How CIOs can leverage Azure Arc for hybrid management, pay-as-you-go SQL and Windows Server licensing, Extended Security Updates, architecture optimisation, and Enterprise Agreement negotiation tactics that maximise Azure Arc value.
Part of the Microsoft Negotiations series
📚 Microsoft Negotiations SeriesFor the complete EA renewal guide, see Microsoft EA Renewal Guide. This article focuses on Azure Arc optimisation and EA negotiation.
Azure Arc is a hybrid and multi-cloud management platform that extends Azure's control plane beyond Azure's own infrastructure. Arc "projects" on-premises and third-party cloud resources into Azure Resource Manager, allowing you to manage them as if they were native Azure resources. Servers, VMs, Kubernetes clusters, and databases running outside Azure can be monitored, tagged, governed, and automated through the Azure Portal and APIs — providing a single pane of glass for managing a diverse IT estate.
Register on-premises Windows and Linux servers with Azure Arc to inventory them, apply Azure Policies uniformly, run scripts via VM extensions, and enforce security standards across on-prem and cloud. Connecting servers to Arc is free — costs arise only when you enable add-on Azure services (Monitor, Defender, Update Management). Servers with active Software Assurance get certain Arc management features at no additional cost.
Attach Kubernetes clusters from AWS, GCP, or on-premises to Azure Arc. Deploy configurations via GitOps, enforce Azure Policies across all clusters, and manage fleet-wide governance from the Azure Portal. This unifies Kubernetes management across environments — critical for enterprises running multi-cloud container strategies. Arc's Kubernetes management is free for basic features; advanced capabilities (Azure Monitor Container Insights, Defender for Containers) incur standard Azure charges.
Deploy Azure SQL Managed Instance and Azure PostgreSQL Hyperscale on-premises or at the edge, managed through Azure as if they were cloud instances. This is essential for scenarios where data residency, latency, or regulatory requirements demand on-premises workloads without forfeiting cloud management benefits. Arc-enabled data services are billed through Azure — and critically, this consumption counts toward your Azure MACC commitment.
Azure Arc integrates with System Center 2025, allowing organisations to leverage familiar on-premises management while extending capabilities to Azure. This means enterprises do not need to abandon existing ITSM and configuration management investments — Arc complements and extends them. CIOs should view Arc as an evolution of their management approach, not a replacement of existing tools.
"Azure Arc should be considered a strategic enabler for hybrid cloud operating models. It helps standardise management in mixed environments — which is crucial for enterprises pursuing digital transformation while maintaining legacy systems. CIOs need to see Arc not just as a tool but as a shift toward cloud-inspired operations for all infrastructure."
Azure Arc's control plane is free — connecting resources, organising them, tagging, and running basic management scripts costs nothing. However, any Azure services enabled on Arc-connected resources and any advanced management features incur Azure charges. Understanding where costs arise — and where Arc creates licensing flexibility — is the key to optimisation.
| Arc Capability | Cost Model | Optimisation Strategy | EA Negotiation Relevance |
|---|---|---|---|
| Arc control plane (connect, inventory, tag, policy) | Free | Enable for all servers — zero cost for visibility and governance | Demonstrates Azure adoption breadth without additional spend |
| SQL Server PAYG via Arc | Hourly metered (per-core) | Use for burst, dev/test, seasonal; BYOL for steady production | Counts toward MACC; negotiate hourly rates in EA |
| Windows Server PAYG via Arc | Hourly metered (per-core) | Use for incremental/short-term deployments; perpetual for base | No CALs required for PAYG — saves on access licence costs |
| Extended Security Updates | Monthly via Azure billing | Stop paying instantly when servers are decommissioned or upgraded | Draws down Azure credits; can negotiate ESU rates in EA |
| Azure Monitor / Defender | Per-node or per-GB ingested | Enable selectively — critical servers only; use Defender plan bundles | Bundle with EA Azure commitment for volume discounts |
| Azure Hybrid Benefit | Licence entitlement applied to Arc | Apply existing SA-covered licences to reduce Arc PAYG costs | Negotiate SA inclusion/renewal as part of EA to maximise AHB |
| Core principle | Arc consumption flows through Azure billing → counts toward MACC → strengthens your Azure commitment negotiation position | ||
The most financially impactful Arc capability is pay-as-you-go (PAYG) licensing for SQL Server. Instead of purchasing per-core licences upfront, you connect SQL Server instances to Azure Arc and pay hourly — billed to your Azure subscription exactly like a cloud PaaS service.
