Why Microsoft Audit Findings Are Predictable — and Why That Is Your Advantage
Microsoft licensing audits — whether conducted through SAM (Software Asset Management) engagements, formal audit clauses, or partner-led compliance reviews — follow remarkably consistent patterns. The same ten findings account for approximately 90% of all audit exposure across the thousands of Microsoft audit engagements completed globally each year.
This predictability is your advantage. Because the findings are foreseeable, they are also preventable. Organisations that conduct proactive internal assessments using the same methodology Microsoft's auditors employ can identify and remediate every material gap before it becomes a seven-figure true-up demand.
Microsoft's audit programme is fundamentally a revenue recovery mechanism. Under-licensing findings generate purchase obligations at list price — no volume discounts, no negotiation leverage, no budget planning time. The differential between proactive remediation (where you control the timing, the solution, and the commercial terms) and reactive compliance (where Microsoft dictates the terms) is typically 40–60% of the total cost. This guide provides the analytical framework to stay on the proactive side of that equation.
"In every Microsoft audit we have defended, the client's strongest position came from knowing their own environment better than the auditor. The organisations that had already identified their findings — and either remediated them or prepared a documented defence — resolved audits 60–70% faster and at 40–50% lower cost than those caught unprepared."
Finding 1 — SQL Server Virtualisation Under-Licensing
SQL Server virtualisation is the single largest source of Microsoft audit exposure, generating the highest-value findings and the most contentious disputes. The core issue is the disconnect between how virtualisation works technically and how Microsoft licenses it contractually.
Microsoft requires that SQL Server running on virtualised infrastructure be licensed based on physical cores, not virtual cores. For organisations without Software Assurance (SA) and licence mobility rights, every physical host in a VMware vSphere, Hyper-V, or other virtualised cluster that could potentially run SQL Server must be fully licensed — all physical cores, not just those allocated to SQL VMs.
| Scenario | What Organisations Assume | What Microsoft Claims | Typical Exposure |
|---|---|---|---|
| SQL Server EE on 1 VM (8 vCPUs) in a 4-host cluster (192 total cores) | 8 core licences | 192 core licences (all hosts) | $1.3M at list price |
| SQL Server SE on 3 VMs across 2 hosts (32 total cores) | 16 core licences per host used | 32 core licences (both hosts, minimum 8 per VM) | $230K at list price |
| SQL Server EE with SA and licence mobility in a server farm | Licence the VMs used | Licence the VMs used (mobility rights apply) | Compliant if documented |

Note: SQL Server Enterprise Edition with Software Assurance is the only configuration that allows flexible VM mobility across hosts without licensing every physical core.
🎯 SQL Server Virtualisation Remediation
- Map every SQL Server instance to its physical host: Document which physical servers can run SQL VMs. Include disaster recovery and failover hosts — Microsoft counts passive hosts in certain configurations.
- Verify Software Assurance status: SA with licence mobility is the primary mechanism for avoiding full-host licensing. If SA has lapsed, mobility rights are lost and full physical host licensing applies retroactively.
- Consolidate SQL onto dedicated hosts: Restrict SQL Server VMs to specific hosts using affinity rules or dedicated clusters. License only those hosts. This reduces the licensing footprint dramatically.
- Evaluate SQL Server Enterprise unlimited virtualisation: SQL Server Enterprise Edition with SA allows unlimited VMs on a fully licensed host. For dense virtualisation environments, this is often cheaper than licensing individual VMs.
- Document VM mobility and placement: Maintain logs showing which hosts run SQL VMs and when. Without SA, the 90-day reassignment rule applies — licences cannot move to a different server more frequently than once per 90 days.
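The core-count arithmetic behind the scenario table and the consolidation step above, as an added example that is not part of the original article. Host names, core counts, VM sizes and the affinity map are constructed sample values, and the 8-core per-VM floor is taken from the table above rather than from Microsoft's terms.

```python
"""SQL Server virtualisation core-licence exposure calculator (added example)."""
from dataclasses import dataclass, field

# Per-VM floor used in the table above ("minimum 8 per VM"); an assumption here,
# so confirm it against your own Product Terms before relying on it.
MIN_CORES_PER_VM = 8


@dataclass
class SqlVm:
    name: str
    vcpus: int
    # Hosts this VM may run on (affinity rule / dedicated cluster).
    # An empty set means it can float to any host in the cluster.
    allowed_hosts: frozenset = field(default_factory=frozenset)


def required_core_licences(hosts: dict, vms: list, sa_with_mobility: bool) -> int:
    """Core licences needed for the SQL VMs in one cluster.

    hosts: {host_name: physical_core_count}
    With SA + licence mobility, licence the VMs themselves (vCPUs, subject to
    the per-VM minimum). Without it, every physical core on every host that
    could run a SQL VM is counted, DR and failover hosts included.
    """
    if sa_with_mobility:
        return sum(max(vm.vcpus, MIN_CORES_PER_VM) for vm in vms)
    exposed = set()
    for vm in vms:
        exposed |= vm.allowed_hosts if vm.allowed_hosts else set(hosts)
    return sum(hosts[h] for h in exposed)


# Constructed sample: 4-host cluster, 48 physical cores per host (192 total),
# one Enterprise Edition VM with 8 vCPUs that is free to float across all hosts.
CLUSTER = {"esx01": 48, "esx02": 48, "esx03": 48, "esx04": 48}
FLOATING_VM = [SqlVm("sql-prod-01", 8)]
# Remediation: pin the same VM to one dedicated host with an affinity rule.
PINNED_VM = [SqlVm("sql-prod-01", 8, frozenset({"esx01"}))]


def scenario_summary() -> dict:
    """What the organisation assumed versus what an auditor counts."""
    return {
        "assumed": FLOATING_VM[0].vcpus,
        "no_sa_floating": required_core_licences(CLUSTER, FLOATING_VM, False),
        "no_sa_pinned": required_core_licences(CLUSTER, PINNED_VM, False),
        "sa_mobility": required_core_licences(CLUSTER, FLOATING_VM, True),
    }


if __name__ == "__main__":
    for label, cores in scenario_summary().items():
        print(f"{label:16} {cores:4} core licences")
```

Pinning the VM drops the no-SA count from 192 to 48, which is the consolidation step in the list above expressed as numbers.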
Finding 2 — Unassigned or Unlicensed Microsoft 365 Users
Every active user account consuming Microsoft 365 services requires a corresponding licence assignment. Audits routinely discover active accounts — particularly for contractors, temporary staff, shared mailboxes, and service accounts — that access Exchange Online, SharePoint, Teams, or other M365 services without a licence.
The finding arises because user provisioning (creating the account) and licence assignment (allocating the M365 subscription) are often separate processes. In organisations with rapid onboarding, seasonal workforces, or decentralised IT, the two processes become desynchronised. The result is hundreds or even thousands of active accounts with no corresponding licence — each representing a compliance gap.
Typical Gap Size
We find 5–15% of active M365 accounts are unlicensed in the average enterprise. For a 10,000-user organisation on E3, that represents $180K–$540K in annual exposure at list price.
Shared Mailbox Trap
Shared mailboxes that are converted from user mailboxes retain access to Exchange Online. Microsoft considers these "active" even if no human logs in directly. Ensure shared mailboxes are properly typed and do not consume licensed features.
Service Account Risk
Service accounts that authenticate to M365 APIs or connect to Exchange for automated workflows require licensing if they access licensed services. Review all non-human accounts for M365 service consumption.
Remediation Cost Savings
Identifying and removing genuinely unused accounts — rather than purchasing licences for them — reduces your M365 bill. We typically find 8–12% of accounts can be deprovisioned with no business impact.
Finding 3 — Windows Server Edition and Core Count Mismatches
Windows Server licensing requires licensing every physical core on every server running Windows, with a minimum of 8 cores per physical processor and 16 cores per server. Audits frequently discover servers with more physical cores than the licence covers — a gap that widens every time hardware is refreshed with newer, higher-core-count processors.
The second common finding is edition mismatch: running Windows Server Datacenter workloads (unlimited virtualisation) on a Standard Edition licence (which covers only two VMs per licence set). Organisations that virtualise heavily on Windows Server Standard consistently under-license when VM counts exceed the 2-per-licence-set threshold.
| Finding Type | How It Happens | Detection Method | Remediation |
|---|---|---|---|
| Core count shortfall | Server hardware refreshed with higher-core processors; licences not updated | Compare physical core inventory against licence entitlements | Purchase additional core packs or downgrade to fewer-core hardware |
| Standard vs. Datacenter | More than 2 Windows VMs per licence set on Standard Edition | Count VMs per host; compare against Standard Edition limits | Stack Standard licences (1 per 2 VMs) or upgrade to Datacenter |
| Unlicensed hosts | New servers provisioned without corresponding Windows Server licences | Reconcile server inventory against purchase records | Purchase licences or decommission unlicensed servers |
| Expired SA on version upgrades | Running newer Windows Server versions after SA expired | Compare installed version against licensed version and SA expiry | Purchase new licences for the current version or downgrade |
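The core-count and edition rules stated above, applied to a constructed server inventory as an added example that is not part of the original article. The minimums (8 cores per processor, 16 per server), the 2-VMs-per-licence-set rule for Standard and the server records are taken from, or constructed to illustrate, the text and table above.

```python
"""Windows Server core-count and edition reconciliation (added example)."""
import math
from dataclasses import dataclass

MIN_CORES_PER_PROCESSOR = 8
MIN_CORES_PER_SERVER = 16
STANDARD_VMS_PER_LICENCE_SET = 2


@dataclass
class Server:
    name: str
    processors: int
    cores_per_processor: int
    windows_vms: int      # Windows Server VMs hosted on this machine
    edition: str          # "Standard" or "Datacenter"
    licensed_cores: int   # core licences of that edition assigned to it


def licensable_cores(server: Server) -> int:
    """Physical cores one licence set must cover, after the minimums apply."""
    per_proc = max(server.cores_per_processor, MIN_CORES_PER_PROCESSOR)
    return max(per_proc * server.processors, MIN_CORES_PER_SERVER)


def required_cores(server: Server) -> int:
    """Core licences needed: Datacenter covers unlimited VMs with one set,
    Standard covers 2 VMs per set and must be stacked beyond that."""
    base = licensable_cores(server)
    if server.edition == "Datacenter":
        return base
    if server.edition != "Standard":
        raise ValueError(f"unknown edition {server.edition!r}")
    sets = max(1, math.ceil(server.windows_vms / STANDARD_VMS_PER_LICENCE_SET))
    return base * sets


def shortfall(server: Server) -> int:
    """Core licences still to buy (0 when the server is covered)."""
    return max(required_cores(server) - server.licensed_cores, 0)


# Constructed inventory mirroring the first two rows of the table above.
INVENTORY = [
    # Hardware refresh: licensed as 2x16 cores, now running 2x24-core processors.
    Server("app-host-01", 2, 24, 0, "Standard", 32),
    # Dense virtualisation on Standard: 10 VMs on a 2x16-core host.
    Server("hv-host-02", 2, 16, 10, "Standard", 32),
    # The same host on Datacenter needs only one licence set.
    Server("hv-host-02-dc", 2, 16, 10, "Datacenter", 32),
    # Small box: a single 4-core processor still hits the 16-core minimum.
    Server("edge-01", 1, 4, 1, "Standard", 16),
]


def reconcile(inventory=INVENTORY) -> dict:
    """Per-server shortfall in core licences for the whole inventory."""
    return {s.name: shortfall(s) for s in inventory}


if __name__ == "__main__":
    for name, gap in reconcile().items():
        print(f"{name:16} shortfall: {gap} core licences")
```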
Finding 4 — Client Access Licence (CAL) Shortfalls and Multiplexing
Client Access Licences remain one of the most persistent audit findings because they are one of the least understood licensing constructs. Every user or device that accesses a Microsoft server product — Windows Server, SQL Server (in CAL mode), Exchange Server, SharePoint Server — requires a CAL. The licence type (User CAL or Device CAL) and version must match the server version being accessed.
The multiplexing trap is where most organisations unknowingly fail. Microsoft's policy is unambiguous: using middleware, web portals, or application servers to pool connections between users and a Microsoft server product does not reduce the CAL requirement. Every unique user who accesses the back-end server — even indirectly through an application — requires a CAL.
Retail Company: $1.4M CAL Exposure from Web Application Multiplexing
Situation: A retail company with 200 internal staff had built a customer-facing web application that queried SQL Server (licensed in CAL mode) on the back end. The company held 200 SQL Server CALs for its employees, assuming the web application users did not need licences.
What happened: During a SAM engagement, Microsoft identified that 45,000 unique external users accessed the web portal monthly, each triggering queries to SQL Server. Microsoft's position: every external user required a SQL Server CAL, or the company needed to relicense SQL Server on a per-core basis.
Finding 5 — Software Assurance Expiry and Version Rights
Software Assurance (SA) provides upgrade rights, licence mobility, and other benefits for a defined term. When SA expires, organisations lose the right to upgrade to newer versions of the covered software. Running a version of Windows Server, SQL Server, or Office that was released after your SA expired is a compliance violation — you are using software you are not entitled to.
This finding is increasingly common as organisations refresh hardware and install the latest operating systems without checking whether their SA still covers the upgrade. It is also a frequent trap during cloud migrations, where SA provides Azure Hybrid Benefit (AHB) rights that disappear when SA lapses.
SA Expired + New Version Deployed
Running Windows Server 2022 or SQL Server 2022 on licences where SA expired before the product released. The only compliant options are: renew SA retroactively (expensive), purchase new licences for the current version, or downgrade to the version your licence entitles you to use.
SA Expired + Azure Hybrid Benefit Lost
Azure Hybrid Benefit allows you to use on-premises Windows Server or SQL Server licences in Azure at reduced rates. When SA expires, AHB eligibility ends. Organisations running Azure VMs under AHB with expired SA face back-billing for the full Azure licence-included rate.
SA Expired + No Version Upgrade
If SA expires but you continue running the version you were entitled to at the time of expiry, you remain compliant for that version. You lose upgrade rights and mobility, but the existing deployment is licensed. This is the safest position if SA renewal is not economical.
Finding 6 — Development and Test Environment Misuse
Development and test environments are frequently deployed using production licence keys and configurations, creating compliance gaps that auditors identify quickly. Microsoft offers specific dev/test licensing through Visual Studio (MSDN) subscriptions and Azure Dev/Test pricing — and expects organisations to use these rather than deploying production licences to non-production servers.
The finding typically manifests as: dozens of servers running Windows Server, SQL Server, and other Microsoft products in lab, QA, staging, and training environments, all consuming production licence entitlements that should be allocated to production workloads. The result is either a shortfall in production licensing (because entitlements are consumed by dev/test) or an outright lack of licensing for the non-production instances.
🎯 Dev/Test Remediation Strategy
- Transition to Visual Studio subscriptions: Visual Studio Enterprise and Professional subscriptions include rights to use most Microsoft software for dev/test purposes. Each subscription covers one developer across all their test environments. This is almost always cheaper than allocating production licences.
- Isolate non-production infrastructure: Segregate dev/test servers into dedicated clusters, VLANs, or Azure subscriptions. Tag every non-production resource clearly. This isolation both prevents licence bleed and makes it easy to demonstrate to auditors which systems are non-production.
- Use Azure Dev/Test pricing: Microsoft offers discounted Azure VM rates for dev/test workloads that eliminate Windows licence costs entirely. Migrate non-production cloud workloads to these dev/test subscriptions.
- Audit non-production quarterly: Review all dev/test environments quarterly to ensure they are using the correct licence type. New test servers appear constantly — without governance, they default to production licensing.
Finding 7 — Microsoft 365 Over-Licensing and Under-Utilisation
While most audit findings involve under-licensing, Microsoft's optimisation reviews also identify over-licensing — not to save you money, but to upsell. If an audit reveals that 60% of your E5 users never touch advanced security, compliance, or voice features, Microsoft's response is to suggest additional adoption services and training (for a fee), not to recommend downgrading to E3.
Over-licensing is not a compliance finding, but it is a cost finding — and one that represents significant savings when addressed proactively. The most common scenario is organisations that deployed E5 estate-wide when E3 plus selective add-ons would have been 30–40% cheaper.
Professional Services Firm: $620K Saved by Right-Sizing M365 Before Renewal
Situation: A 4,200-seat professional services firm was approaching its Enterprise Agreement renewal. All users were on E5 ($57/user/month). An internal assessment revealed that only 35% of users actively used E5-specific features (Power BI Pro, advanced compliance, phone system).
What happened: We helped the client create three user tiers: E5 for 1,470 heavy users (35%), E3 for 2,310 standard users (55%), and F3 for 420 frontline workers (10%). The restructured licensing was negotiated into the EA renewal at volume pricing.
Finding 8 — SPLA Compliance Failures for Service Providers
The Services Provider Licence Agreement (SPLA) governs how hosting providers, managed service providers, and SaaS companies license Microsoft software for their customers. SPLA audits are among the most aggressive Microsoft conducts, and the findings frequently run into seven figures.
The most common SPLA findings include: under-reporting subscriber counts, failing to licence all physical cores on shared infrastructure, using retail or volume licences instead of SPLA on hosted platforms, and not reporting internal use separately from customer-facing use.
Subscriber Under-Reporting
SPLA requires monthly reporting of subscriber counts. Automated counting is essential — manual estimates consistently under-report by 20–40%, creating significant cumulative exposure.
Core Count Gaps
Shared hosting infrastructure must license every physical core running Microsoft software, including SQL Server and Windows Server. Hardware refreshes that increase core counts are the most common trigger for SPLA shortfalls.
Internal Use Separation
SPLA requires that internal company use be licensed separately from customer-facing use. Using the same SPLA licences for both internal operations and customer hosting is a compliance violation.
Retail/Volume Licence Misuse
Retail and volume licences (including EA licences) cannot be used to provide services to third parties. Only SPLA licences are authorised for hosted and managed service delivery. This distinction is the most frequently violated SPLA rule.
Finding 9 — Hybrid Cloud Licensing Gaps
Hybrid environments — where workloads span on-premises data centres, Azure, and potentially AWS or other clouds — create licensing complexity that audits exploit. The most common finding is organisations claiming Azure Hybrid Benefit (AHB) for workloads where the underlying licences are already consumed on-premises, effectively double-counting the same entitlement.
Azure Hybrid Benefit allows you to use your on-premises Windows Server or SQL Server licences (with active SA) in Azure at reduced rates. However, each licence can only be applied in one place at a time — on-premises or Azure, not both (with certain dual-use exceptions for migration windows up to 180 days).
⚠️ The 180-Day Dual-Use Window
Microsoft permits concurrent use of the same licence on-premises and in Azure for up to 180 days during migration. After 180 days, you must fully decommission the on-premises instance or purchase separate Azure licensing. Auditors specifically check for workloads that have been running in both locations beyond the 180-day window — a finding that requires either immediate decommissioning or purchase of additional licences at list price.
🎯 Hybrid Cloud Remediation Checklist
- Maintain a licence allocation register: Track where each licence is applied — on-premises, Azure AHB, or AWS BYOL. Ensure no licence is allocated to multiple locations beyond the 180-day migration window.
- Audit Azure Hybrid Benefit claims: Review every Azure VM running under AHB to confirm: (a) the corresponding on-premises licence exists, (b) SA is active, and (c) the licence is not simultaneously in use on-premises.
- Monitor migration timelines: Set calendar reminders for the 180-day dual-use expiry on every workload in migration. Auto-decommission or reallocate licences before the window closes.
- Document licence assignment decisions: Maintain written records of which licences are applied where and when. This documentation is your primary defence against audit findings in hybrid environments.
Finding 10 — True-Up Miscalculations and Reporting Gaps
Enterprise Agreement (EA) true-ups require annual reporting of any increases in licence consumption beyond the original agreement quantities. Organisations that under-report — whether through error, delayed reporting, or misunderstanding what needs to be counted — face retroactive true-up charges plus potential compliance penalties at the next audit or renewal.
True-up miscalculations often compound over the three-year EA term. A 10% under-report in year one, left uncorrected, can grow to 25–30% by the end of the term — particularly in fast-growing organisations or those undergoing M&A activity where new employees and infrastructure are added without corresponding true-up reporting.
Automate User and Device Counting
Use Active Directory, Azure AD, and M365 admin centre reports to generate accurate user and device counts monthly — not just at the annual true-up deadline. Monthly tracking catches drift early and prevents year-end surprises.
Include M&A Activity in True-Up Calculations
Acquired companies bring employees, devices, and Microsoft deployments. Include these in your true-up from the date of acquisition. Failing to report acquired users is the most common true-up under-reporting error — and the easiest for Microsoft to verify.
Reconcile Server Licences Against Physical Inventory
True-ups cover server products as well as user subscriptions. Any new servers, storage nodes, or virtual hosts added since the last true-up must be reported. Compare your physical and virtual infrastructure inventory against the quantities in your EA.
Review True-Up Before Submission
Have your licensing adviser or SAM team review the true-up calculation before submitting it to Microsoft. Errors — in either direction — are difficult to correct after submission and can trigger audit scrutiny. A 15-minute review can prevent a six-figure mistake.
The Pre-Audit Remediation Timeline — 90 Days to Audit Readiness
Whether you have received an audit notification or simply want to prepare proactively, the following 90-day timeline provides a structured remediation approach that addresses all ten common findings.
| Phase | Timeline | Focus Area | Key Actions |
|---|---|---|---|
| Phase 1: Discovery | Days 1–30 | Data collection and entitlement assembly | Run MAP Toolkit, export M365 reports, inventory all servers (physical + virtual), gather all licence agreements and purchase history |
| Phase 2: Analysis | Days 31–60 | Gap identification and exposure quantification | Reconcile deployments against entitlements, identify all ten finding categories, calculate financial exposure at list price for each gap |
| Phase 3: Remediation | Days 61–90 | Fix gaps and document compliance position | Decommission unlicensed instances, reassign M365 licences, consolidate SQL VMs, purchase shortfall at negotiated rates, document all changes |
"The single best investment you can make in Microsoft compliance is a 90-day internal review before your next EA renewal or true-up. The findings you discover internally — and remediate on your terms — are findings that Microsoft will never see. The ROI is consistently 10–20× the effort invested."