Microsoft 365 licensing mechanics

Published September 11, 2025 · Updated February 26, 2026 · Track: End customer · Reading: 12 minutes · Level: Foundational

Microsoft 365 looks simple because licences are assigned per user in the admin centre. The mechanics underneath are where audit exposure builds: add ons, shared mailboxes, security suites, and the gap between licences assigned and licences actually consumed. Understand the model and you control the count.

Microsoft 365 feels like the easy part of the estate. Every licence is a subscription, every subscription is assigned to a named user in the admin centre, and the portal shows you exactly how many of each plan you hold. Compared with counting cores on a server or reconciling Client Access Licenses, it looks clean. That cleanliness is also why it is underestimated. The per user model is simple to read and surprisingly easy to misapply, and in 2026 Microsoft has rich telemetry on exactly how every assigned licence is being used.

This article sets out how Microsoft 365 licensing actually works, where the count quietly diverges from what you think you hold, and how to build a defensible position before that telemetry is read against you. It pairs with the Effective License Position guide, which shows how the cloud picture and the on premises picture combine into the single position an auditor reconciles.

The unit is the assigned user, not the active user

The foundation of Microsoft 365 licensing is the per user subscription. A plan such as a Microsoft 365 E3 or E5, or a Business Premium, is assigned to one named user, and that assignment grants that user the rights in the plan across their devices. You need one subscription per user who needs the service, full stop. The complication is not the rule. It is the difference between licences assigned, licences required, and licences consumed, three numbers that are rarely the same.

  • Licences assigned is what your admin centre shows, the count you are paying for
  • Licences required is the number of users who genuinely need the service and its rights
  • Licences consumed is what the telemetry shows people actually using, feature by feature

In Microsoft 365 the risk is rarely a missing licence. It is a licence assigned to the wrong plan, or a workload used beyond what the plan grants.

Pure under licensing, a user with no subscription at all, is uncommon in a tenant because the service simply stops working without an assignment. The exposure in Microsoft 365 is subtler. It comes from users sitting on a plan that does not cover the features they use, from add ons that should have been bought, and from access paths that put unlicensed identities onto licensed services. Microsoft can see all of this, because the service runs on its own infrastructure and reports usage back to it.

Plans, add ons, and the suites underneath

A Microsoft 365 plan is a bundle, and the bundle boundary is where most quiet exposure sits. A base plan grants a defined set of services and capabilities. Step beyond that set, into advanced security, advanced compliance, telephony, analytics, or certain management features, and you are either inside a higher tier plan or you need a specific add on. Using the capability without the entitlement is a gap, and it is one the telemetry surfaces cleanly because feature usage is logged against the user.

Scenario | What it looks like | The exposure
Feature beyond the plan | Users on a base plan using advanced security or compliance | Needs a higher tier or a specific add on
Add on not assigned | A capability switched on tenant wide without per user add ons | Each user of the capability needs the add on
Mixed estate | Some users on E3, some on E5, capability assumed for all | E5 features used by E3 users are unlicensed
Over assignment | Premium plans assigned to users who do not need them | No compliance risk, but wasted margin

This table cuts both ways, which is the point. The same review that finds users consuming features above their plan also finds users holding plans far richer than they use. A clean Microsoft 365 position protects you from a finding and almost always recovers spend at the same time, because the per user model makes over assignment easy and invisible.

Shared mailboxes, service accounts, and access paths

A recurring source of confusion is the shared mailbox. A shared mailbox does not need its own licence as long as it stays within its size limit and is accessed by users who are themselves licensed. Cross either line, grow the mailbox beyond the limit or have an unlicensed identity log into it directly, and a licence is required. Estates accumulate shared mailboxes over years, and the conditions that kept them licence free can drift without anyone noticing.

The same care applies to service accounts, automation identities, and any path where a system rather than a person touches a Microsoft 365 service. Each needs to be checked against how it is actually used and whether the way it is licensed still matches. These are not exotic edge cases. They are the everyday plumbing of a tenant, and they are exactly where a careful auditor looks once the headline plan counts reconcile.

Why Microsoft sees more than you think

The decisive difference between Microsoft 365 and a traditional on premises product is visibility. The service runs on Microsoft's own infrastructure, so usage data does not have to be discovered through an audit tool. It is already there. Feature usage, active users, sign in patterns, and add on consumption are all measured. In 2026 Microsoft applies anomaly detection across this telemetry to flag mismatches between what an organisation holds and what it uses, and those mismatches are part of how audit targets are chosen.

This is why a SAM tool report is not a defence on its own. A tool reads your view of the tenant. Microsoft reads its own, and its calculation governs. Building a Microsoft 365 position that holds up means reconciling against the same usage reality Microsoft can see, not against an assignment list that looks tidy in the portal.

Build the position the way Microsoft will read it

A defensible Microsoft 365 position starts from usage, not from the licence list. Pull the actual feature consumption per user, match it to the plan and add ons each user genuinely needs, find the users consuming above their plan and the users holding far more than they use, and clean up the shared mailbox and service account paths. Done properly this produces two outcomes at once: the gaps that could become a finding are closed, and the over assignment that wastes budget is recovered.

Microsoft 365 rewards this discipline because the data is unambiguous. There is little room to argue about usage when the vendor measures it directly, so the win comes from getting the entitlements right before the conversation starts rather than from disputing numbers afterwards. To see how a Microsoft 365 position folds into the full Effective License Position an auditor reconciles across cloud and on premises, download the guide below.

If an auditor is already asking questions, our Microsoft audit defense service sits between you and the auditor from first letter to final settlement.

The portal looks tidy. The telemetry tells the real story.

Download the Effective License Position guide to see how your Microsoft 365 usage reconciles into the position Microsoft will calculate, and how to build it first.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.