PAYG excels for: seasonal workloads (scale up for quarter-end processing, scale down after), development and testing environments (spin up SQL for a sprint, decommission after release), temporary projects (data migration staging, analytics for a specific initiative), and burst capacity (additional SQL instances during peak demand). The advantage: zero upfront licence cost, pay only for hours of active use, and stop paying immediately when the instance is shut down. For a SQL Server Enterprise core that costs $14,256/year as a traditional licence, PAYG can reduce the cost to a fraction if the workload runs only a few months per year.
For SQL Server instances running 24 hours a day, 365 days a year, PAYG hourly billing becomes more expensive than a traditional per-core licence over a 3-year period. The break-even point varies by edition and negotiated EA discount, but as a rule of thumb: if a SQL Server instance runs continuously for more than 18–24 months, the traditional licence (purchased under EA with Software Assurance) is typically cheaper. The optimal strategy is hybrid: BYOL (Bring Your Own Licence) for stable production, PAYG for everything else. Arc supports both modes on the same server — you can attach a licensed SQL instance for management-only or enable PAYG billing for unlicensed instances.
Starting with Windows Server 2025, Microsoft offers pay-as-you-go licensing through Azure Arc — converting on-premises server licensing into a cloud-like hourly subscription. The significant benefit: PAYG Windows Server instances do not require separate Client Access Licences (CALs), which can represent a major saving for environments with large user populations. Use PAYG for new incremental deployments, short-term projects, and labs. Continue using perpetual licences or EA entitlements for well-utilised permanent servers where the annual cost comparison favours traditional licensing.
Legacy servers past end-of-support (Windows Server 2012/R2, SQL Server 2012/2014) can receive Extended Security Updates through Azure Arc on a pay-as-you-go monthly basis — instead of the traditional upfront annual ESU purchase through volume licensing. The advantages: (1) pay monthly and stop immediately when a server is decommissioned or upgraded (no wasted annual fees on servers retired mid-year), (2) ESU costs are billed through Azure and count toward your MACC commitment, (3) any negotiated Azure discounts apply to ESU billing. For enterprises with hundreds of legacy servers on varied decommission timelines, Arc-based ESU billing can save 20–40 % compared to annual ESU purchases.
Treat Azure Arc onboarding as a cloud adoption project. Before connecting servers, establish resource organisation: Azure subscriptions, resource groups, and management groups for Arc-connected assets. Define Azure Policy assignments that will apply automatically to Arc-enabled resources — security baselines, tagging requirements, compliance standards. This ensures that as you Arc-enable hundreds of servers or dozens of clusters, they consistently adhere to enterprise standards from day one.
The free Arc control plane provides inventory, tagging, and basic management for all connected resources. Add-on services (Monitor, Defender, Update Management) should be enabled selectively based on workload criticality. Tier your Arc-connected servers: Tier 1 (production-critical) gets full monitoring and Defender; Tier 2 (business applications) gets Update Management and basic monitoring; Tier 3 (development, test, legacy) gets Arc visibility only. This tiered approach can reduce Azure management costs by 40–60 % compared to enabling all services on all servers.
Arc agents require secure outbound communication with Azure. Work with your CISO and network teams to plan connectivity: set up proxies or specific outbound firewall rules, configure Azure AD service principals for Arc, and ensure identity and access management controls are in place. Private Link for Arc is available for organisations requiring all Arc traffic to traverse private networks. Proper upfront planning maintains security parity between on-premises and Azure environments.
