When Microsoft's compliance team contacts your organisation requesting a licence review, most enterprises respond as if the request carries unlimited authority. They grant access immediately, produce whatever data is asked for, and accept Microsoft's findings without challenge. This approach is commercially expensive and contractually uninformed. Microsoft's audit rights under the standard EA are specific, bounded, and significantly narrower than the language Microsoft's compliance team typically implies.
This guide provides a precise analysis of what Microsoft's audit rights clause actually says, what it permits, what it does not, and how to manage an audit request in a way that protects your commercial position without triggering escalation.
This article provides commercial and contractual context — not legal advice. For any active audit or compliance review, engage qualified legal counsel familiar with Microsoft EA terms alongside independent licensing advisory. The value of understanding audit rights is that you ask the right questions of the right advisors from the outset.
What the Standard EA Audit Clause Says
The Microsoft Enterprise Agreement standard terms include an audit rights provision that, in the current standard form, grants Microsoft the right to verify the customer's compliance with the agreement. The key elements of the standard clause:
Core Audit Rights — Standard EA Terms
- Microsoft may audit customer's use of the products licensed under the agreement
- Notice must be provided before an audit commences (standard: 30 days' advance notice)
- Audits must be conducted during normal business hours
- Audit may be conducted by Microsoft or by a third party appointed by Microsoft (typically a "big four" audit firm or specialist licence compliance firm)
- Customer must provide reasonable access to records and systems relevant to the products covered by the agreement
- Audit costs are borne by Microsoft unless material non-compliance is found (in which case the customer bears the audit cost)
- Frequency limitation: Microsoft may not conduct more than one audit in any 12-month period unless a prior audit found material non-compliance
Three features of this clause matter commercially. First, "reasonable access" is not unlimited access — it is scoped to records relevant to the licensed products. Second, the 30-day notice requirement is contractual, not advisory — Microsoft cannot commence an audit without meeting this threshold. Third, the cost-shifting provision creates a material incentive: Microsoft's compliance team is motivated to find non-compliance, because otherwise they bear the audit cost. This is relevant context for interpreting the scope of requests that arrive with an audit notice.
The Scope Limits Your EA Establishes
The most important word in the audit clause is "relevant." Microsoft is entitled to access records and systems relevant to the products covered by the EA. This has several practical implications that most enterprises fail to apply:
Scope Is Limited to EA-Covered Products
Microsoft's audit rights under the EA do not extend to products licensed under other agreements — whether a separate CSP arrangement, a Microsoft Online Subscription Agreement (MOSA), or open licence purchases. If your organisation licenses some products through the EA and others through a CSP, Microsoft's EA audit right covers only the EA products. Producing data for non-EA products in response to an EA audit request goes beyond what the contract requires.
Systems Access Is Not Unlimited
"Reasonable access to records" is not the same as direct access to your IT systems. In the standard EA, Microsoft does not have an automatic right to deploy scanning tools in your environment or connect directly to your directory services. What they are entitled to is data that demonstrates your deployment position — typically reports, exports, and records you produce from your own systems. Direct system access is something enterprises can legitimately decline to provide under the standard EA terms, offering instead to produce the data from their own management tools in the form Microsoft specifies.
Third-Party Audit Firms Are Bound by the Same Scope
When Microsoft appoints a third-party firm (KPMG and Deloitte are frequently used) to conduct the audit, that firm operates under the authority granted to Microsoft by the EA — not broader authority. Any request by the audit firm that would exceed the EA's audit scope can be challenged on the same grounds as a request from Microsoft directly. The presence of a professional services brand does not change the contractual scope.
The SAM Engagement vs. Formal Audit Distinction
Microsoft's compliance engagement strategy has two distinct tracks that enterprises frequently conflate, to their commercial disadvantage:
Software Asset Management (SAM) Engagement
A SAM engagement is a voluntary programme. Microsoft's SAM team — or a Microsoft partner appointed to conduct it — approaches the customer with an offer of a "free" licence review, typically framed as a cost optimisation exercise or renewal preparation activity. The customer is not contractually obligated to participate. There is no audit notice. The engagement is conducted under a separate SAM agreement that the customer signs voluntarily.
SAM engagements produce licence findings that can create commercial pressure at renewal. They are not neutral. Microsoft partners conducting SAM engagements are incentivised to find non-compliance because their compensation model includes a share of any incremental licence revenue generated. Agreeing to a SAM engagement without independent advisory support frequently results in findings that are commercially advantageous to Microsoft and difficult to challenge because the customer voluntarily provided the access and data.
Formal Audit Under EA Audit Rights
A formal audit under the EA audit rights clause is initiated by written notice from Microsoft, triggers the contractual provisions described in this article, and carries legal weight. Unlike a SAM engagement, the customer cannot simply decline — though they can and should manage the scope, timing, and process within the contractual framework.
