A Formal Audit Is Not the Same as Your True-Up
When Microsoft's account team contacts you about your "licence compliance" or your "deployment position," the first question you need to answer is: what exactly is being initiated? There are two fundamentally different processes at play in Microsoft's compliance programme, and they have completely different legal bases, procedural requirements, and response strategies.
The annual true-up is a self-reporting mechanism built into your Enterprise Agreement. You report. Microsoft processes. The process operates largely on trust, with your contractual honesty obligation as the backstop. A formal licence compliance audit is something else entirely — it is the exercise of a specific contractual right by which Microsoft (or a designated third party) independently examines your deployment without relying on your self-reported data. The audit right is in your EA. Its scope, limitations, and procedural requirements are contractually defined — and those definitions are your primary defensive tool.
Conflating these two processes is expensive. Organisations that respond to audit initiation as if it were an administrative true-up request — submitting deployment reports, opening system access, engaging without legal review — frequently create far more exposure than they need to. Understanding exactly what process is underway, what rights your agreement grants Microsoft, and what constraints apply to those rights is the foundational step in every audit response.
Microsoft's standard EA audit rights permit review of deployment going back to the start of the agreement, which on a standard three-year EA term means up to three years of history. This is why audit findings frequently produce substantially higher financial exposure than the true-up: they capture historical under-licensing across the full term, not just the current anniversary year.
What Triggers a Microsoft Licence Compliance Audit
Microsoft does not randomly select enterprises for formal licence audits. Audit targeting is driven by a defined set of signals that Microsoft's compliance team monitors systematically. Understanding what triggers audit selection gives well-managed organisations both the intelligence to avoid triggering selection and the context to understand why they have been selected if an audit is initiated.
Trigger 1: Unusual True-Up Submission Patterns
True-up submissions that show static or declining deployment counts in an organisation that Microsoft's telemetry shows as actively using more Microsoft products than reported are a primary audit trigger. Microsoft's telemetry data — collected through M365 usage analytics, Azure subscription activity, and Microsoft 365 Admin Centre reporting — is available to Microsoft before your self-reported true-up arrives. Significant discrepancies between Microsoft's data and your submission trigger compliance review flags that can lead to formal audit initiation.
Trigger 2: M&A Activity
Acquisitions, mergers, and spin-offs are among the most reliable audit triggers. Microsoft monitors corporate action announcements for its largest enterprise accounts. When an organisation acquires another entity, the compliance question is straightforward: did the acquired entity deploy Microsoft products during any period when it was not covered by the acquirer's EA? The look-back period extends to the acquisition date — and sometimes earlier, if the acquired entity had its own Microsoft licences that were not transferred or reconciled.
Trigger 3: End of EA Term Without Renewal Signal
Organisations approaching the end of an EA term without having initiated renewal discussions are at elevated audit risk. Microsoft's account and compliance teams work in coordination: an account team flagging a renewal at risk can trigger a compliance review as a commercial pressure tactic. The formal audit right exists; using it as negotiation leverage is not outside Microsoft's standard commercial playbook.
Trigger 4: Significant Deployment of Products Not in the EA
Microsoft's cloud telemetry tracks product usage at the tenant level. If your organisation is running large deployments of products not reflected in your EA baseline (M365 Copilot during an informal trial, Dynamics 365 modules enabled without formal licensing, Power Platform premium flows across multiple business units), the discrepancy between what Microsoft can see in your tenant and what your EA covers is a potential audit trigger. Tenant-level telemetry covers cloud services rather than on-premises deployments, but for cloud products it gives Microsoft a usage picture that is independent of anything you report.
| Audit Trigger | Frequency in Our Practice | Typical Financial Exposure |
|---|---|---|
| True-up vs telemetry discrepancy | Most common | £200K–£2M depending on EA size and term |
| M&A activity (acquisition of licensed entity) | Common in mid-market | £500K–£5M depending on acquired entity size |
| Renewal resistance / no-renewal signal | Moderately common | Variable — used as commercial pressure tool |
| Large out-of-EA product deployment | Increasing (Copilot/Power Platform) | £100K–£800K for typical mid-scale deployments |
| Former employee or LAR complaint | Less common | Variable — depends on specifics of allegation |
Your Rights Under Standard EA Audit Terms
Your EA contains an audit rights clause. Read it before you respond to any audit initiation communication. The standard clause in a Microsoft EA defines both Microsoft's rights and the procedural constraints on those rights. The procedural constraints are your primary defensive tool in the early stages of an audit.
Microsoft Must Provide Written Notice
Standard EA audit rights require Microsoft to provide written notice of its intent to audit before the audit begins. The notice period in standard terms is 30 days. This notice period is not a formality — it is the window in which your legal and compliance teams should review the audit scope, engage external support if needed, and prepare your response strategy.
Some EAs, particularly those signed before 2020, contain shorter or less specific notice provisions. Review your specific agreement language. If the audit initiation communication is informal (an email from your account team or LAR rather than a formal written notice), it may not constitute valid exercise of Microsoft's audit right. Do not prepare or provide deployment data for Microsoft in response to informal requests: internal preparation is sensible at any time, but disclosure waits for the formal notice that triggers the contractual process.
Audit Must Be Conducted by a Qualified Third Party
Standard EA audit terms require that formal licence audits be conducted by a qualified independent third party — typically an accounting firm or specialist software compliance firm — rather than directly by Microsoft employees. The third party is designated by Microsoft, but your agreement may specify qualification requirements for that designation (CPA certification, independence from Microsoft revenue relationships, etc.). Review your specific clause language.
