An audit rarely begins with a surprise. It begins with a signal that your deployment and your entitlement no longer line up. This page maps the signals Microsoft watches, how each track gets selected, and the moves that reduce your exposure before anyone asks for data.
How Microsoft selects targets in 2026
Microsoft now applies AI anomaly detection to the data it already holds about your estate. It does not need to visit you to form a suspicion. It reconciles what it can see from Azure, Microsoft 365, and its management tooling against what you have bought, and it flags the gaps. The account that looks anomalous is the account that gets a SAM (Software Asset Management) engagement, a self-verification, or a formal audit notice.
For end customers, three verification paths follow from that signal. A SAM engagement is voluntary and sales-led, presented as a free optimization but used to find gaps. A self-verification is a contractual demand under your agreement and you cannot decline it. A formal audit runs through a third-party accounting firm under the MBSA (Microsoft Business and Services Agreement) audit clause and ends in an Effective License Position (ELP). For hosters, the path is a SPLA (Services Provider License Agreement) audit by a Big Four firm across a 36-month lookback.
The triggers that raise an end customer profile
These are the patterns that most often move an account up the list.
- Usage spikes that outpace your last purchase, for example a sharp rise in Microsoft 365 seats or new server workloads with no matching entitlement
- Entitlement mismatches where deployed editions or versions exceed what your agreement covers
- Azure Arc telemetry that reveals on-premises and hybrid servers Microsoft can now count, including unlicensed instances
- An expiring Enterprise Agreement or an approaching true-up, which concentrates attention on your real position
- Mergers, acquisitions, and divestitures that blur which entity holds which license
- A declined SAM engagement handled badly, which can convert a soft motion into a formal demand
That last point is the one buyers underestimate. A clean internal SAM tool report can still differ from Microsoft's calculation because Microsoft uses its own counting methodology and its own telemetry. When the two disagree, Microsoft's number is the one on the table. Defense means rebuilding a defensible Effective License Position on your terms before that happens.
The triggers that raise a hoster profile
SPLA risk is structural, not occasional. Because SPLA is pay-as-you-consume and verified for every monthly cycle across a 36-month lookback, the triggers cluster around reporting discipline.
- Monthly SAL (Subscriber Access License) or processor reports that arrive late, are missing, or move erratically month to month
- Reported counts that do not reconcile to sealed daily authentication data
- Customer mapping gaps where reported SAL blocks do not tie to real end customer contracts
- Misapplied SPUR (Services Provider Use Rights) that drives under-reporting, which is compliance risk, or over-reporting, which wastes margin
- Multi-tenant boundaries that are not documented, leaving disputed consumption open to challenge
- A SPLA-to-CSP (Cloud Solution Provider) transition handled without a clean wind-down trail
The 5 percent clause and why exposure compounds
For end customers, the MBSA audit clause carries a sharp consequence. If unlicensed use reaches 5 percent or more of total use, you reimburse Microsoft's verification costs and acquire the missing licenses at 125 percent of the current price. A small percentage gap can therefore carry an outsized bill once the penalty rate is applied.
For hosters, exposure compounds differently. The auditor reconstructs each of the 36 months. Back fees at the price-file rate are not negotiable. The penalty uplift, which ranges from 25 to 125 percent, is. A single reporting habit repeated across three years multiplies into the headline number, which is why rebuilding the monthly base is where the defense begins.
Indicative exposure, end customer
| Line | How it is set | Negotiable |
|---|---|---|
| Missing licenses | Acquired at 125 percent of current price | The count and methodology, yes |
| Verification costs | Reimbursed if unlicensed use is 5 percent or more | Whether the threshold is met |
| Final position | Negotiated after the report, not before | Yes |
Figures are indicative and depend on your agreement and estate.
How to reduce your audit profile
You cannot make yourself invisible, but you can make yourself unrewarding to audit and ready if one comes. A recognized defensive move is to decline the initial SAM review and run your own internal assessment with independent help first, then respond to any formal demand from a controlled position.
- Run an independent internal assessment before you respond to any SAM motion
- Reconcile deployment to entitlement on a quarterly habit, not once a year
- Govern Azure and Microsoft 365 consumption so usage and entitlement track together
- Document your entitlements so they hold up against Microsoft's own counting
- For hosters, keep monthly SAL reports on time, seal daily authentication counts, and map every block to a customer and a version
If a signal has already become a letter, the priority changes from prevention to defense. Read more on how a Microsoft audit begins, and on reducing your Microsoft audit profile before the next cycle.
Where this leaves you
Triggers are early warnings, not verdicts. The opening position an auditor builds is designed to be high. Whether you are an end customer facing a self-verification or a hoster facing a 36-month reconstruction, the number on the first page is the start of a negotiation, not the end of one. We sit on your side of the table and bring it down.