Sales Snapshot
2
Azure Tenants Assessed
Parent Co. (mature Azure) + Acquired Co. (manual, lower maturity) — both Azure, vastly different maturity
71.6
Parent Co. Score (/100)
5-pillar WAF scorecard · 23 evaluation categories · Avg maturity 3.4/5
45.1
Acquired Co. Score (/100)
Avg maturity 2.0/5 · Manual ops · No IaC · No DR documentation
24 mo
Consolidation Roadmap
2-phase: Assess (done) → Implementation Planning · Potential to accelerate to 18 months
7
Deliverables Produced
Exec summary, consolidation deck, fit-gap assessment, 2 scorecard matrices, RACI, project plan
The Unique Angle — Post-M&A Cloud Consolidation
Every company that acquires another company inherits a cloud problem. The client is a $10B+ global healthcare company that acquired a hospital technology subsidiary for ~$10.5B. Four years later, two separate Azure tenants were still running — different governance, different tooling, different maturity levels, different compliance obligations. The question wasn't "should we consolidate?" — it was "how, and in what order, without breaking HIPAA and GDPR?"
We answered that question with data. A 5-pillar WAF scorecard across 23 categories produced a scored, evidence-based gap analysis: Global Healthcare & MedTech Company at 71.6/100 vs. Acquired Co. at 45.1/100. The most surprising finding: the recommendation was not to immediately merge the tenants. HIPAA and GDPR data residency requirements in the Acquired Co. environment meant a naive merge created compliance risk — instead, we designed a phased 24-month consolidation with separate AAD tenants through the remediation phase, adopting the parent's IaC and governance standards across both environments before the merge.
Use this engagement when selling to: Any healthcare, life sciences, or enterprise company that has completed or is preparing for an M&A event involving Azure-hosted workloads. The "scored assessment before consolidation" pattern applies universally — WAF-based scorecard, fit-gap analysis, phased implementation roadmap. Also strong for FinOps and IaC standardization conversations in post-merger integration contexts.
Business Problem the Client Was Solving
The Post-M&A Cloud Debt Problem
- 4 years post-acquisition, the acquired Azure tenant was still operating independently — separate governance, tooling, and security standards
- the acquired subsidiary running entirely on manual deployments — no IaC, no runbooks, no documented backup or DR standards
- Security and governance gap: Acquired Co. MFA partially enforced, role assignments not following least-privilege, no PIM
- Cost optimization broken in both tenants — RI coverage at ~20% vs. 50% target, no cost dashboards for engineers, no showback/chargeback
- Two different monitoring stacks, two cost models, two incident response approaches — growing operational complexity
- Executive pressure to consolidate to realize synergies from the $10.5B acquisition
The Compliance Complexity
- the acquired subsidiary's workloads include HIPAA-regulated patient data — data residency and access control requirements tied to specific Azure regions and identity boundaries
- GDPR data residency requirements add additional constraints on where Acquired Co. data can reside after a tenant merge
- A naive "just merge the tenants" approach would create compliance risk, not eliminate it
- Separate AAD tenants currently preserve identity isolation and blast radius boundaries — losing that without a clear remediation plan is high-risk
- Need: a scored, evidence-based consolidation plan that respects compliance obligations while delivering on the operational efficiency mandate
WAF Scorecard — Parent vs. Acquired Co. (5 Pillars, 23 Categories)
| Pillar | Max | Parent Co. | Acquired Co. | Parent Maturity | Acquired Maturity | Gap Driver |
|---|---|---|---|---|---|---|
| Security & Governance (P1) | 54.3 | 41.6 (77%) | 27.2 (50%) | 3.83 — Advanced | 2.50 — Developing | Acquired Co.: MFA partial, no PIM, RBAC not least-privilege |
