How Microsoft audits service providers under the SPLA programme, where the multi-million-dollar exposures hide, and the independent strategies that reduce settlements by 40 to 70%. Covers the six-phase audit process, 125% penalty calculation, draft report challenges, settlement negotiation tactics, and a 10-point compliance checklist for ongoing audit readiness.
We have defended dozens of SPLA audits across four continents. In every case, Microsoft's initial compliance claim was significantly higher than the final negotiated settlement, typically by 40 to 70%. The draft report is a starting position, not a verdict. Service providers who treat it as a negotiation rather than a bill consistently achieve far better outcomes. For the broader Microsoft audit landscape, see our CIO's audit compliance playbook.
A Microsoft SPLA audit is a formal compliance review in which Microsoft verifies that a service provider is correctly reporting and paying for the Microsoft software it hosts under the Service Provider License Agreement (SPLA). It is Microsoft's enforcement mechanism for its hosting channel, and for unprepared providers, it is one of the most financially dangerous events in enterprise software licensing.
SPLA allows cloud service providers, managed service providers (MSPs), hosting companies, SaaS vendors, and outsourcers to rent Microsoft software on a monthly, pay-as-you-go basis to deliver hosted services to their customers. In return, providers must report their peak usage of every Microsoft product every month to their SPLA reseller and pay the corresponding fees. An SPLA audit checks whether those monthly reports accurately reflect reality.
Who conducts it? Microsoft appoints a third-party auditor, almost always one of the Big Four accounting firms (EY, PwC, KPMG, or Deloitte). The auditor handles data collection and technical analysis. Microsoft's compliance team then reviews the auditor's findings and manages the commercial settlement.
How often? SPLA audits typically occur on a three-year cycle, though the timing varies. Some providers are audited more frequently if Microsoft detects reporting anomalies such as unusually low usage figures, late or missing monthly reports, or patterns that suggest systematic under-reporting.
Self-assessment vs. formal audit. Microsoft sometimes begins with an SPLA Self-Assessment, inviting you to review your own compliance and certify the results. Self-assessments are less invasive, and critically, they often avoid the 25% penalty surcharge that a formal audit imposes. Always respond cooperatively. A self-assessment is your best chance to identify and correct issues before they become a full audit. See our licence audit survival checklist for the preparation framework.
What is at stake? Non-compliance can result in back-payment of all unreported licences (at list price), a 25% penalty surcharge, reimbursement of audit costs, and in extreme cases, termination of the SPLA agreement entirely. Some audited providers have faced compliance bills exceeding their entire annual Microsoft resale profit. For the broader context on Microsoft audit penalties, see our lessons guide.
Microsoft's SPLA audit follows a structured, multi-phase process. Understanding each phase removes uncertainty and helps you prepare the right response at the right time.
Phase 1: Notification and Initiation (Week 0). You receive an official audit notice from Microsoft's Licence Compliance team identifying the legal entity, SPLA agreement number, audit period, and appointed auditor. You have 30 days to begin cooperating. This is a contractual obligation from your SPLA agreement. Immediately inform leadership, legal, IT, and finance. Designate a single point of contact for all auditor communications.
Phase 2: Kick-Off Meeting and NDA (Weeks 1 to 2). The auditor schedules an introductory meeting to present the audit plan, timeline, data requirements, and scope. Request an NDA between your company and the auditor to protect sensitive commercial data. Take detailed notes on scope boundaries. Knowing what is in and out of scope prevents accidental oversharing.
Phase 3: Data Collection (Weeks 3 to 8). The most labour-intensive phase. The auditor requests hardware/VM inventories, software inventories, Active Directory exports, usage logs, customer contracts, monthly SPLA reports, and deployment change records. You may be asked to run auditor-provided scripts on your servers. This phase is iterative. Expect follow-up clarification requests.
Phase 4: Analysis and Draft Report (Weeks 8 to 12). The auditor analyses the data and produces a draft audit report with an Effective Licence Position (ELP) for each product and month. This report highlights shortfalls where calculated usage exceeds reported usage. No financial amounts are included. The auditor identifies the licence delta, not the cost.
