What Health Systems Get Wrong About Microsoft Licensing After a Merger
By Christopher Strong
The deal closes, the press release goes out, and the C-suite celebrates. Then someone in IT pulls up the Microsoft licensing report and realizes the combined organization is paying for two of everything.
This happens more often than most health system leaders expect. According to Becker’s Hospital Review, hospital M&A activity remained elevated through 2024 and into 2025, with mid-size systems consolidating at a steady pace. What rarely makes the announcement is the IT integration work that follows, and the licensing waste that piles up while leadership focuses on clinical alignment and brand unification.
At Virteva, we work with enterprise health systems that represent a significant share of our practice. A pattern we see repeatedly: two organizations merge, both running Microsoft 365 tenants, and 12 to 18 months later they’re still operating in parallel. Duplicate licenses. Disconnected directories. Security policies that don’t match. And a growing pile of compliance risk that nobody is tracking closely enough.
Here’s what typically goes wrong and how to fix it before the costs compound.
The Dual-Tenant Problem Is Bigger Than the License Bill
Most health systems run Microsoft 365 E3 or E5 across their workforce. When two organizations merge, you now have two tenants, two sets of licenses, two Azure Active Directory (now Entra ID) environments, and two completely separate security postures.
The obvious cost is duplication. Microsoft’s own licensing documentation makes clear that per-user licenses don’t transfer between tenants. If Organization A has 4,000 E5 licenses and Organization B has 2,500 E3 licenses, you can’t simply combine them. You’re paying full price for both until you migrate users into a single tenant and reconcile the license pool.
But the less obvious cost is operational. Clinicians in the merged system can’t see each other’s calendars. Shared mailboxes don’t work across tenant boundaries. Teams channels fragment along the old organizational lines. For a health system where care coordination depends on communication, this isn’t an IT inconvenience. It’s a patient safety concern.
A 2023 HIMSS survey found that 67% of healthcare organizations cited interoperability challenges as a top barrier during post-merger integration. Microsoft tenant fragmentation is one of the most fixable contributors to that problem, yet it consistently gets deprioritized behind EHR consolidation and revenue cycle alignment.
The Licensing True-Up Nobody Wants to Do
Here’s the conversation that gets avoided: before you can consolidate tenants, you need to know exactly what you’re paying for and what you actually need.
Microsoft Enterprise Agreements are structured around committed seat counts, and they’re reconciled annually. If your merged organization has been running dual tenants for a year, you’ve likely been paying for licenses that aren’t assigned to anyone, licenses assigned to people who left during the transition, and premium SKUs for users who only need basic productivity tools.
According to Microsoft’s own documentation on Enterprise Agreement true-ups, organizations are obligated to report accurate seat counts annually. Getting this wrong in a merger scenario can mean overpaying by hundreds of thousands of dollars, or underpaying and facing a compliance issue during your next audit.
The true-up process for a merged health system should include:
- A complete license inventory across both tenants, mapped to actual users
- Role-based license assignment that reflects the combined org chart (not just copying whatever each legacy org had in place)
- Identification of redundant add-ons like Microsoft Defender for Endpoint, Intune, or Power BI Pro licenses that may exist in both environments
- A timeline for consolidation that aligns with your EA renewal date, because negotiating leverage looks very different when you’re combining two agreements versus renewing them separately
This is where having a Microsoft partner who understands healthcare licensing specifically matters. A general MSP will run the inventory. A partner with depth in health system environments (which is core to what we do at Virteva) knows that your clinical users, administrative staff, and contract workforce all have fundamentally different licensing needs, and that getting the mix wrong creates both waste and risk.
Entra ID Unification: The Security Work That Can’t Wait
If the licensing true-up is the cost problem, Entra ID unification is the security problem. And in a HIPAA-regulated environment, it’s the one that can trigger enforcement action.
When two health systems merge, their identity environments don’t automatically trust each other. Users in Tenant A can’t authenticate to resources in Tenant B without cross-tenant access policies, B2B guest accounts, or (the worst option) shared credentials passed through informal channels.
That last scenario sounds unlikely until you talk to the IT teams actually managing these transitions. In practice, clinicians who need access to both environments often end up with workarounds that bypass conditional access policies. Shared accounts for accessing the other tenant’s clinical applications. Personal devices enrolled in one Intune environment but not the other. Shadow IT that grows in the gap between what the merged org needs and what the fragmented infrastructure provides.
