This guide is part of our M365 Migration Series.
Mergers and acquisitions often bring the challenge of consolidating multiple M365 tenants into a single environment. Beyond mailboxes, Teams, and file storage, you must ensure that security and compliance controls are reconciled between the tenants. During an M&A, especially when guided by experienced IT Services Mergers and Acquisitions, the compliance and governance layer powered by Microsoft Purview is equally critical.
Purview defines how all your data is retained and protected. During an M&A, overlooking these controls can expose the new organization to regulatory risk and data loss. This blog explores the high-level steps for migrating Purview configurations and focuses specifically on the retention, eDiscovery, data loss prevention (DLP), and information protection modules within Purview.
Why Migrating Purview Matters
When two organizations merge, they likely bring different compliance obligations, or at least different setups and interpretations of compliance. One tenant may enforce strict retention policies to meet SEC requirements, while the other operates under GDPR. Reconciling different configurations is not optional – it’s essential to ensure the merged entity remains compliant in all jurisdictions to avoid penalties.
For M365 environments, Microsoft Purview provides the toolset to manage data: retention policies to control data lifecycle, eDiscovery to support legal investigations and data holds, DLP to prevent sensitive data leakage, and information protection to classify and secure your data. In an M&A migration, the configurations for these items must be carefully inventoried, compared, and reconciled.
Licensing Context: E3 vs. E5
For the purposes of this blog, we’ll assume both tenants are licensed at the same level — either E3 or E5. This simplifies the migration, as feature parity ensures that policies can be recreated without any change in capabilities.
- E3 licensing: provides baseline compliance features, including retention policies, basic eDiscovery, and sensitivity labels.
- E5 licensing: includes advanced capabilities such as Advanced eDiscovery, Insider Risk Management, Communication Compliance, and enhanced DLP analytics.
There can be potential issues if the two tenants are at different licensing levels, especially if the acquiring tenant is at a lower licensing level. If Org A is on E5 and Org B is on E3, there may be a feature gap. For example, Advanced eDiscovery workflows may not be available, forcing the new org to use basic search and export. Similarly, if advanced DLP analytics were used in Org A, those analytics will be unavailable.
You must decide whether to upgrade licenses for parity or accept reduced functionality in the new tenant. In regulated industries, downgrading from E5 to E3 could introduce compliance risks, and you should know how you are going to mitigate those risks.
Core Features to Address in Migration
1. Retention Policies
- Inventory existing policies by documenting the retention labels and policies in both tenants.
- Identify any key differences in coverage in the major M365 components (Exchange, SharePoint, OneDrive, and Teams).
- Reconcile retention periods to meet the regulatory requirement of the new combined org.
- Create or modify the retention policies in the acquiring tenant as needed.
2. eDiscovery
- Export active cases to preserve ongoing investigations in both tenants.
- Recreate cases, custodians, and searches in the acquiring tenant.
- Ensure audit logs are exported to maintain the chain of custody.
3. Data Loss Prevention (DLP)
- Inventory the DLP policies for all M365 components (Exchange, SharePoint, OneDrive, and Teams) in both tenants.
- Reconcile the policies and determine what these should be for the combined org.
- Create new, combined DLP policies that reflect the needs of the combined org.
- Pilot the new policies with a subset of users, especially if the new policies will be more restrictive than they may be used to.
4. Information Protection
- Inventory the labels and policies in both tenants.
- Reconcile the labels and determine what the new labels for the combined org will be.
- If necessary, create new unified labels in the combined tenant.
- Once data is migrated, apply new labels to the migrated content (see part 6 for an automated method for this).
Reconciling Stricter vs. Looser Rules
As with Defender, policy differences are a common challenge. Org A may enforce strict retention (seven years for all email), while Org B allows user-driven deletion after one year.
General Guidance:
- In most cases, plan that you will use the stricter policy set during migration.
- Conduct a compliance risk assessment that considers the structure of the new org to determine if looser rules can be applied.
- If you go with stricter policies, pilot them with a subset of users to measure impact.
Example: Org A enforces DLP rules that block transmission of Social Security Numbers outside the organization. Org B only warns users. In the merged tenant, you should adopt Org A’s stricter blocking stance initially, then evaluate whether warnings are sufficient based on business needs and regulatory requirements.
High-Level Migration Steps
- Inventory Policies
  - Export the Purview configurations from both tenants.
  - Document the settings for retention, eDiscovery, DLP, and information protection.
- Compare & Analyze
  - Identify overlaps, gaps, and conflicts.
  - Assess compliance implications of stricter vs. looser policies.
- Define Target State
  - Define a unified compliance baseline for the merged tenant.
  - Align with any new regulatory requirements that are applicable to the combined org (GDPR, HIPAA, SEC, etc.).
- Pilot Migration
  - Apply consolidated policies to a small group of users.
  - Monitor impact on productivity.
- Full Rollout
  - Deploy policies across the merged tenant.
  - Communicate changes to end users (e.g., stricter retention or DLP rules).
- Monitor & Adjust
  - Use reporting within Purview to track the effectiveness of the new policies.
  - Adjust policies as the needs of the new org evolve.
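The Inventory and Compare steps above, and the stricter-vs-looser review earlier, can be scripted with Security & Compliance PowerShell. This is an added example, not part of the original post: it snapshots each tenant's Purview settings to JSON and lists the settings side by side for review. The admin UPNs, output folders, and the two function names are placeholders chosen for illustration.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. Tenant UPNs and output folders below are placeholders.

function Export-PurviewInventory {
    param([Parameter(Mandatory)][string] $AdminUpn,
          [Parameter(Mandatory)][string] $OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Connect-IPPSSession -UserPrincipalName $AdminUpn
    try {
        $sets = [ordered]@{
            RetentionPolicies = { Get-RetentionCompliancePolicy -DistributionDetail }
            RetentionRules    = { Get-RetentionComplianceRule }
            DlpPolicies       = { Get-DlpCompliancePolicy }
            DlpRules          = { Get-DlpComplianceRule }
            Labels            = { Get-Label }
            LabelPolicies     = { Get-LabelPolicy }
            Cases             = { Get-ComplianceCase }  # case metadata only, not holds or results
        }
        foreach ($name in $sets.Keys) {
            # -InputObject keeps an empty or single result as a JSON array
            $rows = @(& $sets[$name])
            ConvertTo-Json -InputObject $rows -Depth 4 |
                Set-Content -Path (Join-Path $OutDir "$name.json") -Encoding UTF8
        }
    }
    finally { Disconnect-ExchangeOnline -Confirm:$false }
}

function Get-PurviewSideBySide {
    param([string[]] $Dirs, [string] $Set, [string[]] $Property)
    foreach ($dir in $Dirs) {
        $items = Get-Content (Join-Path $dir "$Set.json") -Raw | ConvertFrom-Json
        # Tag every row with the tenant folder it came from
        $cols = @(@{ n = 'Tenant'; e = { Split-Path $dir -Leaf } }) + $Property
        @($items) | Select-Object $cols
    }
}

Export-PurviewInventory -AdminUpn 'admin@orga.example' -OutDir .\orgA
Export-PurviewInventory -AdminUpn 'admin@orgb.example' -OutDir .\orgB

# Retention: which tenant keeps data longer, and what happens at expiry
Get-PurviewSideBySide -Dirs .\orgA, .\orgB -Set RetentionRules `
    -Property Name, RetentionDuration, RetentionComplianceAction | Format-Table
# DLP: blocking rules vs. warn-only rules, and policies still in test mode
Get-PurviewSideBySide -Dirs .\orgA, .\orgB -Set DlpRules `
    -Property Name, BlockAccess, NotifyUser | Format-Table
Get-PurviewSideBySide -Dirs .\orgA, .\orgB -Set DlpPolicies -Property Name, Mode | Format-Table
```

Keep the JSON snapshots with the migration records: they document what each tenant enforced before consolidation.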
Recommended Strategy
- Baseline First: establish a good compliance control baseline (retention, DLP, sensitivity labels) before migrating users.
- Wave-Based Migration: move users in waves, applying consolidated policies incrementally.
- Communication: inform users about changes in retention, DLP, and labeling, especially if it involves stricter rules for anything.
- Compliance Alignment: ensure policies meet the regulatory requirements of the new org before migration.
- Post-Migration Review: conduct a compliance posture assessment after consolidation to make sure you are in compliance for your industry and locale.
Risks to Watch
- Feature Gaps: licensing differences may result in loss of advanced capabilities.
- User Disruption: stricter retention or DLP rules can frustrate users if not communicated effectively.
- Regulatory Exposure: looser rules may violate compliance requirements.
- Data Loss: failure to preserve eDiscovery cases or audit logs can compromise chain of custody and put the new org at legal risk.
Final Thoughts
Migrating Microsoft Purview policies during a merger is critical to making sure that the new org remains in regulatory compliance. For many organizations, leveraging structured IT Services Mergers and Acquisitions helps streamline the process and ensure that nothing is overlooked. By inventorying policies, reconciling differences, and implementing a unified baseline, you can ensure that the merged org is compliant. Licensing parity simplifies the process, but even when tenants differ, effective planning and communication can bridge the licensing gap. With careful planning, your organization can achieve a compliant, resilient M365 environment.





