Welcome to the second part of my series on mergers and acquisitions (M&A). This part focuses on how to enable secure communication and collaboration in your environment. My last article went over the importance of preparing for your Day One and taking care of identity management. Now let’s discover the next four steps!
As per my last article, there are six key items you need consider to ensure a successful merger. And, as always, the cloud is here to help! Let’s find out how.Â
#3 E-mail! E-mail everywhere!Â Â Â Â
Once you are done with the identity exercise, we need to focus on the collaboration elements between organizations. Collaboration here is a broad term. It covers the following:Â Â
- E-mailÂ Â Â
- Document accessÂ Â
- Application access.Â
Let’s briefly go through each of the above.
E-mail is king!Â Â
Yes… still king. Even with the recent availability of new communication tools (Slack, Teams), e-mail still has a special place in business. People will likely complain if that channel is not properly handled.
So that’s where we need to start. You will likely inherit two sets of separate email systems. Be it on-premise or in the cloud, it is unlikely that you’ll want to merge them on Day One. Why, you ask? Because e-mail migrations are complex, and we have much to accomplish on Day One. So, the first thing you need to deliver is address book synchronization. This let people can find each other in directories. By the way, it might surprise you to learn that Office 365 still does not deliver address book synchronization in the cloud.Â Â Luckily, there is an easy solution: use Microsoft Identity Manager Synchronization Service! It is free! Not all people know about it, but the synchronization engine of MIM is included with the Windows Server license, and you can use it.Â Â Â
What is MIM?Â
Microsoft Identity Manager (MIM) is a tool that handles the following:
- Contact list synchronization between directories. Once you sync it between AD on-prem, Azure AD Connect will bring it to Office 365, or you can synchronize it directly.
- Group membership synchronization (if required)Â Â Â
- Password synchronization (not needed for e-mail, but might come in handy in later cases, so good to know it is there).Â Â Â
You don’t need other tools. MIM is available, free and proven to accomplish this task.Â Â Â
Free & busy information exchangeÂ
This one is easy. It is built into Office 365 and provided as a service for Exchange on-prem. It only requires configuration on both sides.
This one is a bit tricky, and I can’t prescribe a solution in this article. Why? Because every situation is a little different. What you need to consider is the following:
- Which domain will be assigned to which users. Will they share a single e-mail space or continue with separate spaces?Â Â
- What will be the receiving end and how willÂ e-mail be routed between organizations?Â Â Â
- Who will send the outgoing mail for the shared domainÂ (if you share the e-mail domain)?Â Â Â
- What anti-spam / anti-virus solutions should be put in place? Do you pick one or use both?Â Â Â
- What DLP solutions are in place on both ends?Â Â Â
This is not a complex task, but it does require some planning.Â Â Â
#4 Cloud-enabled collaboration across the boundariesÂ Â Â
Now that we’ve taken care of e-mail, we can move on to document collaboration! In most M&A cases, you wont need full document access on Day One. (i.e. access to all file shares and libraries). The one requirement that we often see is one for a shared space accessible to users on both sides of the M&A.Â Â Â
With the identity scenario already solved with Azure AD, you are left with one easy-to-deploy option: SharePoint Online.
Keep in mind, this doesn’t need to be a full SharePoint deployment. You can create a shared space in one of the tenants of Office 365 or establish a tenant related to one of Azure AD’s for document collaboration.Â Â Â
From an access perspective:Â Â
- SharePoint Online is protected with Azure AD. Once AAD is in place, you already have a way to establish access for users to this service.
- If you have a separate Azure AD tenant between organizations, you can use Azure AD B2B to equip people with access to it.
- If needed, it can be secured with conditional access.
