M&A Introduces Two Copilot Problems Simultaneously

Microsoft Copilot in an M&A context creates two distinct problems that most deal teams do not recognise until they are already in trouble. The first is Copilot as a data risk in the transaction: if either the acquirer or the target has Copilot deployed, M&A-related content that has been shared across the tenant — financial models, board presentations, legal documents, advisor communications — may be accessible to Copilot for any user with underlying permissions to that content. The second is Copilot as a licensing complication in post-close integration: EA assignment provisions, tenant consolidation, seat true-up mechanics, and the commercial treatment of Copilot seats across two organisations create a licensing exposure that is rarely modelled in M&A transaction cost planning.

Both problems are solvable — but only if they are identified and addressed before close, not discovered during integration. This article addresses both, starting with data risk management during the transaction and moving through the commercial structuring questions that belong in the Microsoft licensing workstream of every M&A due diligence process.

$2.1B
Combined Microsoft EA value managed across our client base, including licensing exposures identified in 40+ M&A transactions. In active M&A, unaddressed Copilot data risks and EA assignment complications routinely generate six- and seven-figure post-close surprises.

Copilot as a Data Risk in Active Transactions

The data risk problem is most acute on the target side. A target company being acquired typically has a Microsoft 365 tenant where M&A activity is underway — financial projections, legal documentation, advisor communications, board materials. If the target has Copilot deployed, and if that sensitive content is accessible to users with broad SharePoint or Teams permissions, Copilot can surface transaction-sensitive information in response to queries that seem entirely routine. A finance analyst asking Copilot to "summarise recent financial projections" may receive output that draws from M&A scenario modelling that was shared via a broadly-permissioned SharePoint folder. The data exposure is not a Copilot failure — it is a permissions failure amplified by AI.

The practical implication for M&A deal teams: any target with Copilot deployed should be treated as having AI-amplified oversharing risk until a data access review is conducted. This assessment belongs in the IT due diligence workstream, not as an afterthought in the security review. Specific questions to include in target due diligence questionnaires are: Is Microsoft 365 Copilot deployed? How many seats? What data governance controls are in place (sensitivity labels, DLP, Restricted SharePoint Search)? Has a data access governance (DAG) report been run? What is the M&A data room configuration — is it an isolated SharePoint site with tightly-scoped permissions, or is M&A content distributed across broadly-accessible locations?

Due Diligence Risk Alert

In three separate transactions from our 2025 client work, Copilot access to M&A content was confirmed through testing — employees querying Copilot for "recent board presentations" or "acquisition scenarios" received responses that drew from deal-sensitive documents. In each case, the documents were not intentionally broadly shared — they were accessible due to legacy SharePoint permissions that predated the transaction. The fix is straightforward (restrict access, use Restricted SharePoint Search during the process), but it must be identified before testing confirms the exposure.

Acquirer-Side Copilot Data Controls During a Transaction

Acquirers face a different but related risk: M&A strategy content on the acquirer's side may be accessible via Copilot to employees who have SharePoint or Teams access to project sites created for the deal. The governance response is the same — restrict M&A content to a tightly-permissioned SharePoint site with specific user access, not broad group membership; avoid using Teams channels with "all of finance" or "all of legal" membership as collaboration spaces for deal work; and if Copilot is broadly deployed across the acquirer tenant, consider enabling Restricted SharePoint Search for the M&A project site as an additional barrier. This is not Copilot disablement — it is targeted governance of the highest-sensitivity content on a per-site basis.

EA Assignment Mechanics: What the Contract Actually Says

Every Microsoft Enterprise Agreement contains assignment provisions that govern what happens to the EA in the event of a corporate transaction — acquisition, divestiture, merger, spin-off. Understanding these provisions before close is essential; discovering them after close, when Microsoft has leverage and the deal is done, typically results in suboptimal commercial outcomes.

Microsoft EA assignment rights are governed by Section 9 (or equivalent, depending on EA version) of the Enterprise Enrolment Terms. The key provisions are: the EA is not transferable without Microsoft's consent; a change of control at the Enrolled Affiliate (subsidiary) level does not automatically trigger an assignment requirement, but a change of control at the Agreement Holder level may; assignment rights are at Microsoft's discretion, and Microsoft can condition assignment consent on commercial terms including EA restructuring, early renewal, or seat volume adjustments.