Phase 5: Review and Defence (Weeks 12 to 16). Your most critical window. Examine every line item, verify formulas, challenge wrong assumptions, and provide additional evidence. The draft report is negotiable. Auditors expect pushback and frequently revise their findings when presented with compelling evidence. Submit your challenges in writing to create a formal paper trail.
Phase 6: Final Report and Commercial Negotiation (Weeks 16 to 24+). The auditor issues a final report to Microsoft, concluding the technical phase. Microsoft's compliance team then calculates the financial settlement, applies penalties, and enters direct commercial negotiation with you. This phase determines your actual out-of-pocket cost and is where independent advisory support delivers the most value. See our detailed SPLA settlement negotiation guide.
SPLA audits consistently expose the same categories of compliance failure. Knowing these patterns helps providers focus pre-audit preparation on the highest-risk areas.
This is the number one source of SPLA audit findings, accounting for 50 to 80% of financial exposure in most engagements. Under SPLA, a SAL is required for every user or device authorised to access a Microsoft service, not just those actively using it. The distinction is critical: if 500 users are in an Active Directory group with access to a Windows Server, all 500 need SALs even if only 50 log in regularly. Auditors will cross-reference your Active Directory exports with your monthly SPLA reports. If the AD shows more users with access than you reported, the shortfall is counted for every month of the audit period.
A hosting provider reports 200 RDS (Remote Desktop Services) user SALs monthly. The auditor's AD export reveals 350 users in the RDS access group. The shortfall is 150 SALs x 36 months x $4.50/SAL/month = $24,300 at list price, plus the 25% penalty = $30,375. And that is just one product. Multiply across Windows Server, SQL Server, Exchange, and other products, and the total can reach six or seven figures.
Over time, new virtual machines and deployments are created without being captured in monthly SPLA reports. This "shadow IT" problem is especially acute in environments where multiple teams can spin up servers independently. Every untracked VM with Microsoft software installed is a compliance liability for every month it existed. For broader licensing model context including per-core virtualisation rules, see our models guide.
SPLA has specific rules around processor licensing vs. SAL licensing, virtualisation rights, licence mobility, and the distinction between internal use and hosted services. Common mistakes include using SPLA licences for internal (non-customer) workloads, failing to report Windows Server core licences when running SQL Server on a VM, and not understanding the SAL requirement for multiplexed access scenarios.
Auditors default to worst-case assumptions when data is incomplete. If you cannot prove when a VM was created, they assume it existed since the start of the audit period. If you cannot identify the edition of SQL Server on a machine, they assume Enterprise (the most expensive). If you cannot show a customer brings their own licences, they charge it to your SPLA. Poor documentation is not a defence. It is an accelerant for higher findings.
SPLA requires you to report end-customer names for any customer spending over $1,000/month in Microsoft services. Failure to maintain these records is a contractual breach that auditors specifically look for, and it can erode your credibility during the negotiation phase.
If the audit finds you are more than 5% out of compliance, Microsoft can contractually require you to reimburse the audit costs, the fees Microsoft paid the Big Four auditor. For large, complex audits, these fees can reach $50,000 to $100,000+. Keeping your shortfall below 5% (or negotiating it down to that level) should be a strategic objective. See our costly Microsoft licensing mistakes guide for the patterns that trigger the highest exposure.
Understanding the penalty mechanics is essential for both preparation and negotiation. The default financial consequence under SPLA is: Shortfall Quantity x SPLA List Price x Months of Shortfall x 125%. The 25% surcharge applies on top of full back-payment at list price. Self-assessments often avoid this surcharge.
| Product | Monthly Shortfall | SPLA Price/Unit/Month | Audit Period | Sub-Total | + 25% Penalty |
|---|---|---|---|---|---|
| Windows Server SAL | 120 users | $4.20 | 36 months | $18,144 | $22,680 |
| SQL Server Enterprise | 8 cores | $570 | 36 months | $164,160 | $205,200 |
| RDS SAL | 200 users | $4.50 | 36 months | $32,400 | $40,500 |
| Exchange Server SAL | 150 users | $4.20 | 36 months | $22,680 | $28,350 |
| Total | $237,384 | $296,730 |
In this example, a mid-sized hosting provider faces nearly $300,000 in audit liability from just four products. Larger providers with hundreds of servers and thousands of users routinely see initial claims in the $1M to $5M range. The penalty escalates quickly because it compounds across every product, every month, and every unreported unit.
