Microsoft 365 Migrations | Part 4: Legal and organizational obstacles and pitfalls

The project organization is in place. The collaboration platform has been set up and populated. The project participants are on board and ready to go. Now we can get started! Or maybe not…?

It would be one thing if such a project involved only technical and organizational aspects. In many cases, however, “political” aspects also come into play, which can cause significant delays. Therefore, it is advisable to consider these as well at the outset. This way, appropriate preparations can be made in advance. If any of these situations arise, they can ideally be addressed quickly.

Internal contracts and policies

The following chapters outline several types of contracts and provisions between companies that may be relevant in the context of such a project.

Control agreement

A control agreement is typically entered into between a parent company and a subsidiary, with the aim of granting the parent company direct authority to issue instructions. As a result, for example, the management of the subsidiary must comply with these instructions, even if they are detrimental to the company. In this case, the interests of the corporate group or conglomerate take precedence over the individual interests of the separate companies.

In the case of a merger of Microsoft 365 environments, this agreement is helpful because the management of the company to be integrated cannot refuse the merger. Conversely, if such an agreement does not exist, management can express opposition to the decision by citing corporate interests.

The same applies to the spin-off of a company from the shared environment.

Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is an agreement between a company and an external service provider. It is mandatory when the service provider gains access to personal data. This requirement arises inevitably during a Microsoft 365 migration, as user objects in particular must be processed and transferred.

A special situation may arise if the company being integrated or spun off designates its parent company as an external service provider. In this case, an DPA must also be concluded.

The image on the right shows an example of an DPA. The specific components must be drafted by the company itself in accordance with applicable regulations.

Non-Disclosure Agreement (NDA)

A Non-Disclosure Agreement (NDA) is an agreement between two parties. It governs the exchange of sensitive and confidential information between the parties.

The primary purpose is to ensure that trade secrets are protected. In the context of a merger or spin-off, this is typically required when external service providers are engaged.

The image shown here is an example of an NDA. The specific terms must be drafted by the company itself in accordance with applicable regulations.

Operational service provider of the company to be integrated

In the event of an integration, the company being acquired may use an external service provider to operate its cloud environment. In this context, the service provider is initially responsible for ensuring stable operations and for receiving and resolving issues. Accordingly, a coordination meeting should be scheduled to inform the service provider of the upcoming changes and to clarify the general approach.

Coordination of cooperation through to integration

A Microsoft 365 migration and the associated preparations represent a significant disruption to the environment. Errors can lead to disruptions and/or outages, for which the service provider would then be held responsible. For this reason, from the service provider’s perspective, it is initially critical to grant another company comprehensive access rights to the environment.

Therefore, key points must be addressed for the period leading up to integration, such as:

• Are the employees responsible for migration preparation and execution permitted to change settings independently, or should a dual-control principle be established?
• At what point do employees receive which access rights (e.g., read-only access during analysis, limited roles during preparation, full rights for the migration)?
• How are disruptions and outages handled that occur during the migration preparation period?

Authority to issue instructions

In addition, it may be the case that certain services—such as the management of the public DNS zone—fall under the service provider’s authority, and the company itself does not have access rights to them. In such cases, the company can and should grant the project participants the authority to issue instructions, thereby enabling direct communication between the project team and the service provider.

This usually results in significant time savings, as the company does not have to relay every request first.

External requirements and guidelines

The following sections list some external requirements and guidelines that may be relevant in the context of such a project.

Preparing a communication for partners/customers

Company employees typically communicate with external contacts using meeting platforms such as Teams or traditional email. For this purpose, each employee is assigned a unique email address that reflects the company’s branding (e.g., john.doe@microwsoft.com). Depending on the planned approach and strategy, different challenges may arise during an integration or carve-out.

Integration

There are two possible scenarios for an integration:

1. The employees of the acquired company retain their existing contact information. This constitutes a technical integration, and the acquired company remains in existence as a separate entity.
2. The employees of the acquired company are assigned new contact information from the acquiring company. In this scenario, the acquired company is dissolved.

Carve-out

There can also be several options for a carve-out:

1. If the company has previously operated under its own name, all employees can transfer and retain their existing contact information.
2. If a new company is created as part of the spin-off, all employees will be assigned new contact information as part of the process.

Communicating changes

If the merger or spin-off results in significant changes, a brief announcement can be included in the email signature, for example with information such as

• “We'll soon be serving you under a new name!…”
• “ATTENTION: My email address will change starting on…”

This can be tailored to the company’s needs by an existing marketing department, if one is available. However, this does not replace a comprehensive announcement, which must be provided to all external contacts (especially customers!) with sufficient advance notice. This announcement should be proactively communicated to contacts and should be delivered in a format that is guaranteed to be noticed (e.g., in writing via mail).

Typically, the recipient addresses used previously remain available for a transitional period. This ensures that emails will continue to reach the recipient, even if they are now using a new address.

Registration in the Commercial Register

If the company is dissolved as part of the integration process or a new company is formed as part of a spin-off, this must be updated accordingly in the commercial register. This process requires sufficient lead time. It must be legally clarified when the company may operate under the new name (typically only after the update has been completed).

Since this also represents a significant cost factor, it may influence the decision as to whether the company should remain in its current form or must actually be restructured.

Liked this article? Share it!

• Share on LinkedIn
• Share on Bluesky
• Share on Facebook
• Email this Page
• Share on Reddit