Access management-wise, Office 365 with Azure AD B2B are proven to be a reliable way of establishing secure access before you fully merge the environments.Â Â Â
A note on inviting users to Azure AD B2B
When it comes to Azure AD B2B (we will get back to it in a moment), there is one requirement that you need to cover: invitations (or synchronization) of users across tenants for B2B collaboration. Â
Here are two things that simplify this:Â
- The standard Azure AD B2B scenario requires that a user redeem an invitation to a second tenant. This isn’t required. Instead, you can configure a scenario where users don’t have to interact with the service to redeem invitations and can start working right away!Â Â Â
- You still need to make sure that users are invited to each other’s tenants for collaboration. You can use MIM’s synchronization engine for this again. Remember, it is free, and with a bit of PowerShell, it can do magic!Â Â Â
What if you don’t have SharePoint Online and you don’t want to pay for a subscription? Â
There is a chance that you may not have, or want, SharePoint Online. Or still, you may have existing SharePoint on-premises and want to use it for collaboration. What to do then?Â
Our scenarios still apply. They make it easy and fast to establish collaboration because we have Azure AD:Â Â
- Azure AD provides an authentication service for users within a single tenantÂ Â Â
- Azure AD B2B enables users to work across organizational boundaries in a multi-tenant scenario.Â
We can use two additional elements to enable people to work in on-premises applications scenarios:Â Â
- Azure AD Web Application Proxy (WAP). It allows you to publish your on-premises applications to users on the other end of the M&A, and access them easily with a full SSO experience (plan your authentication scenarios!)Â Â Â
- Azure AD B2B scenario can be extended to the on-premises apps. Synchronize your AAD B2B guests from another tenant to your on-premises Active Directory, and together with Azure AD WAP, it enables access to on-prem apps.Â Â Â
If you’re wondering how to synchronize Azure AD B2B guests to your on-prem AD, then you probably already know the solution: use MIM’s synchronization engine. Synchronization of B2B guests is one of the built-in scenarios in this tool.Â Â Â
With these elements, you have enabled users to:Â Â
- Collaborate on e-mail;
- Exchange documents and data;
- Share applications online and on-premises.
You get all this without even touching on-premises networking or establishing trusts in AD on-prem. Fast and easy!Â Â Â
#5 Network connectivity needed? Azure to the rescue!Â
Sounds good, but what if we need to have some services that touch the network on both sides of the M&A? You’ll need to think about the following:Â Â
- AAD Connect synchronization of two forests in case you decide on a single Azure AD tenant scenarioÂ Â
- MIM synchronization ofÂ one or more AD on-premises for GAL synchronization, or B2B user synchronizationÂ
- â€¦ add your services here.Â Â Â
True. Sooner or later you will come to a point where you will need to establish network connectivity between organizations. But you don’t need to do it at the network infrastructure level, which might be tricky (think about network addressing, DNS namespaces, firewalls on both ends, etc.).Â We consistently find that using Azure IaaS networking will quickly establish network access. This simplifies and accelerates the whole process and provides a good level of control and security.Â Â
Azure provides all the required networking elements as a service. You need to complete the following:
- Establish an Azure subscription if you don’t have one already ;
- Establish a VPN gateway for both sides of the M&A within this subscription with the appropriate networking setupÂ
- Add services that need access over a network in Azure IaaS on virtual machines connected to these networks.Â Â Â
This approach is much faster compared to an attempting to deploy a new configuration with the network team and infrastructure on both sides of the network.
#6 Prepare for a long-term co-existenceÂ Â Â
Remember, the above steps enable you to spin up an early “Day One” environment and services and enable your M&A entities to collaborate early on in the process. The authentication and access layers are defined in Azure AD, as well as the the services you’ve deployed. Now it’s time for the hard work to migrate all users, mailboxes, and lastly, the one that causes all the issues – services and apps.Â Â Â
But with all the steps covered by this article, you are in good shape for it!
Once you have your early environment stood up using cloud services, it becomes much easier to manage data and users across the M&A. As for the users, nothing changes. They still access things in the same way. We just changed their location!Â Â Â
On-premises tools and migration process are well established. If you need to migrate and merge Office 365 – that’s a different story. There are many tools out there that make that whole process easier. But with proper planning, it can be done smoothly (we know! We’ve done it already!)
Plan, prepare, prevailÂ
M&As are not hard, but they require lots of planning and execution with a strong focus on end-user experience and making changes with little disruption of services.
What might not be obvious is that cloud solutions make this whole process a lot easier. Keep the following in mind:Â
- Proper configuration of identity services and authentication scenarios provides users with access to key services like collaboration, e-mail, information exchange and app access, which are detached from their network location or originÂ
- Access services based on Azure AD allow access to applications and data on-premises easily, without establishing direct trusts and network connectivity. They simplify Day One scenarios and again, provide access detached from user origin with a better user experienceÂ
- Cloud infrastructure, like Azure networking, simplifies merger scenarios. Instead of establishing a direct connection at network levels between organizations (which might become complicated because of address spaces), you can leverage Azure networking to establish connectivity. This approach is much faster to establish, easier to manage, no hardware extensions or purchases are required.Â Â Â
Don’t forget: if you need help with this process, you know whom to call? (No, it is not Ghostbusters!)