White paper · End customer track

Building a Defensible ELP

When Microsoft opens an audit, it builds the Effective License Position with its own counting methodology and its own telemetry. A clean internal number is not enough. This paper shows how to build a position that holds against Microsoft's calculation, which is the one that governs.

  • The three ways Microsoft verifies, and what each one obliges you to do
  • Why SAM tool output is not audit defense
  • A worked reconciliation against the 5 percent unlicensed use clause
  • A pre audit evidence checklist your team can run this quarter

Six to ten pages. Written for CIOs, procurement, IT asset managers, and general counsel.

Free download

Send it to my inbox

Trade a work email and we send the paper. We block free inboxes so we know who we are sending it to.

Please use a work email. Free inboxes are blocked for this download.

On submit we redirect you to the asset and invite you to subscribe to The Audit Brief.

The summary up front: the auditor's Effective License Position is a reconciliation of your deployment against your entitlement, produced with Microsoft's data and Microsoft's rules. You cannot defend it with a SAM tool export. You defend it by building your own defensible position first, on the same evidence Microsoft will use.

The problem

Microsoft verifies licensing three ways, and they are not the same thing. A SAM engagement is voluntary and sales led. It is presented as a free optimization, but it is used to find gaps and create sales. A self verification is a contractual demand under your agreement and is not optional. A formal audit runs through a third party accounting firm under the MBSA audit clause. All three end in an Effective License Position, and the position is negotiated after the report, not before.

The trap is to treat your internal license count as the answer. Microsoft does not use your count. It uses its own counting methodology and its own data drawn from Azure, Microsoft 365, and management tooling. A clean SAM tool Effective License Position can still differ from Microsoft's calculation, and Microsoft's calculation governs.

A clean internal number is not a defense. The number that governs is the one built on Microsoft's own data.

The mechanics, with real numbers

The clause that gives the audit its teeth is simple. If unlicensed use is 5 percent or more of total use, the customer reimburses Microsoft's verification costs and acquires the licenses at 125 percent of the current price. Below 5 percent, you still license the gap, but at standard price and without the cost reimbursement. The 5 percent line is therefore the line worth defending.

Consider an estate where Microsoft's draft asserts a shortfall. The worked example below shows how rebuilding the position moves the result across that line.

LineMicrosoft draftRebuilt position
Total licensable use10,00010,000
Entitlement evidenced9,1009,640
Asserted unlicensed use900360
Unlicensed share9.0%3.6%
5 percent clauseTriggered, 125% priceNot triggered

Figures are indicative and chosen to show the mechanism. The rebuilt entitlement reflects proof of coverage that the draft had not credited, for example licenses assigned through a prior agreement, downgrade rights, or seats already retired.

The defense framework

A defensible Effective License Position is built in four moves, in this order.

  • Reconstruct deployment from the same sources Microsoft uses, Azure, Microsoft 365, and management tooling, not from a single inventory tool
  • Reconcile entitlement completely, including downgrade rights, prior agreements, and licenses that travel with the user or device
  • Remove use that should not count, for example dormant accounts, dev and test rights, and seats already decommissioned
  • Document every credit so each adjustment survives challenge, because an undocumented credit is an invitation to dispute

A recognized defensive move sits ahead of all of this. When the account team offers a SAM review, you can decline the initial review and run your own internal assessment first, with independent help, then respond to any formal demand from a controlled position rather than handing the vendor your gaps.

The checklist

  • Pull deployment data from Azure, Microsoft 365, and management tooling, dated and preserved
  • Assemble the full entitlement record, every agreement, every transfer, every downgrade right
  • Identify dormant and non production use and the rights that exempt it
  • Calculate the unlicensed share and locate it against the 5 percent line
  • Document the evidence behind every credit before any conversation with Microsoft
  • Decide the response track before you accept a SAM engagement

The next step

A defensible Effective License Position is the difference between negotiating from your evidence and reacting to Microsoft's. If an audit, a self verification, or a true up is in front of you now, the time to build the position is before you respond, not after. Download the full paper above, then book a Strategy Call and we will pressure test your position against the way Microsoft will actually count.

Read the paper, then build the real position.

Fixed Fee from $18,000 or Gainshare on verified savings, both backed by our guarantee: we reduce your exposure or we reimburse our service fee.

Get a Quote
Get a Quote · Book a Strategy Call · The Audit Brief · About · Pricing · Blog · Contact · Privacy · Terms · New York · London Not affiliated with Microsoft Corporation. Independent buyer side advisory only.