One of the hardest things for a buyer to absorb in a Microsoft audit is that the strongest evidence against them is their own. Microsoft uses its own counting methodology and its own data, much of it drawn from your Azure tenancy, your Microsoft 365 estate, and the management tooling that watches both. That telemetry feeds directly into the Effective License Position. It is granular, time stamped, and hard to wave away. But it is not the same thing as entitlement, and it is not always right. Understanding how telemetry becomes an ELP line is the first step to defending the lines that are wrong.
Why Microsoft leans on telemetry
Telemetry has one quality that makes it central to a modern audit: it is observed rather than self reported. Where an older audit depended on what a customer disclosed, Azure and Microsoft 365 generate a continuous record of what was actually provisioned, signed in, and run. In 2026 Microsoft also uses AI anomaly detection over this licensing and usage telemetry to select audit targets, flagging usage spikes, entitlement mismatches, and Azure Arc telemetry that reveals servers Microsoft did not know were there. By the time an audit opens, the data already points at the areas of interest.
How telemetry enters the ELP
The ELP reconciles deployment against entitlement. Telemetry feeds the deployment side. Azure activity establishes which services and instances were provisioned and active. Microsoft 365 sign in and assignment data establishes which users consumed which products. Management and inventory tooling, including signals surfaced through Azure Arc, extends that visibility to servers and workloads outside the cloud tenancy. Each of these becomes a measured quantity of use that the ELP sets against your entitlement. Where measured use exceeds credited entitlement, the ELP shows a shortfall, and that shortfall drives the 5 percent clause and everything after it.
Where telemetry misreads an estate
Telemetry is powerful precisely because it counts everything, and that is also its weakness. It counts activity without understanding context, and context is where entitlement lives. The recurring misreads are consistent across estates:
- Active signals from non production, test, or temporary environments counted as production use
- A workload counted in two places because it appears in both cloud and inventory telemetry
- Sign in activity attributed to a product the user was not actually licensed against or did not truly consume
- Passive or failover instances read as active because they emitted a signal
- Entitlement and rights that the telemetry simply cannot see, because telemetry measures use and not your agreements
None of these are exotic. They are the ordinary friction between a measurement system that observes activity and a licensing world that is governed by contracts, rights, and intent. Every one of them moves the ELP against the customer, and every one is contestable with the customer's own records.
A worked illustration
The figures below are indicative and chosen only to show how a telemetry misread moves the ELP, not to quote any real outcome. Picture one product counted from raw telemetry and then corrected.
| Measure | Raw telemetry | Reconciled |
|---|---|---|
| Active instances observed | 1,000 | 1,000 |
| Test and non production removed | 0 | 120 |
| Double counted across sources | 0 | 60 |
| Chargeable use | 1,000 | 820 |
| Effect on shortfall | maximized | reduced to the real position |
Indicative illustration of how reconciliation corrects raw telemetry, not a quoted outcome.
How to contest a telemetry driven ELP
You do not argue with telemetry by denying it. You argue by giving it context it lacks. The defense is to reconcile the observed activity against your own authoritative records: what is production versus test, which instances are the same workload seen twice, which sign ins reflect genuine licensed consumption, and which entitlements and rights the telemetry never captured. A SAM tool ELP alone will not do this for you, because Microsoft's calculation governs and a clean internal number that Microsoft's data contradicts simply loses. The reconciliation has to meet Microsoft's telemetry on its own terms and correct it line by line.
For the wider picture of how this data is turned against you, see how auditors use your own cloud data against you, and for the full inventory of inputs behind a position, read the data sources behind an ELP. Both sit under the pillar guide.
The next step
Because Microsoft's telemetry arrives detailed and confident, the only effective answer is a reconciliation that is equally detailed and built before the audit hardens. The Effective License Position Guide covers how telemetry feeds the ELP and how to reconcile it against your own records so the count reflects your real position, not raw activity.
Your telemetry is the evidence. Reconcile it first.
Download the Effective License Position Guide to see how Azure and Microsoft 365 telemetry enters the ELP and how to correct what it misreads.
Download the Effective License Position guideWhen the exposure is real, our ELP exposure modeling service builds your own defensible position first.