Microsoft conducts thousands of licensing audits annually. Most organisations that receive an audit letter treat it as a legal and compliance problem — which it partly is — but fail to recognise it as a commercial negotiation. That distinction is expensive. Organisations that approach Microsoft audits as pure compliance exercises typically settle for face-value findings, paying back-licensing costs they could have reduced or eliminated with proper preparation and independent representation.
Across more than 500 engagements covering more than $2.1 billion in Microsoft contract value, we have supported organisations through every category of Microsoft audit: SAM (Software Asset Management) engagements, contractual audits triggered by EA provisions, BSA (Business Software Alliance) referrals, and Microsoft-initiated true-up discrepancy investigations. This guide consolidates the most important lessons from that experience into a single reference framework.
How Microsoft Licensing Audits Work
Understanding the mechanics of a Microsoft audit is essential before you can respond to one effectively. The audit process varies significantly depending on how it was initiated, who is conducting it, and what contractual basis gives Microsoft the right to audit you in the first place.
The Three Types of Microsoft Licensing Audit
1. SAM Engagement (Software Asset Management)
The most common form of Microsoft audit. SAM engagements are conducted by Microsoft-approved SAM partners — third-party firms retained by Microsoft to assess your licensing position. They are typically framed as a "free service" to help you optimise your licensing, but they are fundamentally a revenue-generation mechanism for Microsoft. SAM partner firms are compensated based on shortfalls they identify, which creates a structural incentive toward maximum finding rather than accurate finding.
SAM engagements begin with a letter from your Microsoft account team describing an "opportunity" to conduct a licensing review. They are technically voluntary — you can decline — but declining creates relationship friction that Microsoft may escalate to a formal contractual audit. Most organisations accept SAM engagements without independent legal review of their obligations to do so, which is typically the first mistake.
2. Contractual Audit (EA Section 6 Audit Rights)
Your Enterprise Agreement contains an audit rights provision — typically in Section 6 of the enrolment — that gives Microsoft the right to audit your licence compliance with advance notice (usually 30 days). This right is exercised through a formal written notice, not through the account team. The contractual audit is Microsoft's formal legal mechanism; it is more adversarial in posture than a SAM engagement and should trigger immediate legal involvement from your side.
The EA audit rights provision typically limits the frequency of audits (often no more than once per year) and requires Microsoft to provide reasonable notice. The scope is usually limited to products covered by the EA. Understanding exactly what your EA audit provision says — before you receive an audit letter — is a fundamental component of reading and managing your Microsoft EA.
3. BSA / Legal Referral
Business Software Alliance (now part of BSA | The Software Alliance) audits are the most serious category. They involve a legal letter from BSA's outside counsel, often citing statutory copyright provisions, and may seek information beyond what Microsoft's EA audit rights provide. BSA cases are driven by referrals — typically from disgruntled former employees, competitors, or partners. They are relatively rare for large enterprise customers who are already in an EA relationship, but occur more frequently with mid-market organisations without formal licence management programmes.
Who Conducts the Audit
| Audit Type | Initiated By | Conducted By | Risk Level | Your Leverage |
|---|---|---|---|---|
| SAM Engagement | Microsoft account team | Approved SAM partner | Moderate | High — can negotiate scope and methodology |
| Contractual EA Audit | Microsoft Legal | Microsoft or approved auditor | High | Moderate — EA terms define process |
| BSA Legal Referral | BSA / third party | BSA outside counsel | High | Low initially — requires immediate legal response |
| True-Up Discrepancy Review | Microsoft billing team | Internal Microsoft review | Lower | High — primarily a reconciliation process |
What Triggers a Microsoft Audit
Microsoft audits are not random. Understanding what triggers them allows you to assess your current risk profile and take preventive action before a letter arrives. Based on our engagement history, the most common audit triggers are:
High-Risk Triggers
- EA renewal gap periods: Organisations between EA renewals — after expiry and before new enrolment — are in a high-risk position. Any installation of Microsoft software during this gap is technically unlicensed, and Microsoft's systems can detect product activation patterns that do not align with an active EA.
- True-up under-reporting: If your annual true-up consistently reports fewer users or devices than Microsoft's telemetry data suggests are deployed, the discrepancy is flagged for review. This is particularly relevant for Microsoft 365 deployments where Microsoft can observe active users through the admin centre data.
- Former employee referrals: Disgruntled former IT staff are the single most common source of BSA referrals. An employee who left under adverse circumstances may have detailed knowledge of your licensing position and the motivation to report it.
