SPLA and CSP Licensing Assessment for Hosting Providers
We audit your current SPLA/CSP programme structure, model the cost-optimal licensing architecture for your hosting model, identify compliance gaps, and negotiate programme terms — before Microsoft's auditors do.
1. SPLA: How It Works and What It Actually Costs
The Services Provider License Agreement is Microsoft's programme for organisations that host Microsoft products for third-party customers on infrastructure they own or control. SPLA is not a purchasing channel — it's a licensing model specifically designed for the service provider use case where the hosting company deploys Microsoft software (Windows Server, SQL Server, RDS, Exchange, SharePoint) on its own hardware and delivers services to external customers. For the broader comparison of Microsoft licensing agreements, see our licensing across programmes guide.
Programme Mechanics
Monthly reporting: SPLA requires the hosting provider to report monthly usage to Microsoft (through an SPLA reseller). Each month, you report the number of licences consumed — Windows Server cores, SQL Server cores, RDS SALs (Subscriber Access Licences), Exchange mailboxes, and so on. You pay based on reported consumption. There is no annual commitment, no minimum spend, and no upfront cost. The licence rental begins and ends with the monthly report.
Per-core pricing for server products: Windows Server and SQL Server under SPLA follow the same per-core licensing model as other Microsoft programmes — physical cores of the host server, minimum 16 cores per server, minimum 8 cores per processor. But the unit prices are different. SPLA pricing for Windows Server and SQL Server is typically 15–30% higher per core than equivalent EA pricing — reflecting the monthly flexibility premium and the third-party hosting use case. See our Windows Server core-based licensing mechanics and SQL Server 2022 licensing guide for the underlying counting rules.
Subscriber Access Licences (SALs): For products like Exchange, SharePoint, and RDS, SPLA uses SALs instead of CALs. SALs are functionally equivalent to CALs but are licensed per user per month — priced to reflect the hosting model where customers subscribe monthly. RDS SALs are particularly important: every user who connects to a hosted Windows Server desktop or application through Remote Desktop Services requires an RDS SAL in addition to the Windows Server licence on the host.
No Software Assurance: SPLA licences do not include Software Assurance. When a new version of Windows Server or SQL Server is released, you must update your SPLA ordering SKU to the new version and deploy it — there is no automatic upgrade right. However, since SPLA is a rental model (you pay monthly for the right to use the current version), you're always licensing the version you're using. The lack of SA means no Licence Mobility, no Azure Hybrid Benefit, and no passive failover rights — all of which must be addressed through SPLA-specific provisions or alternative licensing mechanisms.
The True Cost of SPLA
The monthly invoice is only the beginning. SPLA carries hidden costs that most hosting providers don't fully account for in their margin calculations. Administrative overhead: Monthly reporting requires accurate, granular tracking of every Microsoft product deployed across every customer environment — physical cores, SAL counts, product editions, version levels. Under-reporting triggers audit liability; over-reporting wastes money. Most hosting providers we assess have reporting accuracy between 75–90%, meaning they're simultaneously under-reporting some products (compliance risk) and over-reporting others (margin erosion). Audit exposure: SPLA agreements are Microsoft's most actively audited programme (see Section 4). The cost of an SPLA audit — internal staff time, consultant fees, remediation payments — is a real operational expense that should be factored into the programme cost. Version management: Without SA, hosting providers must manage version currency across customer environments manually — tracking which servers run which SQL Server version, ensuring the SPLA SKU matches the deployed version, and managing customer-requested upgrades as new versions release.
2. CSP: How It Works and What It Actually Costs
The Cloud Solution Provider programme is Microsoft's channel for partners to sell Microsoft cloud subscriptions — Microsoft 365, Azure, Dynamics 365, Power Platform — to end customers. CSP was originally designed for cloud-only scenarios (SaaS subscriptions), but Microsoft has progressively expanded CSP to include server product subscriptions that can be deployed on the hosting provider's infrastructure, creating direct overlap with SPLA use cases. For the CSP programme comparison with EA and MCA, see our EA vs CSP vs MCA guide. See our MCA explained guide.
