If a letter has arrived, or you sense one is coming, the single most useful thing to understand is this: the position Microsoft puts in front of you is an opening bid, not a verdict. The work of defense is to rebuild the evidence on your side before that bid hardens into a settlement. This guide walks through the whole arc, from the first contact to the final number.
The three ways Microsoft verifies licensing
Microsoft checks whether customers are licensed for what they run in three distinct ways. They feel similar from the inside, a request for data and a reconciliation, but the leverage is different in each, and confusing them is how customers give away their position early.
A SAM engagement is voluntary and sales led
A Software Asset Management engagement is presented as a free optimization, often through your account team or a partner. It is voluntary. It is also sales-led, which means the data you hand over is used to find gaps and build a purchase. A clean-looking SAM review can become the evidence base for a demand. You can decline the initial review, and declining it to run your own internal assessment first is a recognized defensive move.
A self verification is a contractual demand
A self verification looks softer than a formal audit because you do the counting. It is not softer. It is a contractual demand under your agreement and you cannot decline it. The trap is that customers self-report against Microsoft's methodology without challenging it, and hand over a number that becomes the floor of the settlement.
A formal audit runs through a third party firm
A formal audit is invoked under the MBSA audit clause and runs through a third-party accounting firm. The auditor has authority to request deployment data, configuration records, and usage logs. The auditor produces an Effective License Position, the reconciliation of what you deployed against what you are entitled to. Read more on the role of the third-party auditor and why their draft is a starting point, not a sentence.
The Effective License Position is negotiated, not handed down
The ELP is the heart of the audit. It is the reconciliation: deployment on one side, entitlement on the other, and the gap between them is your alleged shortfall. Customers treat the ELP as a final accounting. It is not. It is produced from Microsoft's counting methodology and Microsoft's data, and it is negotiated after the report is delivered.
This matters because Microsoft pulls its own data from Azure, Microsoft 365, and management tooling, and applies its own rules to count it. A SAM tool output that looks clean on your side can still differ from Microsoft's calculation, and Microsoft's calculation is the one that governs unless you contest it with better evidence. That is the work: rebuild a defensible ELP from your own records and use it to challenge the gap line by line.
The 5 percent clause and the 125 percent uplift
The audit clause in the Microsoft Business and Services Agreement carries a specific commercial consequence. If verified unlicensed use is 5 percent or more of total use, two things follow. The customer reimburses Microsoft for the cost of the verification, and the customer acquires the missing licenses at 125 percent of the current price rather than the standard rate.
The 5 percent threshold is why the count matters so much. A reconciliation that lands at 4 percent and one that lands at 6 percent are worlds apart in cost, and the difference often comes down to disputed editions, virtual core counting, and entitlements the auditor did not credit. A worked illustration shows the shape of it.
| Line | Auditor draft | Defended |
|---|---|---|
| Deployment counted | overstated | corrected |
| Entitlement credited | understated | fully credited |
| Unlicensed share of total | 6.0% | under 5% |
| 125 percent uplift applies | yes | no |
Indicative figures shown to illustrate the mechanics, not a quoted outcome.
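As an added illustration that is not part of the guide, the same mechanics as a small Python model: the product lines, unit counts, unit prices and verification cost are constructed assumptions, while the 5 percent test and the 125 percent uplift follow the clause as described above.

```python
"""Illustrative ELP reconciliation with constructed figures, not a real audit."""
from dataclasses import dataclass

THRESHOLD = 0.05   # unlicensed use of 5 percent or more triggers the consequences
UPLIFT = 1.25      # missing licenses then bought at 125 percent of current price


@dataclass
class Line:
    product: str
    deployed: int        # units counted as deployed (cores, users)
    entitled: int        # units credited from agreements and prior purchases
    unit_price: float    # assumed current price per unit (constructed)


def shortfall(line: Line) -> int:
    return max(line.deployed - line.entitled, 0)


def unlicensed_share(lines: list[Line]) -> float:
    total = sum(l.deployed for l in lines)
    return sum(shortfall(l) for l in lines) / total if total else 0.0


def settlement(lines: list[Line], verification_cost: float) -> dict:
    """Cost consequence of a reconciliation under the 5 percent clause."""
    share = unlicensed_share(lines)
    uplift = share >= THRESHOLD
    factor = UPLIFT if uplift else 1.0
    true_up = sum(shortfall(l) * l.unit_price * factor for l in lines)
    return {"share": round(share, 4), "uplift": uplift,
            "true_up": round(true_up, 2),
            "verification_cost": verification_cost if uplift else 0.0}


# Constructed auditor draft: deployment overstated, entitlement understated.
AUDITOR_DRAFT = [
    Line("SQL Server Enterprise (cores)", 100, 70, 7000.0),
    Line("Windows Server Datacenter (cores)", 400, 380, 150.0),
    Line("Office Professional Plus (users)", 500, 490, 500.0),
]

# Constructed defended position: SQL cores corrected for virtual core
# counting and downgrade rights credited; a missed Windows purchase credited.
DEFENDED = [
    Line("SQL Server Enterprise (cores)", 80, 80, 7000.0),
    Line("Windows Server Datacenter (cores)", 400, 390, 150.0),
    Line("Office Professional Plus (users)", 500, 490, 500.0),
]
```

Running `settlement(AUDITOR_DRAFT, 50000.0)` lands at 6 percent with the uplift and verification cost applied, while `settlement(DEFENDED, 50000.0)` lands near 2 percent with neither.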
Why SAM tool output is not audit defense
A common and costly assumption is that a clean SAM tool report is a defense. It is not. Microsoft uses its own counting methodology and its own data, and a SAM tool that reads your environment differently will produce a different number. When the two disagree, Microsoft's calculation governs. The SAM report is useful as an internal management tool. It is not the evidence that wins an audit. The evidence that wins is a reconciliation built to answer Microsoft's methodology on its own terms.
How Microsoft selects targets in 2026
Audit selection is no longer random. In 2026 Microsoft uses anomaly detection across licensing and telemetry to choose targets. Usage spikes, entitlement mismatches, and Azure Arc telemetry that reveals unlicensed servers all raise risk. A rapid cloud migration, a large acquisition, or a renewal on the horizon will draw attention. The practical lesson is that the data Microsoft already holds about your estate is part of the case before any letter arrives, which is why knowing your own position first is the strongest posture.
The moves that bring the number down
Defense is a sequence, not a single argument. The moves that consistently reduce exposure are these.
- Decline the initial SAM review and run your own internal assessment before Microsoft sees the data
- Rebuild a defensible ELP from your own records rather than accepting the auditor's count
- Credit every entitlement, including downgrade rights and prior purchases the draft missed
- Contest editions, virtual core counting, and the data sources behind the deployment number
- Keep the unlicensed share under the 5 percent line where the evidence supports it
- Separate what is contractually fixed from what is negotiable and argue the negotiable parts
- Document remediation so the record reflects good faith and a corrected position
You do not have to face the auditor alone.
Download the full survival guide, or book a Strategy Call and we will walk through where you stand and what the opening number really means.