SPLA Versus CSP Hoster Compared

SPLA and CSP are two routes to deliver Microsoft software to your customers, and they behave very differently on reporting, audit exposure, and margin. This is a plain side by side so you can see which model fits your estate before you commit.

Published November 28, 2025 · Updated March 21, 2026 · Hoster track · Reading time 8 minutes · Buyer side analysis

Hosters, managed service providers, and ISVs that deliver Microsoft software to external customers have long done so through SPLA, the Services Provider License Agreement. CSP, the Cloud Solution Provider program, offers a second route, and a growing number of providers are weighing a move. The two are not interchangeable. They differ in how you license, how you report, how you are audited, and where your margin lands. This article lays them side by side so you can see the trade clearly, without the sales gloss that usually surrounds the question.

The core difference in one sentence

SPLA is a usage based wholesale license you report and pay monthly for software you operate and deliver, while CSP is a subscription resale model where you transact Microsoft cloud services on behalf of customers who hold their own subscriptions. That single distinction drives almost every difference that follows. Under SPLA the obligation, and the audit risk, sit with you the provider. Under CSP much of the licensing relationship moves toward the customer subscription, which changes both who reports and who is exposed.

SPLA makes you the licensed operator. CSP makes you the channel for the customer's own subscription.

Reporting

SPLA is pay as you consume. Every month you apply the Services Provider Use Rights, the SPUR, to your deployment and report SAL or processor counts for what you delivered. Compliance is verified for every monthly cycle, not just your current position. That monthly obligation is the heart of SPLA and the source of most of its risk, because a mistake in any single month becomes a defect that an audit can find years later.

CSP shifts the rhythm. You transact subscriptions and seats through the program rather than self reporting consumption of software you operate. The monthly self reported count that defines SPLA largely goes away for the workloads that move to CSP. That does not make licensing effortless, but it removes the specific exposure created by self reporting an estate month after month.

Audit exposure

This is where the models diverge most sharply. A SPLA audit is conducted by a Big Four firm under the MBSA audit clause, with a 36 month lookback and broad authority to request deployment records, server configuration data, customer contracts, and usage logs. Because you self reported every month, the auditor reconstructs every month, and any shortfall becomes back fees at the price file rate, which are not negotiable, plus a penalty uplift of 25 to 125 percent.

CSP carries its own compliance obligations, but the structural exposure of a 36 month self reported lookback is materially reduced for workloads that genuinely move to the subscription model. For many providers this is the central reason to consider the move. It is also the reason the move must be timed and documented carefully, because leaving SPLA does not erase the lookback on the years you were in it.

Eligible products and fit

Not every workload maps cleanly from one model to the other. Some products and deployment patterns remain better suited to SPLA, particularly dedicated, operator run infrastructure. Others fit naturally into subscription resale. A realistic comparison has to be done product by product across your estate rather than as a single yes or no, because a provider almost always ends up with a mix rather than a clean switch.

A side by side summary

The table below summarizes the differences at a glance. It is a general comparison, not advice for a specific estate, and the right answer depends on your product mix.

Dimension | SPLA | CSP
Model | monthly usage license | subscription resale
Who reports | the provider, monthly | transacted per subscription
Reporting cadence | every month, SAL or processor | at the subscription level
Audit lookback | 36 months, self reported | reduced self reported exposure
Auditor | Big Four under MBSA clause | program compliance
Primary risk holder | the provider | shifts toward the subscription

Indicative comparison for orientation, not advice for a specific estate.

What the comparison does not settle

A side by side tells you how the models differ, not which one is cheaper or safer for you. Margin depends on your product mix and customer base, and the audit exposure you already carry in SPLA does not vanish the day you start using CSP. The years you operated under SPLA remain inside the 36 month lookback, which is why the migration question is really two questions: which model fits going forward, and how to close out the SPLA exposure cleanly on the way.

For the cost side of the trade, see cost modeling SPLA versus CSP, and for what actually changes operationally once you move, read what changes for hosters under CSP. Both sit alongside the migration guidance in the pillar.

The next step

Before you decide between the models, it is worth understanding the SPLA exposure you are carrying today, because that is what governs how safely you can move. The SPLA Audit Defense Guide explains how the lookback works and how a clean SPLA position makes any future migration far less risky.

Know your SPLA position before you move.

Download the SPLA Audit Defense Guide to understand the lookback you carry today and how it shapes a safe move to CSP.

If you would rather not face that alone, we plan the exit through our SPLA to CSP migration work so compliance never lapses mid move.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.