playbook 10 min read

The IT Due Diligence Checklist Nobody Gives You

What to scan, what to ask for, and what to refuse to sign without before your next M&A transaction. A technical due diligence checklist built from real acquisition post-mortems.

ACQI Team
due-diligence pre-signing discovery checklist risk-assessment

Most IT due diligence checklists are written by consultants who don’t have to live with the results. They cover the obvious: server counts, user totals, a list of major applications.

They miss the things that actually blow up integrations.

This checklist is different. It’s built from post-mortems on integrations that went wrong — the undocumented dependencies, the hidden licensing liabilities, the identities nobody counted.

Before You Sign: The Non-Negotiables

These are the items where “we’ll figure it out post-close” is not an acceptable answer.

Identity Infrastructure

1. Complete Active Directory inventory — all forests, all tenants

Request: A single exported CSV covering every user account, service account, and computer object across every AD forest. Not a summary. Not a description. The raw export.

What to verify:

  • User account count (including disabled, expired, guest)
  • Service accounts, and whether their passwords are managed (gMSA, or a vault that rotates them) or were set once and never changed
  • Service principal names (SPNs) on every account with privileged access: an SPN on a user account lets any domain user request a service ticket encrypted with that account's password hash (Kerberoasting), so a privileged account with an SPN is a direct escalation path
  • AD trusts — directional, transitive, forest-level, external
  • OU structure — who has what permissions at each level
  • Group policy links and which OUs they apply to

Red flag: Any environment that can’t produce this export in 48 hours doesn’t have control of their identity infrastructure.

2. Entra ID / Azure AD full tenant export

Request: Export of every user, group, application registration, service principal, and conditional access policy. Every. Single. One.

What to verify:

  • Total user count vs. licensed seats — are you paying for ghosts?
  • Application registrations: count and owner, which ones hold client secrets or certificates, which have been granted admin-consented API permissions, and which still have the OAuth implicit grant flow enabled
  • Service principals with high-privilege roles (Global Admin, Privileged Role Admin, etc.)
  • Conditional access policies — what’s actually enforced vs. what’s in “report-only” mode
  • PIM (Privileged Identity Management) assignments — who has permanent vs. eligible access
  • B2B collaboration and guest accounts — how many, from which domains

3. Identity consolidation map

For each identity in the target environment, you need to know:

  • Is this person active or departed?
  • What systems does this identity access?
  • What is the account’s last sign-in date?
  • Does the account have privileged access that nobody remembers granting?

Most targets can’t answer these questions without weeks of manual work. ACQI’s identity modules answer them in hours.

Licensing and Subscriptions

4. Complete SaaS subscription inventory

Request: Every SaaS application purchased on corporate cards, approved by IT, or running on company-issued credentials — including the ones the CFO doesn’t know about.

What to find:

  • Shadow IT purchased on individual credit cards
  • Proof-of-concept Azure/AWS resources still running from 2022
  • Per-user SaaS licenses for employees who left 18 months ago
  • Microsoft 365 licenses assigned to shared mailboxes and resource accounts
  • Third-party SSO integrations with dormant app registrations

Red flag: More than 15% of licenses showing as “never signed in” suggests the target has no active license management process.

5. True M365 license utilization

Request: A license export showing every assigned license, every unassigned license, and every license assigned to non-user entities (shared mailboxes, resource accounts, rooms).

What to verify:

  • E1 vs E3 vs E5 mix — are they paying for E5 when E1 would suffice?
  • Teams Phone licenses vs. actual Teams usage
  • Power Platform licenses vs. active Power Apps/Power Automate usage
  • Defender for Endpoint — which devices are actually enrolled?
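
The checks in items 4 and 5 are mostly a join between the license assignment, the account state and the sign-in history. The following is an added example, not ACQI's code: it reads an assumed M365 license export (one row per assigned license, columns userPrincipalName, skuPartNumber, accountEnabled, lastSignInDateTime and the Exchange RecipientTypeDetails of the mailbox, the join onto the mailbox type assumed done when the export was produced), then reports per-SKU utilization, licenses sitting on shared and room mailboxes, licenses on disabled users, and the "never signed in" share against the 15% red-flag line above. The sample rows and the cut-off date are constructed.

```python
"""License utilization review over an M365 license export (checklist items 4 and 5).

Added example, not ACQI's code. Assumed export columns, one row per assigned license:
userPrincipalName, skuPartNumber, accountEnabled, lastSignInDateTime, recipientTypeDetails.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not a real tenant). Empty lastSignInDateTime = never signed in.
LICENSES_CSV = """\
userPrincipalName,skuPartNumber,accountEnabled,lastSignInDateTime,recipientTypeDetails
jsmith@target.example,SPE_E5,True,2024-06-12T07:30:00Z,UserMailbox
bwong@target.example,SPE_E3,True,2024-06-12T08:10:00Z,UserMailbox
adeparted@target.example,SPE_E3,False,2023-12-01T08:00:00Z,UserMailbox
cwhite@target.example,SPE_E3,True,,UserMailbox
dblack@target.example,SPE_E5,True,,UserMailbox
hr-inbox@target.example,SPE_E3,True,,SharedMailbox
room-4a@target.example,SPE_E3,True,,RoomMailbox
egreen@target.example,SPE_E3,True,2024-01-15T08:00:00Z,UserMailbox
fbrown@target.example,MCOEV,True,2024-06-11T08:00:00Z,UserMailbox
"""

AS_OF = datetime(2024, 6, 13, tzinfo=timezone.utc)   # fixed "today" so the result is reproducible
INACTIVE = timedelta(days=90)
NON_USER_TYPES = {"SharedMailbox", "RoomMailbox", "EquipmentMailbox"}
NEVER_SIGNED_IN_THRESHOLD = 0.15   # the red-flag line from the checklist


def _dt(value):
    """ISO-8601 UTC timestamp from the export; empty cell -> None."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if value else None


def license_report(text, as_of=AS_OF):
    """Per-SKU utilization plus the licenses a buyer should not inherit at full price."""
    per_sku = defaultdict(lambda: {"assigned": 0, "never_signed_in": 0, "inactive_90d": 0,
                                   "disabled_user": 0, "non_user_entity": 0})
    findings = {"never_signed_in": [], "disabled_user": [], "non_user_entity": [], "inactive_90d": []}
    total = 0
    for r in csv.DictReader(io.StringIO(text)):
        sku = per_sku[r["skuPartNumber"]]
        sku["assigned"] += 1
        total += 1
        upn = r["userPrincipalName"]
        # Shared and resource mailboxes normally need no user license; one assigned here is usually waste.
        if r["recipientTypeDetails"] in NON_USER_TYPES:
            sku["non_user_entity"] += 1
            findings["non_user_entity"].append(upn)
            continue   # a shared mailbox never signs in; don't double-count it as a ghost user
        if r["accountEnabled"].strip().lower() != "true":
            sku["disabled_user"] += 1
            findings["disabled_user"].append(upn)      # departed user still consuming a seat
        last = _dt(r["lastSignInDateTime"])
        if last is None:
            sku["never_signed_in"] += 1
            findings["never_signed_in"].append(upn)
        elif as_of - last > INACTIVE:
            sku["inactive_90d"] += 1
            findings["inactive_90d"].append(upn)
    ratio = len(findings["never_signed_in"]) / total if total else 0.0
    return {"total_assigned": total, "per_sku": dict(per_sku), "findings": findings,
            "never_signed_in_ratio": round(ratio, 3),
            "red_flag": ratio > NEVER_SIGNED_IN_THRESHOLD}


if __name__ == "__main__":
    report = license_report(LICENSES_CSV)
    print(f"assigned={report['total_assigned']} never_signed_in={report['never_signed_in_ratio']:.1%} "
          f"red_flag={report['red_flag']}")
    for sku, counts in sorted(report["per_sku"].items()):
        print(sku, counts)
```

The ratio is computed over all assigned licenses, as the red flag in the checklist is phrased; if the target argues that shared-mailbox licenses should not count, the per-SKU breakdown already separates them so the number can be recomputed either way.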

Security and Compliance

6. Conditional Access and security policy audit

Request: Every conditional access policy, every Intune compliance policy, every endpoint protection profile — with the enforcement status clearly marked.

What to verify:

  • Any conditional access policy set to “report-only” instead of “on”
  • Intune compliance policies whose action for noncompliance is only an email or push notification, or a long grace period, rather than marking the device noncompliant so conditional access can actually block it
  • Defender policies with exclusions that bypass scanning
  • Any security group or role that’s explicitly excluded from DLP policies
  • Expired TLS certificates on production systems
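
Items 2 and 6 both come down to reading the tenant export and separating what is enforced from what only looks enforced. The following is an added example, not ACQI's code, run over a constructed export whose shape is assumed: conditional access policies carrying the Microsoft Graph `state` field (the value `enabledForReportingButNotEnforced` is the real report-only state), PIM role assignments flattened into one list with a `kind` of `active` or `eligible` and an `endDateTime`, and users with their `userType`. A real export will need a mapping step onto these fields. It reports report-only and disabled CA policies, enforced policies with group exclusions, permanent versus eligible high-privilege assignments (including service principals holding tenant-level roles), and guest accounts by home domain.

```python
"""Posture checks over an Entra ID tenant export (checklist items 2 and 6).

Added example, not ACQI's code. The export shape is assumed (see the lead-in); only the
conditional access `state` values are the real Graph ones.
"""
import json
from collections import Counter

# Constructed sample export (not a real tenant).
EXPORT = json.loads("""
{
  "conditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"excludeGroups": []}}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeGroups": []}}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"excludeGroups": ["grp-ca-exclusions"]}}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"excludeGroups": []}}}
  ],
  "roleAssignments": [
    {"principal": "jsmith@target.example", "principalType": "user",
     "roleName": "Global Administrator", "kind": "active", "endDateTime": null},
    {"principal": "ops-lead@target.example", "principalType": "user",
     "roleName": "Global Administrator", "kind": "eligible", "endDateTime": "2025-01-01T00:00:00Z"},
    {"principal": "sp-legacy-sync", "principalType": "servicePrincipal",
     "roleName": "Privileged Role Administrator", "kind": "active", "endDateTime": null},
    {"principal": "sp-helpdesk-bot", "principalType": "servicePrincipal",
     "roleName": "Helpdesk Administrator", "kind": "active", "endDateTime": null}
  ],
  "users": [
    {"userPrincipalName": "jsmith@target.example", "userType": "Member"},
    {"userPrincipalName": "a_partner.example#EXT#@target.onmicrosoft.com", "userType": "Guest",
     "mail": "a@partner.example"},
    {"userPrincipalName": "b_partner.example#EXT#@target.onmicrosoft.com", "userType": "Guest",
     "mail": "b@partner.example"},
    {"userPrincipalName": "c_gmail.com#EXT#@target.onmicrosoft.com", "userType": "Guest"}
  ]
}
""")

# Roles whose holders can take over the tenant; extend to the target's own tiering.
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator",
                   "Privileged Authentication Administrator", "Security Administrator"}


def ca_policy_review(policies):
    """Split CA policies into enforced, report-only and disabled; note enforced ones with carve-outs."""
    out = {"enforced": [], "report_only": [], "disabled": [], "with_group_exclusions": []}
    bucket_for = {"enabled": "enforced", "enabledForReportingButNotEnforced": "report_only"}
    for p in policies:
        bucket = bucket_for.get(p["state"], "disabled")
        out[bucket].append(p["displayName"])
        if bucket == "enforced" and p["conditions"]["users"]["excludeGroups"]:
            out["with_group_exclusions"].append(p["displayName"])   # enforced, but not for everyone
    return out


def privileged_assignment_review(assignments):
    """Permanent vs time-bound vs eligible high-privilege assignments, and which are service principals."""
    out = {"permanent": [], "time_bound": [], "eligible": [], "service_principals_high_priv": []}
    for a in assignments:
        if a["roleName"] not in HIGH_PRIV_ROLES:
            continue
        if a["kind"] == "eligible":
            key = "eligible"                       # must be activated through PIM each time
        elif a["endDateTime"] is None:
            key = "permanent"                      # standing access PIM never removes
        else:
            key = "time_bound"
        out[key].append((a["principal"], a["roleName"]))
        if a["principalType"] == "servicePrincipal":
            out["service_principals_high_priv"].append(a["principal"])   # a secret or cert owns the tenant
    return out


def guest_domains(users):
    """Count B2B guests by home domain; fall back to the UPN when the mail attribute is empty."""
    counts = Counter()
    for u in users:
        if u.get("userType") != "Guest":
            continue
        if u.get("mail"):
            domain = u["mail"].rsplit("@", 1)[1]
        else:
            # Guest UPNs look like <local>_<domain>#EXT#@<tenant>; the domain follows the last underscore
            domain = u["userPrincipalName"].split("#EXT#")[0].rpartition("_")[2]
        counts[domain.lower()] += 1
    return counts


if __name__ == "__main__":
    print(ca_policy_review(EXPORT["conditionalAccessPolicies"]))
    print(privileged_assignment_review(EXPORT["roleAssignments"]))
    print(guest_domains(EXPORT["users"]))
```

Every group ID that shows up in `with_group_exclusions` deserves its own membership export: the "break glass" exclusion group in a typical tenant has a habit of growing to include half of IT.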

7. Data residency and cross-border data flows

Request: A map of where data lives, where it moves, and which regulations apply to each location.

What to identify:

  • Personal data stored in the wrong jurisdiction (GDPR, FCA, MAS, SEC)
  • Data subject access request (DSAR) processes and lag times
  • Cross-border data transfer mechanisms (SCCs, BCRs, adequacy decisions)
  • Retention policies — what’s kept, for how long, and where

Technical Debt

8. Infrastructure dependency map

Request: For any application flagged as business-critical, document:

  • The servers/services it runs on
  • Its authentication path (what identity, what domain)
  • Its upstream dependencies (databases, APIs, file shares)
  • Its downstream dependencies (what breaks if this breaks)

What you often find:

  • Applications that depend on a service account in a domain that will be decommissioned
  • Database connections hardcoded to an IP that will change post-migration
  • Scheduled tasks running under accounts that have no documented owner

9. Decommissioned systems still running

Request: Any system that’s been “switched off” but is still reachable on the network.

This is more common than anyone admits. Old file servers that someone forgot to take offline. Legacy applications that were replaced but not removed. Test environments that are still joined to the production domain.

After Signing: The First 30 Days

The checklist above buys you a picture of what you’re inheriting. The first 30 days post-close are about building the map that lets you move things without breaking them.

Week 1-2: Discovery Sprint

Run ACQI’s complete module suite across the target environment. All 124 modules. Parallel execution. Every dimension scanned simultaneously. Do not sequence these — the value is in the cross-module correlation.

The correlation is where you find the real risks: the application that’s nominally “in scope for migration” but actually depends on a service account in a forest that’s not in scope. The conditional access policy that references a group that won’t exist post-consolidation. The shadow SaaS application that authenticates using credentials from an account flagged for deprovisioning.

Week 3-4: Risk Scoring and Dependency Mapping

Score every application and identity by:

  • Business criticality (what breaks if this is wrong)
  • Technical complexity (how many dependencies does it have)
  • Risk exposure (does it touch regulated data, privileged access, or crown jewel assets)
  • Migration difficulty (what does it depend on that might not survive the move)

Week 5-8: Wave Planning

Group applications, identities, and workloads into migration waves ordered by dependency. The rule: nothing in a wave may depend on something in the same wave or a later one, so every dependency has already moved by the time its dependent does. Two items that depend on each other cannot be ordered that way at all; that is a circular dependency, and it has to be broken, or the pair migrated as a single unit, before wave planning can finish.
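
Item 8, the cross-module correlation described for weeks 1-2, and the wave planning above are all operations on the same dependency graph. The following is an added example, not ACQI's code: it takes a constructed dependency map (applications, service accounts, databases, a file share and two AD domains, each listing what it depends on directly) and an assumed migration scope, then finds every in-scope item that transitively depends on something out of scope (the payroll service account living in a forest that is not being migrated), lays the remaining items into waves so that no wave contains both sides of a dependency, and reports the items caught in a cycle that cannot be placed at all.

```python
"""Dependency map -> out-of-scope dependencies, cycles and migration waves.

Added example, not ACQI's code. DEPENDS_ON and IN_SCOPE are constructed; item names are
prefixed with their kind only so the output reads clearly.
"""
from collections import deque

# Constructed dependency map (not a real environment): item -> what it depends on directly.
DEPENDS_ON = {
    "app:payroll": ["svc:svc_payroll", "db:payroll-db", "share:fs01/payroll"],
    "svc:svc_payroll": ["domain:legacy.target.example"],   # account lives in a forest being decommissioned
    "db:payroll-db": ["svc:svc_sql"],
    "svc:svc_sql": ["domain:corp.target.example"],
    "share:fs01/payroll": ["domain:corp.target.example"],
    "app:crm": ["db:crm-db", "app:payroll"],
    "db:crm-db": ["svc:svc_sql"],
    "app:reporting": ["app:crm", "db:crm-db"],
    "app:intranet": ["app:sso", "domain:corp.target.example"],
    "app:sso": ["app:intranet"],                            # constructed circular dependency
    "domain:corp.target.example": [],
    "domain:legacy.target.example": [],
}
# The deal migrates everything except the legacy forest.
IN_SCOPE = set(DEPENDS_ON) - {"domain:legacy.target.example"}


def out_of_scope_dependencies(graph, in_scope):
    """In-scope items that rely, directly or transitively, on something outside the scope.
    Returns {item: path from the item to the first out-of-scope dependency found}."""
    hits = {}
    for start in sorted(in_scope):
        seen, queue = {start}, deque([(start, [start])])
        while queue:                         # breadth-first, so the reported path is a shortest one
            node, path = queue.popleft()
            for dep in graph.get(node, []):
                if dep not in in_scope:
                    hits.setdefault(start, path + [dep])
                elif dep not in seen:
                    seen.add(dep)
                    queue.append((dep, path + [dep]))
    return hits


def plan_waves(graph, items):
    """Kahn-style layering: an item's wave is one after the latest wave of anything it depends on,
    so no wave contains both sides of a dependency. Items in (or behind) a cycle get no wave."""
    items = set(items)
    deps = {n: {d for d in graph.get(n, []) if d in items} for n in items}
    wave = {}
    ready = deque(sorted(n for n in items if not deps[n]))
    while ready:
        n = ready.popleft()
        wave[n] = 1 + max((wave[d] for d in deps[n]), default=-1)
        for m in sorted(items):              # O(n^2) rescans; clarity over speed at this size
            if m not in wave and m not in ready and deps[m].issubset(wave):
                ready.append(m)
    waves = {}
    for n, w in wave.items():
        waves.setdefault(w, []).append(n)
    unresolved = sorted(items - set(wave))
    return {w: sorted(v) for w, v in sorted(waves.items())}, unresolved


if __name__ == "__main__":
    for item, path in out_of_scope_dependencies(DEPENDS_ON, IN_SCOPE).items():
        print(f"OUT OF SCOPE: {item} via {' -> '.join(path)}")
    waves, stuck = plan_waves(DEPENDS_ON, IN_SCOPE)
    for w, members in waves.items():
        print(f"wave {w}: {', '.join(members)}")
    print("cannot be placed (circular):", stuck)
```

Note that the out-of-scope check and the wave plan disagree on purpose: `svc:svc_payroll` lands in wave 0 because its only dependency was filtered out as out of scope, which is exactly why the scope check has to run first. Either the legacy forest comes into scope, or that account is re-homed before any wave is committed.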

The One Question That Predicts Everything

If you only have time for one question in due diligence, ask this:

“Show me every account that has privileged access to the systems you’re telling me are business-critical.”

If they can't produce that list in 24 hours, they don't have control of their security posture. If the list includes accounts that are disabled in Active Directory but still enabled in Azure AD, you have a deprovisioning gap: disablement is not propagating between the directories, and those accounts can still sign in to cloud resources. If any of those privileged accounts have not had a password change in the past 90 days, you have a credential hygiene problem.

These are the accounts that will own your post-acquisition environment. Know who they are before you sign.
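
The one question above, and the identity questions from items 1 to 3 (active or departed, last sign-in, privileged access nobody remembers granting), can be answered from the two raw exports with a join on the user principal name. The following is an added example, not ACQI's code. It assumes the AD export came from something like `Get-ADUser -Filter * -Properties Enabled,PasswordLastSet,LastLogonDate,MemberOf,ServicePrincipalName | Export-Csv` with the multi-valued columns expanded and joined with `;` and timestamps written as ISO-8601 UTC, and assumes an Entra user export with the account state, last sign-in and directory role names in the columns shown. The sample rows, the privileged group and role lists, and the cut-off date are constructed.

```python
"""Cross-directory privileged-account audit over the raw AD and Entra ID exports.

Added example, not ACQI's code. Column layout of both CSVs is assumed (see the lead-in).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not real directory data). Multi-valued columns joined with ';'.
AD_CSV = """\
SamAccountName,UserPrincipalName,Enabled,PasswordLastSet,LastLogonDate,MemberOf,ServicePrincipalName
jsmith,jsmith@target.example,True,2024-05-01T09:00:00Z,2024-06-10T08:00:00Z,CN=Domain Admins;CN=IT,
adeparted,adeparted@target.example,False,2023-01-15T09:00:00Z,2023-12-01T08:00:00Z,CN=Domain Admins,
svc_backup,svc_backup@target.example,True,2021-03-02T09:00:00Z,2024-06-11T02:00:00Z,CN=Backup Operators;CN=Domain Admins,MSSQLSvc/db01.target.example:1433
svc_legacy,svc_legacy@target.example,True,2019-07-19T09:00:00Z,2022-02-02T02:00:00Z,CN=Users,HTTP/legacy.target.example
bwong,bwong@target.example,True,2024-06-01T09:00:00Z,2024-06-12T08:00:00Z,CN=Users,
"""

ENTRA_CSV = """\
userPrincipalName,accountEnabled,lastSignInDateTime,directoryRoles
jsmith@target.example,True,2024-06-12T07:30:00Z,Global Administrator
adeparted@target.example,True,2024-06-09T11:00:00Z,Exchange Administrator
svc_backup@target.example,True,2024-06-11T02:00:00Z,
bwong@target.example,True,2024-06-12T08:10:00Z,
cloudadmin@target.example,True,2024-03-01T08:00:00Z,Privileged Role Administrator
"""

AS_OF = datetime(2024, 6, 13, tzinfo=timezone.utc)   # fixed "today" so results are reproducible
STALE = timedelta(days=90)

# Groups and roles treated as privileged; extend to the target's own admin tiers.
AD_PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators", "Schema Admins"}
ENTRA_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator",
                    "Security Administrator", "Application Administrator"}


def _dt(value):
    """ISO-8601 UTC timestamp from the export; empty cell -> None."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if value else None


def _truthy(value):
    return value.strip().lower() == "true"


def load_ad(text):
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        # MemberOf holds DNs; keep only the CN of each ("CN=Domain Admins,..." -> "Domain Admins")
        groups = {g.split(",")[0].removeprefix("CN=") for g in r["MemberOf"].split(";") if g}
        rows[r["UserPrincipalName"].lower()] = {
            "sam": r["SamAccountName"], "enabled": _truthy(r["Enabled"]),
            "pwd_last_set": _dt(r["PasswordLastSet"]), "last_logon": _dt(r["LastLogonDate"]),
            "groups": groups, "spns": [s for s in r["ServicePrincipalName"].split(";") if s],
        }
    return rows


def load_entra(text):
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        rows[r["userPrincipalName"].lower()] = {
            "enabled": _truthy(r["accountEnabled"]), "last_signin": _dt(r["lastSignInDateTime"]),
            "roles": {x for x in r["directoryRoles"].split(";") if x},
        }
    return rows


def audit(ad, entra, as_of=AS_OF):
    """Findings for 'show me every account with privileged access', joined across both directories."""
    f = {"privileged": set(), "disabled_in_ad_active_in_entra": [], "stale_password": [],
         "spn_on_privileged": [], "stale_signin": [], "cloud_only_privileged": []}
    for upn in sorted(set(ad) | set(entra)):
        a, e = ad.get(upn), entra.get(upn)
        priv = bool(a and a["groups"] & AD_PRIV_GROUPS) or bool(e and e["roles"] & ENTRA_PRIV_ROLES)
        if not priv:
            continue
        f["privileged"].add(upn)
        if a and e and not a["enabled"] and e["enabled"]:
            f["disabled_in_ad_active_in_entra"].append(upn)   # deprovisioning gap
        if a and a["pwd_last_set"] and as_of - a["pwd_last_set"] > STALE:
            f["stale_password"].append(upn)                  # credential hygiene
        if a and a["spns"]:
            f["spn_on_privileged"].append(upn)               # Kerberoastable admin account
        last = max(filter(None, [a and a["last_logon"], e and e["last_signin"]]), default=None)
        if last is None or as_of - last > STALE:
            f["stale_signin"].append(upn)                    # privileged and nobody is using it
        if e and not a:
            f["cloud_only_privileged"].append(upn)           # no AD object to disable on day one
    return f


if __name__ == "__main__":
    for key, items in audit(load_ad(AD_CSV), load_entra(ENTRA_CSV)).items():
        print(f"{key}: {sorted(items)}")
```

Two details matter when this is run against a real export. The join key is the UPN, which only works where the target's Azure AD Connect (or whatever synchronises the two directories) uses UPN as the source anchor; mismatched UPN suffixes produce false "cloud-only" hits. And `PasswordLastSet` from `Get-ADUser` is a .NET DateTime in the machine's locale, not ISO-8601, so the export or the parser has to normalise it first.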


ACQI runs 124 discovery modules in parallel across cloud, identity, and infrastructure environments. Get a complete IT due diligence picture before your next acquisition. Request a demo →

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.