The point in two sentences. For Subscriber Access License products, daily authentication and access logs are the primary evidence of who actually used the software each month. Capturing and sealing them is the difference between a defensible SAL count and an auditor's capacity estimate that reads high.
Why authentication is the SAL truth
A Subscriber Access License is counted per user or device with access to the product in the month. The cleanest evidence of access is authentication, the record that a given user or device actually signed in and used the workload. Provisioning shows who could have access. Authentication shows who did. In a SPLA audit that distinction is money, because capacity and provisioning counts include suspended, dormant, and administrative accounts that authentication logs let you properly exclude.
What the auditor uses if you do not have logs
Where authentication evidence is missing, the auditor falls back to whatever count is available, usually provisioning or infrastructure capacity. That count is almost always higher than real licensed use, because it cannot tell active users from inactive ones. Without your own daily authentication evidence, the auditor's high count stands by default. With it, you can reconstruct the real SAL figure month by month.
What good authentication evidence looks like
- Daily counts, not just monthly totals, so a month can be reconstructed and spot checked against any single day.
- Per product and per tenant granularity, so each reported SAL block maps to the customer it belongs to.
- Identification of administrative and service accounts, so they can be excluded where the use rights allow.
- Sealed and timestamped records, so the count cannot be altered after the fact and the auditor can rely on it.
- Retention across the full 36 month lookback, so every month in scope has its own evidence.
A worked example of the difference
| Source | Counted SAL | What it includes |
|---|---|---|
| Provisioning capacity | 1,000 | All accounts ever created, active or not |
| Sealed daily authentication | 760 | Accounts that actually authenticated in the month |
The figures are indicative, but the shape is typical. Roughly a quarter of a provisioning count can be inactive or administrative. Across 36 months, sealed authentication evidence is often the single largest correction in a SPLA reconstruction.
Building authentication capture into operations
The strongest position is to capture and seal daily authentication counts as a routine part of monthly close, not as a response to an audit. That means an automated daily export per product per tenant, a seal applied at capture, and retention that matches the lookback. Done routinely, it turns every month into a self proving record. Done in a crisis, it can only ever cover the months still within reach of your live systems.
How it feeds the audit defense
Sealed authentication evidence does two things in an audit. It sets the accurate base for back fees, which follow the reconstructed consumption and are not negotiable, so accuracy there is permanent value. And it stands as good faith evidence of disciplined reporting, which is exactly what argues the negotiable uplift of 25 to 125 percent down. Authentication discipline is therefore both a compliance control and a negotiation asset.
What to do next
If your SAL evidence today is provisioning rather than authentication, that gap is worth closing before any notice arrives. The full guide sets out the capture, sealing, and retention practices that make a SAL count audit ready.
If an auditor is already asking questions, our SPLA audit defense service manages the Big Four auditor on your behalf.