Streamlining Identity and Access Management Post Acquisition
A large consumer goods company engaged Oxford Computer Group to streamline the Mergers & Acquisitions processes associated with identities for the companies they acquire.
Oxford Computer Group created and implemented a reusable template for standardizing on a single identity as this customer makes additional acquisitions. Now, they can quickly integrate new companies into their collaboration platform and grant access to existing applications and the applications of newly acquired companies.
Challenge
This consumer goods company acquired a smaller manufacturing company, which continued to operate as an autonomous entity for several years. Operating autonomously with separate on-premises identity and email infrastructure led to difficulty and increased friction for users accessing applications hosted in the parent company’s tenant.
Collaboration and application access requirements led users at the acquired company to need three separate identities to perform their job functions. As part of the parent company’s digital transformation initiative, the acquired company needed to standardize on a single identity for collaboration and application access. They also needed to decrease the attack surface caused by multiple identities to help prevent phishing attacks, the most common form of security breach.
Solution
Oxford Computer Group (OCG) created and implemented a proven template for integration to meet the goal of standardizing on a single identity for collaboration and application access. Key steps for this process are outlined below.
Identity Migration
- Azure AD Connect was set up in a Multi-Forest synchronization topology to add the acquired company’s forest, so that Users, Groups and Devices synchronize from their on-premises system to the parent company’s Azure AD and Office 365.
- Azure AD Dynamic Groups were set up for automatically assigning Application Single Sign-On, Automated Provisioning and Licensing.
- Azure AD Groups were set up for manually assigning Application Single Sign-On when automated criteria were not available.
Mailbox Migration
Exchange Hybrid was set up as an interim state for the migration of mailboxes from Exchange On-Premises to Exchange Online. Exchange Online was the destination for all migrated mailboxes and email notification workflows.
Delegated Administration
- Azure AD Administrative Units were set up to delegate administration of the acquired company’s users to IT in Azure AD.
- Microsoft Graph was utilized to automatically add new users and groups at the acquired company into the Administrative Unit.
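An added sketch of the delegated-administration step above, not OCG's or the customer's code: it plans the Microsoft Graph `members/$ref` calls that would place the acquired forest's synced users and groups into the Administrative Unit, and flags current members that fall outside that scope so delegation does not quietly widen. The domain name, AU id and sample objects are constructed, and matching on `onPremisesDomainName` is an assumption about how acquired-company objects are identified.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Assumptions (not from the case study): acquired-company objects are recognised
# by onPremisesDomainName; the domain and AU id below are placeholders.
ACQUIRED_DOMAIN = "acquired.example"
AU_ID = "AU-ID-PLACEHOLDER"
SEGMENT = {"#microsoft.graph.user": "users", "#microsoft.graph.group": "groups"}


def in_scope(obj, domain=ACQUIRED_DOMAIN):
    """True for a synced user or group whose source forest is the acquired one."""
    return (
        obj.get("@odata.type") in SEGMENT
        and obj.get("onPremisesSyncEnabled") is True
        and (obj.get("onPremisesDomainName") or "").lower() == domain.lower()
    )


def plan_membership(directory, au_member_ids, au_id=AU_ID):
    """Return (Graph requests adding missing members, member ids that are out of scope)."""
    scoped = {o["id"]: o for o in directory if in_scope(o)}
    adds = [
        {
            "method": "POST",
            "url": f"{GRAPH}/directory/administrativeUnits/{au_id}/members/$ref",
            "body": {"@odata.id": f"{GRAPH}/{SEGMENT[o['@odata.type']]}/{oid}"},
        }
        for oid, o in sorted(scoped.items())
        if oid not in au_member_ids
    ]
    # Members delegated to the acquired company's IT that are not theirs.
    unexpected = sorted(set(au_member_ids) - set(scoped))
    return adds, unexpected


# Constructed directory snapshot: u2 belongs to the parent forest, u3 is cloud-only.
DIRECTORY = [
    {"id": "u1", "@odata.type": "#microsoft.graph.user",
     "onPremisesSyncEnabled": True, "onPremisesDomainName": "acquired.example"},
    {"id": "u2", "@odata.type": "#microsoft.graph.user",
     "onPremisesSyncEnabled": True, "onPremisesDomainName": "parent.example"},
    {"id": "g1", "@odata.type": "#microsoft.graph.group",
     "onPremisesSyncEnabled": True, "onPremisesDomainName": "ACQUIRED.example"},
    {"id": "u3", "@odata.type": "#microsoft.graph.user",
     "onPremisesSyncEnabled": None, "onPremisesDomainName": None},
]
AU_MEMBERS = {"u1", "u2"}  # constructed current AU membership

if __name__ == "__main__":
    adds, unexpected = plan_membership(DIRECTORY, AU_MEMBERS)
    print("to add:", [r["body"]["@odata.id"] for r in adds])
    print("out of scope:", unexpected)
```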
Application Access
- Azure AD SSO was set up for users at the acquired company to utilize their single identity to access all the applications and collaborate with the parent company.
- Azure AD Provisioning Service was set up to automatically provision users into key ITSM and file sharing apps from Azure AD. Previously, this provisioning was done by Okta.
Collaboration
Microsoft Teams was utilized as the collaboration platform in Office 365, moving away from Skype for Business on-premises.
User Self-Service
Identities at the acquired company are now integrated into ServiceNow, allowing for access to self-service functions, requestable resources, and help desk services.
Benefits and Outcomes
- Streamlined identity and access processes, by implementing and providing a pattern of integration for consolidating multiple identities down to a single identity for application access and collaboration.
- Lower integration costs for mergers and acquisitions, by providing a proven template for integration which can be re-used immediately for existing and future mergers and acquisitions. Following this template will lead to streamlined application access and collaboration without the high technical debt of multiple disjoined identities.
- Improved user experience and collaboration, by providing users with a single identity that can be used across the two organizations for application access and easy collaboration. The mailbox migration to Exchange Online provided a single unified Global Address List and free/busy calendar sharing.
- Improved security, by consolidating three disparate identities with different entitlements and account security to one single identity with MFA and conditional access.
- Standardized on a single identity platform, by migrating from Okta to Azure AD as the provider for identity, single sign-on to applications, and automated provisioning.
Next Steps
Now that the Identity and Exchange migration is complete and the acquired company is integrated into the parent company’s Azure AD/Office 365 tenant, OCG is working on the next acquisition migration project with a company purchased in the Asia-Pacific market. This company has its own tenant that will be migrated to the parent company’s Azure AD/Office 365 tenant.
The template created for the above project will provide a streamlined, efficient process for the new acquisition’s identity migration and will more quickly integrate the users into the corporate business processes. Since the parent company has a significant track record of growth through acquisition, we expect this approach will continue to provide significant value in the coming years by driving out costs associated with identity integration.
Related Resources
Webinar Recording: Overcoming Identity Challenges in Mergers & Acquisitions with Azure AD