Azure Hybrid Benefit (AHB) allows organisations with Software Assurance-covered Windows Server and SQL Server licences to apply those entitlements against Arc-enabled workloads, reducing or eliminating PAYG costs. Map your existing SA entitlements to Arc-connected instances: production servers with existing licences should use BYOL mode (management-only), while unlicensed instances use PAYG. The combination of AHB + Arc PAYG creates a flexible licensing model where you optimise cost per workload without over-purchasing traditional licences.
Azure Arc creates specific negotiation opportunities within your Microsoft Enterprise Agreement. Because Arc consumption flows through Azure billing, it directly impacts your Azure commitment, discount levels, and overall EA commercial structure.
| Negotiation Lever | Microsoft's Position | Your Counter-Strategy |
|---|---|---|
| Arc consumption in MACC | Microsoft counts Arc billing toward your Azure commitment | Use Arc PAYG to fill MACC at favourable rates — especially ESU and dev/test SQL. Negotiate that ALL Arc consumption (including PAYG licences) counts toward MACC commitment |
| Azure discount on Arc services | Standard Azure discount applies to Arc consumption | Negotiate a higher Azure discount tier by including projected Arc consumption in your total Azure commitment. Arc adds predictable on-prem spend to your Azure commitment, justifying a higher discount level |
| SQL Server PAYG rates | Standard hourly rates for Arc SQL | Negotiate custom PAYG rates for Arc SQL Server as part of your EA — particularly if you commit to migrating dev/test and seasonal workloads to Arc PAYG. Volume-based pricing is achievable |
| ESU pricing via Arc | List pricing for ESU through Azure billing | Negotiate ESU discounts as part of the EA renewal. Present your legacy server decommission timeline to demonstrate declining ESU spend — Microsoft may offer better rates to secure the commitment |
| Software Assurance and AHB | Microsoft wants SA renewal for AHB eligibility | Evaluate whether SA renewal cost is justified by AHB savings. Negotiate SA terms specifically for Arc benefit — include only products where AHB delivers measurable savings on Arc consumption |
| Arc as migration leverage | Microsoft views Arc as a pathway to Azure migration | Position Arc adoption as evidence of Azure investment that justifies better EA terms. "We are standardising on Azure management for 2,000+ servers via Arc — this commitment warrants improved pricing across the EA" |
Connect all on-premises servers and Kubernetes clusters to Azure Arc using the free control plane. Establish resource organisation (subscriptions, resource groups, management groups for Arc assets), apply Azure Policy assignments for tagging and security baselines, and generate a comprehensive inventory of your hybrid estate. This phase costs nothing in Azure charges and provides immediate value: unified visibility across on-prem, AWS, GCP, and edge infrastructure. Use this inventory to identify licensing optimisation opportunities — servers running legacy ESU-eligible OS, SQL Server instances that could benefit from PAYG, and workloads where Azure Hybrid Benefit can be applied.
Enable paid Azure services selectively based on your tiered server classification: Defender for Cloud on Tier 1 (critical production), Update Management on Tier 1 and 2, Azure Monitor on servers requiring detailed observability. Enable PAYG SQL Server billing on development, test, and seasonal instances. Route ESU for legacy servers through Arc billing. Monitor Azure cost reports weekly during this phase to validate that actual charges align with projections — adjust service enablement if costs exceed expectations.
Incorporate Arc consumption data into your EA renewal planning. Calculate the total projected Arc spend (PAYG licences, ESU, management services) and include it in your Azure MACC commitment negotiation. Evaluate Software Assurance renewals based on AHB value across Arc-connected instances. Establish quarterly reviews of Arc consumption versus budget, and continuously optimise the balance between BYOL and PAYG per workload based on actual usage patterns. This phase is ongoing — Arc's licensing flexibility means your optimisation strategy should evolve with your infrastructure.
The Azure Arc control plane is free — connecting on-premises servers, Kubernetes clusters, and other resources to Azure Arc costs nothing. You can tag, organise, inventory, and apply basic Azure Policies to Arc-connected resources at no charge. However, any Azure services you enable on those resources incur standard Azure charges: Azure Monitor (per-GB or per-node), Microsoft Defender for Cloud (per-server plan), Update Management, and Arc-enabled data services all carry Azure billing. The optimisation strategy is to enable the free control plane universally for visibility and governance, then selectively enable paid services based on workload criticality and cost-benefit analysis.
