Shadow deployments are the installs no one tracked. Here is how they surface in a Microsoft audit, why telemetry now finds them, and how to bring them under control.
Shadow deployments are the Microsoft software that runs without anyone deciding to license it. A team spins up a server, a project clones an environment, a contractor installs a tool, and none of it reaches the asset register. For years that was invisible. In 2026 it is not, because the same telemetry that runs the modern estate also reports it, and an audit reads every untracked install as unlicensed use.
A shadow deployment is any use of Microsoft software that your own records do not account for. It is rarely deliberate. It is the residue of how fast estates change.
Each one consumes a license. None of them appear in a register that was last reconciled by hand. That gap between what runs and what is recorded is the exposure.
The reason shadow deployments are an audit risk today, and were a quieter one before, is visibility. Microsoft builds its view from Azure signals, Azure Arc connected servers, Microsoft 365 and identity activity, and management tooling. Azure Arc is the decisive change, because it extends visibility to servers running on premises and in other clouds. A server that never appeared in your inventory can still report itself through telemetry, and once it is visible to Microsoft, it is part of the deployment side of your Effective License Position whether you tracked it or not.
The danger of a shadow deployment is no longer that it exists. It is that Microsoft can see it and you cannot. Telemetry has closed the gap that hidden installs used to hide in.
Shadow deployments do two things to your risk. They create exposure directly, because untracked installs are counted as unlicensed use. And they raise the chance of being selected, because in 2026 Microsoft uses anomaly detection across licensing and telemetry to choose targets. A workload that shows in telemetry but never in your reporting is exactly the kind of mismatch that lifts a risk score. The shadow deployment is both the finding and the reason the auditor came looking.
An untracked deployment lands on the part of the calculation that hurts most. When a formal audit finds unlicensed use at 5 percent or more of total use, the contract clause requires you to reimburse verification costs and to acquire licenses at 125 percent of the current price. A handful of forgotten servers can be the difference between sitting under that threshold and crossing it, which turns a tidy position into a penalty.
| Source of shadow use | How it is counted | The control that removes it |
|---|---|---|
| Orphaned project servers | Full licensed use until decommissioned | Lifecycle tracking and decommission discipline |
| Cloned test environments | Production use unless rights are proven | Document and separate non-production rights |
| Migrated workloads | Counted on every host they touch | Map licensing to movement |
| Unmanaged installs | Unlicensed use by default | Reconcile telemetry against the register |
The table is indicative in concept: it shows how each source converts into exposure and is not real client data.
Shadow deployments are a risk you can retire before it becomes a finding, but only if you look with the same visibility Microsoft has. The pillar on Microsoft audit triggers sets out the full risk picture, and the related articles below cover why renewals raise that risk and how to handle an audit once it turns into a negotiation. Book a strategy call and we will reconcile your telemetry against your records before the auditor does it for you.
If an auditor is already asking questions, we take over the process through our Microsoft audit defense engagement.
Book a strategy call and we will reconcile your telemetry against your records. Fixed Fee from $18,000 or Gainshare, both backed by our guarantee.