Who conducts a Microsoft audit

Published March 21, 2026 · Updated May 28, 2026 · Track: End customer · Reading: 8 minutes · Level: Introductory

A Microsoft audit is not one thing, and it is not always run by the same party. Knowing who sits across the table, the account team, a third party accounting firm, or you under a contractual demand, is the first move in any defense.

When people say they are being audited by Microsoft, they usually mean one of three different processes, run by three different parties, with three different sets of rights. Treating them as the same is the first mistake, because the right response to each one is not the same. This article sets out who actually conducts each route and what their role means for the number you end up defending.

Microsoft verifies licensing three ways

Microsoft has three routes to check that your deployment matches your entitlement. They differ in who runs them, whether you can decline, and how much room you have to set the terms.

Route | Who conducts it | Can you decline
SAM engagement | Microsoft account team or an appointed partner | Yes, it is voluntary
Self verification | You, against a contractual demand | No, it is required
Formal audit | A third party accounting firm under the MBSA clause | No, but you control the process

The SAM engagement, run by the account team

A Software Asset Management engagement is voluntary and sales led. It is presented as a free optimization, a helpful look at your estate to make sure you are licensed correctly. In practice it is run by the Microsoft account team or a partner the account team appoints, and it is used to find gaps and create sales. The person conducting it is not neutral. Their goal is to surface shortfalls that convert into new license purchases.

Because a SAM engagement is voluntary, you can decline the initial review. A recognized defensive move is to decline it and run your own internal assessment first, with independent help, so you understand your position before you hand any data to the party whose job is to sell you the gap.

The self verification, run by you

A self verification is different. It is a contractual demand under your agreement, and it is not optional. Microsoft asks you to verify your own licensing and report back. You conduct it, but Microsoft sets the requirement and reviews what you submit. The trap is to treat it casually because you are running it yourself. The figure you report becomes the basis for what follows, so the discipline you apply to your evidence and your timeline matters as much as in a formal audit.

The formal audit, run by an accounting firm

A formal audit runs through a third party accounting firm under the audit clause of the Microsoft Business and Services Agreement, the MBSA. The firm acts as an independent third party with authority to request deployment records, configuration data, and usage logs. They produce an Effective License Position, which is the reconciliation of your deployment against your entitlement.

The auditor produces the Effective License Position. It is the opening position, not the final sentence.

The important point about the accounting firm is that it works to Microsoft's brief. Its Effective License Position is built with Microsoft's counting methodology and Microsoft's data drawn from Azure, Microsoft 365, and management tooling. A clean export from your own asset tool does not match that calculation, and Microsoft's calculation governs. The Effective License Position is negotiated after the report, which is where a buyer side defense does its work.

Hosters are audited differently

If you are a hosting provider, a managed service provider, or an outsourcer delivering Microsoft software to external customers, you are not in this process at all. You license through SPLA, and a SPLA audit is conducted by a Big Four firm under the MBSA clause across a 36 month lookback of monthly reporting. The mechanics, the lookback, and the defense are distinct from the end customer routes above, and we keep them separate for a reason. If that is you, start with our SPLA material rather than this article.

Why the identity of the auditor changes your defense

Who conducts the audit tells you how to respond.

  • If the account team is running a SAM engagement, you can slow down, decline the initial review, and assess yourself first
  • If you are running a self verification, the discipline is yours to set, so build the evidence and the timeline before you report
  • If an accounting firm is running a formal audit, the Effective License Position is an opening position you negotiate, not a bill you pay

In every case the same clause sits underneath the process. If unlicensed use reaches 5 percent or more of total use, you reimburse Microsoft's verification costs and acquire the licenses at 125 percent of the current price. Below that line, you license the gap at standard price. The 5 percent line is what the whole exercise turns on, and it is what a defensible position is built to stay under.

What to do first

Identify the route before you respond to a single request. Ask who is conducting it and under what authority. If it is a SAM engagement, you have more room than you think. If it is a self verification or a formal audit, the obligation is real, but the number is still open until you and Microsoft agree it. The worst outcome is to hand over data on the assumption that the auditor's first calculation is the truth.

If a letter has already arrived, the next move is to control the clock and the evidence. Read our guide to the first 48 hours after an audit letter for the immediate steps, and how to set the audit timeline in your favor for the longer game. For the full picture across every route, work through the Microsoft audit survival guide.

Before you send anything back to the auditor, our Microsoft audit defense team manages every exchange with the auditor on your behalf.

Not affiliated with Microsoft Corporation. Independent buyer side advisory only.