Scaling Security through M&A: How Opal Simplifies Access Management for Growing Organizations
Migrations during M&A can get messy. Opal empowers you to migrate piecewise, including cherry-picking fields from multiple Identity Providers.
Date: Jul 9, 2025
Author: Murad Akhundov
Topics: PRODUCT
Mergers and acquisitions are the lifeblood of growth for many organizations. But with each new company often comes a new identity provider, a different security architecture, and a unique set of access management challenges. What starts as strategic growth can quickly become an operational nightmare when you're trying to manage users across Okta, Microsoft Entra, Google Workspace, and legacy systems—all at once.
The traditional approach? Force everyone onto a single platform. The reality? That migration can take years, disrupt operations, and often fails to account for the next acquisition already on the horizon.
There's a better way.
The Hidden Complexity of M&A Security
When Company A acquires Company B, the security team inherits more than just new employees. They inherit an entire identity ecosystem: Company B's Okta instance with 10,000 users, custom SAML integrations, role structures built over years, and business-critical applications that can't afford downtime.
Meanwhile, Company A runs on Microsoft Entra. The board wants integration complete in 90 days. The security team knows that forcing a migration that fast risks breaking critical workflows, alienating new employees, and creating security gaps during the transition. To make matters worse, the same person often exists in both systems with different email addresses—john.smith@companya.com in Entra and jsmith@companyb.com in Okta—creating identity resolution nightmares when trying to provision access or maintain compliance.
This scenario repeats with each acquisition. Soon, you're managing a patchwork of identity providers, each serving as a source of truth for different user populations. Manual processes multiply. Audit trails fragment. Security policies become inconsistent across the organization. The very growth strategy meant to strengthen the company now threatens its security posture.

Embracing Architectural Diversity
The most successful M&A-heavy organizations have learned an important lesson: fighting architectural diversity is a losing battle. Instead of forcing standardization, they're building security infrastructure that thrives on heterogeneity.
This approach recognizes several realities of modern M&A:
Multiple Sources of Truth Are Inevitable
Each acquired company brings its own authoritative user directory. Sales might live in Salesforce, engineering in GitHub, corporate users in Entra. Rather than declaring war on this diversity, modern security platforms work with it.
Upstream and Downstream Complexity Is the Norm
Your identity architecture isn't just about where users live—it's about where they need to go. An acquired company might use Okta as their IDP (upstream) but need to provision users into your Entra environment (downstream) while maintaining their existing Google Workspace access. These multi-directional flows are standard in M&A scenarios.
Different Architecture Models Coexist
Some acquisitions bring centralized identity models. Others have federated approaches. Still others might have application-specific user stores. Forcing immediate standardization often breaks more than it fixes.
The Vendor-Neutral Advantage
This is where Opal's approach shines. Instead of requiring organizations to standardize on a single identity provider, Opal acts as an intelligent orchestration layer above your existing infrastructure.
Here's how it works in practice:
Universal Integration Without Standardization
Opal connects to Okta, Entra, Google, and other identity providers simultaneously. When Company A (Entra) acquires Company B (Okta), both systems continue to function as they always have. Opal simply bridges them, creating a unified access management layer without forcing migration.
Intelligent Source of Truth Management
Rather than declaring one system as the sole source of truth, Opal allows different systems to remain authoritative for different user populations or attributes. Your acquired fintech subsidiary can keep Okta as their source of truth while your main corporate entity uses Entra. Opal manages the complexity of synchronization and access decisions across both.
Flexible Architectural Support
Whether an acquired company uses SAML federation, OIDC, or direct LDAP connections, Opal adapts to their existing architecture. This means security teams can focus on policy and governance rather than technical integration battles.
Architecture Deep Dive: Deployment Models for M&A
When it comes to implementing unified access management across acquisitions, organizations typically adopt one of two architectural patterns. Understanding these models helps security teams choose the right approach for their specific M&A strategy.
Hub-and-Spoke Model
The hub-and-spoke model establishes a central identity authority while treating acquired systems as downstream spokes. This approach works particularly well for organizations with a strong corporate identity infrastructure and a clear integration roadmap.
How It Works
In this model, your primary organization maintains a central hub—this could be your corporate Okta instance, Microsoft Entra tenant, or even an HRIS like Workday. Some organizations use multiple systems as their hub, such as Workday for employee HR data and Okta for other information. The acquired company's IDP (whether it's Google Workspace, another Okta instance, or legacy Active Directory) becomes a downstream spoke that receives user provisioning from the hub.
The Power of Identity Resolution
The magic happens through Opal's secondary email functionality. When an employee from an acquired company needs access to resources, Opal intelligently resolves their identity across systems. For example:
John Smith exists in the corporate Entra directory as john.smith@parentcompany.com
The same John Smith exists in the acquired company's Okta as jsmith@acquiredcompany.com
Opal links these identities, allowing John to request access through a single interface regardless of which email he uses to authenticate
This creates a seamless experience where users maintain their familiar login credentials while gaining access to the broader organization's resources. They see one unified access request portal, one approval workflow, and one place to manage their permissions—even though the underlying systems remain separate.
Benefits of Hub-and-Spoke
Clear governance model with central oversight
Gradual integration possible—no "big bang" migrations
Acquired companies can maintain operational continuity
Simplified compliance and audit trails through the central hub
Natural path toward eventual consolidation if desired
Multi-Source Model
For organizations pursuing aggressive M&A strategies or operating acquired companies as independent subsidiaries, the multi-source model offers maximum flexibility. This approach acknowledges that different identity providers will continue to govern their respective user populations indefinitely.
Distributed Sources of Truth
In this model, each IDP remains the authoritative source for its user lifecycle:
The parent company's Entra manages corporate employees
Acquired Company A's Okta manages their 5,000 users
Acquired Company B's Google Workspace manages their 3,000 users
A separate Okta instance manages 10,000 contractors and external users
The corporate HRIS might serve as another source for employee metadata
Each system continues to handle user provisioning, deprovisioning, and attribute management for its population. There's no forced consolidation or hierarchical relationship—each IDP operates as a peer.
Intelligent Conflict Resolution
The complexity emerges when users exist in multiple systems. Perhaps a contractor in the external Okta instance becomes a full-time employee in the corporate Entra. Or an employee from an acquired company needs temporary access through the contractor system.

Opal handles these scenarios through configurable conflict resolution policies. Administrators can define:
Which system takes precedence for specific attributes
How to handle users who exist in multiple directories
Rules for identity matching across systems
Attribute synchronization preferences
For example, if Jane Doe exists in both the corporate Entra (as an employee) and the contractor Okta (from her previous consulting work), administrators can specify that Entra takes precedence for her primary identity while maintaining her contractor access for specific legacy systems.
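The secondary-email linking described under the hub-and-spoke model and the per-attribute precedence described here can be sketched together. This is an added illustration, not Opal's implementation or API; the record fields, source names and precedence table are assumptions, and the directory data is constructed.

```python
from collections import defaultdict
# Constructed directory exports; field names are assumptions, not a vendor schema.
RECORDS = [
    {"source": "entra", "email": "jane.doe@parentcompany.com",
     "secondary": ["jdoe@contractors.example"],
     "attrs": {"department": "Finance", "employment_type": "employee"}},
    {"source": "okta-contractors", "email": "JDoe@contractors.example",
     "secondary": [],
     "attrs": {"department": "Consulting", "legacy_app_role": "erp-readonly"}},
    {"source": "okta-acquired", "email": "jsmith@acquiredcompany.com",
     "secondary": [], "attrs": {"department": "Engineering"}},
]
# First listed source that supplies the attribute wins; "*" is the default order.
PRECEDENCE = {"*": ["entra", "okta-acquired", "okta-contractors"],
              "legacy_app_role": ["okta-contractors"]}

def link_identities(records):
    """Group records sharing any primary or secondary address (union-find)."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}
    for i, rec in enumerate(records):
        for addr in [rec["email"], *rec["secondary"]]:
            key = addr.strip().lower()  # addresses compared case-insensitively
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec)
    return list(groups.values())

def resolve(group, precedence=PRECEDENCE):
    """Return {attr: (value, winning_source)}; provenance is kept for audit.
    Two accounts from one directory in a group is ambiguous, so it raises."""
    sources = [r["source"] for r in group]
    if len(sources) != len(set(sources)):
        raise ValueError(f"ambiguous match within one source: {sources}")
    by_source = {r["source"]: r["attrs"] for r in group}
    resolved = {}
    for attr in sorted({a for r in group for a in r["attrs"]}):
        for src in precedence.get(attr, precedence["*"]):
            if attr in by_source.get(src, {}):
                resolved[attr] = (by_source[src][attr], src)
                break
    return resolved
```

An attribute whose precedence list names no source that actually supplies it is left out of the result, so a misconfigured rule yields a missing attribute instead of a value from an unintended directory.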
Benefits of Multi-Source
Maximum autonomy for acquired companies
No disruption to existing operations
Supports complex organizational structures
Preserves specialized workflows and integrations
Opal's Enterprise-Ready Features for Complex Architectures
Managing identity across multiple acquisitions requires more than just basic integration—it demands sophisticated capabilities that can handle the messy reality of enterprise M&A. Opal was built from the ground up to address these complexities, with features that turn multi-IDP chaos into manageable, secure operations.
A Single View Across Multiple Systems
One of the most immediate benefits of Opal's approach becomes visible in the unified catalog and inventory. Instead of logging into multiple systems to understand what access a person has, security teams get a consolidated view of all resources across every connected IDP. When viewing any user's profile, administrators might see applications from the parent company's Okta instance alongside resources from an acquired company's separate Okta environment—even though these are completely different systems with different configurations and user bases.

This unified inventory doesn't just list resources; it associates them with the actual human behind multiple digital identities. Whether someone accesses ADP through their corporate Okta account or has Datadog permissions in an acquired company's Okta instance, Opal presents a complete picture. Security teams can instantly see permanent access grants, temporary elevations, group-based permissions, and direct assignments across all systems. Notice how resources are clearly tagged with their source (like "Okta - XYZ Corp" versus "Okta - Acme Corp"), maintaining clarity about which system governs each permission while presenting them in a single view.
The unified catalog also serves as the foundation for consistent access reviews and compliance reporting. Instead of conducting separate reviews for each IDP—and hoping you've correctly matched identities—you can review all of a person's access holistically, regardless of which system originally granted it. This transforms what once required switching between multiple admin consoles and manual correlation into a single, authoritative source for access governance.
Reliable ABAC Through Tag Isolation
One of the most overlooked challenges in multi-IDP environments is maintaining reliable attribute-based access control (ABAC). When different systems define attributes differently—or worse, use the same attribute names for different purposes—traditional synchronization approaches create a mess.

Opal's Access Rules solve this by keeping tags from different sources of truth separate. Instead of attempting to merge or normalize attributes across systems, Opal maintains the integrity of each source's tag namespace. This means:
No Attribute Confusion
The "engineering" tag from your Okta instance remains distinct from the "engineering" tag in your acquired company's Entra. This prevents access control decisions from being corrupted by naming collisions or different attribute definitions across systems.
Reliable ABAC Controls
Security policies can reference specific attributes from specific sources. For example, you can grant access based on "department:engineering" from your corporate Entra while simultaneously checking "clearance:secret" from your government contractor's specialized IDP. Each attribute maintains its authoritative source and meaning.
Protection from Upstream Issues
When identity resolution fails or upstream systems have synchronization problems, your ABAC policies don't break. Tags remain associated with their source systems, so a sync failure in one IDP doesn't cascade into access control failures across your entire environment.
This approach transforms ABAC from a fragile synchronization nightmare into a robust, scalable access control mechanism that actually works in complex M&A scenarios.
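The effect of keeping tag namespaces separate can be shown with a small policy evaluator. This is an added illustration, not Opal's Access Rules engine; the source names, users and rules are constructed, and ignoring tags from a source whose sync failed is an assumption of the sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tag:
    source: str   # directory that asserted the attribute
    key: str
    value: str

# Constructed data. "engineering" is product engineering in corp-entra but
# facilities engineering in acme-okta: same name, different meaning.
USERS = {
    "alice": {Tag("corp-entra", "department", "engineering"),
              Tag("gov-idp", "clearance", "secret")},
    "bob": {Tag("acme-okta", "department", "engineering")},
}
RULES = {
    "source-repo": {Tag("corp-entra", "department", "engineering")},
    "export-controlled": {Tag("corp-entra", "department", "engineering"),
                          Tag("gov-idp", "clearance", "secret")},
}

def allowed_flattened(user_tags, rule):
    """Anti-pattern: merge namespaces by dropping the source before matching."""
    have = {(t.key, t.value) for t in user_tags}
    return {(t.key, t.value) for t in rule} <= have

def allowed_isolated(user_tags, rule, healthy_sources):
    """Match on (source, key, value). Tags from a source whose last sync failed
    are ignored (an assumption of this sketch), so only rules that depend on
    that source fail closed."""
    usable = {t for t in user_tags if t.source in healthy_sources}
    return rule <= usable

def decisions(healthy_sources):
    """Evaluate every user against every rule with source-qualified matching."""
    return {(user, name): allowed_isolated(tags, rule, healthy_sources)
            for user, tags in USERS.items() for name, rule in RULES.items()}
```

With flattened tags, bob's acme-okta "engineering" tag satisfies the source-repo rule; with source-qualified tags it does not, and marking gov-idp unhealthy denies only the export-controlled rule.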
Unified Group Management Across Systems
Opal brings intelligence to cross-system group management. The platform automatically detects when groups are managed by an upstream IDP and lets admins label them accordingly, making it easier for end-users to know which group to request.
Beyond detection, Opal enables true cross-connection functionality. You can create nested groups that combine members from multiple IDPs—like building a "Global Engineering" group that includes your Entra engineers, an acquired company's Okta developers, and contractor accounts from a separate system. Groups from one IDP can be assigned resources in another, with memberships syncing automatically. When someone joins the "Product Managers" group in an acquired company's Okta, they can automatically gain access to resources in your corporate Entra based on your policies. This transforms isolated identity silos into a unified access management fabric.
Building for the Next Acquisition
The most powerful aspect of this vendor-neutral approach? It prepares you for acquisitions you haven't made yet. When your next target company walks in with their own unique identity architecture, you're ready. No more emergency integration projects. No more forced migrations. No more security gaps during transitions.
Instead, you have a security infrastructure that grows stronger with each acquisition, turning what was once a liability into a competitive advantage.
Organizations that excel at M&A security understand that each acquisition is an opportunity to expand their security capabilities, not a burden to standardize. They've built infrastructure that welcomes architectural diversity rather than fighting it, creating resilient security ecosystems that adapt to whatever comes next.
The Path Forward
M&A will continue to be a critical growth strategy for ambitious organizations. The question isn't whether you'll face identity architecture complexity—it's how you'll handle it.
The organizations winning at M&A security share a common approach: they've stopped fighting architectural diversity and started embracing it. They've invested in vendor-neutral platforms that turn heterogeneity from a weakness into a strength.
Because in the end, security shouldn't slow down growth—it should enable it. And that's exactly what modern, vendor-neutral access management delivers: security that scales with your ambitions, not despite them. If you and your team are planning an upcoming merger or acquisition, consider scheduling a demo to see why the best security teams choose Opal.