| Operational Excellence (P2) | 13.6 | 10.9 (80%) | 5.4 (40%) | 4.00 — Advanced | 2.00 — Developing | Acquired Co.: no IaC, no backup docs, no incident playbooks |
| Reliability (P3) | 9.1 | 6.6 (73%) | 3.6 (40%) | 3.67 — Advanced | 2.00 — Developing | Acquired Co.: no RTO/RPO standards, ad hoc backup ops |
| Cost Optimization (P4) | 15.8 | 8.1 (51%) | 6.3 (40%) | 2.57 — Developing | 2.00 — Developing | Both: RI coverage ~20%, no cost dashboards, weak tagging |
| Performance Efficiency (P5) | 7.2 | 4.3 (60%) | 2.5 (35%) | 3.00 — Defined | 1.75 — Initializing | Acquired Co.: no autoscaling, manual resource provisioning |
| Total | 100.0 | 71.6 | 45.1 | Parent Co. leads Acquired Co. by +26.5 pts across all pillars · Cost Optimization is the shared gap for both | ||
What We Delivered — Two-Phase Engagement
Phase 1 · Delivered May 2025
Azure Accounts Consolidation Assessment
Applied Advisory's weighted WAF maturity model to both Azure tenants across 5 pillars and 23 categories. Produced full maturity scorecard comparison, fit-gap assessment documenting specific technical and governance gaps in each environment, and key findings per pillar. Recommendation: consolidate the acquired tenant into the parent tenant — but remediate compliance, automation, and cost governance gaps first. Decision matrix, scorecard matrices v1 and v2, RACI draft, and executive summary delivered.
Phase 2 · Implementation Planning (Active)
24-Month Consolidation Roadmap
Detailed project plan for the full consolidation: Design (Unified Identity, IaC for Acquired Co., app discovery) → Wave 1 Migration (Entra ID cross-tenant sync, Global Healthcare & MedTech Company core infra deployment, Wave 1 workloads) → Wave 2 + Tenant Decommission → Post-Migration Optimization. FinOps workstream runs in parallel for full 24 months. Target: Acquired Co. HST tenant fully decommissioned, single Global Healthcare & MedTech Company Azure environment under unified governance. Potential to accelerate to 18 months.
Parallel · FinOps Workstream
Cost Governance Remediation (Both Tenants)
Cost Optimization is the weakest shared pillar — both tenants at developing maturity. FinOps workstream addresses: centralized cost governance under Cloud CoE, standardized tagging via Azure Policy, budget alerts and dashboards, automated shutdowns and right-sizing, RI/SP strategy alignment (current ~20% coverage vs. 50% target), Azure Hybrid Benefit audit, and showback/chargeback model rollout. Addresses the prerequisite before tenant merge is safe to execute.
Companion · Kidney Care Advisory
Business Unit Advisory (Executed SOW)
A separate executed SOW for Kidney Care Advisory reflects additional Advisory engagement with a regulated healthcare business unit — a dialysis and renal care therapy division. This is a strategically significant segment; the advisory work addresses cloud and operational strategy for this regulated healthcare product line. This expands the the engagement beyond pure infrastructure consolidation to BU-level strategic advisory.
Forward Opportunity
Implementation Execution
Phase 2 → 4 Active
24-month consolidation roadmap scoped and delivered. Advisory is positioned as the execution partner for IaC standardization, Entra ID cross-tenant sync, Wave 1 and Wave 2 migrations, and acquired tenant decommissioning. Full program execution TCV to be scoped in Phase 2 SOW.
FinOps Practice
RI + Cost Governance
Both tenants at RI coverage ~20% vs. 50% target. Full FinOps uplift — budget alerts, tagging enforcement, autoscaling automation, showback/chargeback, AHB audit — is a near-term opportunity independent of the consolidation timeline. Quick-win engagement to demonstrate ROI before the full migration program commitment.
Managed Services
Post-Consolidation MS
A merged, standardized Azure environment under unified parent governance is the ideal entry point for Advisory Managed Azure services — unified monitoring, security operations, IaC maintenance, and FinOps management. Managed services TCV becomes the long-tail revenue on a consolidation program.
