Microsoft licensing governance is the set of policies, processes, and controls that determine how your organisation acquires, deploys, manages, and retires Microsoft licences — and who is authorised to make decisions at each stage. Without governance, licence spend grows without accountability, audit exposure accumulates undetected, and the organisation arrives at EA renewal without the data needed to negotiate from a position of strength.

The problem with most Microsoft licensing governance frameworks is that they are designed by compliance teams as compliance instruments. They define what is permitted, establish reporting requirements, and set penalties for violations. They do not address the commercial dimension of licensing governance: ensuring that every licence acquired creates business value proportionate to its cost, and that the licensing programme is actively managed to reduce cost over time rather than simply remain compliant.

Effective Microsoft licensing governance is both a compliance framework and a commercial management discipline. This article covers both dimensions: the policies and controls that manage compliance risk, and the processes that make the framework commercially productive.

41% of Microsoft licensing overspend is attributable to governance failures — unauthorised procurement, unapproved product expansion, and unmanaged licence sprawl — across our client portfolio.

The Three Root Causes of Microsoft Governance Failure

Before building a governance framework, it is useful to understand why most organisations' Microsoft governance is inadequate. The problems are usually structural rather than attitudinal, and they recur predictably across different industry sectors and organisation sizes.

Fragmented Ownership

IT owns the technical deployment. Procurement owns the commercial agreements. Finance controls the budget. Business units request new capabilities. Legal reviews the contracts. No single function owns the Microsoft licensing programme end-to-end, which means decisions are made in silos without anyone tracking their cumulative effect on the overall licence position and cost.

The result is characteristic: IT deploys a product for a business unit that has not been included in the EA scope; procurement renews the EA without knowing what IT has deployed; finance approves the invoice without knowing whether the licence count is right-sized; and no one connects the dots between deployment decisions and commercial commitments until an audit or renewal forces the issue.

Decision-Making Without Licensing Context

The people who make licensing decisions — IT architects, department heads, project managers — typically do not have deep Microsoft licensing knowledge. They make choices about product deployment, user provisioning, and infrastructure configuration without understanding the licensing implications. A decision to deploy SQL Server on a VMware cluster without understanding core factor table rules creates unlicensed use. A decision to enable a Power Apps capability included in M365 E3 without understanding the seating requirements creates unexpected true-up obligations.

Governance cannot require everyone who makes technology decisions to become a licensing expert. It must create the checkpoints and approval processes that ensure licensing implications are considered before deployment decisions are finalised.

Reactive Rather Than Continuous Management

Most organisations' Microsoft licensing activity concentrates around two annual events: the true-up and the EA renewal. Between these events, licences are provisioned without tracking, products are deployed without authorisation checks, and Azure consumption drifts without review. The burst of activity at true-up and renewal is then consumed by catching up on what happened during the year, rather than managing the commercial outcome proactively.

Governance that operates continuously — with regular reporting, defined approval thresholds, and monthly licence position reviews — prevents the accumulation of unmanaged exposure that makes true-up and renewal so stressful and commercially suboptimal.

The Governance Framework: Six Core Policies

Policy 1

Licence Acquisition Authority

This policy defines who is authorised to acquire Microsoft licences and under what conditions. The absence of this policy is the single most common cause of licence sprawl in enterprise Microsoft estates.

The policy should define: which procurement channels are authorised (EA/VLSC only, or CSP/retail permitted under defined conditions); what approval is required before a new licence type is added to the EA scope; and what the maximum self-service provisioning threshold is for existing subscription licences before procurement approval is required.

  • All new Microsoft product additions must be reviewed against the EA entitlement to determine if the product is already included
  • Purchases outside the EA require procurement and licensing owner approval regardless of cost
  • Azure consumption commitments (MACC increases) require finance and licensing owner approval
  • CSP/direct purchases by business units are explicitly prohibited without central approval

Policy 2

Licence Provisioning Standards

This policy defines how licences are provisioned to users and devices, and what controls exist to prevent over-provisioning. In M365 environments, the primary risk is default provisioning of high-value SKUs (E3 or E5) to all new users without consideration of whether the full entitlement set is required.

The policy should define: the standard licence assignment for each user population segment; the approval process for assigning licences above the population standard; and the automated de-provisioning rules that apply when users become inactive, change role, or leave the organisation.

Automated de-provisioning is the most cost-effective provision of this policy. Every user who leaves the organisation with an M365 E5 licence still assigned represents £38/month of avoidable cost. At scale, the annual impact is significant. Systematic licence harvesting should be a defined governance process, not an occasional clean-up exercise.

Policy 3

Deployment Compliance Review

This policy establishes the checkpoints at which deployment decisions are reviewed against licensing requirements before implementation. The key trigger events that require a compliance review are:

  • Any new server software deployment (SQL Server, Windows Server, SharePoint Server) — requires core count verification and virtualisation licensing review before deployment
  • Any change to virtualisation environment (VMware cluster expansion, Hyper-V reconfiguration) — may affect SQL Server and Windows Server core count calculations
  • Any change to data centre or hosting arrangements — may affect Software Assurance licence mobility eligibility
  • Any developer environment setup that could inadvertently use production-licensed software
  • Any BYOD or external user scenario using Microsoft products — may require additional CALs or external connector licences

The compliance review does not require a full licensing analysis for every deployment — it requires a structured checklist process that identifies scenarios where specialist review is needed before the deployment proceeds.

Policy 4

Microsoft Relationship and Communications Management

This policy defines how the organisation manages its interactions with Microsoft's account team and partner ecosystem. Without this policy, Microsoft account teams develop informal relationships with technical stakeholders who may disclose commercially sensitive information without understanding its implications.