SPLA Audit Initial Claim: $2.8M. Settled: $680K (76% reduction). A European managed services provider with 400+ hosted customers received a formal SPLA audit notice covering a 36-month period. The auditor's draft report identified widespread SAL under-reporting, unreported SQL Server cores on development VMs, and missing end-customer declarations. Redress Compliance challenged the auditor's Active Directory methodology (which counted disabled and service accounts as licensable users), demonstrated that 12 VMs were test environments not serving customers, and provided BYOL attestations for three enterprise clients. The final negotiated settlement was $680K with a 24-month payment plan and a two-year audit forbearance clause.
The best SPLA audit outcome is the one you prepared for before the audit notice arrived. These proactive measures form the foundation of a strong defence.
Maintain monthly reporting archives. Save every monthly SPLA usage report and the corresponding reseller invoice for at least the last 36 months. This is your first line of evidence. If the auditor claims you under-reported in a particular month, you need to produce the original report and the invoice that proves what you paid. Create a centralised repository updated monthly alongside each SPLA report submission.
Conduct quarterly self-audits. Select one or two products each quarter (e.g., SQL Server in Q1, RDS in Q2) and reconcile the licences you reported against actual usage. This spot-checking catches drift before it compounds into a 36-month liability. Track results and document corrections. See our licence usage auditing guide for the methodology.
Perform annual mock audits. Engage a third-party licensing expert or use your internal audit team to run a full mock SPLA audit annually. They should review your data and processes exactly as an official auditor would: extracting AD exports, comparing VM inventories against reports, and building an Effective Licence Position. This "dress rehearsal" identifies compliance gaps privately, on your terms, with no penalties attached.
Lock down Active Directory hygiene. Active Directory is the auditor's primary evidence source. Ensure that user accounts are promptly disabled or removed when employees or customer users leave. Remove users from access groups they no longer need. Eliminate generic or shared accounts where possible. The cleaner your AD, the narrower the auditor's findings.
Document VM lifecycles. Maintain records of when every VM was created, what software was installed, when it was decommissioned, and which customer it served. Without this documentation, auditors will assume every VM that exists today has existed since the start of the audit period, potentially adding months of phantom licensing liability.
In one engagement, a provider could not demonstrate when 15 SQL Server VMs were deployed. The auditor counted all 15 from the beginning of the 36-month audit period. The provider believed they were created in the last 12 months. The difference? Over $50,000 in additional back-licensing. A simple deployment log would have eliminated the entire exposure. Documentation is not bureaucracy. It is insurance. For broader contract terms that govern audit rights, see our negotiation guide.
Verify scope before sharing. Only provide data for in-scope environments. Do not include your internal corporate IT, separate business units not under SPLA, or environments belonging to different legal entities. Oversharing accidentally widens the audit. One provider we advised mistakenly included their internal development environment in the data; the auditor counted it as SPLA usage, and removing it required months of negotiation.
Review data before submission. Before sending anything to the auditor, inspect the outputs for anomalies: accounts that appear to have access to systems they should not, servers with unexpected software installations, or misconfigured user permissions. If you spot a problem, fix it or prepare an explanation before the auditor draws their own (likely harsher) conclusion.
Keep copies of everything. Retain copies of all data you provide, with timestamps showing when and how it was transmitted. This documentation protects you if the auditor later claims they never received something or misinterprets a submission.
Once the auditor has your data, they construct an Effective Licence Position (ELP), a month-by-month spreadsheet comparing calculated usage against reported usage for every Microsoft product.