In practice, Microsoft uses EA assignment consent requests as a commercial opportunity. The most common scenarios and their commercial implications are as follows:

M&A Scenario EA Assignment Requirement Typical Microsoft Position Commercial Risk
Acquirer buys 100% of target (asset or share deal) Target EA must be assigned to acquirer or terminated Consent given with EA consolidation discussion Medium — integration timeline pressure
Acquirer acquires a subsidiary of target Enrolled Affiliate change — may require notification only Notification accepted; potential seat true-up required Low-medium — depends on carve-out scope
Spin-off or divestiture creating a standalone entity New EA required for divested entity; transition period needed New EA at market terms; no inherited pricing High — divested entity loses historical discount
Merger of two EA customers (both have existing EAs) EA consolidation into surviving entity Structured consolidation; Microsoft seeks larger commitment High — Microsoft uses consolidation to reset pricing
Acquisition during active EA term (both have 1+ years remaining) Options: consolidate, terminate one, or run in parallel Consolidation preferred by Microsoft; termination fees possible High — Copilot seats on both EAs create true-up complexity

Copilot Seat Portability in Transactions

Microsoft 365 Copilot and GitHub Copilot seats are Online Service subscriptions under the EA. Their portability in M&A transactions is governed by the same assignment provisions as the underlying EA, but with important nuances in a post-close integration context.

If the target has Copilot seats under an EA that is being assigned to or consolidated into the acquirer's EA, those seats become part of the surviving EA's true-up obligation. The commercial implication: if the acquirer's EA renewal is 18 months away, the target's Copilot seats run until the consolidated EA renewal, at which point they are true-up incorporated into the surviving EA at the acquirer's contracted price — which may be higher or lower than the target's contracted rate. The pricing basis that survives EA consolidation is a negotiated term, not an automatic outcome, and it should be addressed explicitly in the EA consolidation negotiation rather than left to default.

A specific risk in acquisitions where the target has Copilot deployed and the acquirer does not: post-close, if the target's employees are migrated into the acquirer's tenant, their Copilot licences technically lapse unless the acquirer's EA covers Copilot. This creates a productivity disruption for employees who were actively using Copilot, and a re-procurement exercise at the acquirer's EA terms. Modelling this disruption cost (and the potential commercial opportunity — negotiating a Copilot expansion at EA terms as part of the integration) belongs in the M&A integration cost model.

M&A Microsoft Licensing Review
We review Microsoft licensing exposure in M&A transactions — EA assignment provisions, Copilot seat portability, true-up risk, tenant consolidation costs, and post-close commercial strategy — independently of Microsoft.
Request M&A Review

Using Copilot as a Due Diligence Acceleration Tool

Beyond the risk management dimension, Microsoft 365 Copilot is increasingly used by deal teams as a due diligence acceleration tool — and understanding its appropriate application in that context is commercially relevant.

The highest-value Copilot due diligence applications are in document analysis workflows: summarising data room documents, extracting key terms from contracts, cross-referencing representations and warranties against supporting documentation, and synthesising financial data room disclosures into executive summaries. For due diligence processes involving large document sets (hundreds of contracts, multiple years of financial information), Copilot-accelerated review can meaningfully reduce advisor time and transaction cost.

The critical governance requirement for using Copilot in due diligence document review is data isolation. Due diligence document sets typically include confidential third-party information (customer contracts, supplier agreements, regulatory correspondence) that must not enter the general Copilot data scope of the deal team's organisation. The correct architecture is a dedicated Microsoft 365 tenant or a tightly-isolated SharePoint environment with Copilot access restricted to authorised reviewers and Restricted SharePoint Search enabled to prevent due diligence content from appearing in non-authorised users' Copilot results. Without this isolation, due diligence content becomes accessible to any Copilot-enabled user with broad SharePoint permissions — a confidentiality breach risk in pre-close transactions.

