Most enterprises treat Microsoft license reconciliation as an annual fire drill — a scramble in the weeks before true-up to count seats and hope the numbers roughly add up. That approach costs real money. Across our 500+ engagements, we consistently find that enterprises entering their annual true-up without a structured reconciliation process overpay by 18–34% compared to those with quarterly reconciliation in place.
Microsoft license reconciliation is not just a compliance exercise. Done properly, it is a continuous intelligence function that gives you precise visibility into your actual deployment position, identifies recoverable waste, and generates the data you need to negotiate from strength at renewal. This guide sets out the best practices that separate enterprises that control their Microsoft spend from those that simply react to it.
What Microsoft License Reconciliation Actually Involves
License reconciliation is the process of matching your contractual entitlements — what you have licensed under your Enterprise Agreement — against your actual deployment footprint. In principle, it sounds straightforward. In practice, it has four components that most enterprises handle inconsistently:
- Entitlement inventory: A complete, product-by-product record of what your EA authorises you to deploy, including base licences, add-ons, step-up rights, and any amendments.
- Deployment census: A current, authoritative count of active users and devices consuming each product, drawn from identity systems (Entra ID, formerly Azure AD) rather than procurement records.
- Gap analysis: A line-by-line comparison of entitlements against deployment, identifying both over-licensed products (waste) and under-licensed exposure.
- Remediation and reporting: Actions taken to close gaps — whether by recovering licences, adjusting deployments, or managing true-up submissions — and documented evidence of the process.
The reconciliation process feeds directly into your annual true-up submission and into the evidence base for your true-up preparation. Get it wrong — either direction — and the financial consequences are significant.
Why Annual Reconciliation Is the Wrong Model
The EA's annual true-up rhythm leads many organisations to reconcile only once a year. This is the single most expensive mistake in Microsoft licence management. Here is what happens in practice:
When reconciliation happens only at true-up, two problems compound each other. First, undeployed licences from joiners who never onboarded, leavers whose accounts were not deprovisioned, or product deployments that were authorised but never completed accumulate invisibly throughout the year. Second, actual deployments that exceed entitlements in specific product lines go undetected until the true-up forces a count — by which point Microsoft holds the pricing power for any incremental licences required.
Quarterly reconciliation changes the dynamic. When you identify a gap six months before true-up, you have time to either remediate the deployment (bring it back into alignment) or plan the incremental licence procurement strategically — outside the pressure of an imminent true-up submission.
The Quarterly Rhythm That Works
The reconciliation cadence that our highest-performing clients use follows a simple four-quarter structure:
- Q1 (Post-true-up): Full baseline reconciliation — refresh the entitlement register from the new EA term, reset deployment census, identify immediate remediation opportunities.
- Q2: Mid-year deployment review — identify product lines trending toward over-deployment, validate licence harvesting from departures, check add-on adoption rates.
- Q3: Pre-true-up intelligence — quantify likely true-up exposure by product, model scenarios, identify negotiation opportunities for incremental requirements.
- Q4 (True-up preparation): Final reconciliation, dispute preparation, submission review. This should be a validation of Q3 findings, not a discovery exercise.
Building an Accurate Entitlement Register
The entitlement register is the foundation of any reconciliation process. Most enterprises' entitlement records are fragmented across multiple systems — the Volume Licensing Service Centre (VLSC), email confirmations of EA amendments, third-party SAM tool databases, and procurement team spreadsheets that may or may not reflect the current EA state.
A reliable entitlement register requires four data inputs reconciled into a single source of truth:
1. EA Order Form and Amendments
The signed EA order form defines your base product pools and quantities. Every amendment — whether a true-up increment, an order for additional product lines, or a step-up from one SKU tier to another — must be reflected. In complex organisations with multiple affiliated entities under a single EA, amendment records are frequently incomplete or misattributed between affiliates.
Pull every amendment from VLSC and map it chronologically. The final column of your entitlement register is the cumulative entitlement position after all amendments.
2. Licence Mobility and Reassignment Rights
Software Assurance (SA) benefits include Licence Mobility rights — the ability to deploy on-premises licences in a service provider's infrastructure or reassign licences between users within 90 days. These rights are frequently unaccounted for in reconciliation exercises, leading to double-counting of obligations or, worse, missed cost avoidance opportunities. Understanding your SA entitlements is a prerequisite to accurate reconciliation.
3. Product-Level Entitlement Mapping
Microsoft's licence model means that a single product in your EA can authorise deployment across multiple platforms. An M365 E3 entitlement, for instance, includes Office desktop rights, Exchange Online, SharePoint Online, Teams, and a range of compliance tools. Reconciliation must operate at the feature level, not just the SKU level, to identify whether component features are being double-licenced through add-ons.
4. Expiry and Step-Down Tracking
Licences with annual step-down provisions — where entitlement quantities decrease in years two and three of an EA term — must be tracked against deployment trends. If deployment grows while entitlement steps down, you accumulate exposure without any visible trigger. This pattern causes approximately 22% of unexpected true-up invoices in our experience.