Programme Mechanics
Subscription model: CSP licences are monthly or annual subscriptions purchased by the hosting provider on behalf of customers. The provider buys from Microsoft (direct CSP) or from a distributor (indirect CSP), then resells to the end customer — typically at a margin. The licence is tied to the customer, not to the provider's infrastructure. Per-user pricing for M365/Dynamics: Microsoft 365, Dynamics 365, and Power Platform licences under CSP are per-user per-month subscriptions — identical to what the customer would pay directly from Microsoft, but purchased through the CSP partner (the hosting provider) who adds value through management, support, and integration. Server subscriptions: CSP now offers Windows Server, SQL Server, and RDS subscriptions that can be deployed on the hosting provider's infrastructure — a direct alternative to SPLA for certain scenarios. These subscriptions include Software Assurance-equivalent benefits (Licence Mobility, Azure Hybrid Benefit) that SPLA does not.
New Commerce Experience (NCE): Microsoft's NCE framework, which now governs CSP, introduced important structural changes: annual commitments with auto-renewal, limited mid-term reduction rights (seat decreases only during a specific cancellation window), and aligned pricing across direct and indirect CSP. NCE makes CSP less flexible than the month-to-month model it replaced — a critical consideration for hosting providers whose customer base fluctuates. See our CSP and NCE licensing playbook for the complete NCE analysis.
The True Cost of CSP
Margin structure: CSP margins for the hosting provider are typically 15–20% on cloud subscriptions — earned through the difference between Microsoft's partner price and the customer-facing price. For commoditised products (M365 Business Basic, Azure Reserved Instances), margin pressure is intense because customers can easily compare CSP pricing against Microsoft's direct pricing. Customer management overhead: The CSP partner is the customer's first point of contact for billing, provisioning, and support. Microsoft provides Tier 2/3 support, but the CSP partner handles frontline inquiries — a real cost that erodes the 15–20% margin. Commitment risk under NCE: Annual CSP subscriptions committed under NCE cannot be reduced mid-term (except during the cancellation window). If a customer downsizes or churns, the hosting provider is responsible for the remaining commitment. For hosting providers with high customer turnover, this commitment risk is a significant cost factor.
3. The Unit Economics Comparison: Where Each Programme Wins
The economics of SPLA vs CSP depend on three variables: the product being licensed, the hosting model (dedicated vs shared infrastructure), and the customer engagement model (managed service vs subscription resale). The following comparison uses representative pricing for the most common hosting products.
Windows Server
| Factor | SPLA | CSP Server Subscription |
|---|---|---|
| Pricing model | Per core, monthly | Per core, monthly or annual |
| Approximate cost (16-core Standard) | $180–$220/month | $140–$180/month |
| Datacenter edition available | Yes | Yes |
| SA-equivalent benefits | No | Yes (Licence Mobility, AHB) |
| Multi-tenant shared hosting | Designed for this use case | Supported with restrictions |
| Customer licence portability | Customer can BYOL with SA | Licence follows customer tenant |
| Flexibility | Monthly, no commitment | Annual under NCE (limited mid-term changes) |
SPLA wins when: Customer environments change monthly (spinning up/down servers frequently), multi-tenant shared hosting where core counts fluctuate, and when monthly flexibility outweighs the per-unit premium. CSP wins when: Customer environments are stable (dedicated servers with predictable core counts), SA-equivalent benefits reduce total cost (Licence Mobility in virtualised environments, AHB for Azure workloads), and annual commitment is acceptable.