Worst-case defaults. If something is ambiguous, the auditor assumes the most expensive interpretation. Unidentified SQL Server edition? They assume Enterprise. User account with potential access? They count it as requiring a SAL. VM with no creation date? They count it from the start of the audit period.
No credit for over-reporting. If you over-reported in some months (paid for more licences than you used), that surplus does not offset shortfalls in other months. Each month is counted independently, and only the shortfall matters. This is contractually how SPLA works, but it surprises many providers.
SAL = access, not usage. The auditor counts every user or device with authorised access, not just those that actually logged in. The distinction between "can access" and "did access" is where most SAL findings originate. For the broader licensing fundamentals, see our beginner's guide.
The draft audit report is not a verdict. It is the start of a conversation. Auditors expect pushback, and initial SPLA audit reports frequently contain errors, overestimates, and unfounded assumptions. Your response to the draft report is the single most impactful activity in the entire audit process.
Step 1: Verify every calculation. Open the ELP spreadsheet and check every formula. Auditors build complex Excel models, and errors in formulas, lookups, or date ranges are more common than you might expect. One transposition error in a VLOOKUP can inflate a product's shortfall across every month.
Step 2: Challenge wrong assumptions. Identify every line item where the auditor assumed the worst due to missing information, and provide the missing evidence. Common challenges include proof of VM creation dates to shorten the liability window, screenshots or logs proving SQL Server Standard (not Enterprise) was installed, and evidence that specific accounts are service accounts or disabled accounts that should not count as SAL users.
Step 3: Verify scope boundaries. Confirm the auditor did not accidentally include environments, servers, or customers outside the agreed audit scope. If something was included that should not have been, present a documented argument for its removal.
Step 4: Leverage over-reporting. While the auditor's report will not credit over-reporting against shortfalls, documenting areas where you overpaid is valuable ammunition for the negotiation phase with Microsoft. It demonstrates good faith and provides a factual basis for requesting penalty waivers or reductions.
Step 5: Submit written challenges. Always submit your responses in writing and request that they be attached to or referenced in the final report. You want a formal paper trail showing that you contested specific findings with evidence. This documentation strengthens your position in the subsequent commercial negotiation.
Draft Report Reduced by $1.4M Through Systematic Challenges. A large North American managed services provider received a draft SPLA audit report claiming $2.1M in shortfalls. Redress Compliance systematically challenged the report: 280 "users" were identified as service accounts or disabled accounts that should not require SALs (-$340K); 18 VMs were proven to have been created within the last 12 months rather than at the start of the 36-month period (-$520K); and SQL Server Standard editions were misidentified as Enterprise on 6 servers (-$540K). The revised draft reduced the finding to $700K, which was then negotiated down to a $450K settlement with a structured payment plan.
Once the auditor issues a final report, the technical phase ends and the commercial negotiation begins. You now deal directly with Microsoft's compliance team, a fundamentally different conversation from the data-driven audit process.
Microsoft's default calculation is: full back-payment of all shortfall licences at SPLA list price, for every month of the shortfall, plus a 25% penalty surcharge. If the shortfall exceeds 5%, they may also seek reimbursement of audit costs. This is the maximum, and it is almost always negotiable.
Future commitments. Microsoft values ongoing revenue over one-time penalties. Offering to increase your Azure consumption, commit to a new 3-year SPLA with higher minimums, or transition workloads to CSP can persuade Microsoft to reduce the back-payment or waive the penalty. Frame this as a win-win: you avoid a crippling lump sum, and Microsoft gains predictable future revenue.
Penalty waivers. If you cooperated fully throughout the audit and any under-reporting was inadvertent, explicitly request that the 25% surcharge be waived or reduced. Microsoft's compliance team has discretion here, and they frequently grant partial or full waivers for cooperative partners who demonstrate a genuine commitment to correcting processes.
Audit forbearance. Request a clause preventing Microsoft from auditing you again for 2 to 3 years after the settlement. This is commonly granted and provides operational certainty as you implement compliance improvements.