Getting the Deployment Census Right
The deployment census is where most reconciliation exercises introduce their largest errors. Common failure modes:
| Failure Mode | Typical Impact | Root Cause |
|---|---|---|
| Counting licensed users rather than active users | 8–15% overcounting | Provisioned accounts that are inactive or duplicate |
| Relying on M365 Admin Centre active user report without filtering guests | 5–12% overcounting | Guest/B2B users counted as internal licensees |
| Missing shared mailboxes and resource accounts in Exchange count | 3–8% undercounting | Shared accounts that require Exchange Online licences |
| Failing to count Teams Rooms devices separately | Variable | Room licence requirements distinct from user licences |
| Using procurement data as deployment proxy | Up to 20% inaccuracy | Ordered licences ≠ deployed licences |
The authoritative source for user-based licence deployment is Entra ID (Azure Active Directory), filtered to active accounts — specifically, accounts with a sign-in activity within the last 90 days. Microsoft uses 90-day active user thresholds in their own licence assessment tools, so aligning your census methodology with theirs eliminates disputes at the point of submission.
Product-Specific Census Methodology
Different product categories require different census approaches:
- M365/Office 365: Entra ID active users (90-day threshold), excluding guests and service accounts, mapped against assigned licence groups rather than individual user assignments.
- Azure (MACC and EA commitment): Azure Cost Management consumption data, reconciled against committed spend levels and product family breakdowns.
- Windows Server / SQL Server: Physical and virtual core counts from SCCM/Intune inventory, validated against virtualisation platform records. Licence Mobility deployments on service provider infrastructure require separate tracking.
- Dynamics 365: Named user count from the Dynamics admin centre, with attention to base and attach licence eligibility — using an attach SKU without the qualifying base SKU is a compliance exposure that frequently goes undetected.
- Power Platform: Per-user and per-app assignment reports from the Power Platform admin centre, with Power Automate RPA bot counts validated separately.
In 78% of the reconciliation reviews we conduct, the deployment census based on IT-team estimates differs from the Entra ID–sourced count by more than 10%. The delta is almost always in the enterprise's favour — actual active users are lower than estimates because leaver deprovisioning is systematically incomplete. This is recoverable spend if identified before true-up.
Conducting the Gap Analysis
With an accurate entitlement register and deployment census in hand, the gap analysis is arithmetically simple but commercially complex. For each product line, you are calculating:
True-Up Exposure = Deployed – Entitled
Recoverable Over-Licence = Entitled – Deployed
The commercial complexity lies in what you do with those figures. Exposure — where deployment exceeds entitlement — needs to be either remediated (deployment reduced to match entitlement) or reported in the true-up with strategic pricing management. Over-licensing — where entitlement exceeds deployment — is the primary opportunity for cost recovery at renewal through licence count reduction.
Materiality Thresholds and Prioritisation
Not all gaps are equal. A reconciliation programme should apply materiality thresholds to focus effort on the gaps that matter commercially:
- High priority (immediate action): Any product where deployment exceeds entitlement by more than 5% or where the annualised cost of the gap exceeds £50,000.
- Medium priority (Q3 review): Products where over-licensing exceeds 10% and the recoverable annual cost exceeds £25,000.
- Low priority (annual clean-up): Minor discrepancies in low-cost product lines where the cost of remediation exceeds the savings.
For gaps in the high-priority category, the question of whether to remediate deployment or accept the true-up exposure is a commercial decision — not purely a compliance one. This is where the reconciliation process connects directly to your EA negotiation strategy.
Remediation and Documentation
Remediation has two components: fixing the actual gap and documenting the process. Both matter at true-up, because documented evidence of a systematic reconciliation programme gives you defensible grounds to challenge Microsoft's own licence assessment if it differs from yours.
Licence Recovery Actions
Over-licensed positions — where you have paid for more than you use — are recovered through:
- Account deprovisioning: Removing Entra ID accounts for leavers whose licences were not released at offboarding. In enterprises with more than 5,000 users, incomplete offboarding processes typically leave 3–8% of licences assigned to inactive accounts.
- SKU right-sizing: Replacing high-tier licences (E5) with lower-tier entitlements (E3) for user segments that don't use the premium features. This requires usage data from Microsoft 365 Usage Reports — not assumptions about role type.
- Add-on consolidation: Eliminating standalone add-ons (Defender for Endpoint Plan 2, Purview Information Protection) where the underlying user is already entitled to those features through a higher-tier M365 bundle.
- Frontline worker reclassification: Identifying users currently licenced on E3 or E5 who access only Teams and basic collaboration tools — candidates for F1 or F3 reclassification at significantly lower cost.