SQL Server
| Factor | SPLA | CSP Server Subscription |
|---|---|---|
| Pricing model | Per core, monthly | Per core, monthly or annual |
| Approximate cost (4-core Standard) | $600–$750/month | $500–$650/month |
| Enterprise edition available | Yes | Yes |
| SA-equivalent benefits | No | Yes (Licence Mobility, AHB, failover) |
| Virtualisation licensing | License physical cores of host | License physical cores, with Licence Mobility |
SQL Server is where the programme choice has the largest financial impact — because SQL Server per-core pricing is 5–10× Windows Server, and the SA-equivalent benefits in CSP (particularly Licence Mobility and passive failover rights) can reduce the effective licensing requirement by 30–50% in virtualised environments. A hosting provider running SQL Server Enterprise on VMware clusters may find CSP server subscriptions dramatically cheaper than SPLA — not because the unit price is lower, but because the SA-equivalent benefits reduce the number of cores that must be licensed. See our SQL Server licensing master guide for the virtualisation calculation.
Remote Desktop Services
| Factor | SPLA | CSP |
|---|---|---|
| Pricing model | Per user SAL, monthly | Per user subscription, monthly or annual |
| Approximate cost per user | $5–$8/month | $7–$10/month (through Windows 365/AVD add-ons) |
| Traditional RDS hosting | Native use case — designed for this | Limited — Azure Virtual Desktop (AVD) is the CSP equivalent |
| On-premises RDS hosting | Fully supported | Not directly supported — AVD is Azure-only |
RDS is the product category where SPLA retains the strongest advantage. Traditional RDS hosting (session-based desktops or RemoteApp on the provider's on-premises infrastructure) is a core SPLA use case with no direct CSP equivalent for on-premises delivery. CSP's answer to hosted desktop is Azure Virtual Desktop (AVD) — which is Azure-only and carries Azure consumption costs on top of the licence. For hosting providers whose primary service is on-premises hosted desktop/application delivery, SPLA remains the required programme.
Microsoft 365 and Dynamics 365
Cloud-only products — M365, Dynamics 365, Power Platform — are CSP-exclusive. These products are not available under SPLA because they are cloud services delivered from Microsoft's infrastructure, not software deployed on the hosting provider's servers. Any hosting provider that also resells M365 or Dynamics 365 must have a CSP relationship regardless of their SPLA status — which is why most hosting providers operate both programmes simultaneously (see Section 6).
4. Audit Exposure: The Risk You Don't Price Into Your Margins
The audit risk differential between SPLA and CSP is one of the most under-appreciated factors in the programme decision — and for many hosting providers, it should be the decisive factor.
SPLA Audit Reality
Microsoft actively audits SPLA agreements. SPLA is one of the most frequently audited Microsoft programmes because the monthly self-reporting model creates inherent inaccuracy — and Microsoft knows it. Audits are typically conducted by third-party firms (Deloitte, EY, PwC, or specialist firms) under Microsoft's direction and follow a rigorous methodology: full infrastructure discovery (every physical and virtual server), product deployment verification (every Microsoft product installed, including development, test, and disaster recovery environments), comparison against monthly SPLA reports (looking for under-reported cores, missed SALs, unreported products, edition mismatches), and a compliance gap calculation at SPLA list pricing — no volume discount, no negotiated rate.
The common findings in SPLA audits are predictable because we see the same patterns across every engagement. Under-reported SQL Server cores: The hosting provider reports SQL Server Standard on 4 cores; the auditor discovers the VM runs on a host with 32 physical cores and, without Licence Mobility (unavailable under SPLA), the full 32 cores must be licensed. Unreported test/dev environments: Development and staging servers running Windows Server and SQL Server that were never included in SPLA reporting because they "aren't production." Under SPLA, every instance of Microsoft software serving any purpose — including development, testing, and disaster recovery — must be reported and licensed. RDS SAL undercounting: The provider counts concurrent sessions; Microsoft counts unique users who access the service in any given month. The difference creates a systematic under-count. Edition mismatches: SQL Server Enterprise is deployed on servers reported as SQL Server Standard — whether through configuration drift, upgrade during troubleshooting, or original deployment error. See our SPLA audit guide and SPLA audit settlement negotiation guide for the complete audit methodology and defence strategy.
