An audit letter rarely arrives at a convenient moment. It lands in an inbox, gets forwarded twice, and by the afternoon three people have replied to the auditor with helpful but uncoordinated answers. That is the real risk in the first 48 hours. Not the letter itself, but the unmanaged response to it. What you do in these two days decides whether you negotiate from your evidence later or react to theirs.
This is a practical sequence for those first two days. It applies whether the letter announces a formal audit through a third-party accounting firm, a self-verification demand, or a SAM engagement dressed up as an optimization. If you are not yet sure which one you have received, start by reading who conducts a Microsoft audit, because the route changes how much room you have.
Hour zero to hour two: contain it
The single most damaging thing in the first hours is scattered contact. Multiple people answering the auditor, each volunteering a little, each guessing at numbers, builds a record you cannot unbuild. Contain the letter the moment it arrives.
- Name one owner for all contact with Microsoft and the auditor, and tell everyone else to forward, not reply
- Acknowledge receipt in a single short message that commits to nothing on scope, numbers, or timing
- Do not agree to a kickoff call date in the first reply, and do not accept a tool or a data request yet
- Pull general counsel in early, because correspondence run through counsel is handled with the care it deserves
In the first hours your job is not to answer. It is to make sure only one person can.
Hour two to hour twelve: read the letter properly
Read the letter for what it actually obliges, not for what it implies. The tone is designed to feel urgent. The contract underneath it is more specific than the tone suggests.
Identify the route. A SAM engagement is voluntary and sales-led, which means you can decline the initial review. A self-verification is a contractual demand you cannot decline, but you run it and therefore set its discipline. A formal audit runs through an accounting firm under the MBSA clause, which gives the firm authority to request records but does not make its first calculation final. Note the clause references, the named auditor if there is one, and any stated deadline. Treat a stated deadline as an opening position on timing, not a fixed date. How to move it is the subject of setting the audit timeline in your favor.
Hour twelve to hour twenty-four: protect the evidence
Before anyone runs a query or exports a report, decide how evidence will be preserved. The auditor will eventually build an Effective License Position from Microsoft's counting methodology and Microsoft's data from Azure, Microsoft 365, and management tooling. You want your own picture captured cleanly and dated, so you can reconcile against theirs rather than accept it.
- Preserve the current state of deployment data before any change, so the position cannot be said to have moved
- Locate the full entitlement record, every agreement, transfer, and downgrade right, not just the latest order
- Do not delete, reinstall, or reconfigure anything in response to the letter, because that reads as concealment
- Keep your internal assessment separate from anything you share, so working numbers do not become commitments
This is also the moment to avoid the most common own goal. Running a SAM tool and sending the export to show good faith feels cooperative, but a SAM tool export is not audit defense. It uses different counting from Microsoft and can hand the auditor a number that is worse than the real position, which you then cannot retract.
Hour twenty-four to hour forty-eight: set the frame
With one owner in place, the route identified, and evidence preserved, the last stretch is about framing the engagement on your terms before the first substantive exchange.
The mistakes that set the number too high
Almost every inflated outcome traces back to something done in the first two days. The table below pairs the instinct with the discipline.
| Instinct | What it costs | Do this instead |
|---|---|---|
| Reply quickly to seem cooperative | Uncoordinated answers become the record | One owner, one acknowledgement |
| Send a SAM tool export early | Microsoft anchors on a worse number | Assess internally, share nothing yet |
| Accept the stated deadline | No time to build your position | Propose a workable timeline |
| Fix deployment before counting | Reads as concealment, loses good faith | Preserve state, then reconcile |
Why the first 48 hours decide the rest
The Effective License Position the auditor presents is an opening position, negotiated after the report. The clause that gives it weight is the 5 percent rule. If unlicensed use reaches 5 percent or more of total use, you reimburse verification costs and acquire licenses at 125 percent of price. Everything you do in the first two days either preserves your ability to stay under that line or quietly gives it away. Contain the contact, read the obligation, protect the evidence, and set the frame, and you arrive at the negotiation with your own number in hand.
For the complete sequence from letter to settlement, work through the Microsoft audit survival guide.