CALs and how they are counted

Published October 5, 2025 · Updated December 4, 2025 · Track: End customer · Reading: 12 minutes · Level: Foundational

Client Access Licenses sit behind a large share of every Microsoft server audit finding, and they are counted in ways that surprise most buyers. Understand user CALs, device CALs, and the External Connector, and you remove one of the most common sources of exposure before it appears.

When a Microsoft audit lands on a server estate, the first thing many buyers picture is the server licenses themselves. In practice the larger and messier part of the finding is often the Client Access Licenses. A CAL is the licence that grants a user or a device the right to access a licensed server such as Windows Server, SQL Server in its server plus CAL model, Exchange, or SharePoint. The server is licensed, and then every user or device that touches it must also be licensed. Auditors know this is where estates drift, and they count CALs carefully.

This article explains how CALs are actually counted, where the rules trip people up, and how to build a clean CAL position before anyone else builds one for you. It pairs with the Effective License Position guide, which sets out the full reconciliation an auditor will run against your estate.

The two flavours: user CALs and device CALs

There are two ways to license access, and you choose per product, not per person. A user CAL covers one named user across all the devices they use. A device CAL covers one device used by any number of people. The two are not interchangeable inside a single counting exercise, and mixing them carelessly is one of the quickest ways to misstate your position.

  • User CALs suit a workforce where each person uses several devices (a laptop, a phone, a desktop), because one CAL covers all of them
  • Device CALs suit shared devices used by many people, such as a shift floor terminal, a clinical workstation, or a call centre seat run in rotation
  • You can hold a mix across an estate, but for any given product and access scenario the model has to be chosen and counted consistently

A CAL licenses access, not installation. The software may sit on one server, but every user or device that reaches it has to be covered.

The reason the choice matters in an audit is arithmetic. An estate with many shared devices and a large headcount can be far cheaper on device CALs, and an estate with mobile staff on multiple devices can be far cheaper on user CALs. Auditors do not pick the cheaper model for you. They count what you hold against what you use, and any mismatch between the model you bought and the way you actually work shows up as either exposure or wasted spend.

How the count is actually built

The principle sounds simple: every user or device that accesses the server needs a CAL. The difficulty is defining access. Access does not mean an active session at the moment of counting. It means the right to access, which usually maps to the population that could reach the server, not just those who did on a given day. That distinction is where findings grow.

A directory with ten thousand enabled accounts will often be read as ten thousand potential users of a domain joined server, even if only a fraction log in regularly. Service accounts, accounts that should have been disabled but were left enabled, contractors, and dormant identities all inflate the apparent population. Building a defensible CAL count means reconciling the raw directory against the population that genuinely has access rights, and being able to evidence the difference.

Counting input | What the auditor sees | What a clean count shows
Directory accounts | Every enabled account as a potential user | Active users with genuine access rights
Service accounts | Counted as users unless excluded | Identified and removed from the user population
Shared devices | Each device plus each user | Device CALs where rotation makes them cheaper
External users | Counted as CALs or flagged as a gap | Covered by an External Connector where it fits

The External Connector, the piece people forget

When external users, customers, partners, or anonymous web visitors access a licensed server, buying a CAL for each of them is rarely practical. Microsoft provides the External Connector for this, a per server licence that covers all external users of that server instead of one CAL each. The trap is in two directions. Estates that serve external users without an External Connector and without per user CALs carry a real gap. Estates that bought External Connectors they no longer need, or that could cover their external access more cheaply, waste margin.

An auditor will look hard at any server exposed to people outside the organisation and ask how that access is licensed. Knowing in advance which servers face external users, and whether an External Connector or a CAL count is the right answer for each, closes a question that otherwise becomes a finding.

Where CAL counts go wrong

Most CAL exposure comes from a short list of recurring mistakes rather than from deliberate under licensing. Knowing them lets you check your own estate against the same list an auditor will use.

  • Counting the wrong population, treating every directory account as a user without removing service and dormant accounts
  • Holding device CALs for a mobile workforce, or user CALs for a shared device floor, so the model fights the way work happens
  • Missing the External Connector on servers that face customers or partners
  • Version mismatch, where CALs are an older version than the server they access, since a CAL must be the same version or newer
  • Forgetting that some workloads need a specific CAL suite or additive CAL on top of the base CAL

The version point deserves emphasis because it is silent. A CAL must match or exceed the version of the server it accesses. Upgrade the server and the old CALs no longer cover it. An estate that upgraded its servers but not its CALs can look fully licensed on a headcount basis and still carry a real shortfall on version alone.

Build your CAL position before Microsoft does

The defensive move with CALs is the same as with the rest of the estate. Build the number yourself, on accurate data, before anyone hands you theirs. That means reconciling the real user and device populations, choosing the right model per product, mapping external access to External Connectors where they fit, and checking every CAL version against the servers it covers. Done well, this often reveals that an estate is closer to compliant than a raw directory count suggests, and sometimes that it is over licensed and paying for CALs it does not need.

CALs are detailed work, and they reward it. A clean CAL position removes one of the largest and most error prone parts of a server audit finding, and it does so quietly, before the finding exists. To see how the CAL count fits the wider reconciliation an auditor runs, and how an Effective License Position is assembled and defended, download the guide below.

If the timeline is already running, we take over the process through our Microsoft audit defense engagement.

CALs are where server findings grow. Get the full guide.

Download the Effective License Position guide to see how CAL counts fold into the reconciliation an auditor runs, and how to build a defensible position first.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.