- Virtualisation environments: SQL Server and Windows Server licensing in virtualised environments (VMware, Hyper-V, multi-tenant cloud) is genuinely complex and frequently miscounted. Microsoft is aware of this complexity and audits virtualised environments at higher rates.
- M&A activity: Post-acquisition periods create compliance exposure as acquired entity software is brought into scope of the EA. Microsoft will often initiate a SAM engagement within 12 months of a significant acquisition being publicly announced.
Moderate-Risk Triggers
- Significant headcount growth not reflected in true-up additions
- Microsoft partner or reseller termination of relationship (former partner may have visibility into your licensing position)
- Industry-sector targeting (financial services, healthcare, and government are audited at higher rates)
- Known non-compliance in public forums or regulatory filings
For a detailed treatment of specific triggers, see our article on Microsoft audit triggers and risk assessment.
Receiving a Microsoft Audit Letter: The First 48 Hours
The decisions made in the first 48 hours after receiving an audit letter determine much of the outcome. Most organisations respond too quickly, too informally, and without independent expertise — which concedes leverage they will never recover.
Immediate Actions (within 48 hours)
- Preserve all communications: Forward the letter to legal counsel and IT leadership. Do not discuss the matter by email or Slack informally — create a communication channel that is prepared for potential legal privilege claims.
- Identify the basis of the audit request: Is this a SAM engagement invitation (voluntary), a formal EA contractual audit notice (your obligation to respond is defined by your EA), or a BSA legal letter (requires immediate legal counsel)? The category determines your obligations and leverage.
- Read your EA audit clause: Pull Section 6 of your EA enrolment. Note the notice period required, the scope definition, and any frequency limitations. Microsoft must comply with these terms — and they do not always do so perfectly.
- Do not start self-collecting data yet: A well-intentioned IT team that immediately runs a discovery scan and sends results to Microsoft has surrendered all negotiating leverage over the scope and methodology of data collection. Wait until you have independent expertise guiding the process.
- Appoint an internal audit response lead: This person is the single point of contact for all audit-related communication. All Microsoft and SAM partner communication goes through this individual. This prevents inconsistent responses and creates a clear decision chain.
Do Not Make These Common Mistakes
The most expensive mistakes in audit response happen in the first few days:
- Calling your Microsoft account team to "discuss" the audit letter — they are not on your side in this process and anything you share becomes part of Microsoft's information
- Voluntarily sharing deployment data beyond what your EA audit provision requires
- Accepting the SAM partner's proposed tool and methodology without negotiation
- Assuming the audit finding will be manageable and delaying professional engagement to "see how it goes"
For full guidance on the initial response, see our detailed article on how to respond to a Microsoft audit letter.
Your Rights in a Microsoft Audit
Many organisations do not know their rights during a Microsoft audit, which allows Microsoft and SAM partners to expand scope and collect data well beyond what is contractually required. Here are the rights most organisations fail to exercise:
Right to Review the Audit Scope
Your EA defines what Microsoft can audit: the products covered, the entities in scope, and the time period. You have the right to negotiate the scope definition before any data collection begins. Scope that is accepted by default is invariably broader than scope that is negotiated.
Right to Approve the Audit Methodology
For SAM engagements, you can negotiate which discovery tools are used, how data is extracted, what data leaves your environment, and how the results are interpreted. The SAM partner's default methodology is designed for maximum finding, not maximum accuracy. An independent licensing expert can identify where the proposed methodology overstates liability — but only if that review happens before data collection, not after.
Right to Challenge Audit Findings
Preliminary audit findings are not final. You have the right to review draft findings, provide counter-evidence, and dispute interpretations before the final report is issued. Most organisations treat preliminary findings as final because they do not know they have this right — or do not exercise it before the deadline passes.
Right to Limit Data Disclosure
You are entitled to provide the minimum data necessary to satisfy your contractual audit obligation. You are not required to give Microsoft or the SAM partner access to your entire IT environment, your procurement records beyond what the EA requires, or data about systems not covered by the EA.
Right to Independent Representation
You can — and should — have independent licensing expertise representing your position throughout the audit. The SAM partner represents Microsoft's interests, your own IT team may not have the expertise to challenge findings, and your legal counsel alone typically lacks the technical licensing depth to dispute complex methodology issues. Independent licensing representation closes this gap.
For more detail on audit rights, see our article on Microsoft audit rights in the EA.