Payment plans. If the settlement amount is substantial, negotiate instalment payments spread over 6 to 24 months rather than a single lump sum. Microsoft generally accommodates this for partners who demonstrate financial goodwill.
Release of liability. Ensure the settlement agreement includes a full release confirming that payment resolves all compliance issues for the audited period. Without this, you risk Microsoft reopening the same period later.
For the comprehensive settlement playbook, see our SPLA audit settlement negotiation guide. For the broader EA negotiation framework, see our negotiation guide. For contract terms protection, see the dedicated guide.
The settlement cheque has cleared. Now the real work begins: ensuring you never face another painful audit outcome.
Fix reporting processes. Address whatever caused the under-reporting. If SAL counts were inaccurate, implement automated tools that extract actual user counts from Active Directory on the last business day of each month and cross-reference them with your SPLA report. If server inventories were incomplete, integrate your VM provisioning system with your licence tracking system so new deployments automatically trigger a reporting update.
Invest in Software Asset Management (SAM). Deploy SAM tooling or scripts that continuously monitor your environment for new Microsoft software installations, changes in user access groups, and VM creation/deletion events. Set alerts for anomalies. An unexpected spike in SQL Server instances or a new AD group with hundreds of members should trigger an immediate review. See our licence optimisation tools for ongoing analysis support.
Train your teams. Ensure that everyone involved in deploying, managing, or provisioning hosted services understands the licensing implications of their actions. A technician spinning up a new VM is not just performing an operational task. They are creating a licensing event. Key concepts to reinforce: every user with access needs a SAL (not just active users), every VM needs Windows Server licences reported, and internal-use workloads require separate licensing from SPLA.
Schedule annual mock audits. Make the mock audit a permanent fixture in your operational calendar. An annual self-audit costs a fraction of an official audit settlement and provides early warning of any compliance drift.
Maintain ongoing advisor relationships. The Microsoft licensing landscape evolves constantly: SPLA pricing changes, CSP programme updates, virtualisation rule changes, and evolving contract terms. Maintaining a relationship with independent licensing advisors ensures you adapt your compliance practices to keep pace with Microsoft's evolving programme.
1. Archive every monthly SPLA report and invoice for at least 36 months. Store them in a centralised, backed-up repository accessible to your compliance team.
2. Maintain a real-time server/VM inventory listing every physical and virtual machine in your hosting environment, including CPU core counts, installed Microsoft software, creation dates, and associated customers.
3. Reconcile Active Directory with SPLA reports monthly. Count the total users in every AD group with access to a Microsoft service and ensure the corresponding SALs are reported. Remove disabled, departed, or unnecessary user accounts promptly.
4. Conduct quarterly spot-checks on one or two products. Compare actual usage against reported usage and correct any discrepancies immediately.
5. Run an annual mock audit. Engage a licensing expert or internal audit team to simulate the full SPLA audit process, including AD extraction, ELP construction, and finding documentation.
6. Track VM lifecycles. Record deployment dates, decommission dates, and any changes to installed software. Use change management tickets as evidence to bound the audit period for each VM.
7. Maintain customer BYOL documentation. For any customer bringing their own Microsoft licences, keep signed attestation letters and Licence Mobility verification forms on file, updated annually.
8. Report end-customer names as required. Ensure all customers spending more than $1,000/month in Microsoft services are properly declared in your SPLA reporting.
9. Train all technical staff on SPLA licensing basics. Every technician, administrator, and engineer who touches hosted infrastructure should understand that provisioning actions are licensing events. See our licensing for beginners guide.
10. Designate an audit response team. Pre-assign roles (compliance lead, legal, IT, finance) and maintain an audit response plan so you can mobilise within days of receiving an audit notice, not weeks.
SPLA audits can be routine (Microsoft typically audits every 3 years) or triggered by red flags such as consistently low or declining reported usage, late or missing monthly reports, large discrepancies between your reported usage and what Microsoft's analytics suggest, or patterns that indicate systematic under-reporting. Microsoft also conducts audits in waves, targeting multiple providers simultaneously across a region or market segment.