The key distinction: a SAM engagement is an invitation; a formal audit is a contractual trigger. Many organisations receive what appears to be a SAM engagement request that escalates to an audit notice if declined. Understanding which track you are on at the point of first contact determines your options. Our guide to Microsoft SAM engagement covers the strategic responses available at the invitation stage.
Your Rights When You Receive an Audit Notice
When a formal audit notice arrives, you have several contractual protections to exercise immediately:
1. Verify the Notice Meets the Contractual Requirements
The notice must come from Microsoft (not from a third-party firm acting on its own authority), must be in writing, and should specify the scope of the audit. A notice that is vague about scope, or that does not give the 30-day lead time required under most EA versions, can be answered with a formal written response requesting clarification and compliance with the notice requirements.
2. Establish the Scope Before Providing Any Data
Your first substantive response to an audit notice should establish, in writing, the agreed scope of the audit. This should confirm: which products are in scope (EA-covered products only), the time period under review, the format in which data will be provided (your reports, not direct system access), and the process for any disputes about findings.
Scope establishment before data production is not obstruction — it is contractual compliance. Providing data before scope is agreed creates unnecessary exposure because it signals willingness to produce whatever is requested rather than what the contract requires.
3. Conduct Your Own Internal Compliance Review First
The 30-day notice period is your window to conduct a full licence reconciliation and identify your actual deployment position before the audit begins. Any under-licensing identified in this review can be addressed — either through licence procurement or deployment reduction — before the audit commences, removing it from the finding scope.
This is not document destruction or obstruction. Correcting actual deployment positions before an audit — through legitimate commercial actions — is standard practice and is expressly contemplated by the existence of a notice period. The notice period serves no purpose other than giving the auditee time to prepare.
4. Control the Data Production Process
Produce your own data, from your own systems, in formats you control. Do not grant auditors direct access to Entra ID, SCCM, or other management tools. Instead, produce the reports those tools generate and provide them as structured data deliverables. This ensures you have a complete record of everything provided and that the data is formatted to minimise methodological ambiguity.
In every audit engagement we have managed over 10 years, the single most important factor in outcome was how quickly independent advisors were engaged after the notice arrived. Enterprises that call us within 48 hours of audit notice consistently achieve better outcomes — typically 40–60% reductions in initial findings — than those who engage us after they have already provided data and accepted preliminary findings.
When Findings Differ from Your Records
Microsoft's audit findings frequently differ from the auditee's own records. Common sources of discrepancy:
- Methodology differences: Microsoft may count licences on a different basis (total assigned users vs 90-day active users). The EA terms determine which methodology applies — this is a contractual dispute, not simply a data disagreement.
- Scope creep: Findings that include products not covered by the EA, or time periods before the current EA term commenced, may be outside the legitimate audit scope.
- Double-counting: Shared accounts, service accounts, and resource accounts are frequently counted as individual user licences by automated scanning tools but may not require user-based licences under the EA terms.
- SA benefit misattribution: Deployments made under Licence Mobility rights or Dual-Use Rights may appear as out-of-scope deployments if the audit does not account for the SA benefits that authorise them.
Every discrepancy between audit findings and your own records is disputable before you accept any settlement. The process for disputing Microsoft true-up and compliance assessments applies equally to audit findings — and the same principle holds: accepting findings without challenge is a commercial decision, not a legal obligation.
The Commercial Framework After an Audit
If an audit establishes genuine non-compliance — under-licensing that cannot be legitimately disputed — the commercial resolution is a negotiation, not a fixed obligation. Microsoft will typically present a "catch-up licence purchase" proposal. This is an opening position, not the final word.
The parameters of the settlement negotiation include:
- The pricing applied to the catch-up licences (list price vs EA-discounted price)
- Whether historical exposure is included or only current-term exposure
- The treatment of the non-compliant period — whether interest or penalties are applied
- The structure of the remediation commitment — immediate purchase vs a compliance programme with defined milestones
- The impact on your renewal negotiation — audit findings used as a baseline for future commitments are a separate commercial concern
Enterprises that enter the settlement discussion with independent advisors who understand Microsoft's commercial incentives — and who know the settlement benchmarks from comparable engagements — consistently achieve better outcomes than those who accept Microsoft's initial proposal. The Microsoft Audit Defence Playbook at our research library covers the settlement framework in detail, and our True-Up & Compliance Defence service provides direct advisory support through the full audit and settlement process.
Preventing the Audit from Being Commercially Significant
The most effective audit defence is not reactive — it is the continuous compliance programme that eliminates material non-compliance before any audit notice arrives. Enterprises with quarterly licence reconciliation processes, active usage tracking, and documented governance records enter audits with a defensible position from day one. The audit becomes, at worst, a validation of a position you already hold — not a discovery exercise that surfaces surprises.
The specific audit triggers that our enterprise compliance guide identifies — mergers and acquisitions, irregular true-up submissions, significant licence count changes between terms — are all situations where proactive compliance documentation is especially valuable. If your organisation is approaching any of these situations, it is the right moment to invest in a compliance baseline before you receive a notice rather than after.