playbook

The M&A IT Integration Checklist: 47 Items Before Day One

The definitive pre-close IT integration checklist — organized by Identity, Data and Apps, Network, and Security. 47 items that prevent Day-One failures.

Luna ·

This is the checklist. 47 items. It covers the four domains that cause Day-One failures: Identity, Data and Apps, Network, and Security.

Run through it before Day 1. For each item, assign an owner and a completion date. If any item is red on Day 1 minus 2 weeks, escalate.


Identity (12 items)

AD / Azure AD

  1. Both companies’ AD forest structures documented (OUs, trusts, GPOs)
  2. SID History enumerated on all accounts in the acquiring-forest post-migration
  3. All service accounts in both forests identified, password status checked, blast radius mapped
  4. Service account password expiration dates extended or rotated for all accounts expiring within 90 days
  5. Azure AD Connect configuration documented and validated for source and target tenants
  6. Conditional Access policies from both tenants merged into consolidated policy set
  7. Named Locations in Entra ID updated to cover both companies’ office IP ranges
  8. MFA coverage: 100% of privileged accounts have MFA enabled in consolidated tenant

M365

  9. All shared mailboxes, their permissions (full-access, send-as), and their owners identified
  10. All OAuth application registrations in both M365 tenants inventoried, categorized (migrate / retire / coexist)
  11. M365 tenant cutover plan documented with rollback procedure and user impact window
  12. Teams external access policy reviewed and configured to allow inter-tenant communication post-merger


Data and Apps (15 items)

Application Inventory

  13. Full application inventory complete (ACQI’s SaaS discovery output) — no unknown apps
  14. Each application tagged by: criticality (1-5), owner, authentication method, data sensitivity
  15. Application migration path assigned (migrate, retire, coexist, replace) for each app
  16. Application dependency graph complete (what app depends on what database, middleware, identity)

Data Migration

  17. All data stores (SQL Server, file shares, SharePoint sites, OneDrive) inventoried and sized
  18. Data migration tool selected and tested for each data type
  19. Data migration windows scheduled, communicated to users, and documented in IT calendar
  20. Post-migration data validation checks defined (record count, file hash, sample verification)
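One way to run the count and file-hash checks named in item 20 against a migrated file share, as an added example (not part of the original checklist or ACQI's tooling); the function names and the sample directory tree are constructed for illustration:

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large files do not load into memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(source, target):
    """Return count, missing, unexpected and hash-mismatch results for one share."""
    missing = sorted(set(source) - set(target))
    unexpected = sorted(set(target) - set(source))
    mismatched = sorted(p for p in set(source) & set(target) if source[p] != target[p])
    return {
        "source_count": len(source),
        "target_count": len(target),
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "passed": not (missing or unexpected or mismatched),
    }


def demo():
    """Constructed sample: a source share and a target with three migration faults."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "target")
        files = {"hr/policy.txt": b"v1", "finance/q3.csv": b"a,b\n1,2\n", "readme.txt": b"hello"}
        for rel, data in files.items():
            for base in (src, dst):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (dst / "finance/q3.csv").write_bytes(b"a,b\n1,\n")  # truncated during copy
        (dst / "readme.txt").unlink()                       # never arrived
        (dst / "stray.tmp").write_bytes(b"x")               # not present in source
        return compare_manifests(build_manifest(src), build_manifest(dst))
```

In the constructed sample the source and target counts match (3 and 3) while the hash comparison still fails, which is why a count check alone is not sufficient validation.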

SaaS / Cloud

  21. All SaaS applications migrated to acquirer tenant (or re-authorized with acquirer credentials)
  22. All cloud storage (AWS S3, Azure Blob, Google Drive) ACLs and permissions migrated
  23. Database connection strings updated for all applications pointing to old environment
  24. Power Automate workflows migrated or rebuilt — all active workflows tested post-migration
  25. Power Apps migrated — all active apps tested, data connections updated
  26. Salesforce / Dynamics / ERP SSO migrated to acquirer Azure AD tenant


Network (8 items)

  1. DNS zones documented for both companies — cutover plan defined and tested
  2. VPN configurations updated (or replaced) to terminate at consolidated network
  3. SSL certificates on internal apps inventoried — internal CA certificates replaced before CA decommission
  4. Print server migration complete — client machines verified to point at new print servers
  5. WiFi networks reviewed — separate BYOD network established, corporate WiFi using target AD for auth
  6. Conference room AV systems inventoried — all calendaring integrations verified post-migration
  7. Firewall rules between the two company networks defined and documented before Day 1
  8. Network path validation test run — can users in both companies reach critical systems post-merger?

Security (12 items)

  1. Endpoint protection coverage: 100% of discovered endpoints have active EDR agents
  2. SIEM / log management: consolidated tenant is receiving security logs from both environments
  3. Identity protection: Azure AD Identity Protection policies active in consolidated tenant
  4. Privileged Identity Management (PIM): all permanent privileged roles converted to just-in-time access
  5. Backup verification: all critical systems’ backups confirmed operational, last restoration test < 30 days
  6. Vulnerability scan run on all discovered endpoints — critical/high findings remediated or formally accepted
  7. Penetration test run on external attack surface — findings remediated or formally accepted
  8. Data loss prevention (DLP) policies reviewed for both companies’ data classification schemes
  9. GDPR / regulatory compliance: all SaaS processors have DPAs in place in consolidated tenant
  10. Access review completed: all user accounts in both forests reviewed, orphan accounts removed
  11. Service account audit: all service accounts in both forests have designated owners and rotation schedules
  12. Incident response plan: updated to reflect merged entity, contacts verified, runbook documented
  13. Security score measured for both companies pre-merger — post-merger target score defined

The 2-Week Rule

The integration checklist should be 100% complete at Day 1 minus 2 weeks. Any item not complete at that point should be escalated to the integration steering committee and the deal team.

The reason: two weeks is the minimum time to execute a rollback if something goes wrong. Items incomplete at Day 1 minus 2 weeks don’t have a rollback option — the team is committed to the cutover, whatever the state of the preparation.

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.