
Microsoft SPLA. Hosters, integrators, auditors.

The Services Provider License Agreement is Microsoft's monthly licensing program for hosters, managed service providers, and outsourcers that deliver Microsoft software to external customers. The audit profile is high. The SAL math is unforgiving. This guide maps the program, the math, the boundaries, and the renewal playbook.


SPLA is one of the highest audit risk programs in Microsoft's licensing portfolio. Microsoft audits SPLA partners at a documented 92 percent rate over the rolling 36 month window. The compliance failures rarely stem from intent. They stem from SAL counting discipline, multi tenant boundary confusion, and the difference between authenticated users and unique users on the host platform.

This guide is written for hosting providers, managed service providers, system integrators, and large enterprise buyers running internal SPLA estates. The frame is the buyer side. The math is unforgiving. The audit defense is structural.

Read this guide alongside the Microsoft knowledge hub, the true up article, the Microsoft services page, and the Vendor Shield always on advisory subscription.

Key Takeaways

What every SPLA partner should know before the next month end report

  • SPLA is monthly. Usage is reported every month, not annually. Late reports trigger compliance flags inside Microsoft's SPLA team.
  • SAL is the dominant metric. Subscriber Access Licenses count unique authenticated users per month, with a high water mark over the reporting period.
  • The 92 percent audit rate. Microsoft audits the majority of SPLA partners over the 36 month rolling window. Plan for it as a certainty.
  • Multi tenant boundary is critical. One customer per dedicated host, or explicit isolation controls in multi tenant deployments.
  • Dynamics and SQL carry separate rules. SQL by core, Dynamics by user, with Service Provider Reference Architecture for Dynamics SaaS hosting.
  • Reseller path differs from direct. SPLA Reseller and SPLA Direct carry different reporting boundaries and audit obligations.
  • Renewal is annual, with a step up. The renewal carries a price file update and a contract clause refresh. Negotiate the price file with leverage.

What SPLA is

The Services Provider License Agreement is Microsoft's licensing program for organizations that host Microsoft software as a service to external customers. SPLA covers Windows Server, SQL Server, Exchange, SharePoint, Skype for Business Server, Dynamics, and a long list of related products.

Who SPLA covers

  • Hosting providers. Companies that operate the infrastructure and deliver Microsoft software to external customers as a hosted service.
  • Managed service providers. MSPs that manage customer Microsoft estates as a service, where the customer is the end recipient.
  • System integrators with hosted offerings. SIs that run Microsoft software for client engagements lasting longer than a single project window.
  • Outsourcers and BPO providers. Organizations running customer applications on Microsoft software in their own data center.
  • Internal IT in some configurations. Large enterprise IT departments hosting Microsoft software for separate legal entities within the group.

SPLA versus other Microsoft programs

SPLA is not the same as an Enterprise Agreement. SPLA covers external customer service delivery. The EA covers internal use by the customer's own employees and contractors. The two cannot be mixed in a single deployment.

SPLA is not the same as Cloud Solution Provider. CSP is Microsoft's reseller program for cloud services. SPLA is the licensing program for hosted Microsoft software running on the partner's own infrastructure.

SAL math

The Subscriber Access License is the dominant SPLA metric for most products. SAL counts the unique authenticated users per month, with the high water mark across the reporting period as the billed figure.

SAL versus other SPLA metrics

| Product | Primary metric | Counting rule | Common confusion |
|---|---|---|---|
| Windows Server | Processor or Core | All physical cores in the host | Virtual core allocation does not reduce the count |
| SQL Server | Core or SAL | By core if any user is unidentified; by SAL with full authentication | The mix breaks down at scale |
| Exchange Server | SAL | Unique users per month, high water mark | Service accounts count if interactive |
| SharePoint Server | SAL | Unique authenticated users per month | Anonymous users excluded only with explicit isolation |
| Skype for Business Server | SAL with feature tier | Standard, Plus, Enterprise CAL tiers | Telephony features push to Plus |
| Dynamics 365 hosted | Subscription per user | Per Dynamics user, not Windows user | Service accounts excluded; admin counted |

High water mark mechanics

  • Count daily. Authenticated user count taken daily at a defined time.
  • Take the monthly maximum. The highest daily count across the calendar month is the SAL count for the month.
  • Report on the SPLA portal. Submit within the contractual reporting window, typically the 10th of the following month.
  • Pay the price file rate. SAL rate times count times the contract price file. The bill arrives monthly.

Multi tenant and isolation boundaries

SPLA permits multi tenant hosting only under specific isolation conditions. The boundary failure pattern produces some of the most expensive compliance findings in Microsoft's SPLA audit history.

The isolation rules

  1. Dedicated host model. One end customer per physical host. The cleanest model. Highest cost.
  2. Shared host with authentication isolation. Multiple customers on the same physical infrastructure, with separate Active Directory or authentication tenancy per customer.
  3. Shared host with logical isolation. Multiple customers, single AD, separate logical containers. Permitted for some products, not all.
  4. SaaS application model. The Microsoft software is embedded in a customer facing SaaS application. Different metric rules apply, often via Service Provider Reference Architecture.

Per product boundary rules

  • Windows Server. Multi tenant permitted on shared infrastructure with full per host licensing.
  • SQL Server. Multi tenant permitted; license per physical or virtual core of the host or VM serving the database.
  • Exchange Server. Multi tenant permitted under SPLA with hosting party as the SAL holder for each end customer's users.
  • Dynamics 365. Multi tenant requires Service Provider Reference Architecture compliance and per Dynamics user reporting.
  • SharePoint Server. Multi tenant permitted with per SAL reporting for each authenticated user.

Audit triggers and the 36 month window

Microsoft audits SPLA partners at high frequency. The triggers are predictable. The defense is structural.

The seven common triggers

  1. Reporting gap. A missed monthly report or a sudden drop in reported SAL count.
  2. SPLA Reseller mix issue. Reporting inconsistency between the direct partner and the reseller channel.
  3. New customer ramp signal. Public announcements of a new hosted contract that does not show up in the reported SAL count.
  4. Channel intelligence. Microsoft account team data showing customer relationships outside the reported SPLA scope.
  5. Acquired entity. Recent acquisition where the acquired entity's hosted estate was not reported.
  6. Renewal step up failure. Refusal to accept renewal price file or contract refresh.
  7. Random rotation. The remaining 30 percent of audits are statistical sampling, weighted toward partners with weak reporting history.

The 36 month look back

SPLA audits examine the 36 months prior to the audit notice. Findings cover unreported SAL counts, unreported customer estates, unreported product use, and reporting accuracy gaps.

The financial settlement covers the back fee at the price file rate plus a penalty. Penalties are negotiable. Back fees are not.

Reporting discipline and the audit defense pack

The structural defense against a SPLA audit is reporting discipline. The audit defense pack lives inside the operations team, not the licensing team.

The audit defense pack

  • Monthly SAL reports. Submitted on time, every month, for 36 months continuous.
  • Daily authentication logs. Sealed daily counts from the authentication source of record.
  • Customer mapping. Each reported SAL block mapped to an end customer contract.
  • Product version mapping. Each reported SAL mapped to the product version and edition deployed.
  • Boundary documentation. Multi tenant isolation architecture documented and signed.
  • SPLA Reseller reconciliation. Monthly reconciliation between SPLA Reseller channel and SPLA Direct reporting where both exist.
  • Indemnification position. Documented internal indemnification map covering each end customer engagement.

Operational cadence

  1. Daily. Authentication source pulls authenticated user count at a defined time. Archive the raw data.
  2. Weekly. Operations team reviews the running SAL count against the prior week.
  3. Monthly. Licensing team submits the monthly SPLA report and pays the invoice.
  4. Quarterly. Internal review of customer estate changes, contract additions, acquisition activity.
  5. Annual. External SPLA audit defense pack refresh. Independent buyer side review.
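The high water mark mechanics and the sealed daily counts described above can be sketched in a few lines of Python. This is an added example, not code from the guide or from Microsoft; it assumes the daily count is the number of distinct users with a successful authentication on that calendar day and that "sealed" means a SHA-256 hash chain over the daily records, and the event layout, user names and function names are constructed for illustration.

```python
import hashlib
import json

EVENTS = [  # constructed sample events (timestamp, user, outcome); not real log data
    ("2025-03-01T08:14:00", "alice@tenant-a.example", "success"),
    ("2025-03-01T09:02:00", "bob@tenant-a.example", "success"),
    ("2025-03-01T09:05:00", "Alice@tenant-a.example", "success"),    # same user, different case
    ("2025-03-01T09:30:00", "mallory@tenant-a.example", "failure"),  # never authenticated
    ("2025-03-02T08:00:00", "alice@tenant-a.example", "success"),
    ("2025-03-02T08:10:00", "bob@tenant-a.example", "success"),
    ("2025-03-02T08:20:00", "carol@tenant-b.example", "success"),
    ("2025-03-03T10:00:00", "carol@tenant-b.example", "success"),
    ("2025-04-01T10:00:00", "dave@tenant-b.example", "success"),     # outside the month
]
GENESIS = "0" * 64  # assumed chain anchor for the first sealed record


def daily_counts(events, month):
    """Distinct successfully authenticated users per day in `month` (YYYY-MM)."""
    users = {}
    for ts, user, outcome in events:
        if outcome == "success" and ts.startswith(month):
            users.setdefault(ts[:10], set()).add(user.lower())
    return {day: len(names) for day, names in sorted(users.items())}


def _digest(day, count, prev):
    body = json.dumps({"day": day, "count": count, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def seal(counts):
    """Chain each daily record to the previous seal (assumed sealing scheme)."""
    prev, sealed = GENESIS, []
    for day, count in counts.items():
        rec = {"day": day, "count": count, "prev": prev, "seal": _digest(day, count, prev)}
        sealed.append(rec)
        prev = rec["seal"]
    return sealed


def verify(sealed):
    """Return the first day whose seal fails to recompute, or None if intact."""
    prev = GENESIS
    for rec in sealed:
        if rec["prev"] != prev or _digest(rec["day"], rec["count"], prev) != rec["seal"]:
            return rec["day"]
        prev = rec["seal"]
    return None


def high_water_mark(sealed):
    """Monthly SAL figure: the highest sealed daily count."""
    return max(rec["count"] for rec in sealed)
```

An unkeyed hash chain only gives tamper evidence if the most recent seal is stored where whoever can edit the daily records cannot also rewrite it, for example in a separate write-once archive.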

SPLA renewal playbook

The SPLA agreement renews annually. The renewal carries a price file update and a contract clause refresh. Both are negotiable.

Renewal levers

  • Price file cap. Negotiate a multi year cap on the per SAL price file increase.
  • Product mix protection. Lock in the price for the specific product mix the partner reports.
  • Audit cap. Negotiate a documented audit penalty cap.
  • Reseller terms. Where applicable, reconcile the SPLA Reseller terms with the SPLA Direct terms.
  • Cloud Solution Provider crossover. Where the partner runs CSP alongside SPLA, negotiate the boundary explicitly.

Renewal timeline

| Month before renewal | Action | Owner |
|---|---|---|
| 6 | Pull last 36 months SAL history. Reconcile against contract. | Licensing |
| 5 | Identify product mix trends and growth areas. | Licensing + Operations |
| 4 | Request the new price file from Microsoft. Compare to last year. | Procurement |
| 3 | Build the leverage scorecard. Document named alternatives where relevant. | Procurement + Vendor Shield |
| 2 | Negotiate price file cap, audit cap, contract clauses. | Procurement |
| 1 | Sign or escalate to senior Microsoft contact. | CFO + CIO |

What to do next

The checklist takes a SPLA partner from the current reporting cycle to a clean renewal and a refreshed audit defense pack.

  1. Inventory the SPLA estate. Every product, every customer, every host.
  2. Pull 36 months of SAL reports. Reconcile gaps. Document anomalies in writing.
  3. Refresh the boundary documentation. Multi tenant architecture diagrams, isolation controls, authentication source.
  4. Map customer contracts to reported SAL blocks. Every reported SAL traces to a signed end customer contract.
  5. Pull the new price file 90 days before renewal. Compare to last year. Identify increase items.
  6. Score the leverage. Named alternative, multi tenant SaaS providers, internal hosting alternatives, AWS or Azure hosting alternatives.
  7. Negotiate the renewal. Price file cap, audit cap, contract clause refresh. Document everything in writing.

Frequently asked questions

What is the difference between SPLA and CSP?

SPLA covers Microsoft software hosted by the partner on the partner's own infrastructure and delivered to external customers as a service. CSP covers Microsoft cloud services (Microsoft 365, Azure, Dynamics 365) that the partner resells from Microsoft's cloud.

The two programs can coexist within the same partner organization but cannot be mixed in a single deployment. A given workload sits in SPLA or CSP, never both.

How is the SAL high water mark actually calculated?

The high water mark is the maximum daily authenticated user count across the calendar month. Daily counts are taken at a defined time (commonly 02:00 local time or end of business day) from the authentication source of record (Active Directory, Azure AD, or the application's own authentication system where appropriate).

The highest single day count across the month is the SAL count for that month. The same count is reported and billed.

Can we host Microsoft software for customers using our EA licenses?

No. The Enterprise Agreement covers internal use by the customer's own employees, contractors, and affiliates. Delivering Microsoft software as a hosted service to external customers requires SPLA licensing for those externally facing instances.

The most common compliance failure is exactly this mix. The remediation cost is the back fee for the gap period at the SPLA price file rate, plus any negotiated penalty.

How does Microsoft typically discover SPLA reporting gaps?

Microsoft uses a combination of channel intelligence, customer side disclosures, public announcements, and statistical sampling. The Microsoft account team that covers the partner's own enterprise estate often holds intelligence about hosted customer relationships that should appear in the SPLA report.

The 36 month look back captures gaps that opened years before the audit notice. Partners with multi year reporting discipline reduce the audit cost to a verification exercise.

What is the boundary between SPLA Reseller and SPLA Direct?

SPLA Direct is the program where the hosting partner reports usage directly to Microsoft and pays Microsoft. SPLA Reseller is the program where the hosting partner sells SPLA capacity to a downstream reseller channel that delivers to end customers. The reseller handles reporting and payment.

Where both models coexist in the same partner, the reconciliation between the two reporting streams becomes a recurring audit risk. The boundary should be documented in writing and reviewed monthly.

How long do SPLA audits typically take?

A typical SPLA audit runs four to nine months from notice to settlement. The data gathering phase consumes the first 60 to 90 days. The technical reconciliation phase takes another 60 to 120 days. The financial settlement and contract refresh consume the remainder.

Partners with an active audit defense pack and clean monthly reporting reduce the audit timeline to three to four months. Partners with reporting gaps see audits extend to twelve months or longer.

How does Redress engage on Microsoft SPLA?

Redress runs Microsoft SPLA advisory inside the Vendor Shield subscription, the Microsoft services practice, and the Renewal Program. Engagements cover audit defense, reporting discipline rebuild, renewal negotiation, price file analysis, and the boundary documentation around SPLA versus EA versus CSP.

The work is led by senior Microsoft commercial professionals on the buyer side. Engagements span hosting providers, managed service providers, system integrators, BPO companies, and large enterprise IT groups running internal SPLA estates.

How Redress engages on Microsoft SPLA

Redress runs Microsoft SPLA advisory inside the Vendor Shield subscription, the Microsoft services practice, the Software Spend Assessment, and the Renewal Program.

Read the related Microsoft EA renewal playbook, the true up article, the Microsoft knowledge hub, the unified support negotiation, the Sentinel optimization, the Teams Rooms licensing, the negotiation leverage assessment, the benchmarking page, the about us page, and the contact page.


SPLA audit defense is not a project. It is a recurring operational discipline. The partners that treat the SPLA report as a monthly accounting close find audits boring. The partners that treat it as a paperwork chore find audits financially material.

Former Microsoft SPLA Compliance Lead
On the buyer side, 44 SPLA engagements in 2025