The Audit Response Process: A Step-by-Step Framework
Engage Independent Expertise
Do this before any substantive communication with Microsoft or the SAM partner. Independent licensing advisors — not your Microsoft account team, not your incumbent LSP, not the SAM partner — provide the only unaligned perspective on your position.
Build Your Internal Entitlement Position
Compile all Microsoft purchase records: VLSC data, EA licence records, CSP purchase history, perpetual licence certificates, Open licence records. Build a complete picture of what you are entitled to before any deployment data is shared. Entitlement gaps found at this stage can be remediated before they become audit findings.
Negotiate Scope and Methodology
Before accepting the SAM engagement or providing data for a contractual audit, agree in writing: which entities are in scope, which products are being audited, which discovery tools will be used, how virtualised environments will be counted, what data will leave your environment, and the process for reviewing and disputing findings.
Conduct Internal Discovery First
Using your agreed methodology (or equivalent), run your own internal discovery before the SAM partner runs theirs. This gives you a baseline to compare against their findings and identify where methodology differences — not genuine compliance gaps — are driving discrepancies.
Review Preliminary Findings Critically
When the SAM partner issues preliminary findings, do not treat them as final. For every finding, verify: Is the product correctly identified? Is the counting methodology correct? Is the virtualisation rule applied correctly? Are all entitlements (including SA benefit rights) properly credited? In our experience, 30–50% of preliminary findings contain material errors that reduce the final liability significantly when properly challenged.
Dispute Findings Before the Settlement Conversation
File formal written objections to any finding you dispute before entering settlement discussions. Once you have entered a settlement negotiation, the implicit baseline is the preliminary finding — dispute first, negotiate second.
Negotiate the Settlement Commercially
The audit settlement is a commercial negotiation. Microsoft wants to close the matter efficiently and convert any shortfall into future contract value. You want to minimise back-licensing cost, avoid punitive pricing, and prevent the settlement from creating a higher baseline for your next EA renewal. These objectives are not incompatible — but they require skilled negotiation, not just compliance acceptance.
Disputing Audit Findings: Where Errors Hide
Preliminary audit findings regularly contain errors in several categories. Knowing where to look is the first step to an effective challenge.
Virtualisation Counting Errors
SQL Server and Windows Server licensing in VMware environments is the single highest-frequency error category. The correct counting rule for SQL Server Standard in a VMware environment — where the licence covers two physical cores per licence, or alternatively the physical host if you licence all cores — is frequently misapplied. SAM tools often count deployed instances rather than applying the correct physical/virtual counting rule, generating findings that dramatically overstate liability. See our detailed articles on SQL Server virtualisation licensing rules and Windows Server virtual licensing.
Entitlement Crediting Errors
SAM tools count deployments. They frequently fail to correctly credit entitlements — particularly perpetual licence rights from historical EA enrolments, Software Assurance step-up rights, and licence mobility rights that allow on-premises licences to run in cloud environments. A deployment of SQL Server Enterprise on Azure may be covered by an Azure Hybrid Benefit (AHUB) licence rather than requiring a new cloud licence. If the SAM tool does not correctly apply AHUB eligibility, it overstates cloud licensing liability.
Dual-Use Rights
Many Microsoft licences include dual-use rights — the right to run both the current version and the immediately previous version simultaneously. Office 365 ProPlus (now M365 Apps) licences include downgrade rights. Windows Server licences include the right to run older versions. If the SAM tool counts separate installations of current and previous versions as separate licence requirements without applying dual-use rights, it will overstate shortfall.
Excluded Entities
SAM discovery tools often collect data from all systems in the network, including entities that are not covered by your EA enrolment. Subsidiaries formed after the EA enrolment date, recently acquired entities in a grace period, or entities in jurisdictions excluded by enrolment terms may not be within audit scope — but their deployment data will be included in SAM tool output unless scope is explicitly negotiated.
Developer and Test Environment Exemptions
SQL Server Developer Edition and Visual Studio subscriptions include rights to run certain Microsoft products in non-production environments without additional licences. These rights are frequently overlooked in SAM engagements, creating apparent shortfalls in test and development environments that are actually properly licensed. For more detail see our article on SQL Server Developer Edition audit defence.
For the full treatment of SAM partner methodology and how to dispute findings, see our article on how Microsoft audits work.
