Your true up is not the only record of your usage. Microsoft holds its own telemetry, and it compares. Reporting a number that contradicts that data is how a routine true up becomes an audit.
Microsoft already has data on you
A common assumption behind a careless true up is that Microsoft only knows what you tell it. That has not been true for years. Cloud products report usage continuously, and Microsoft holds a detailed picture of your consumption independent of anything you submit. When your true up arrives, it is read against that picture. A figure that contradicts the telemetry is a flag, and flags are how true ups turn into audits.
The sources that matter
Microsoft draws on several streams when it evaluates your position. The three that matter most are the ones you cannot see into easily.
- Azure consumption data, which records what you run in the cloud down to the resource and the hour
- Microsoft 365 service usage, which reflects active users, assigned licenses, and the features in use
- Management and identity tooling, which exposes deployed software and the accounts that touch it
In 2026, Microsoft also applies AI anomaly detection across this telemetry to spot mismatches between what is deployed and what is licensed. A true up that does not reconcile with the signal those systems produce is more likely, not less, to draw scrutiny.
Where your number and theirs diverge
The gap between a self reported true up and Microsoft's telemetry usually comes from a handful of predictable places.
| Your record | Microsoft's data | Why they differ |
|---|---|---|
| Licenses assigned in your directory | Active users in the service | Stale accounts inflate or deflate the count |
| On premises install inventory | Identity and management telemetry | Shadow installs the inventory missed |
| Planned Azure footprint | Actual Azure consumption | Growth that outran the plan |
Why a SAM tool report is not enough
An internal tool reports what it is configured to see, on your terms. Microsoft counts on its terms, with its own methodology and its own data, and its calculation governs. A clean internal report that disagrees with Microsoft's telemetry will not protect you. The work is to reconcile the two before the true up goes in, so the number you report is the number the data already supports.
Reconcile, then report
A defensible true up is built by pulling your own usage from the same kinds of sources Microsoft uses, comparing it to your entitlement, and resolving the differences before you commit a figure. Where the telemetry shows more than your inventory, you investigate rather than ignore. Where it shows less, you avoid paying for phantom use. The aim is a single reconciled position that holds up whether it is read by you or by Microsoft.
The next step
Knowing the data Microsoft relies on changes how you prepare a true up. Start with our pillar, the Microsoft Audit Survival Guide for 2026, then read what the annual true up demands and how to go about documenting usage for a true up. Report a number that already matches the telemetry, and the true up stays a true up.
If the timeline is already running, our EA true up defense service checks every line before you sign.
Report a number that matches the data
We sit between you and Microsoft and its appointed auditor. Fixed Fee from $18,000 or Gainshare, both backed by our guarantee.
Download guide