Microsoft verifies licensing through a SAM engagement, a self verification, and a formal audit, and they are not the same thing. Knowing which one you are in, and what you can decline, decides how much leverage you keep.
Most teams react to a Microsoft licensing approach by rushing to count software. That is the wrong first move. The first question is not how many licenses you have. It is which of the three verification routes you are standing in, because each one carries a different obligation and a different amount of room to maneuver. Treat a voluntary review as if it were binding and you give away leverage for free. Treat a binding demand as if it were optional and you create a contractual problem.
A Software Asset Management engagement is voluntary and sales-led. It is usually presented as a free optimization, often delivered through a partner. The framing is friendly, and that is the point. Its commercial purpose is to find gaps and turn them into a sales conversation, sometimes ahead of a renewal.
Because it is voluntary, you can decline the initial review. Declining it, and instead running your own internal assessment with independent help first, is a recognized defensive move. It lets you understand your own position before anyone else does, so that if a formal process follows, you respond from preparation rather than surprise.
A self verification is different in kind. It is a contractual demand under your agreement, and it is not optional. Microsoft asks you to verify your own deployment and report back. The obligation to respond is real, but the way you respond is still yours to shape.
The risk is that teams treat it as an honesty test and simply export whatever a tool produces. That hands Microsoft a number built on your tool's assumptions rather than one you have checked against Microsoft's own methodology. You can meet the obligation while still controlling how the count is produced, reviewed, and presented.
A formal audit runs through a third-party accounting firm under the MBSA audit clause. The auditor is independent of the sales relationship and produces an Effective License Position, the reconciliation of what you have deployed against what you are entitled to use. The clause is specific. If unlicensed use reaches 5 percent or more of total use, you reimburse Microsoft for the verification costs and acquire the missing licenses at 125 percent of the current price. That threshold is the line the entire defense is organized around.
Whichever route you are in, the counting is not done in a vacuum. Microsoft uses its own methodology and its own data, drawn from Azure, Microsoft 365, and management tooling. This is why a clean report from your own SAM tool is reassuring but not decisive. A tidy internal position can still differ from Microsoft's calculation, and Microsoft's calculation governs. In 2026 Microsoft also applies anomaly detection across that telemetry to choose who to look at.
Once you know the route, the response writes itself. In a SAM engagement, consider declining the initial review and assessing yourself first. In a self verification, meet the obligation but control the count. In a formal audit, rebuild the position the way the auditor will and manage the 5 percent line. In all three, remember that the first number is rarely the final number, and that an Effective License Position is negotiated after the report.
If you want a second set of eyes first, our Microsoft audit defense team manages every exchange with the auditor on your behalf.