If you take one idea from this guide, take this: the number Microsoft presents is an opening bid. Customers lose money when they treat it as a verdict and start negotiating down from it. The work of defense is to build your own evidence first, so the conversation starts from a position you control rather than one the auditor handed you. Here is how the 2026 landscape works and what to do at each stage.
What changed in 2026
Audit selection is no longer a matter of bad luck. Microsoft now uses anomaly detection across licensing and telemetry to choose who to verify. A usage spike, an entitlement mismatch, or Azure Arc telemetry that reveals servers running without matching licenses all raise your risk score. Rapid cloud growth, a recent acquisition, and an approaching renewal are classic triggers. The practical consequence is that part of the case exists before any letter lands, assembled from the data Microsoft already collects through Azure, Microsoft 365, and its management tooling.
The three ways Microsoft verifies licensing
Microsoft checks compliance three ways, and the leverage is different in each. Confusing them is how customers give away their position early.
The SAM engagement
A Software Asset Management engagement is voluntary and sales led. It is offered as free optimization, often through your account team, and the data you hand over is used to find gaps and create a purchase. You can decline the initial review. Declining it to run your own internal assessment first is a recognized defensive move that keeps you in control.
The self verification
A self verification feels softer because you do the counting, but it is a contractual demand under your agreement and you cannot decline it. The trap is self reporting against Microsoft's methodology without challenging it, which hands over a number that becomes the floor of the settlement.
The formal audit
A formal audit is invoked under the MBSA audit clause and runs through a third party accounting firm. The auditor reconciles deployment against entitlement and produces an Effective License Position. To understand who that firm answers to and how its incentives shape the draft, read the role of the third party auditor.
The Effective License Position is negotiated
The ELP is the heart of the audit: deployment on one side, entitlement on the other, and the gap between them is your alleged shortfall. It is produced from Microsoft's counting methodology and Microsoft's data, and it is negotiated after the report, not handed down as final. A clean SAM tool output on your side can still differ from Microsoft's calculation, and Microsoft's calculation governs unless you contest it with better evidence.
The 5 percent clause and the 125 percent price
The audit clause carries a sharp consequence. If verified unlicensed use is 5 percent or more of total use, the customer reimburses Microsoft for verification costs and acquires the missing licenses at 125 percent of current price. The threshold is why the count matters so much. The difference between landing at 4 percent and 6 percent is the difference between a manageable purchase and a penalty, and it often turns on disputed editions, virtual core counting, and entitlements the draft did not credit.
| Position | Unlicensed share | 125 percent uplift |
|---|---|---|
| Auditor draft | 6.0% | applies |
| Defended ELP | under 5% | removed |
| Outcome | recounted | uplift avoided |
Indicative figures shown to illustrate the mechanics, not a quoted outcome.
The survival sequence
Defense is a sequence. These are the moves, in order, that protect a position.
- Do not reply to the first letter alone or in haste, and never concede a number early
- Decline the initial SAM review and run your own internal assessment first
- Rebuild a defensible ELP from your own records before accepting any count
- Credit every entitlement, downgrade right, and prior purchase the draft missed
- Keep the unlicensed share under the 5 percent line where the evidence supports it
- Document remediation so the record reflects a corrected, good faith position
The reason the first move matters so much is covered in why you should never reply to an audit letter alone. The full mechanics live in the Microsoft Audit Survival Guide pillar.
The next step
If a letter has arrived, the clock is already running, but the number is not fixed. The strongest position is to know your own Effective License Position before Microsoft sets theirs. Download the full guide and use it to map where you stand before you respond.
Know your number before Microsoft does.
Download the Microsoft Audit Survival Guide and walk into any verification already holding the evidence.
If the timeline is already running, our Microsoft audit defense service sits between you and the auditor from first letter to final settlement.