can reduce disruption and allow for adjustments if needed.
- Communication: inform users about any changes that could impact productivity. Pay special attention to spam handling (anti-spam policies), link scanning (Safe Links), and attachment blocking (Safe Attachments).
- Compliance Alignment: make sure that the new policies meet regulatory requirements (GDPR, HIPAA, etc.) before moving out of the pilot stage.
- If this merger crosses international boundaries, be sure you are up-to-speed on regulations in the new country.
- Post-Migration Review: conduct a security posture assessment after consolidation to validate that you are still in compliance for your industry and locale.
Risks to Watch
- Feature Gaps: if licensing differs, critical features may be lost, which could mean that you are out of compliance for your industry or locale.
- User Disruption: stricter policies can frustrate users if not communicated beforehand.
Final Thoughts
Migrating Microsoft Defender configurations during a merger critical to making sure that the new org is compliant with industry standards and regulations. For organizations undergoing complex transitions, leveraging the right IT Services Mergers and Acquisitions can help streamline policy reconciliation and ensure nothing is overlooked.
Start by inventorying and comparing policies, then establish a unified baseline that meets regulatory needs.
Pilot changes with a small group, communicate any changes with your clients, monitor the impact, and refine policies as needed. Address licensing gaps early to mitigate any risk with a step-down in licenser.
With careful planning, your organization can achieve a secure, resilient M365 environment.
Modernize Your Business With a Seamless Microsoft 365 Migration
Simplify your move to the cloud with expert planning, native tools, and proven M&A migration strategies that ensure zero disruption.
Talk to Our Migration Experts