You connect an on-premises SQL Server instance to Azure Arc and enable pay-as-you-go billing. Azure then meters the SQL Server usage hourly — per core, per edition (Standard or Enterprise) — and bills it to your Azure subscription exactly like a cloud PaaS service. There is no upfront licence purchase; you pay only for hours of active use. When the instance is shut down, billing stops. This is ideal for temporary, seasonal, and dev/test workloads where traditional per-core licence purchasing creates waste. For steady 24/7 production workloads, compare the annual PAYG cost against traditional licensing (with your EA discount) to determine which model is cheaper. Arc supports both BYOL and PAYG on the same server, so you can optimise per workload.
Yes — all Azure Arc consumption billed through Azure counts toward your Microsoft Azure Consumption Commitment (MACC). This includes PAYG SQL Server licensing, PAYG Windows Server licensing, Extended Security Updates, Azure Monitor, Defender for Cloud, and Arc-enabled data services. This is strategically important for EA negotiations: Arc consumption adds predictable on-premises spend to your Azure commitment, which can justify higher Azure discount tiers and helps ensure you meet MACC thresholds without over-committing to pure cloud consumption. CIOs should include projected Arc consumption in their total Azure commitment calculations during EA negotiations.
Significantly. Traditional ESU purchases require an upfront annual commitment per server through volume licensing. Azure Arc delivers ESU on a pay-as-you-go monthly basis — billed through Azure. The advantages: (1) you pay monthly and stop immediately when a server is decommissioned or upgraded (no wasted annual fees), (2) ESU billing counts toward your MACC, (3) any negotiated Azure discounts apply to ESU charges, and (4) billing through Azure provides granular cost tracking per server. For enterprises with hundreds of legacy servers on varied decommission timelines, Arc-based ESU billing typically saves 20–40% compared to annual ESU purchases — and the flexibility to stop billing mid-month eliminates the "sunk cost" of annual ESU fees on servers that are retired before the period ends.
The decision depends on the workload profile. PAYG via Arc is optimal for: new incremental deployments, short-term projects, labs and testing environments, and scenarios where you want to avoid CAL requirements (PAYG Windows Server does not require separate CALs). Traditional perpetual licences (or EA entitlements) are typically cheaper for well-utilised servers running 24/7 over multi-year periods. The hybrid strategy: use existing perpetual licences or EA entitlements for your stable server base, and use Arc PAYG for incremental, temporary, and elastic deployments. Arc supports mixing both modes — you do not need to choose one approach for all servers.
Azure Hybrid Benefit (AHB) allows organisations with active Software Assurance on Windows Server and SQL Server licences to apply those entitlements against Arc-connected workloads, reducing or eliminating PAYG costs. For example, if you have SA-covered SQL Server Enterprise licences, you can attach those instances to Arc in BYOL mode — Arc provides centralised management at no additional licence cost. For instances without existing licences, you use PAYG mode. The combination creates a flexible model: licensed workloads use AHB for free management, unlicensed workloads use PAYG for on-demand licensing. During EA negotiations, evaluate whether SA renewal costs are justified by the AHB savings they enable on Arc — only renew SA on products where the benefit is measurable.
Six priority items: (1) Negotiate that all Arc consumption (PAYG licences, ESU, management services) counts toward MACC without exclusions. (2) Request custom PAYG rates for Arc SQL Server and Windows Server based on your projected volume. (3) Negotiate ESU discounts for legacy servers — present your decommission timeline to demonstrate declining spend. (4) Include projected Arc consumption in your total Azure commitment to justify a higher discount tier. (5) Request flexibility to shift between BYOL and PAYG modes within the EA term. (6) Bundle Defender and Monitor pricing across all Arc-connected resources for volume discounts. Position Arc adoption as evidence of your strategic investment in the Microsoft ecosystem — this strengthens your case for improved pricing across the entire EA.
Let Redress Compliance analyse your Azure Arc opportunity and build a negotiation strategy that protects your interests and maximises value.
This playbook is part of our Microsoft Negotiations series. Explore related guides: