Microsoft licensing audits consistently uncover the same categories of non-compliance: SQL Server virtualisation gaps, unassigned M365 users, CAL shortfalls, and Software Assurance expiry traps. This guide details the ten most common findings, explains exactly why they occur, and provides the remediation playbook to eliminate each one before Microsoft’s auditors find them first.
Microsoft licensing audits follow remarkably consistent patterns. Whether conducted through SAM (Software Asset Management) engagements, formal audit clauses, or partner-led compliance reviews, the same ten findings account for approximately 90% of all audit exposure across the thousands of Microsoft audit engagements completed globally each year.
This predictability is your advantage. Because the findings are foreseeable, they are also preventable. Organisations that conduct proactive internal assessments using the same methodology Microsoft’s auditors employ can identify and remediate every material gap before it becomes a seven-figure true-up demand.
Microsoft’s audit programme is fundamentally a revenue recovery mechanism. Under-licensing findings generate purchase obligations at list price. No volume discounts, no negotiation leverage, no budget planning time. The differential between proactive remediation (where you control the timing, the solution, and the commercial terms) and reactive compliance (where Microsoft dictates the terms) is typically 40 to 60% of the total cost. This guide provides the analytical framework to stay on the proactive side of that equation.
“In every Microsoft audit we have defended, the client’s strongest position came from knowing their own environment better than the auditor. The organisations that had already identified their findings, and either remediated them or prepared a documented defence, resolved audits 60 to 70% faster and at 40 to 50% lower cost than those caught unprepared.”
Our independent Microsoft audit defence team has defended hundreds of audit engagements. We use the same tools and methodology as Microsoft’s auditors, but we work exclusively for you. Fixed-fee engagements. Typical outcome: 40 to 60% reduction in final settlement compared to undefended audits.
SQL Server virtualisation is the single largest source of Microsoft audit exposure, generating the highest-value findings and the most contentious disputes. The core issue is the disconnect between how virtualisation works technically and how Microsoft licences it contractually.
Microsoft licenses SQL Server per core in one of two ways: per virtual machine (every virtual core, with a minimum of four core licences per VM) or per physical host (every physical core, with a minimum of four per processor). The per-VM route only stays compliant if the licences follow the VM. Without Software Assurance (SA) and licence mobility, a licence is tied to the server it was assigned to and may be reassigned at most once every 90 days, so a SQL VM that can migrate anywhere in a VMware vSphere, Hyper-V, or other cluster effectively requires every host that could run it to be fully licensed. All physical cores, not just those allocated to SQL VMs.
| Scenario | What Organisations Assume | What Microsoft Claims | Typical Exposure |
|---|---|---|---|
| SQL EE on 1 VM (8 vCPUs) in a 4-host cluster (192 total cores) | 8 core licences | 192 core licences (all hosts) | $1.3M at list price |
| SQL SE on 3 VMs across 2 hosts (32 total cores) | 16 core licences (the virtual cores allocated) | 32 core licences (all physical cores on both hosts, because the VMs can run on either) | $230K at list price |
| SQL EE with SA and licence mobility in a server farm | Licence the VMs used | Licence the VMs used, minimum 4 core licences per VM (mobility rights apply) | Compliant if documented |
Map every SQL Server instance to its physical host. Document which physical servers can run SQL VMs. Include disaster recovery and failover hosts: with active SA, one passive failover instance per licensed instance is covered by the fail-over rights benefit; without SA, passive nodes must be licensed like active ones.
Verify Software Assurance status. SA with licence mobility is the primary mechanism for avoiding full-host licensing. If SA has lapsed, mobility rights are lost from the expiry date: the licences become fixed to the servers they were last assigned to, and the 90-day reassignment rule applies from then on.
Consolidate SQL onto dedicated hosts. Restrict SQL Server VMs to specific hosts using affinity rules or dedicated clusters. Licence only those hosts. This reduces the licensing footprint dramatically.
Evaluate SQL Server Enterprise unlimited virtualisation. SQL Server Enterprise Edition with SA allows unlimited VMs on a fully licensed host. For dense virtualisation environments, this is often cheaper than licensing individual VMs.
Document VM mobility and placement. Maintain logs showing which hosts run SQL VMs and when. Without SA, the 90-day reassignment rule applies. Licences cannot move to a different server more frequently than once per 90 days.
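To make the arithmetic behind the steps above concrete, here is an added example (not code from the original article) that models a cluster's SQL Server core-licence requirement under both strategies. It encodes the rules stated above (all physical cores of every host a VM can reach without SA, per-VM licences with SA and licence mobility, the 90-day reassignment rule) plus the Product Terms minimums of four core licences per processor and four per VM. The host names, core counts and VM sizes are constructed sample data, not taken from any real estate.

```python
"""Core-licence model for SQL Server on a virtualised cluster.

Added example (not code from the original article). Rules encoded:
  * per-host licensing covers every physical core, minimum 4 core licences
    per processor;
  * per-VM licensing covers every virtual core, minimum 4 per VM;
  * without Software Assurance a licence is tied to one host and may be
    reassigned at most once every 90 days, so every host a VM can land on
    must be licensed; with SA and licence mobility the VM is licensed alone.
Host names, core counts and VM sizes used below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple

MIN_CORES_PER_PROCESSOR = 4
MIN_CORES_PER_VM = 4
REASSIGNMENT_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class Host:
    name: str
    sockets: int
    cores_per_socket: int

    def core_licences(self) -> int:
        """Licences to cover every physical core, honouring the per-processor minimum."""
        return self.sockets * max(MIN_CORES_PER_PROCESSOR, self.cores_per_socket)


@dataclass(frozen=True)
class SqlVm:
    name: str
    vcpus: int
    eligible_hosts: FrozenSet[str]  # hosts the VM may run on after affinity rules

    def core_licences(self) -> int:
        """Per-VM licences: one per virtual core, minimum four."""
        return max(MIN_CORES_PER_VM, self.vcpus)


def required_core_licences(hosts: List[Host], vms: List[SqlVm],
                           *, software_assurance: bool) -> Dict[str, int]:
    """Core licences needed under each strategy that is available.

    'per_host': license all physical cores of every host any SQL VM can reach.
                The only compliant route without SA; with Enterprise + SA it
                also grants unlimited SQL VMs on those hosts.
    'per_vm':   license each VM's virtual cores. Offered only with SA, because
                the licences must move with the VM under licence mobility.
    """
    by_name = {h.name: h for h in hosts}
    reachable = {name for vm in vms for name in vm.eligible_hosts}
    unknown = reachable - set(by_name)
    if unknown:
        raise ValueError(f"VMs reference hosts missing from inventory: {sorted(unknown)}")
    options = {"per_host": sum(by_name[n].core_licences() for n in reachable)}
    if software_assurance:
        options["per_vm"] = sum(vm.core_licences() for vm in vms)
    return options


def cheapest(hosts: List[Host], vms: List[SqlVm], *, software_assurance: bool) -> Tuple[str, int]:
    """Pick the strategy with the fewest core licences."""
    options = required_core_licences(hosts, vms, software_assurance=software_assurance)
    strategy = min(options, key=options.__getitem__)
    return strategy, options[strategy]


def reassignment_allowed(last_assigned: date, today: date, *, software_assurance: bool) -> bool:
    """Without SA a licence may move to a different server only once per 90 days."""
    return software_assurance or (today - last_assigned) >= REASSIGNMENT_INTERVAL


if __name__ == "__main__":
    cluster = [Host(f"esx{i}", sockets=2, cores_per_socket=24) for i in range(1, 5)]  # 192 cores
    everywhere = frozenset(h.name for h in cluster)
    roaming = [SqlVm("sql-prod-01", vcpus=8, eligible_hosts=everywhere)]
    pinned = [SqlVm("sql-prod-01", vcpus=8, eligible_hosts=frozenset({"esx1"}))]
    print(required_core_licences(cluster, roaming, software_assurance=False))  # {'per_host': 192}
    print(cheapest(cluster, roaming, software_assurance=True))                 # ('per_vm', 8)
    print(required_core_licences(cluster, pinned, software_assurance=False))   # {'per_host': 48}
```

Run as a script, it reproduces the first row of the table: the 192-core cluster needs 192 core licences without SA, 8 with SA and mobility, and 48 once the VM is pinned to a single host by an affinity rule. Feed it your own host inventory and VM placement data to model the consolidation step before you buy anything.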
Every active user account consuming Microsoft 365 services requires a corresponding licence assignment. Audits routinely discover active accounts, particularly for contractors, temporary staff, shared mailboxes, and service accounts, that access Exchange Online, SharePoint, Teams, or other M365 services without a licence.
The finding arises because user provisioning (creating the account) and licence assignment (allocating the M365 subscription) are often separate processes. In organisations with rapid onboarding, seasonal workforces, or decentralised IT, the two processes become desynchronised. The result is hundreds or even thousands of active accounts with no corresponding licence, each representing a compliance gap.
| Gap Area | What Happens | Typical Scale | Remediation |
|---|---|---|---|
| Unlicensed active accounts | User provisioning and licence assignment are separate processes that desynchronise | 5 to 15% of active M365 accounts are unlicensed in the average enterprise | Automate licence assignment at provisioning; audit monthly |
| Shared mailbox trap | A shared mailbox needs no licence only while nobody signs in to it directly (and it stays within the 50 GB unlicensed limit with no archive); mailboxes converted from user mailboxes often keep sign-in enabled, so staff keep using them as personal mailboxes | Dozens to hundreds of mailboxes | Disable sign-in on shared mailboxes; licence any that are used interactively or exceed the unlicensed limits |
| Service account risk | Service accounts authenticating to M365 APIs or Exchange for automated workflows | 10 to 50 service accounts per enterprise | Review all non-human accounts for M365 service consumption; licence or restructure |
| Unused account savings | Accounts for departed employees or inactive users remain provisioned and licensed | 8 to 12% of accounts can be deprovisioned with no business impact | Identify and remove genuinely unused accounts to reduce M365 bill |
For a 10,000-user organisation on E3, a 5 to 15% unlicensed account gap represents $180K to $540K in annual exposure at list price. But identifying and removing the 8 to 12% of genuinely unused accounts typically offsets or exceeds the cost of licensing the remaining gaps. The net result of a thorough M365 licence reconciliation is often cost-neutral or cost-positive.
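The reconciliation described in the table above, as an added example that is not part of the original article. It reads a user export in the shape the M365 admin centre or a Get-MgUser report can produce (the column names are an assumption; map yours in the reader) and sorts each account into the three buckets the table describes: an enabled, recently used account with no licence (compliance gap), a shared mailbox with direct sign-in still enabled (review), and a licensed account that is disabled or has not signed in for 90 days (reclaimable). The sample export is constructed for the example.

```python
"""Reconcile an M365 user export against licence assignments.

Added example, not from the original article. Column names below are an
assumption about the export format; adjust them to match your report.
Rules encoded: an enabled account that has signed in within STALE_DAYS and
holds no licence is a compliance gap; a licensed account that is disabled
or idle for STALE_DAYS is reclaimable; a shared mailbox needs no licence
only while nobody signs in to it directly, so one with sign-in enabled is
flagged for review. The sample export is constructed data.
"""
import csv
import io
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

STALE_DAYS = 90

# Constructed sample export (one row per account), not real tenant data.
SAMPLE_EXPORT = """\
UserPrincipalName,AccountEnabled,RecipientType,Licenses,LastSignIn
alice@contoso.example,True,UserMailbox,SPE_E3,2024-05-30
contractor7@contoso.example,True,UserMailbox,,2024-05-28
svc-reporting@contoso.example,True,UserMailbox,,2024-05-31
helpdesk@contoso.example,True,SharedMailbox,,2024-05-29
archive-hr@contoso.example,False,SharedMailbox,,
bob.left@contoso.example,True,UserMailbox,SPE_E3,2023-11-02
carol@contoso.example,False,UserMailbox,SPE_E5,2024-01-15
dave@contoso.example,True,UserMailbox,SPE_E3,
"""


def _parse_date(value: str) -> Optional[date]:
    """Empty LastSignIn means the account has never signed in."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def reconcile(export_csv: str, today: date) -> Dict[str, List[str]]:
    """Classify every account in the export; returns UPNs per finding bucket."""
    findings: Dict[str, List[str]] = {
        "unlicensed_active": [],      # enabled, recently used, no licence: compliance gap
        "shared_mailbox_signin": [],  # shared mailbox that still allows direct sign-in
        "reclaimable": [],            # licensed but disabled, idle or never used
    }
    cutoff = today - timedelta(days=STALE_DAYS)
    for row in csv.DictReader(io.StringIO(export_csv)):
        upn = row["UserPrincipalName"]
        enabled = row["AccountEnabled"].strip().lower() == "true"
        licensed = bool(row["Licenses"].strip())
        shared = row["RecipientType"].strip() == "SharedMailbox"
        last_sign_in = _parse_date(row["LastSignIn"].strip())
        active = enabled and last_sign_in is not None and last_sign_in >= cutoff

        if shared:
            # Shared mailboxes are fine without a licence unless someone can log in to them.
            if enabled:
                findings["shared_mailbox_signin"].append(upn)
            continue
        if licensed and not active:
            findings["reclaimable"].append(upn)
        elif not licensed and active:
            findings["unlicensed_active"].append(upn)
    return findings


def summary(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Counts per bucket, the numbers you would track month to month."""
    return {bucket: len(upns) for bucket, upns in findings.items()}


if __name__ == "__main__":
    result = reconcile(SAMPLE_EXPORT, today=date(2024, 6, 1))
    for bucket, upns in result.items():
        print(bucket, upns)
    print(summary(result))
```

Two of the three gaps in the sample are a contractor and a service account, which is exactly where the table says they cluster; the script flags them because they are signing in, regardless of what kind of account they are. Run it monthly against a fresh export and the reclaimable bucket pays for the unlicensed one, which is the cost-neutral outcome described above.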
Windows Server licensing requires licensing every physical core on every server running Windows Server, with a minimum of 8 core licences per physical processor and 16 per server. Audits frequently discover servers with more physical cores than the licence covers, a gap that widens every time hardware is refreshed with newer, higher-core-count processors.
The second common finding is edition mismatch: running Windows Server Datacenter workloads (unlimited virtualisation) on a Standard Edition licence (which covers only two VMs per licence set). Organisations that virtualise heavily on Windows Server Standard consistently under-licence when VM counts exceed the 2-per-licence-set threshold.
| Finding Type | How It Happens | Detection Method | Remediation |
|---|---|---|---|
| Core count shortfall | Server hardware refreshed with higher-core processors; licences not updated | Compare physical core inventory against licence entitlements | Purchase additional core packs or downgrade to fewer-core hardware |
| Standard vs Datacenter | More than 2 Windows VMs per licence set on Standard Edition | Count VMs per host; compare against Standard Edition limits | Stack additional Standard licence sets (each full-host set covers 2 more VMs) or upgrade to Datacenter |
| Unlicensed hosts | New servers provisioned without corresponding Windows Server licences | Reconcile server inventory against purchase records | Purchase licences or decommission unlicensed servers |
| Expired SA on version upgrades | Running newer Windows Server versions after SA expired | Compare installed version against licensed version and SA expiry | Purchase new licences for current version or downgrade |
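The detection methods in the table above, as an added example that is not code from the original article. It runs the core-count and edition checks over a constructed host inventory and labels each host with the finding type the table uses. The rules it encodes are the ones stated above (every physical core licensed, minimum 8 per processor and 16 per server, 2 VMs per stacked Standard licence set, unlimited on Datacenter); the assumption that the host OS runs only Hyper-V, so it does not consume one of the Standard OSEs, is mine.

```python
"""Windows Server core-licence check over a host inventory.

Added example (not code from the original article). Rules encoded from the
per-core model the article describes: license every physical core, minimum
8 core licences per processor and 16 per server; one Standard licence set
sized to the whole host permits 2 Windows Server VMs (OSEs) and sets can be
stacked; a Datacenter set permits unlimited VMs. Assumption: the host OS is
used only to run Hyper-V, so it does not consume one of the Standard OSEs.
Host names, core counts and licence assignments are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional

MIN_PER_PROCESSOR = 8
MIN_PER_SERVER = 16
STANDARD_VMS_PER_SET = 2


@dataclass(frozen=True)
class WindowsHost:
    name: str
    sockets: int
    cores_per_socket: int
    windows_vms: int      # Windows Server VMs running on this host
    edition: str          # "Standard" or "Datacenter"
    licensed_cores: int   # core licences currently assigned to this host


def licence_set_size(host: WindowsHost) -> int:
    """Core licences in one full-host licence set."""
    return max(MIN_PER_SERVER, host.sockets * max(MIN_PER_PROCESSOR, host.cores_per_socket))


def required_cores(host: WindowsHost) -> int:
    """Core licences the host needs for its edition and VM count."""
    per_set = licence_set_size(host)
    if host.edition == "Datacenter":
        return per_set
    if host.edition == "Standard":
        sets = max(1, math.ceil(host.windows_vms / STANDARD_VMS_PER_SET))
        return sets * per_set
    raise ValueError(f"unknown edition {host.edition!r}")


def vms_allowed(host: WindowsHost) -> Optional[int]:
    """VMs the currently assigned licences permit (None = unlimited)."""
    per_set = licence_set_size(host)
    if host.edition == "Datacenter":
        return None if host.licensed_cores >= per_set else 0
    complete_sets = host.licensed_cores // per_set  # partial sets cover nothing
    return complete_sets * STANDARD_VMS_PER_SET


def check(host: WindowsHost) -> Dict[str, object]:
    """Classify the host the way the audit findings table does."""
    per_set = licence_set_size(host)
    need = required_cores(host)
    shortfall = max(0, need - host.licensed_cores)
    if host.licensed_cores == 0:
        finding = "unlicensed host"
    elif host.licensed_cores < per_set:
        finding = "core count shortfall"        # typical after a hardware refresh
    elif shortfall:
        finding = "Standard VM limit exceeded"  # stack sets or move to Datacenter
    else:
        finding = "compliant"
    return {"host": host.name, "required_cores": need, "shortfall": shortfall,
            "vms_allowed": vms_allowed(host), "finding": finding}


INVENTORY = [  # constructed sample, not a real estate
    WindowsHost("hv01", 2, 16, windows_vms=2, edition="Standard", licensed_cores=32),
    WindowsHost("hv02", 2, 32, windows_vms=2, edition="Standard", licensed_cores=32),  # CPUs refreshed
    WindowsHost("hv03", 2, 16, windows_vms=6, edition="Standard", licensed_cores=32),
    WindowsHost("hv04", 2, 16, windows_vms=6, edition="Datacenter", licensed_cores=32),
    WindowsHost("hv05", 1, 4, windows_vms=1, edition="Standard", licensed_cores=0),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(check(h))
```

hv02 and hv03 are the two findings from the table side by side: the same 32 licences that were correct before a CPU refresh are now half of one set, and a host that stayed at 32 cores but grew to six VMs needs three stacked sets. hv05 shows the 16-per-server floor: a single 4-core processor still needs 16 core licences.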
Client Access Licences remain one of the most persistent audit findings because they are one of the least understood licensing constructs. Every user or device that accesses a Microsoft server product (Windows Server, SQL Server in CAL mode, Exchange Server, SharePoint Server) requires a CAL. The licence type (User CAL or Device CAL) and version must match the server version being accessed.
The multiplexing trap is where most organisations unknowingly fail. Microsoft’s policy is unambiguous: using middleware, web portals, or application servers to pool connections between users and a Microsoft server product does not reduce the CAL requirement. Every unique user who accesses the back-end server, even indirectly through an application, requires a CAL.
Situation: A retail company with 200 internal staff had built a customer-facing web application that queried SQL Server (licensed in CAL mode) on the back end. The company held 200 SQL Server CALs for its employees, assuming web application users did not need licences.
What happened: During a SAM engagement, Microsoft identified that 45,000 unique external users accessed the web portal monthly, each triggering queries to SQL Server. Microsoft’s position: every external user required a SQL Server CAL, or the company needed to relicence SQL Server on a per-core basis.
Result: We helped the client relicence SQL Server from CAL mode to per-core licensing (the appropriate model for internet-facing workloads) at negotiated rates. The cost was $86K versus the $1.4M Microsoft initially claimed for 45,000 CALs at list price. The client also restructured their architecture to use a non-Microsoft database for the public-facing queries, eliminating the exposure entirely going forward.
Takeaway: Any application that exposes Microsoft server products to external users creates multiplexing exposure. The remediation is almost always to switch from CAL to per-core licensing for the affected servers, a fraction of the cost of purchasing individual CALs for every external user.
Use our Microsoft assessment tools to evaluate your current licence position, identify gaps across SQL Server, M365, Windows Server, and CALs, model your exposure at list price, and build a prioritised remediation plan before your next audit or EA renewal.
Software Assurance (SA) provides upgrade rights, licence mobility, and other benefits for a defined term. When SA expires, organisations keep the right to run the versions released while SA was active but lose the right to upgrade to newer versions of the covered software. Running a version of Windows Server, SQL Server, or Office that was released after your SA expired is a compliance violation: you are using software you are not entitled to.
This finding is increasingly common as organisations refresh hardware and install the latest operating systems without checking whether their SA still covers the upgrade. It is also a frequent trap during cloud migrations, where SA provides Azure Hybrid Benefit (AHB) rights that disappear when SA lapses.
| Risk Level | Scenario | What Happens | Remediation |
|---|---|---|---|
| High Risk | SA expired + new version deployed | Running Windows Server 2022 or SQL Server 2022 on licences where SA expired before product release | Renew SA retroactively (expensive), purchase new licences for current version, or downgrade to entitled version |
| Medium Risk | SA expired + Azure Hybrid Benefit lost | Azure VMs running under AHB with expired SA face back-billing at the full licence-included Azure rate | Renew SA, switch the VMs to licence-included Azure pricing, or migrate workloads off AHB |
| Lower Risk | SA expired + no version upgrade | Continue running the version entitled at time of SA expiry. Lose upgrade rights and mobility but remain compliant. | No immediate action required. Evaluate SA renewal economics at next budget cycle. |
Development and test environments are frequently deployed using production licence keys and configurations, creating compliance gaps that auditors identify quickly. Microsoft offers specific dev/test licensing through Visual Studio (MSDN) subscriptions and Azure Dev/Test pricing and expects organisations to use these rather than deploying production licences to non-production servers.
The finding typically manifests as: dozens of servers running Windows Server, SQL Server, and other Microsoft products in lab, QA, staging, and training environments, all consuming production licence entitlements that should be allocated to production workloads. The result is either a shortfall in production licensing (because entitlements are consumed by dev/test) or an outright lack of licensing for the non-production instances.
Transition to Visual Studio subscriptions. Visual Studio Enterprise and Professional subscriptions include rights to use most Microsoft software for dev/test purposes. Each subscription covers one developer across all their test environments. This is almost always cheaper than allocating production licences.
Isolate non-production infrastructure. Segregate dev/test servers into dedicated clusters, VLANs, or Azure subscriptions. Tag every non-production resource clearly. This isolation both prevents licence bleed and makes it easy to demonstrate to auditors which systems are non-production.
Use Azure Dev/Test pricing. Microsoft offers discounted Azure VM rates for dev/test workloads that eliminate Windows licence costs entirely. Migrate non-production cloud workloads to these dev/test subscriptions.
Audit non-production quarterly. Review all dev/test environments quarterly to ensure they are using the correct licence type. New test servers appear constantly. Without governance, they default to production licensing.
While most audit findings involve under-licensing, Microsoft’s optimisation reviews also identify over-licensing. Not to save you money, but to upsell. If an audit reveals that 60% of your E5 users never touch advanced security, compliance, or voice features, Microsoft’s response is to suggest additional adoption services and training (for a fee), not to recommend downgrading to E3.
Over-licensing is not a compliance finding, but it is a cost finding. And one that represents significant savings when addressed proactively. The most common scenario is organisations that deployed E5 estate-wide when E3 plus selective add-ons would have been 30 to 40% cheaper.
Situation: A 4,200-seat professional services firm was approaching its Enterprise Agreement renewal. All users were on E5 ($57/user/month). An internal assessment revealed that only 35% of users actively used E5-specific features (Power BI Pro, advanced compliance, phone system).
What happened: We helped the client create three user tiers: E5 for 1,470 heavy users (35%), E3 for 2,310 standard users (55%), and F3 for 420 frontline workers (10%). The restructured licensing was negotiated into the EA renewal at volume pricing.
Result: Annual M365 cost dropped from $2.87M to $2.25M. A saving of $620K per year (22%). Over the three-year EA term, cumulative savings exceeded $1.86M. No user lost any functionality they were actually using.
Takeaway: M365 right-sizing before an EA renewal is the single highest-ROI optimisation available. Combine it with a contract negotiation to lock in volume discounts on the restructured quantities.
The Services Provider Licence Agreement (SPLA) governs how hosting providers, managed service providers, and SaaS companies licence Microsoft software for their customers. SPLA audits are among the most aggressive Microsoft conducts, and the findings frequently run into seven figures.
The most common SPLA findings include: under-reporting subscriber counts, failing to licence all physical cores on shared infrastructure, using retail or volume licences instead of SPLA on hosted platforms, and not reporting internal use separately from customer-facing use.
| SPLA Finding | What Goes Wrong | Why It Is Serious | Remediation |
|---|---|---|---|
| Subscriber under-reporting | Manual estimates consistently under-report by 20 to 40% | Creates significant cumulative exposure over months/years | Automate subscriber counting with monthly reporting workflows |
| Core count gaps | Shared hosting infrastructure core counts increase at hardware refresh | Every unlicensed core on shared infrastructure is a violation | Licence every physical core running Microsoft software; track hardware changes |
| Internal use separation | Using same SPLA licences for both internal operations and customer hosting | Compliance violation regardless of total licence count | Licence internal use separately via EA or volume licensing |
| Retail/Volume licence misuse | Using retail, OEM, or EA licences to provide services to third parties | Only SPLA licences are authorised for hosted/managed service delivery | Replace all non-SPLA licences on customer-facing infrastructure with SPLA |
Hybrid environments (where workloads span on-premises data centres, Azure, and potentially AWS or other clouds) create licensing complexity that audits exploit. The most common finding is organisations claiming Azure Hybrid Benefit (AHB) for workloads where the underlying licences are already consumed on-premises, effectively double-counting the same entitlement.
Azure Hybrid Benefit allows you to use your on-premises Windows Server or SQL Server licences (with active SA) in Azure at reduced rates. However, each licence can only be applied in one place at a time. On-premises or Azure, not both (with certain dual-use exceptions for migration windows up to 180 days).
Microsoft permits concurrent use of the same licence on-premises and in Azure for up to 180 days during migration. After 180 days, you must fully decommission the on-premises instance or purchase separate Azure licensing. Auditors specifically check for workloads that have been running in both locations beyond the 180-day window, a finding that requires either immediate decommissioning or purchase of additional licences at list price.
Maintain a licence allocation register. Track where each licence is applied: on-premises, Azure AHB, or AWS BYOL. Ensure no licence is allocated to multiple locations beyond the 180-day migration window.
Audit Azure Hybrid Benefit claims. Review every Azure VM running under AHB to confirm: (a) the corresponding on-premises licence exists, (b) SA is active, and (c) the licence is not simultaneously in use on-premises.
Monitor migration timelines. Set calendar reminders for the 180-day dual-use expiry on every workload in migration. Auto-decommission or reallocate licences before the window closes.
Document licence assignment decisions. Maintain written records of which licences are applied where and when. This documentation is your primary defence against audit findings in hybrid environments.
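The licence allocation register and the three AHB checks above, as an added example that is not code from the original article. Each licence records its SA expiry; each allocation records where the licence is applied, for which workload, and since when. The check flags AHB claims with no matching entitlement or lapsed SA, any licence applied in two places other than an on-premises/Azure pair, and an on-premises/Azure pair whose overlap has passed the 180-day migration window. Licence IDs, workload names and dates are constructed.

```python
"""Azure Hybrid Benefit (AHB) allocation register check.

Added example (not code from the original article). The register records,
per licence, where it is applied (on-premises, Azure AHB, AWS BYOL), since
when, and the licence's SA expiry. Rules encoded as the article states them:
AHB needs active SA; a licence is applied in one place at a time, except
that the same licence may run on-premises and in Azure concurrently for up
to 180 days during a migration. Licence IDs, workloads and dates below are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DUAL_USE_WINDOW = timedelta(days=180)


@dataclass(frozen=True)
class Licence:
    licence_id: str
    sa_expiry: Optional[date]   # None = no Software Assurance


@dataclass(frozen=True)
class Allocation:
    licence_id: str
    location: str               # "onprem", "azure_ahb" or "aws_byol"
    workload: str
    start: date
    end: Optional[date] = None  # None = still allocated


def dual_use_deadline(migration_start: date) -> date:
    """Last day the on-premises copy may still run alongside the Azure copy."""
    return migration_start + DUAL_USE_WINDOW


def audit_register(licences: List[Licence], allocations: List[Allocation], today: date) -> List[str]:
    """Return findings as strings; an empty list means the register is clean."""
    findings: List[str] = []
    by_id = {lic.licence_id: lic for lic in licences}
    live: Dict[str, List[Allocation]] = defaultdict(list)

    for a in allocations:
        if a.end is not None and a.end <= today:
            continue                                   # historical, no longer in use
        live[a.licence_id].append(a)
        if a.location == "azure_ahb":                  # checks (a) and (b) from the text
            lic = by_id.get(a.licence_id)
            if lic is None:
                findings.append(f"{a.licence_id}: AHB claimed for {a.workload} but no such licence in entitlements")
            elif lic.sa_expiry is None or lic.sa_expiry < today:
                findings.append(f"{a.licence_id}: AHB on {a.workload} without active SA (expiry {lic.sa_expiry})")

    for licence_id, allocs in live.items():            # check (c): one place at a time
        if len(allocs) < 2:
            continue
        locations = {a.location for a in allocs}
        if locations == {"onprem", "azure_ahb"} and len(allocs) == 2:
            overlap_start = max(a.start for a in allocs)   # the migration window starts at the later allocation
            if today > dual_use_deadline(overlap_start):
                findings.append(f"{licence_id}: on-premises/Azure dual use since {overlap_start} exceeds 180 days")
        else:
            findings.append(f"{licence_id}: allocated in {len(allocs)} places at once {sorted(locations)}")
    return findings


LICENCES = [  # constructed
    Licence("WS-DC-001", sa_expiry=date(2025, 6, 30)),
    Licence("WS-DC-002", sa_expiry=date(2025, 6, 30)),
    Licence("SQL-EE-003", sa_expiry=date(2023, 12, 31)),
    Licence("WS-DC-004", sa_expiry=date(2025, 6, 30)),
]
ALLOCATIONS = [  # constructed
    Allocation("WS-DC-001", "onprem", "app-cluster-a", date(2022, 1, 1)),
    Allocation("WS-DC-001", "azure_ahb", "app-cluster-a-azure", date(2024, 1, 15)),  # 137 days in: fine
    Allocation("WS-DC-002", "onprem", "file-srv", date(2022, 1, 1)),
    Allocation("WS-DC-002", "azure_ahb", "file-srv-azure", date(2023, 9, 1)),        # 274 days in: finding
    Allocation("SQL-EE-003", "azure_ahb", "sql-azure-01", date(2023, 5, 1)),          # SA lapsed
    Allocation("WS-DC-004", "onprem", "erp", date(2022, 1, 1)),
    Allocation("WS-DC-004", "aws_byol", "erp-aws", date(2024, 2, 1)),                 # no dual-use right
    Allocation("WS-DC-999", "azure_ahb", "mystery-vm", date(2024, 3, 1)),             # not in entitlements
    Allocation("WS-DC-001", "onprem", "retired-box", date(2020, 1, 1), end=date(2021, 12, 31)),  # historical
]

if __name__ == "__main__":
    for line in audit_register(LICENCES, ALLOCATIONS, date(2024, 6, 1)):
        print(line)
```

The dual_use_deadline value is what goes in the calendar reminder for each migration; the register itself, kept under version control, is the written record of assignment decisions that the last step asks for.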
Enterprise Agreement (EA) true-ups require annual reporting of any increases in licence consumption beyond the original agreement quantities. Organisations that under-report (whether through error, delayed reporting, or misunderstanding what needs to be counted) face retroactive true-up charges plus potential compliance penalties at the next audit or renewal.
True-up miscalculations often compound over the three-year EA term. A 10% under-report in year one, left uncorrected, can grow to 25 to 30% by the end of the term, particularly in fast-growing organisations or those undergoing M&A activity where new employees and infrastructure are added without corresponding true-up reporting.
1. Automate user and device counting. Use Active Directory, Azure AD (Microsoft Entra ID), and M365 admin centre reports to generate accurate user and device counts monthly, not just at the annual true-up deadline. Monthly tracking catches drift early and prevents year-end surprises.
2. Include M&A activity in true-up calculations. Acquired companies bring employees, devices, and Microsoft deployments. Include these in your true-up from the date of acquisition. Failing to report acquired users is the most common true-up under-reporting error, and the easiest for Microsoft to verify.
3. Reconcile server licences against physical inventory. True-ups cover server products as well as user subscriptions. Any new servers, storage nodes, or virtual hosts added since the last true-up must be reported. Compare your physical and virtual infrastructure inventory against the quantities in your EA.
4. Review true-up before submission. Have your licensing adviser or SAM team review the true-up calculation before submitting to Microsoft. Errors in either direction are difficult to correct after submission and can trigger audit scrutiny. A 15-minute review can prevent a six-figure mistake.
Whether you have received an audit notification or simply want to prepare proactively, the following 90-day timeline provides a structured remediation approach that addresses all ten common findings.
| Phase | Timeline | Focus Area | Key Actions |
|---|---|---|---|
| Phase 1: Discovery | Days 1 to 30 | Data collection and entitlement assembly | Run MAP Toolkit, export M365 reports, inventory all servers (physical + virtual), gather all licence agreements and purchase history |
| Phase 2: Analysis | Days 31 to 60 | Gap identification and exposure quantification | Reconcile deployments against entitlements, identify all ten finding categories, calculate financial exposure at list price for each gap |
| Phase 3: Remediation | Days 61 to 90 | Fix gaps and document compliance position | Decommission unlicensed instances, reassign M365 licences, consolidate SQL VMs, purchase shortfall at negotiated rates, document all changes |
“The single best investment you can make in Microsoft compliance is a 90-day internal review before your next EA renewal or true-up. The findings you discover internally, and remediate on your terms, are findings that Microsoft will never see. The ROI is consistently 10 to 20 times the effort invested.”
SQL Server virtualisation under-licensing is the most frequent and highest-value finding. The gap between how organisations licence SQL VMs (based on virtual cores) and how Microsoft requires licensing (based on physical cores of the host) generates findings ranging from $200K to $3M+ depending on the environment size. The second most common finding is unassigned or unlicensed M365 user accounts.
Yes, you can remediate after receiving an audit notification, and you should. The period between audit notification and data submission (typically 30 to 60 days) is your remediation window. Microsoft evaluates your compliance based on the data you submit, not on historical snapshots. Decommissioning unlicensed instances, removing unused accounts, and consolidating SQL VMs during this window directly reduces your audit exposure. However, avoid destroying records or misrepresenting historical usage, as this creates legal risk.
Microsoft uses several audit mechanisms: formal contractual audit rights (Section 9 of the MBSA/EA), SAM (Software Asset Management) engagements conducted by partner firms, and self-assessment tools like the Microsoft Assessment and Planning (MAP) Toolkit. SAM engagements are positioned as helpful reviews but generate compliance reports that Microsoft uses to identify purchase obligations. Regardless of the mechanism, the data analysis and finding categories are consistent.
Microsoft will present a compliance report detailing the licensing shortfall and the corresponding purchase obligation. You are required to purchase licences to close the gap, typically at list price without volume discounts. In some cases, Microsoft offers a settlement where you can purchase the shortfall combined with new subscriptions or renewals at a blended discount. But this is a negotiation, not a penalty. An independent audit defence adviser can challenge findings and negotiate significantly better terms than accepting the initial compliance report.
Yes, audit findings can and should be challenged. Microsoft’s initial compliance report frequently contains assumptions that inflate the exposure: counting passive DR servers as active, including decommissioned instances in the count, applying the most expensive licensing model when cheaper alternatives exist, or miscounting virtualisation host cores. Every finding should be verified against your own data. We typically reduce initial audit findings by 30 to 60% through factual challenges and licensing model optimisation.
Internal licence reviews should run at minimum annually, ideally three to six months before your EA anniversary or true-up date. Organisations with dynamic environments (frequent hiring, M&A activity, cloud migration, virtualisation changes) should conduct quarterly reconciliation reviews of their highest-risk products: SQL Server, M365, and Windows Server. Monthly automated scans using tools like MAP Toolkit or ServiceNow SAM provide continuous visibility between assessments.
For any audit with potential exposure above $250K, independent advice is almost always justified. An independent adviser brings: knowledge of Microsoft’s audit methodology and common errors, experience challenging inflated findings, negotiation leverage from market pricing data, and objectivity that your Microsoft account team cannot provide. Our audit defence engagements consistently reduce final settlement amounts by 40 to 60% compared to clients who negotiate directly with Microsoft.
Redress Compliance provides independent Microsoft audit defence and proactive compliance assessments. We use the same tools and methodology as Microsoft’s auditors, but we work exclusively for you. Our assessments consistently identify and remediate $500K to $3M in avoidable audit exposure. Fixed-fee engagements with guaranteed ROI.