M&A Due Diligence — Microsoft 365 Tenant Audit for Target Companies
The target's Microsoft 365 tenant is one of the largest hidden integration costs in any M&A deal. Standard financial and legal due diligence does not touch it. This is the EPC Group 5-10 day pre-close audit, refined across 216+ M&A engagements moving 1.83 million users (2023-2025 program).
The six deliverables
- License inventory + true-up estimate — every M365 SKU the target owns, entitled vs deployed seats, overage exposure at close.
- Security posture assessment — Secure Score baseline, active P1/P2 incidents, unresolved audit findings, Purview holds.
- Governance debt inventory — SharePoint EEEU permission exposure, sensitivity label state, DLP coverage.
- Copilot readiness gap — how far is the target from safely enabling Copilot post-close.
- Integration cost estimate — bounded range (small / medium / large) for consolidating into acquirer tenant.
- Post-close 30-day consolidation runbook — sequenced actions the integration team executes in the first month.
Frequently Asked Questions
Why does M&A due diligence need a Microsoft tenant audit?
Because the target's Microsoft 365 tenant is one of the largest post-close integration cost lines and one of the biggest risk surfaces — and standard financial + legal due diligence never touches it. A $50M acquisition can hide $500K-$2M of unbudgeted tenant integration cost (licensing overage, Purview retrofit, Copilot readiness gap, SharePoint permission cleanup, Power Automate flow rebuild). Worse: if the target's tenant has an active oversharing exposure, a security incident, or a regulatory audit finding, the acquirer inherits it at close. EPC Group's 5-10 day pre-close audit surfaces the integration cost and the risk surface before signing.
What does the audit produce?
Six deliverables in a single pre-close report: (1) License inventory + true-up estimate — every M365 SKU the target owns, entitled vs deployed seats, overage exposure at close. (2) Security posture assessment — Secure Score baseline, active P1/P2 incidents, unresolved audit findings, Purview holds in place. (3) Governance debt inventory — SharePoint EEEU permission exposure, sensitivity label taxonomy state, DLP policy coverage. (4) Copilot readiness gap — how far is the target from safely enabling Copilot post-close. (5) Integration cost estimate — bounded range (small / medium / large) for consolidating into the acquirer tenant. (6) Post-close 30-day consolidation runbook — the sequenced actions the integration team executes in the first month.
How long does the audit take?
5-10 business days. Small target (under 500 employees): 5 days. Mid-market target (500-2,500 employees): 7-8 days. Large target (2,500-10,000 employees): 10 days. Requires read-only Global Admin access to the target tenant during the audit window — provided under NDA and typically brokered by the target's CIO with acquirer legal counsel. EPC Group has run this audit on 216+ M&A engagements moving 1.83 million users across the 2023-2025 program window.
How does this fit into the standard M&A due diligence workstream?
Runs in parallel with financial + legal + operational due diligence, typically Weeks 4-6 of a 10-12 week diligence cycle. Report delivered to the acquirer M&A team + CIO + CISO 2-3 weeks before target close. Findings feed into: (a) the purchase agreement (representations and warranties around IT liability), (b) the post-close integration budget, (c) the Day 1 IT integration plan. For deals where the M&A tenant audit surfaces material findings, EPC Group has been engaged as the post-close M&A tenant consolidation partner — see /answers/ma-tenant-consolidation-microsoft-365 for the 5-day cutover playbook.
What do the top findings usually look like?
Three most common: (1) License overage — the target is paying for 500-2,000 seats it does not use, or is running M365 Business Premium where it should be E3. Post-close TCO improvement of $150K-$1.5M/yr. (2) Governance debt — the target has 60-90% of its SharePoint content permissioned to "Everyone Except External Users" and no sensitivity label taxonomy. Integration cost $150K-$500K for the cleanup + Purview rollout. (3) Copilot-blocked — the target is on M365 E3 without Purview eDiscovery Premium, sensitivity labels, or DLP policies, meaning Copilot rollout at the acquirer is blocked in the target org until $200K-$600K of remediation is complete.
Talk to a senior architect
Email contact@epcgroup.net or call 888-381-9725.
North America's oldest continuous Microsoft Gold Partner (2000 until Microsoft retired the program in 2022) — today holding all six Microsoft Solutions Partner Designations.
