Cloud and Azure Compliance · End customer

The cloud migration compliance checklist

Published November 25, 2025Updated February 9, 2026Track End customerReading 11 minutesLevel Practical

A cloud migration is one of the most common moments a licensing gap opens, because the estate changes faster than the licensing position keeps up. This checklist walks the compliance steps before, during, and after a migration so the move strengthens your position instead of becoming a finding.

Cloud migrations are planned with enormous care on the technical and financial sides. Architecture is reviewed, costs are modeled, cutover is rehearsed. Licensing compliance is the dimension that most often gets left to assumption, and that omission is expensive, because a migration is precisely the kind of large, fast change to an estate that opens gaps and draws attention. Workloads move to new hosts with different core counts, owned licenses are assumed to travel when they do not, benefits that applied in the old location are relied on in the new one, and the telemetry that Microsoft uses to select audit targets sees all of it. None of this is hard to prevent, but it has to be planned in rather than discovered later. This checklist organizes the compliance work into three phases, before, during, and after the migration, so the move is defensible at every stage.

For how audit risk is selected and what raises it, the Microsoft audit triggers pillar sets out the landscape. Here we turn that into a practical sequence for a migration.

Before the migration: establish the baseline

The work that matters most happens before a single workload moves, because you cannot manage a migration's licensing impact if you do not know where you started. The goal of this phase is a clear baseline: what you run, where it runs, what you are entitled to, and where you already stand. A migration started from an unknown position simply carries that uncertainty into a more complex environment, and a migration started from a clean baseline can be managed move by move.

01
Inventory the workloads in scopeList every Microsoft workload that will move, with its current host, core count, and the access requirements attached to it.
02
Establish entitlements and Software Assurance statusConfirm what you own and which licenses carry active Software Assurance, since that determines which rights can travel.
03
Assess your current position honestlyKnow where you already stand before the move, so the migration does not bury an existing gap inside a larger change.
04
Decide the licensing model for the destinationFor each workload, decide whether to use owned licenses through mobility, license natively in the destination, or buy fresh, and document the choice.

During the migration: treat each move as a licensing event

The migration itself is where gaps open in real time, because the technical move and the licensing consequence happen together but are usually handled by different people. The discipline here is to treat the licensing of each workload as a step in its migration, not a reconciliation to be done afterward. A workload is not migrated until it is licensed correctly for where it now runs.

A workload is not migrated until it is licensed correctly for where it now runs. The technical move and the licensing consequence happen together and have to be handled together.

  • Recount cores against the destination host, which is often larger than the source
  • Establish mobility properly where owned licenses move into a provider cloud, including the process step
  • Confirm that any benefit relied on in the old location actually applies in the new one
  • Check whether the destination uses shared or dedicated hardware, since the rules differ
  • Record the licensing decision for each workload as it moves, so the position stays current

After the migration: reconcile and keep it living

When the technical migration is declared complete, the licensing work is not finished, because the estate is now both larger and more dynamic than before. The aim of this phase is to confirm that the post migration position is clean and to put in place the discipline that keeps it clean as workloads continue to move.

05
Reconcile the new estate against entitlementsAfter cutover, confirm that every migrated workload is fully licensed where it now runs, with no assumed rights left unverified.
06
Reconcile against your own telemetryUse your management tooling to find any workload that does not reconcile, before Microsoft's telemetry surfaces it.
07
Retire or repurpose freed licenses deliberatelyDecide what happens to licenses freed by the move, so they are not double counted or quietly wasted.
08
Make licensing a standing step for future movesBake the licensing check into how workloads move from now on, so the estate and the position never drift apart again.

A worked illustration of the difference

Consider the same migration handled two ways. The labels are indicative and used only to show what the checklist prevents.

ElementNo compliance planChecklist followed
BaselineUnknown starting positionClean, documented baseline
Core countsCarried over from sourceRecounted against destination
MobilityAssumed to travelEstablished with the process step
Post moveGaps surface in an auditReconciled, telemetry checked

The migration is identical in scope and technical outcome in both columns. The difference is entirely in whether the licensing was managed as part of the move or left to be discovered. The first path turns a routine migration into an audit finding. The second turns it into a clean, documented position that demonstrates exactly the diligence that lowers a finding if an audit ever does come.

Why this is defense, not just hygiene

It would be easy to read this as good housekeeping, but it is more than that. A migration handled with this discipline produces contemporaneous records of every licensing decision, which is precisely the evidence of good faith that pulls a finding toward the bottom of the penalty band if an audit follows. It keeps the estate out of the telemetry anomalies that select audit targets in the first place. And it means that if a self verification or formal audit does arrive, you are responding from a known, documented position rather than scrambling to reconstruct one under pressure. The checklist is not only about avoiding gaps. It is about being the prepared, credible party that an auditor finds little to work with.

Where this leaves you

A migration changes your estate faster than almost anything else, and the licensing position has to keep pace or a gap opens. Handled as three phases, establishing the baseline before, treating each move as a licensing event during, and reconciling and sustaining after, a migration becomes a moment that strengthens your position rather than weakening it. The cost of doing this work in sequence is small. The cost of skipping it surfaces later as a finding built on assumptions nobody checked. The buyers who migrate well are the ones who treated licensing as part of the project, not a reconciliation for afterward.

If a migration is underway or planned and you want the compliance dimension managed alongside it, the time to build the plan is before the first workload moves. Book a Strategy Call to map the licensing of your migration phase by phase and keep the move defensible.

If you would rather not face that alone, our Microsoft audit defense team manages every exchange with the auditor on your behalf.

Keep reading
Microsoft audit triggers Licensing workloads across clouds Compliance for Copilot at scale

Plan the licensing before the first workload moves.

Book a Strategy Call to map the compliance steps of your migration phase by phase, so the move strengthens your position instead of becoming a finding.

Book a Strategy Call
Get a Quote · Book a Strategy Call · The Audit Brief · About · Pricing · Blog · Contact · Privacy · Terms · New York · London Not affiliated with Microsoft Corporation. Independent buyer side advisory only.