Documentation Standards
Every reconciliation exercise should produce a documented audit trail:
- Date and methodology of the deployment census
- Data sources used (Entra ID query parameters, reporting tool versions)
- Reconciliation delta by product line
- Remediation actions taken and dates completed
- Sign-off from the responsible IT or Procurement owner
This documentation has dual value: it supports accurate true-up submissions and, in the event of a Microsoft licence compliance audit, it demonstrates systematic good-faith management of the licence estate — which materially improves your position in any audit negotiation.
Tooling for Reconciliation at Scale
The right tooling depends on the size and complexity of your Microsoft estate. There is no universal answer, but there is a clear framework for selecting the right approach:
| Estate Size | Recommended Approach | Key Tools |
|---|---|---|
| Under 2,000 users | Manual with M365 Admin Centre exports | M365 Admin Centre, Entra ID, Excel |
| 2,000–10,000 users | Native Microsoft tools + scripted data extraction | PowerShell, Microsoft Graph API, SCCM/Intune |
| 10,000–50,000 users | SAM tool with Microsoft connector | Snow Software, Flexera, ServiceNow SAM |
| 50,000+ users | Enterprise SAM platform + independent validation | SAM platform + independent advisory review before submission |
One important caution on SAM tooling: Microsoft's own SAM engagement — where Microsoft partners conduct a licence review on your behalf — is not a neutral reconciliation exercise. It is a commercial activity with different incentives from your own. Understanding how Microsoft SAM engagements work before agreeing to one is essential to protecting your position.
Using Reconciliation Data in Negotiation
The most sophisticated enterprises treat their reconciliation programme as a commercial intelligence system, not just a compliance one. Clean, well-documented reconciliation data that shows consistent deployment discipline and accurate reporting creates three negotiation advantages:
- True-up submission confidence: When your submission is backed by verifiable data sources and a documented methodology, you are in a much stronger position if Microsoft's assessment differs from yours — because the burden shifts to them to identify specific discrepancies rather than accepting their figure by default.
- Licence count reduction at renewal: Reconciliation data that shows a genuine reduction in active deployment across specific product lines is the evidence base for negotiating a lower base count in your next EA. Microsoft will resist count reductions without supporting data. Quarterly reconciliation history is that data.
- Overpayment dispute: Where you can demonstrate that you have consistently been paying for licences with zero or negligible deployment, you have a basis for a commercial credit discussion — particularly if you are renewing with significant incremental commitment elsewhere in the estate.
This connection between reconciliation discipline and commercial outcomes is explored in depth in our guide to using true-up data as negotiation leverage.
The Four Reconciliation Failures That Cost Enterprises Most
Across 500+ engagements, the failures that translate directly into unnecessary spend are consistent:
1. Using VLSC Download Data as a Proxy for Deployment
The number of licence keys downloaded from VLSC or products provisioned through admin centre is not the same as the number of active users. Downloads may never have been activated. Provisioned accounts may belong to employees who left before they ever signed in. Using provisioning data as a deployment proxy almost always overstates actual deployment — sometimes by 20% or more.
2. Ignoring the 90-Day Active User Threshold
Microsoft's standard for "active use" in the context of user-based licences is a sign-in event within the past 90 days. Users who have been on extended leave, have moved to a different role without offboarding, or have had accounts preserved for compliance purposes but are no longer active can legitimately be excluded from your deployment count under most EA terms. Not applying this filter adds unnecessary licences to your true-up submission.
3. Reconciling at the SKU Level Without Checking Feature Overlap
Many enterprises pay for both M365 E5 and standalone security add-ons (Defender for Office 365, Purview, Entra ID P2), not realising that E5 already includes those features. Without reconciling at the feature level, you maintain double spend until someone notices. In estates with complex security requirements, we regularly find £200,000–£800,000 in annual add-on spend that E5 entitlements already cover.
4. Not Documenting the Process
An undocumented reconciliation — even if the numbers are correct — provides no protection against Microsoft's own assessment. If you cannot show your working, you cannot challenge their working. Documentation is not optional; it is the difference between a position you can defend and one you cannot.
The Reconciliation Best Practice Summary
Effective Microsoft license reconciliation comes down to six non-negotiable practices: run it quarterly not annually; source deployment data from Entra ID with the 90-day active user filter applied; maintain a complete entitlement register updated after every EA amendment; reconcile at the feature level not just the SKU level; document every step with data-source provenance; and connect the output to your EA negotiation strategy — not just your true-up submission.
Enterprises that do this consistently do not experience true-up surprises. They walk into their annual submission with a pre-validated position, they negotiate renewals from a position of documented cost discipline, and they recover over-licensing systematically rather than discovering it years later. The enterprises that do not do this pay for it — reliably, predictably, and entirely avoidably.
For the specific mechanics of what happens when your reconciliation reveals under-licensing, see our guide to disputing Microsoft true-up assessments. For the broader compliance framework, the True-Up & Compliance Defence service page sets out how we work with enterprises to build and maintain ongoing licence governance programmes.