Copilot for M&A Document Analysis: What Works

Based on deal team deployments, the Copilot due diligence use cases with clearest productivity value are: contract abstraction (extracting change of control clauses, assignment provisions, material adverse change definitions across large contract sets); regulatory filing summarisation (synthesising multi-year regulatory submissions into risk assessment summaries); financial data room cross-referencing (comparing disclosed figures against audited accounts, identifying reconciliation items); and integration planning document generation (using Copilot to draft workstream status documents, integration project plans, and RAID logs from meeting notes and email correspondence).

Copilot does not replace legal, financial, or technical due diligence judgement. It accelerates the document processing and summarisation work that currently consumes disproportionate advisor time. A well-structured Copilot-assisted due diligence process can reduce advisor-hours spent on document analysis by 25–40% — but only if the data governance architecture is correct, the prompting approach is disciplined, and outputs are reviewed by subject matter experts rather than taken at face value.

Post-Close: Tenant Consolidation and Copilot Integration

Tenant consolidation — migrating the target's Microsoft 365 tenant into the acquirer's — is the most commercially significant Microsoft activity in a post-close integration. It is also where Copilot creates the most complex interactions, because Copilot's data scope changes dramatically as two organisations' data estates merge.

The key risks in tenant consolidation for Copilot-enabled organisations include: oversharing amplification — when the acquired organisation's users are added to the acquirer's tenant, their Copilot access scope expands to include acquirer SharePoint content that is broadly permissioned. If the acquirer's tenant has pre-existing oversharing (which 68% of enterprises do), the combined post-consolidation data access risk is significantly larger than either organisation's pre-merger exposure. Sensitivity label schema conflicts — if the two organisations have different sensitivity label taxonomies (different label names, different encryption configurations), the consolidation process requires a label migration that should be planned before users are migrated. Post-migration, Copilot's response to sensitivity labels depends on the surviving taxonomy being applied consistently.

The practical sequencing for post-close Microsoft tenant consolidation in a Copilot-active environment is: first, run data access governance reports on both tenants before any migration; second, establish a combined sensitivity label taxonomy and map both organisations' existing labels; third, complete priority oversharing remediation in both tenants before the migration window; fourth, configure Restricted SharePoint Search in the target tenant to contain integration content during the migration period; and fifth, expand Copilot scope progressively as site access governance reviews confirm each workload is clean.

For the broader Microsoft licensing context in M&A transactions, see our white paper on Microsoft licensing in mergers and acquisitions. The EA commercial architecture during consolidation is covered in detail in our EA negotiation complete guide. For Copilot governance independent of M&A context, see our Copilot governance and data security framework.

Pre-Close Microsoft Licensing Assessment
Before your deal closes, we identify EA assignment exposure, Copilot data risks, tenant consolidation cost, and post-close commercial strategy — giving your deal team complete Microsoft cost visibility before signing.
Arrange Pre-Close Review

M&A Copilot Due Diligence Checklist

Use this checklist for both acquirer and target assessment in any transaction where Microsoft 365 is a significant part of either organisation's technology estate.

  • Confirm whether target has M365 Copilot, Copilot for Security, or GitHub Copilot deployed
  • Obtain target's Copilot seat count, tier, and EA term remaining
  • Assess target's data governance maturity — sensitivity labels, DLP, oversharing controls
  • Run or request DAG report on target tenant to identify material oversharing exposures
  • Verify whether M&A-related content (data room, board materials, advisor comms) is in broadly-permissioned locations accessible to Copilot
  • Review target's EA for assignment provisions and change-of-control clauses
  • Model post-close EA consolidation options (assign, consolidate, parallel run, terminate) with commercial implications of each
  • Assess tenant consolidation timeline and identify Copilot data scope expansion risks at migration
  • Include Copilot seat continuation or re-procurement in integration cost model
  • Confirm acquirer's Microsoft account team is notified of pending transaction (required under EA notification provisions)
  • Negotiate EA consolidation terms as part of deal structuring, not post-close under time pressure
  • If using Copilot for due diligence document review: confirm data isolation architecture is in place before uploading any third-party confidential content