SAM Is Not an Audit — But It Can Become One
When Microsoft's account team proposes a Software Asset Management engagement, the framing is invariably helpful: a complimentary review of your licence estate, a chance to identify optimisation opportunities, a partnership exercise. The word "audit" is never used. The request appears voluntary. The materials Microsoft provides are branded as advisory services, not compliance enforcement.
This framing is accurate — to a point. A SAM engagement is not, contractually, a formal licence compliance audit under your EA terms. Microsoft does not have the right to compel your participation, and SAM does not carry the same formal notice requirements or third-party auditor qualification rules that apply to a formal audit. You can decline a SAM engagement without legal consequence.
What the helpful framing does not communicate is that SAM engagements are data collection exercises. The outputs of a SAM engagement — particularly the inventory analysis and licence position report — are available to Microsoft's account team and, in some circumstances, can inform the basis for a formal audit request if the data reveals significant non-compliance. Enterprises that participate in SAM without preparation, provide unrestricted access to software inventory tools, and accept Microsoft's SAM partner's assessment without independent verification regularly find themselves in worse commercial positions after the engagement than before.
This guide explains what a SAM engagement actually involves, how to respond to one, what data to provide and what to withhold, and how to manage the transition from SAM to formal audit if Microsoft escalates.
Why Microsoft Initiates SAM Engagements
SAM engagements are not random. They are targeted based on specific signals that Microsoft's account teams monitor. Understanding these triggers helps you assess whether a SAM proposal is genuinely advisory or a precursor to escalation.
Revenue Opportunity Identification
The most common SAM trigger is upsell potential. Microsoft's telemetry — gathered from cloud services, Entra ID, Microsoft 365 admin centre data, and usage reporting from EA-enrolled devices — can identify situations where your installed software footprint exceeds your licensed position, or where workloads running in Azure appear inconsistent with your EA coverage. A SAM engagement in this context is a structured way to surface and capture that revenue.
Renewal Preparation
SAM proposals frequently arrive 12–18 months before an EA renewal. The commercial logic is straightforward: a SAM engagement establishes a clean licence baseline before renewal negotiations begin, ensuring Microsoft has current data on your estate. For you, this timing carries significant risk — any shortfalls identified in the SAM engagement become known facts in the renewal negotiation, eliminating the ambiguity you might otherwise preserve.
Telemetry Anomalies
Microsoft's cloud-connected products generate significant usage telemetry. If your cloud service consumption patterns suggest on-premises deployments that are not reflected in your true-up submissions — for example, Azure Arc connected servers, Hybrid Use Benefit claims inconsistent with your SA coverage, or SQL Server deployments visible through Azure telemetry — a SAM engagement may be initiated to investigate. This is the highest-risk SAM scenario, because it suggests Microsoft already has evidence of non-compliance before the engagement begins.
Post-M&A Integration
Mergers, acquisitions, and entity restructuring are consistent SAM triggers. When your organisation's structure changes — particularly when you acquire entities with separate Microsoft agreements — Microsoft's account team may propose a SAM engagement to "consolidate" the licence picture. These engagements carry particular risk because acquired entities often have legacy installations that were never properly licensed under an EA framework.
The SAM Engagement Process: What Actually Happens
Microsoft typically delivers SAM engagements through authorised SAM partners — third-party organisations that Microsoft has certified to conduct inventory assessments and produce licence position reports. The engagement follows a consistent process across four phases.
Phase 1: Scope Definition
Microsoft or the SAM partner proposes an engagement scope covering specific product families, geographies, or entity types. The scope document is important: anything outside the defined scope cannot be collected or assessed during the engagement. Narrow the scope aggressively before agreeing to participate. Limit scope to your primary EA products and exclude server products, legacy installations, and acquired entities unless you are fully confident in your compliance position for those categories.
Phase 2: Inventory Collection
The SAM partner deploys software inventory tools — typically Microsoft MAP Toolkit or a third-party equivalent — across your environment to collect installation data. This is where most enterprises make their critical error: they provide the SAM partner with unrestricted administrative access to their environment, resulting in a comprehensive inventory that captures far more than the defined scope.
Restrict inventory tool access to the agreed scope. Do not provide domain administrator credentials to SAM partners. Deploy the inventory tool in a controlled manner, using your own IT team, and review the data collected before it is transferred to the SAM partner. You have the right to review and agree the inventory dataset before analysis proceeds.
Phase 3: Licence Position Analysis
The SAM partner compares your software inventory against your documented licence entitlements — your EA order forms, licence confirmation documents, and any additional licences purchased outside the EA. This comparison produces an Effective Licence Position (ELP) report showing your licence position as either a surplus or a shortfall for each product in scope.
ELP reports are not automatically accurate. SAM partners frequently apply conservative interpretations of licensing rules — using the most restrictive product use rights interpretation rather than the most permissive one. Before accepting an ELP, have it independently reviewed by a Microsoft licensing specialist who represents your interests, not Microsoft's.
Phase 4: Recommendation and Remediation
If the ELP identifies shortfalls, the SAM partner will propose remediation options — typically purchasing additional licences or adjusting your EA at the next true-up. Accept nothing at this stage without independent verification of the ELP findings and an assessment of whether formal audit action is probable. If the shortfall involves low-value or easily remediable gaps, prompt remediation may be appropriate. If it involves significant server-side licence shortfalls or SQL Server coverage gaps, independent legal and commercial advice is warranted before any remediation agreement.