Talk Track — Using This as a Reference
Post-M&A Cloud Advisory Conversations
"We acquired a company 2 years ago and their Azure environment is still completely separate from ours. We need to consolidate."
We just went through exactly that with Global Healthcare & MedTech Company — a $10B+ global healthcare company that had acquired Acquired Co. four years earlier. Two separate Azure tenants, vastly different maturity levels. Our approach was to score both environments before recommending a consolidation path — applied our WAF-based maturity model across 5 pillars and 23 categories. The parent tenant scored 71.6 out of 100. The acquired subsidiary tenant scored 45.1. The most important insight wasn't the scores — it was what the gap analysis showed was blocking a clean merge: HIPAA and GDPR constraints meant the recommendation was actually to maintain separate AAD tenants through a remediation phase first, then consolidate on a 24-month timeline. Without that assessment, a rushed merge would have created compliance exposure. The client received a scored, evidence-based roadmap instead of a "just merge it" answer.
"Why do we need an assessment? We already know we need to consolidate."
I understand that instinct — but this engagement is a good example of why the assessment matters even when the direction seems obvious. Every stakeholder at the client knew a consolidation was coming. What they didn't know was the order of operations. When you score both environments against the same framework, you discover that the acquired tenant can't be safely merged yet — not because of technical complexity, but because of compliance gaps you didn't know existed. In Acquired Co.'s case: HIPAA data residency requirements that made a naive tenant merge an audit risk, and cost governance so immature that merging would have actually made the shared environment harder to manage, not easier. The assessment is the prerequisite, not the luxury.
"Can you do this in Azure? We're not AWS."
Absolutely — this engagement was entirely Azure. The framework we use maps to the Microsoft Well-Architected Framework and Cloud Adoption Framework directly — Security & Governance, Operational Excellence, Reliability, Cost Optimization, Performance Efficiency. We score against Azure-specific best practices: Azure AD PIM, Defender for Cloud, Terraform on HashiCorp Cloud, Azure Advisor, Entra ID cross-tenant sync, Landing Zones, VWAN. The parent environment was Terraform-native; the acquired subsidiary was portal-click manual. We produced the roadmap to bring Acquired Co. to the parent's IaC standard while keeping the tenants separate through the remediation phase.
My Role on This Engagement
Engagement Lead
Led Phase 1 assessment delivery — stakeholder engagement, assessment framework, and executive readout to client leadership
WAF Scorecard
Applied weighted maturity model to both tenants across 23 categories; produced comparative scorecard matrices v1 and v2
Fit-Gap Assessment
Authored the full Fit-Gap Assessment documenting pillar-by-pillar observations, WAF alignment gaps, and remediation recommendations
Consolidation Strategy
Designed the phased consolidation strategy — tenant separation recommendation, IaC adoption roadmap, and 24-month project plan
FinOps Analysis
Produced cost optimization workstream covering RI/SP strategy, tagging enforcement, autoscaling, AHB audit, and showback model
RACI + Project Plan
Produced RACI draft and phased project plan covering all consolidation phases from Design through acquired tenant decommissioning
Context & Reference Notes
Client profile: Global Healthcare & MedTech Company (NYSE: BAX) is a global medical device and healthcare company; Acquired Co. (Hill-Rom Holdings, ticker HRC) was acquired by Global Healthcare & MedTech Company in December 2021 for approximately $10.5B. The "HST" designation refers to the legacy Acquired Co. Azure tenant. Engagement: Phase 1 (Assessment) delivered May 2025. Phase 2 (Implementation Planning / Consolidation Execution) scoped for follow-on engagement. Executed SOW: "SOW-Global Healthcare & MedTech Company - Kidney Care Advisory-EXECUTED" is a separate advisory engagement for Global Healthcare & MedTech Company's Kidney Care / dialysis business unit. Compliance: HIPAA and GDPR constraints in the Acquired Co. environment drove the tenant separation recommendation — not a technical limitation but a compliance and risk management decision. Client name may be cited in healthcare vertical references; confirm with account team for proposal use.