SAM Engagements vs Contractual Audits: Different Strategies
The strategy for a SAM engagement and a contractual EA audit is meaningfully different:
SAM Engagement Strategy
Because SAM engagements are framed as voluntary and advisory, you have more commercial flexibility. You can negotiate the scope to cover only the products of highest compliance risk (reducing the chance of surprise findings in lower-risk areas). You can influence the timeline — slowing the process gives you more preparation time. And you can use the SAM engagement as an opportunity to demonstrate licence governance maturity to Microsoft, which can reduce the probability of a follow-up contractual audit.
The primary goal in a SAM engagement is to complete it cleanly, with findings that accurately reflect your position — not Microsoft's widest interpretation of it — and at a settlement that converts any shortfall to future EA value rather than back-licensing penalty pricing.
Contractual Audit Strategy
A contractual audit has less flexibility in terms of whether to participate — your EA requires it. The strategy focuses on: ensuring Microsoft complies precisely with the audit notice and scope requirements in your EA, challenging any procedural deviation, and preparing a robust position on all likely findings before the data collection process begins. The settlement conversation at the end of a contractual audit often involves direct negotiation with Microsoft Legal, which is a more formal environment than a SAM settlement conversation.
See our Microsoft audit defence guide for detailed strategy by audit type.
Building a Microsoft Audit-Resilient Organisation
The best audit outcome is an audit that never happens, or one you can resolve in days rather than months because your licence position is documented and defensible. Here is the prevention framework:
1. Maintain Continuous Entitlement Records
Your VLSC data, EA purchase records, and CSP licence history should be aggregated into a single entitlement register that is updated at every purchase event. Organisations that can produce a complete, auditable entitlement record at 24 hours' notice are in a fundamentally different audit position than those who reconstruct their entitlements reactively under audit pressure.
2. Run Annual Internal Discovery
An internal licence reconciliation — comparing deployment discovery against your entitlement register — conducted annually, before any audit is initiated, closes compliance gaps proactively. Findings from an internal review can be remediated at standard pricing; the same findings from a Microsoft audit carry the risk of penalty pricing. The Microsoft SAM programme framework provides the structure for this process.
3. Document Virtualisation Environments Thoroughly
The highest-risk area in almost every enterprise environment is the virtualisation layer. Maintain a current, accurate record of: every virtual machine running Microsoft software, the physical host it runs on, whether it is covered by per-core or Server+CAL licensing, and whether Hybrid Benefit is applied. This documentation should be updated every time the VM estate changes.
4. Manage True-Up Accuracy
Consistent, accurate true-ups are the most effective signal to Microsoft that your organisation has strong licence governance. Organisations that under-report at true-up or submit estimates rather than counts create exactly the discrepancy pattern that flags accounts for audit review. True-up accuracy is not just a compliance requirement — it is an audit risk management practice.
5. Train Your IT Procurement Interface
The most common source of compliance exposure is not malicious — it is purchasing decisions made without licensing knowledge. Software deployed without a licence check, departmental purchases of on-premises software made alongside an existing cloud subscription, or server deployments that breach virtualisation counting rules all happen because the people making the decisions do not have the context to make them correctly. Regular licensing training for IT procurement and engineering teams is a genuinely high-ROI compliance investment.
Under Audit? Or Want to Be Ready When It Happens?
We provide independent audit defence — from the first letter to the final settlement. And we help organisations build the programme that means the next audit finds nothing worth finding.
Audit Response Support
Independent expert support from day one — scope negotiation, findings review, dispute preparation, and settlement negotiation. Not aligned to Microsoft.
Audit Readiness Assessment
Pre-audit assessment of your current licence position, entitlement records, and virtualisation documentation — before Microsoft asks.
Audit Defence Playbook
Download the Microsoft Audit Defence Playbook — response templates, rights checklist, and findings dispute framework.
Related Audit Defence Articles
This pillar article provides the strategic framework. The sub-pages in this cluster go deeper on specific aspects:
- How Microsoft Audits Work — the mechanics, the people, the process from first contact to settlement
- Microsoft Audit Triggers — what puts you in the queue and how to assess your current risk profile
- How to Respond to a Microsoft Audit Letter — the step-by-step response framework for the first critical days
- Microsoft Audit Defence Guide — defence strategy by audit type
- Microsoft Audit Rights in the EA — what your EA actually says about audit rights and how to use it
- Microsoft SAM Engagement Guide — navigating SAM engagements from invitation to settlement
- SQL Server Virtualisation Licensing Rules — the most frequently disputed area in Microsoft audits
For the complete compliance framework beyond audits, see the Microsoft True-Up Compliance Guide and the Microsoft licence compliance programme guide.