The HHS Office for Civil Rights (OCR) has been clear that merger activity does not reduce HIPAA obligations. A 2024 OCR guidance bulletin reinforced that covered entities must maintain minimum necessary access controls throughout organizational transitions. Running two identity environments with inconsistent conditional access policies is a textbook example of a compliance gap.
The consolidation playbook for Entra ID in a healthcare merger looks like this:
Phase 1: Cross-Tenant Trust (Weeks 1-4)
Establish Entra ID cross-tenant access settings so users can collaborate without workarounds. Configure B2B direct connect for Teams interop. This is the pressure release valve that keeps clinicians productive while the full migration is planned.
Phase 2: Policy Alignment (Weeks 4-8)
Audit conditional access policies in both tenants. Healthcare environments typically require device compliance checks, location-based access restrictions, and MFA enforcement for any system touching PHI. These policies need to match before you start moving users, or you’ll create windows where migrated users have weaker protections than they had before.
Phase 3: Tenant-to-Tenant Migration (Weeks 8-20)
Move mailboxes, OneDrive data, Teams channels, and SharePoint sites from the secondary tenant into the primary. Microsoft provides native tenant-to-tenant migration tools for Exchange Online and OneDrive, but they have limitations around Teams data and SharePoint site structures that require planning.
This is also where EHR integration becomes critical. If your Epic or Cerner environment uses Azure AD (Entra ID) for single sign-on, changing a user’s identity provider mid-migration can break their clinical application access. The migration sequence has to account for downstream authentication dependencies, which means IT and clinical informatics need to be in the same planning room.
Phase 4: Decommission and License Reconciliation (Weeks 20-26)
Shut down the secondary tenant, reconcile the combined license pool, and negotiate your consolidated EA terms. This is where the cost savings actually materialize, and where most organizations realize they should have started this process nine months earlier.
The HIPAA-Specific Risks During Migration
Beyond the identity and licensing challenges, tenant migration in a healthcare environment carries risks that don’t exist in other industries.
Data residency and BAAs. Your Microsoft Business Associate Agreement covers specific services and tenants. When you migrate data between tenants, you need to confirm that your BAA covers the destination environment. This is not automatic, and Microsoft’s BAA documentation requires that covered services be explicitly identified.
Audit logging continuity. HIPAA requires that access to PHI be logged and auditable. During a tenant migration, there’s a transition period where audit logs may exist in two places, or where log continuity is broken if mailboxes are moved without proper planning. The compliance team should define audit log retention requirements before migration begins.
Clinical workflow disruption windows. Every health system we’ve worked with has at least one clinical workflow that depends on a Teams channel, a shared mailbox, or a SharePoint site for coordination. Migrating those resources without advance communication to clinical staff creates disruption that goes beyond inconvenience. If a care team can’t access a shared resource during a critical handoff, the risk is clinical.
When to Start (Hint: Before You Think You’re Ready)
The most common mistake is treating Microsoft tenant consolidation as a Phase 2 or Phase 3 integration workstream. By the time it gets prioritized, you’ve already accumulated 12 or more months of duplicate licensing costs, your security posture has drifted, and your clinicians have built workarounds that are now entrenched.
Virteva’s recommendation, based on the pattern we see across our health system clients: start the licensing audit and Entra ID assessment within the first 60 days post-close. You don’t have to migrate immediately, but you need to know what you’re working with. The organizations that handle this well are the ones where IT leadership has a seat at the integration planning table from day one, not the ones where IT gets looped in after the brand and org chart decisions are made.
We’ve seen health systems referred to us by other health systems specifically because of how their Microsoft consolidation was handled post-merger. That kind of referral only happens when the work is done right: on time, within compliance requirements, and without disrupting clinical operations.
Get Ahead of the Integration Curve
If your health system is in the early stages of a merger or acquisition, or if you’re 12 months in and still running dual tenants, Virteva’s healthcare IT practice can help you build the consolidation roadmap. Our Microsoft cloud expertise is built around the specific challenges that regulated healthcare environments face, and our M&A integration practice exists because we’ve seen how often this work gets deferred until the costs are impossible to ignore.
Reach out to our team for a healthcare IT consultation. The licensing savings alone usually justify the conversation.
