The SPUR, Explained

Under the Services Provider License Agreement, the SPLA, you do not buy licenses up front. You report what you use each month and you pay for it. The document that tells you how to count and report is the Services Provider Use Rights, the SPUR. It defines which products exist, how each one is licensed, and how you translate live usage into a monthly report. When a SPLA audit arrives, the auditor is checking your reports against the SPUR for every month in the lookback. Getting the SPUR right is not paperwork. It is the structure of your defense.

What the SPUR is and why it governs everything

The SPUR is the rulebook for services providers. It is updated regularly, and the version that applies to any given month is the version in force during that month. That detail matters more than it sounds. Because SPLA is monthly pay as you consume, and because compliance is verified for every monthly cycle across a 36 month lookback, the auditor does not check your reporting against today rules. The auditor checks each month against the rules that applied to that month. Product version mapping across that window is a defense in itself.

SAL and processor: the two ways you report

Most SPLA products are licensed one of two ways, and the SPUR tells you which applies to each product.

Subscriber Access License, the SAL

A SAL is a per user model. You report one SAL for each unique user who is authorized to access the licensed product during the month, regardless of how often they actually use it. The key word is authorized. Access rights, not active sessions, drive the count. If a user could access the product, that user needs a SAL for the month, even if they never logged in. This is where many hosters under report without realizing it, because they count active users rather than authorized users.

Processor and core licensing

Some products are licensed by the physical capacity that runs them, measured in processors or cores rather than users. Here the count is driven by the hardware where the workload runs, and the SPUR sets the rules for how cores are counted, what the minimums are, and how virtualization affects the total. Processor based products are where virtualization assumptions can inflate a count quickly, so the mapping between where a workload can run and where it actually runs needs to be documented.

How the monthly cycle works

SPLA reporting runs on a rhythm, and the rhythm is the discipline that protects you.

• You consume. Across the month, users are authorized and workloads run.
• You count. You apply the SPUR for that month to translate usage into SAL and processor numbers.
• You report. You submit a monthly SAL report, on time, to your reseller.
• You pay. You pay at the price file rate for what you reported.

Each month is its own settled unit. There is no annual true up that smooths over a missed month. A month reported late or reported wrong sits in the record as a defect, and the 36 month lookback is built to find exactly those defects.

What the auditor checks in a SPLA audit

A SPLA audit is conducted by a Big Four firm under the audit clause in your Microsoft Business and Services Agreement. The auditor reconstructs what you should have reported for every month in the 36 month window and compares it to what you actually reported. Two outcomes carry very different weight:

• Back fees. Where you under reported, you owe the difference at the price file rate. Back fees at the price file rate are not negotiable. They are simply the cost of usage you did not report.
• Penalty uplift. On top of back fees, the auditor can apply an uplift that ranges from 25 to 125 percent. Unlike back fees, the uplift is negotiable, and reporting discipline is what gives you the leverage to negotiate it down.

The distinction is the whole strategy. You cannot argue away usage you genuinely consumed. You can argue down the penalty when your records show that your reporting was disciplined, complete, and made in good faith.

The structural defense: reporting discipline

The hosters who come through a SPLA audit cleanly are the ones who built discipline into the monthly cycle long before any audit notice arrived. The defense is structural, not reactive.

• Submit monthly SAL reports on time, every month, with no gaps in the record.
• Seal daily authentication counts so that authorized user numbers are evidenced, not reconstructed from memory.
• Maintain customer mapping so every reported user ties to a known customer and contract.
• Keep product version mapping for each month, so the SPUR version that applied is documented.
• Document multi tenant boundaries so shared infrastructure is allocated correctly and not double counted.

Every item on that list is evidence. When the auditor asks how you arrived at a number for a month two years ago, disciplined records answer the question for you. Where the records are thin, the auditor fills the gap with assumptions, and assumptions run against you.

Where we sit

We are the defense that sits between you and Microsoft and its appointed auditor. For hosters that means two things: we build the reporting discipline that prevents exposure, and when an audit lands we reconstruct your position month by month, isolate the non negotiable back fees from the negotiable uplift, and drive the penalty down.

We work on a Fixed Fee from $18,000 or on Gainshare, a share of verified savings or avoided penalty with zero retainer and no risk to you. Our guarantee is plain: we reduce your exposure or we reimburse our service fee. Across more than 300 Microsoft and SPLA audits we have defended more than $500M in Microsoft exposure, holding clients in the 95 to 100 percent range of penalty exposure defended, backed by more than 20 years of combined experience.