The policy should define: who is authorised to discuss commercial terms with Microsoft (typically procurement and the licensing owner only); what information is approved for disclosure to Microsoft account teams without prior review; what approval is required before accepting any Microsoft commercial proposal; and how Microsoft-initiated commercial requests are routed and responded to.

This policy directly supports the strategic vendor relationship management framework. It converts vendor management from an individual practice to an organisational discipline.

Policy 5

True-Up Management Process

This policy defines how the annual true-up is managed: who owns the process, how the licence position is compiled, what verification steps apply before submission, and what commercial review occurs before any incremental licences are accepted and paid.

Key elements of the policy:

  • The licence position must be compiled from internal discovery data, not solely from Microsoft's telemetry or LSP reports
  • Any discrepancy between internal count and Microsoft's count must be resolved before submission, not accepted and paid
  • Incremental true-up counts above a defined threshold (e.g., 10% of committed count) trigger commercial review and, where appropriate, negotiation
  • True-up submissions must be reviewed and approved by the licensing owner and procurement before transmission to Microsoft
  • All true-up communications and agreed positions are documented in writing

Policy 6

EA Renewal Governance

This policy defines the governance structure for the EA renewal process — arguably the most commercially significant event in the organisation's Microsoft relationship. The EA renewal typically involves multiple stakeholders (IT, procurement, finance, legal) with different interests and limited coordination, which is why most enterprises achieve sub-optimal renewal outcomes.

The policy should define: the renewal start date (minimum 12 months before expiry); the internal approval authority for the new agreement; the role of independent advisors in the renewal process; the information the renewal team must assemble before entering negotiation; and the commercial approval thresholds at each stage of the negotiation.

The most important element of renewal governance is the 12-month start trigger. See our EA renewal preparation guide for the full programme structure. Organisations that begin their renewal process less than 6 months before expiry consistently achieve worse commercial outcomes than those that start 12–18 months out.

The Governance Operating Calendar

Policies without a maintenance calendar become paper documents. Effective Microsoft licensing governance requires a structured annual operating calendar that makes governance activities routine rather than reactive.

| Cadence | Activity | Owner | Output |
|---|---|---|---|
| Monthly | M365 licence usage review — inactive assignments, provisioning queue, new user additions | IT / Licensing Owner | Harvesting actions; updated licence position |
| Monthly | Azure cost review — consumption vs MACC burn rate, AHUB application, savings plan coverage | Cloud/FinOps Team | Optimisation actions; updated forecast vs commitment |
| Quarterly | Licence position reconciliation — entitlements vs deployments across all product areas | Licensing Owner | Gap and waste report; commercial actions |
| Quarterly | Microsoft relationship review — commercial issues, outstanding commitments, intelligence gathered | Licensing Owner + Procurement | Relationship management actions; intelligence log update |
| Annual (pre-true-up) | True-up preparation — full licence position, verification against Microsoft's count, commercial position | Licensing Owner + Procurement | True-up submission and negotiation position |
| Annual (12+ months pre-renewal) | Renewal programme initiation — policy trigger, team assembly, intelligence gathering start | Licensing Owner + Procurement + Finance | Renewal programme plan; independent advisor engagement |
| Annual | Policy review — governance framework currency, licensing rule changes, policy effectiveness assessment | Licensing Owner | Updated governance framework; training plan |

Governance Ownership: Who Should Own Microsoft Licensing

The governance framework described above requires a defined owner. The licensing owner role is not IT, not procurement, and not finance — although it works in close coordination with all three. It is a distinct function that requires both technical licensing knowledge and commercial acumen.

In most organisations above £2 million annual Microsoft spend, the licensing owner should be a dedicated role (or a significant portion of a senior person's time) rather than a secondary responsibility of the IT manager or procurement director. The licensing owner's primary accountability is the cost and compliance performance of the Microsoft estate.

The responsibilities that must be clearly owned are:

  • Maintaining the entitlement repository and licence position accuracy
  • Operating the deployment compliance review checkpoints
  • Managing the Microsoft account team relationship commercially
  • Owning the true-up management process
  • Leading the EA renewal programme (or coordinating with independent advisors who lead it)
  • Reporting licensing cost and compliance performance to senior stakeholders quarterly

The Split Ownership Problem

The most common governance failure we encounter in client engagements is split ownership between IT (who own the technical deployment) and procurement (who own the commercial agreements), with neither party having visibility of the other's activities. IT deploys products outside the EA scope; procurement renews agreements without knowing what is deployed. The licensing owner role exists precisely to bridge this gap — and without it, both the compliance and commercial performance of the Microsoft estate will remain suboptimal regardless of how many policies are written.

Governance Maturity: Where to Start

Most organisations cannot implement all six policies and the full operating calendar simultaneously. The practical question is where to start to achieve the best initial return on governance investment.

The highest-return first steps are typically:

  1. Establish the licensing owner role — one person with clear accountability for the Microsoft licensing programme, even if part-time. Without ownership, nothing else works.
  2. Implement the acquisition authority policy — prevent new licence sprawl immediately by establishing that all Microsoft product additions require central approval. This prevents the accumulation of new governance failures while the programme catches up on historical ones.
  3. Start monthly M365 usage reviews and licence harvesting — this generates immediate cost savings that fund further governance investment and creates the data foundation for the broader licence position picture.
  4. Establish the true-up management process — ensure the next annual true-up is managed with internal data and commercial review rather than simply accepted as submitted. This is where most organisations first recover significant cost from governance investment.

The Microsoft SAM programme guide provides the technical tooling and process complement to this governance framework. The two should be designed together: governance defines the policies and decision rights; the SAM programme provides the data and operational processes that make governance work in practice.