Participation Strategy: The Four-Option Framework
When Microsoft proposes a SAM engagement, you have four strategic options. The right choice depends on your confidence in your licence position, the timing relative to your EA renewal, and what you know about why the SAM was proposed.
| Option | When Appropriate | Key Risk | Commercial Impact |
|---|---|---|---|
| Full Participation | High confidence in licence position; SAM is genuinely advisory | Scope creep; conservative ELP interpretation | Opportunity to confirm compliant position; renewal credential |
| Scoped Participation | Moderate confidence; specific product areas of concern | Microsoft may view restricted scope as evasion signal | Limits data exposure; requires active scope management |
| Deferred Participation | Renewal >18 months away; remediation underway internally | Microsoft may escalate to formal audit if deferral reads as avoidance | Creates time to remediate before data is collected |
| Declined | High non-compliance risk; SAM appears to be audit precursor | May accelerate formal audit initiation; signals awareness of issues | Preserves legal position; avoids voluntary disclosure of shortfalls |
In practice, most enterprises should choose Scoped Participation — engaging with Microsoft's SAM proposal but actively managing scope, data access, and ELP review. Declining outright is appropriate only where independent legal advice recommends it, typically in situations involving significant known non-compliance.
What Data to Provide and What to Withhold
The single most important decision in any SAM engagement is what data to allow the SAM partner to collect. The inventory phase sets the entire scope of the engagement — you cannot un-collect data once it has been extracted and delivered to the SAM partner.
Data You Should Provide
- Installation data for products within the agreed engagement scope.
- Licence entitlement documentation: EA order forms, licence confirmation documents, volume licence certificates.
- True-up submission history for the current EA term.
- SA coverage documentation for Software Assurance benefits you are claiming.
Data You Should Control Carefully
Server-side installation data — particularly SQL Server, Windows Server, and any on-premises server products — should be collected by your own IT team and reviewed before delivery. These product families have complex licensing rules (per-core, CAL, virtualisation coverage) that SAM partners frequently misinterpret, and conservative interpretations of server licensing can produce large apparent shortfalls from ambiguous configurations.
Azure Arc connectivity data, Azure Hybrid Use Benefit claims, and any installation data for products not included in your EA should be explicitly excluded from the inventory tool deployment scope.
Data You Should Not Provide
- Software installed on personally-owned devices.
- Software installed by acquired entities that have not yet been integrated into your EA.
- Trial or evaluation software where the licence terms are separate from your EA.
- Configuration data for products where you are uncertain about your licensing position — identify and resolve that uncertainty before the inventory is collected.
When SAM Escalates to Formal Audit
The transition from SAM engagement to formal audit is not automatic, but it is a documented Microsoft process. If a SAM engagement produces an ELP with material shortfalls — particularly in high-value product categories — Microsoft's account team may initiate a formal compliance review using the audit rights in your EA.
Formal audits under EA terms require written notice, typically 30 days. The auditor must be a qualified third party (not the SAM partner). Audits can occur no more than once per 12-month period. These rights are contractual — enforce them.
If you receive formal audit notice following a SAM engagement, do not treat it as a continuation of the SAM process. A formal audit has a different legal character, different data requirements, and different settlement implications. Our formal audit response guide covers the complete four-step response process, settlement framework, and prevention governance.
In one documented 2025 case, an enterprise participated in a SAM engagement without scope restriction, provided domain admin credentials to the SAM partner, and accepted the ELP without independent review. The ELP identified a SQL Server shortfall valued at £1.4M. Microsoft subsequently initiated a formal audit using the SAM data as the basis for its compliance position. The enterprise had no independent record of what data had been collected and could not contest the ELP's methodology. Settlement required £890K in remediation licence purchases and a restructured EA at unfavourable terms.
Prevention: The Governance Approach That Makes SAM Manageable
The most effective SAM engagement strategy is to maintain a current, accurate, independently-held Effective Licence Position at all times. Enterprises that know their own licence position — and can document it with clean data — approach SAM engagements from a position of strength. They can participate confidently, correct SAM partner misinterpretations with their own data, and use the engagement as a governance validation exercise rather than an exposure event.
The True-Up and Compliance pillar guide covers the quarterly governance framework — monthly 15-minute checks, quarterly 2-hour reconciliation sessions, and the six-week pre-true-up sprint — that maintains this position. Organisations with mature licence governance rarely face material SAM surprises because they have already identified and remediated their own shortfalls before Microsoft can surface them.
If your current governance is not at this maturity level, read our 2026 true-up preparation guide for the immediate remediation steps that establish a defensible licence position before engaging with any Microsoft SAM proposal.
1. Do not accept or decline before conducting an internal licence position assessment.
2. Obtain independent advice on your current ELP before any inventory tool is deployed.
3. Negotiate the engagement scope in writing — product families, geographies, and entity coverage.
4. Deploy inventory tools via your own IT team, not via SAM partner-controlled access.
5. Review the inventory data set before it is delivered to the SAM partner.
6. Have the final ELP reviewed by an independent Microsoft licensing specialist before accepting any findings.
7. Do not sign any remediation agreement without understanding the audit escalation risk of the identified shortfalls.