The SPLA contract specifies that any under-reported licences discovered in a formal audit must be paid at 125% of list price: the full licence cost plus a 25% surcharge. This penalty is contractual, not discretionary. However, in practice, Microsoft frequently waives or reduces the surcharge during settlement negotiations, particularly for providers who cooperated fully, whose under-reporting was inadvertent, and who demonstrate corrective actions. Self-assessments (as opposed to formal audits) typically do not carry the 25% penalty at all, which is one reason to respond proactively to self-assessment requests.
The entire process, from notification to settlement, typically takes 4 to 8 months, though complex audits can extend to 12 months or longer. The data collection phase (4 to 8 weeks) and draft report review/defence phase (4 to 8 weeks) are the most time-intensive. The commercial negotiation with Microsoft can take an additional 1 to 3 months. Responsiveness to auditor requests directly impacts the timeline.
Absolutely, and you should. The draft audit report is explicitly a preliminary document presented for your review and feedback. Auditors expect challenges and regularly revise their findings based on additional evidence. Common successful challenges include proving VMs were created later than assumed, demonstrating that user accounts are service accounts or disabled accounts, providing BYOL attestations for customers who bring their own licences, and correcting software edition misidentifications (e.g., SQL Server Standard vs Enterprise).
Microsoft generally prefers to retain you as a partner rather than force you out of business. If the settlement amount is unaffordable, negotiate a structured payment plan (6 to 24 months or longer), explore future-commitment offsets (where increased Azure or CSP spending reduces the back-payment), and request penalty waivers. Engaging independent advisory support significantly improves your ability to negotiate a workable outcome.
For any SPLA audit with potential exposure exceeding $100K, independent advisory support is almost always cost-effective. Experienced SPLA audit defence consultants know Microsoft's audit methodologies, can identify errors in the auditor's calculations, advise on which data to provide (and which is out of scope), and lead settlement negotiations. The typical fee for advisory support is a small fraction of the settlement reduction achieved. Our SPLA Audit Defence Service has consistently achieved 40 to 70% reductions versus initial audit claims.
A self-assessment is a request from Microsoft for you to review your own compliance and certify the results. It is less invasive, typically does not involve a Big Four auditor, and most importantly, often avoids the 25% penalty surcharge on any shortfalls you discover and correct. A formal audit involves a third-party auditor conducting an independent review with full data access, and the 25% penalty applies to any shortfalls found. Self-assessments should always be taken seriously and responded to thoroughly.
Yes, but this is extremely rare and reserved for cases of egregious non-compliance, fraud, or persistent refusal to cooperate. Microsoft's commercial incentive is to keep you as a revenue-generating partner. In practice, even significant compliance shortfalls are resolved through financial settlements and process improvements. The termination risk is highest for providers who refuse to cooperate with the audit process itself.
You cannot prevent future audits entirely, as they are a contractual right Microsoft retains under every SPLA agreement. However, you can reduce the likelihood and impact: negotiate an audit forbearance clause (2 to 3 years of protection) as part of your settlement, maintain impeccable monthly reporting and documentation, conduct annual self-audits to stay ahead of drift, and respond promptly to any self-assessment requests, which may satisfy Microsoft's compliance concerns without triggering a formal audit.
Your SPLA reseller is not directly part of Microsoft's compliance team, but they can be a valuable ally. They may have copies of your historical monthly reports and invoices (useful if your own records are incomplete), can provide context on pricing and discount history, and may be willing to advocate on your behalf within Microsoft's partner ecosystem. Keep your reseller informed about the audit and leverage their relationship with Microsoft where it helps.
Redress Compliance has defended SPLA audits for service providers across four continents. Our independent advisors manage every phase, from the initial notice through data collection, draft report challenges, and commercial settlement. Average settlement reduction: 40 to 70% below Microsoft's initial claim. Fixed-fee. 100% vendor-independent.
SPLA Audit Defence ServiceIndependent SPLA audit defence. Draft report challenges, settlement negotiation, compliance remediation. Average reduction: 40 to 70%. Fixed-fee. Vendor-independent.