Microsoft verifies licensing three ways, and they are not the same. Knowing which one you face decides what you are obliged to do and how hard you can push back.
When Microsoft wants to check your licensing, the approach can arrive in one of three forms. They look similar from the outside, a request to review your deployment, but they carry very different obligations and very different risks. Treating all three the same way is the most common and most expensive mistake buyers make. Here is how to tell them apart and how to respond to each.
A Software Asset Management engagement is presented as a free service. Often it arrives through a partner, framed as an optimization review that will help you tidy up your estate and maybe even save money. It is voluntary. You can decline it.
In practice, it is a sales motion. The program is measured on outcomes that benefit Microsoft: gaps found, licenses sold, cloud commitments made. The reviewer is not neutral, and the tooling is configured to surface deployment that exceeds entitlement. The data you share in a friendly review can become the evidence base for a harder demand later. None of this is hidden; it is simply the design. The error is treating it as neutral help.
A self verification is a demand under your agreement. Microsoft asks you to assess your own deployment against your entitlement and report back. You cannot decline it the way you can decline a SAM engagement, because the right to request it is written into the contract.
What you can control is how you respond. A self verification is still your assessment, built from your data, on a timeline you negotiate. The discipline that matters here is accuracy and evidence. You are producing a position that Microsoft may later test, so it should be one you have built carefully, can explain, and can support. This is exactly where an independent buyer side reading pays for itself, because the difference between a defensible self verification and a careless one can be the difference between a correction and a formal audit.
A formal audit runs through a third party accounting firm under the audit clause in the Microsoft Business and Services Agreement. This is the most adversarial of the three. The auditor has broad authority to request deployment records, configuration data, and usage information, and they produce an Effective License Position, the reconciliation of what you deployed against what you are entitled to.
The Effective License Position is not the final sentence. It is an opening position, and it is negotiated after the report. The auditor's draft tends to compound every gap and read every ambiguity against you. That is normal. Your job, with help, is to rebuild the evidence and bring the number down.
This is the clause that gives the formal audit its teeth: if unlicensed use is found at 5 percent or more of total use, you reimburse Microsoft's verification costs and acquire the licenses at 125 percent of the current price. Staying under that threshold with an accurate position is worth real money.
| Dimension | SAM engagement | Self verification | Formal audit |
|---|---|---|---|
| Can you decline | Yes | No | No |
| Who runs it | Microsoft or partner | You | Third party accounting firm |
| Penalty clause | Not directly | Indirect | Yes, the 5 percent clause |
| Your main lever | Decline or scope | Accuracy and timeline | Rebuild the ELP, negotiate |
Across all three, the strongest defensive move is the same: know your real Effective License Position before anyone outside sees your data. SAM tool output alone is not enough, because Microsoft counts with its own methodology and its own telemetry from Azure, Microsoft 365, and management tooling, and Microsoft's calculation governs. A position you have built and can defend gives the opening number somewhere to land.
Identify which verification you face before you respond. Decline or control the SAM engagement. Treat the self verification as a serious assessment, not a form. Meet the formal audit with your own rebuilt position. In every case, the buyer side advantage comes from preparation, not from speed. For the full mechanics and a first response checklist, download the survival guide.
If you would rather not face that alone, our SAM engagement response service handles the outreach so you never overshare.
The survival guide covers all three, with a first 72 hours checklist. Fixed fee or gainshare from there, both backed by our guarantee.