The licensing rules auditors apply

Published December 17, 2025 · Updated February 19, 2026 · Track: End customer · Reading: 14 minutes · Level: Intermediate

An auditor does not invent a finding. They apply a defined set of licensing rules to your estate and read every ambiguity in Microsoft's favour. Learn the rules they lean on most, see where the favourable reading is a choice rather than a fact, and you can contest each one on its merits.

It is tempting to think of an audit finding as something an auditor constructs against you. It is more accurate, and more useful, to see it as the output of a rulebook applied to your estate. The auditor takes the licensing rules that govern each product, maps them onto what they find deployed and entitled, and produces an Effective License Position from the result. The rules are largely fixed. What is not fixed is how each one is read when the facts are unclear, and the auditor's instinct is to read ambiguity in the direction that increases the position.

That is the whole game. If you know the rules the auditor applies and you understand where each one bends, you can meet the finding rule by rule rather than as a single intimidating number. This article walks through the rules that drive most findings, shows where the favourable reading is a choice and not a certainty, and explains how to contest each one. It builds on how Microsoft builds its own ELP and feeds directly into the Effective License Position guide.

Rule one: deployment counts unless you prove otherwise

The first rule is the heaviest. An auditor counts what is deployed and treats it as licensable use unless you demonstrate that it is not. A detected installation is assumed to be a productive, licensable instance. The burden of showing that an instance was decommissioned, was a non-productive test or disaster recovery copy, or fell under a right that removes the need for a separate licence sits with you. If you cannot evidence the exception, the instance counts.

The auditor counts deployment and asks you to disprove it. The defensible position counts entitled, productive use and proves it.

This is why evidence, not argument, wins audits. Saying an instance was not in use does not move it out of the count. A change record showing it was decommissioned, a configuration showing it was a passive failover within the rights you hold, or documentation of its test status does. The contest on this rule is almost entirely about whether you can produce the record that converts an assumed productive instance into a proven exception.

Rule two: the counting metric is read at its highest

Most server products are licensed by a metric (cores, processors, or users and devices), and each metric has edges where the count can be read more than one way. Per-core licensing is the clearest example. The rule sets a minimum core count and requires every physical core to be licensed in certain models, and virtualization adds another layer where the rights you hold determine whether you license the host or the guests. An auditor confronted with an ambiguous configuration will tend to apply the metric in the way that yields the larger number.

  • Per core: the question is which cores must be licensed and whether minimums or full physical counts apply to your configuration
  • Virtualization: the question is whether your rights let you license at the host level or require licensing every guest
  • Users and devices: the question is whether the population counted is everyone who could access or only those entitled to

In every case there is a correct reading for your specific configuration and rights, and it is frequently lower than the auditor's first pass. Contesting this rule means establishing the actual configuration, the actual rights you hold, and the correct application of the metric to both, rather than accepting the metric read at its most expensive.

Rule three: credits apply only if you claim them

A licence position is deployment minus entitlement, and entitlement is larger than most estates realise because of the credits that attach to it. Downgrade rights let a newer entitlement cover an older deployment. Prior purchases, perpetual licences from earlier agreements, and rights granted under agreements the auditor may not have seen all reduce the gap. The rule is that these credits count, but the practical reality is that they count only if you bring them forward. An auditor will not go hunting through your purchase history to find entitlements that lower their own finding.

This is one of the most productive areas of any defence because it is pure arithmetic in your favour. Every credit you can evidence subtracts directly from the position. The work is assembling the full entitlement picture, including older and forgotten purchases, and applying every right that legitimately reduces the count. Estates that have been through mergers, divestitures, or multiple agreement generations almost always hold credits that the first reading misses.

Rule four: the version must match

Licences are version-specific, and the rule is that an entitlement covers a deployment only if its version is equal to or newer than what is deployed, unless a right such as Software Assurance changes that. This is a quiet rule because an estate can look fully licensed on a count basis and still carry a version shortfall. Upgrade a server or a Client Access License environment without upgrading the underlying entitlements and the licences you hold may no longer cover what you run.

Auditors check version alignment carefully because it produces findings that headcount alone hides. Contesting it, or better, pre-empting it, means matching every deployed version against the version of the entitlement that covers it and confirming that any upgrade right you rely on actually exists in your agreements.

Rule five: Microsoft's data governs over yours

The final rule is the one that catches buyers who think a clean internal report settles the matter. Microsoft uses its own counting methodology and its own data, drawn from Azure, Microsoft 365, and management tooling, and where its calculation differs from yours, its calculation governs the conversation. A SAM tool can produce a tidy Effective License Position, and Microsoft can still arrive at a different number using telemetry the tool never saw. The rule is not that Microsoft is always right. It is that you have to engage with Microsoft's data on its own terms to contest it.

Rule applied | Auditor's reading | The contestable point
Deployment counts | Every detected instance is productive use | Evidence of decommission, test, or passive status
Metric at its highest | The most expensive reading of the count | Actual configuration and the rights you hold
Credits if claimed | Only the entitlements presented | Downgrade rights and prior purchases applied
Version must match | Newer deployments on older licences are gaps | Upgrade rights and correct version mapping
Microsoft data governs | Telemetry over your internal report | Reconciliation against the same data sources

The 5 percent line that turns rules into cost

All of these rules feed one threshold that decides how expensive the finding becomes. Under the contract clause, if unlicensed use reaches 5 percent or more of total use, the customer reimburses Microsoft's verification costs and acquires licences at 125 percent of the current price. Every rule above is therefore also a lever on that threshold. Each instance you move out of the count, each credit you claim, and each metric you correct pushes the unlicensed percentage down, and crossing back under 5 percent removes the penalty pricing entirely. The rules are not just about the size of the gap. They are about which side of that line you land on.

Meet the finding rule by rule

The reason to learn the rules is that they turn an overwhelming number into a series of specific, winnable arguments. A finding is not a verdict. It is a calculation built from these rules, each applied at its most expensive, and each open to a more accurate reading once you bring the evidence and the entitlements the first pass ignored. A buyer-side advisor does this work rule by rule: rebuilding the count on real data, claiming every credit, correcting each metric, aligning versions, and reconciling against the same sources Microsoft uses, then testing the whole position against the 5 percent line. Our guarantee stands behind it: we reduce your exposure or we reimburse our service fee, and gainshare means you pay only from verified savings.

If a finding has landed, or you want to know where these rules would place you before one does, the most useful next step is a focused conversation about your specific estate. Book a Strategy Call and we will walk the rules against your position and show you where each one bends in your favour.

If an auditor is already asking questions, we take over the process through our Microsoft audit defense engagement.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.