If Microsoft attempts to conduct the audit directly rather than through the required third party, which sometimes happens informally through "compliance reviews" initiated by the account team, this does not constitute valid exercise of the formal audit right. Participation in informal account team compliance reviews should be treated as commercial communication, not legal compliance obligation. It is still disclosure, however: anything you hand over in an informal review can be used to frame a later formal audit, so the same review-before-release discipline applies.
Once Per Year Maximum Under Standard Terms
Standard EA audit rights limit Microsoft to one formal audit per 12-month period. If you have been audited in the last 12 months and Microsoft is initiating a second audit, review your specific agreement language — this may not be permissible under your current terms. The frequency limit is also a negotiation point at EA renewal: buyers with significant leverage have successfully extended this to once per 24-month period, which meaningfully reduces Microsoft's ability to use audit initiation as commercial pressure.
SAM Engagements vs Formal Audits
Microsoft's Software Asset Management (SAM) programme deserves specific attention because it is frequently used as an informal precursor to formal audit proceedings, and because many enterprise buyers do not understand the distinction between a SAM engagement and a formal compliance audit.
A SAM engagement is nominally a consultative process in which Microsoft (or a Microsoft-authorised SAM partner) offers to help your organisation optimise its licence position. Microsoft presents SAM engagements as beneficial to the buyer — an opportunity to identify cost savings, improve licence governance, and ensure compliance. This framing is accurate as far as it goes, but incomplete. SAM engagements also serve as compliance intelligence-gathering for Microsoft: the detailed deployment data you provide during a SAM engagement can form the basis for a subsequent formal audit finding if the SAM review identifies under-licensing.
The critical point: a SAM engagement is voluntary. You are under no contractual obligation to participate in a SAM engagement. The formal audit right in your EA is the only mechanism through which Microsoft has a contractual right to examine your deployment. If you are invited to participate in a SAM engagement and there are any current or anticipated compliance concerns with your licence position, engage independent legal counsel before accepting.
In 2025 we advised a mid-market manufacturing organisation that had accepted a "complimentary SAM engagement" from a Microsoft partner. The SAM review identified deployment of Microsoft Dynamics 365 modules in a recently acquired entity not enrolled as an EA affiliate. The SAM findings were provided to Microsoft's compliance team. A formal audit was initiated three months later using the SAM data as its evidentiary basis. The eventual settlement was £1.4M — for a deployment that had existed for 11 months. Had the client sought independent advice before accepting the SAM engagement, the outcome would have been materially different.
How to Respond to a Formal Audit Initiation
If you have received a valid formal notice of audit initiation, meaning a written notice meeting your EA's requirements, the response sequence is fixed. Following it protects your commercial position; deviating from it, even with good intentions, creates risk.
First, do not respond substantively to the audit notice without legal review. Forward the notice to your internal legal team and, if your legal team does not have specific Microsoft EA audit experience, engage external counsel. The audit notice sets a response timeline; that timeline gives you days, not hours, to engage counsel.
Second, confirm that the notice meets your EA's formal requirements: it is in writing, it comes from the appropriate party (Microsoft directly, not an LAR), it specifies the scope of the audit, and the timing complies with your agreement's frequency and notice provisions. If any of these are not met, formally object and request clarification before proceeding.
Third, begin your own internal deployment assessment immediately. The audit process will eventually require you to provide deployment data. Having your own well-documented, independently produced dataset before Microsoft's auditors arrive gives you control over the process rather than leaving you to respond to Microsoft's numbers. Record when and how each dataset was produced, and keep the source extracts, so that any figure you later provide can be traced back to the systems it came from. The true-up preparation guide describes the data gathering methodology; the same process applies to audit preparation, with greater urgency.
Fourth, designate a single point of contact for all audit communications. All requests from Microsoft or the third-party auditor go through this person, and all responses are reviewed before being provided. Auditors receive reviewed exports scoped to the agreed audit, not credentials or direct access to your systems. This control prevents the informal escalation and voluntary disclosure that frequently create additional exposure during audits.
Audit Findings and Settlement
A formal licence audit that finds under-licensing does not automatically lead to a fixed liability. Microsoft's initial audit finding is a commercial opening position, not a final legal determination. The settlement negotiation that follows is where the real financial outcome is determined — and where independent advisory support pays for itself many times over.
Microsoft's standard approach in settlement negotiations is to present the full retroactive liability under list pricing as the starting position — the maximum possible exposure calculated using the highest applicable list price for the under-licensed period. From this position, Microsoft will negotiate based on: your organisation's commitment to EA renewal, the size and term of your renewal commitment, any mitigating factors in the counting methodology that reduce the technically defensible under-licensing number, and the commercial value of your account to Microsoft's enterprise segment.
Organisations that negotiate audit settlements without independent advisory support consistently achieve worse outcomes than those that do. The settlement mechanics require understanding both the contractual position (what liability genuinely exists under your specific EA terms) and the commercial position (what Microsoft will accept to close the matter and retain the renewal). These are different analyses requiring different expertise.
For the full settlement framework including escalation paths, acceptable settlement structures, and renewal linkage strategy, the Microsoft Audit Defense Playbook and True-Up Survival Guide are the primary references. For an active audit situation, our True-Up and Compliance advisory service provides direct engagement support.
Prevention: The Best Audit Defence
The audit response framework above assumes an audit is already underway. The better investment is prevention: building the continuous licence governance that reduces both audit risk and true-up exposure simultaneously. Organisations with mature licence governance programmes — consistent Entra ID hygiene, quarterly reconciliation, well-documented true-up histories — are both less likely to be selected for audit and better positioned to defend their position if they are.
The governance framework is described in detail in the Microsoft true-up compliance guide. The investment in governance — principally management time and appropriate tooling — is consistently less than the cost of a single audit or unplanned true-up surprise for any organisation above 1,000 Microsoft seats.