The financial impact: SPLA audit settlements typically range from $200,000 to $2,000,000+ for mid-market hosting providers, depending on the size of the infrastructure and the extent of under-reporting. The settlement is calculated at SPLA list pricing applied retroactively to the period of under-reporting — typically 3 years. These are not theoretical risks; they are recurring events that we defend against regularly through our SPLA Audit Defence Service.
CSP Audit Reality
CSP carries dramatically lower audit risk — for a structural reason. Under CSP, the licensing relationship is between Microsoft and the end customer (with the CSP partner as intermediary). The licences are cloud subscriptions managed through Microsoft's own admin portals. There is no self-reporting; the subscription count is tracked automatically by Microsoft's systems. You cannot under-report a CSP subscription because the system enforces the count — if a user is provisioned, the subscription exists and is billed. The audit risk that remains in CSP is narrow: incorrect product assignment (provisioning a lower-tier subscription than the user's actual usage requires), licence sharing (multiple users accessing a single-user subscription), and Azure consumption misallocation (using Azure resources outside the terms of the CSP agreement). These risks are real but an order of magnitude smaller than the comprehensive infrastructure audit exposure under SPLA.
5. Compliance Architecture: What Each Programme Requires
The compliance obligations under each programme are structurally different — and understanding these obligations is essential for maintaining audit-defensible licensing.
SPLA Compliance Requirements
Monthly reporting accuracy: Every Microsoft product deployed on every server must be accurately reported every month. This requires automated discovery tools (not manual inventory) across all physical and virtual infrastructure, product-version mapping (which SQL Server edition is actually installed, not which was ordered), core count verification (physical cores, not vCPUs or logical processors), SAL tracking (unique monthly users, not concurrent sessions), and development/test/DR inclusion (all environments, not just production). Use rights adherence: SPLA has specific use rights that differ from other licensing programmes. The hosting provider must ensure that each product is used within its SPLA use rights — particularly the rules around multi-tenancy, customer data isolation, and the distinction between "hosted services" (permitted) and "internal use" (not permitted under SPLA — internal use requires a separate EA or CSP licence). See our Microsoft licensing metrics guide for the measurement framework.
CSP Compliance Requirements
Subscription management: Ensure every user consuming a Microsoft cloud service has an active CSP subscription of the correct tier. Monitor licence assignment to prevent over-provisioning (wasted cost) and under-provisioning (compliance gap). NCE commitment tracking: Track annual commitment terms, cancellation windows, and auto-renewal dates to prevent unwanted renewals and manage customer churn within the commitment framework. Azure governance: If the hosting provider manages Azure subscriptions on behalf of CSP customers, Azure consumption governance (spending limits, resource tagging, reservation management) is a compliance and financial management requirement. See our Azure spend management guide for the governance framework.
6. The Hybrid Model: When You Need Both (and When It Breaks)
The majority of hosting providers operate both SPLA and CSP simultaneously — and for good reason. SPLA covers the on-premises infrastructure (Windows Server, SQL Server, RDS on the provider's hardware), while CSP covers cloud subscriptions (M365, Dynamics 365, Azure) and increasingly covers server products deployed on the same infrastructure. The hybrid is often the correct architecture. But it introduces compliance complexity that neither programme was designed to handle in isolation.
Where Hybrid Works
The hybrid model works well when there is a clean separation: SPLA for on-premises hosted infrastructure (dedicated servers, shared hosting platforms, RDS farms), CSP for cloud subscriptions (M365, Azure) and customer-specific server subscriptions on dedicated infrastructure. In this model, the SPLA and CSP licences cover different products or different infrastructure — no overlap, no confusion. The compliance architecture is straightforward: SPLA reports cover the on-premises infrastructure; CSP subscriptions cover the cloud services; and the two don't intersect.
Where Hybrid Breaks
The hybrid breaks when SPLA and CSP licences cover the same product on the same infrastructure — which happens when a hosting provider deploys Windows Server or SQL Server on shared infrastructure using SPLA for some customers and CSP server subscriptions for others. The compliance questions become complex: which cores are covered by SPLA and which by CSP? If a VM migrates between hosts (DRS/vMotion), does the SPLA or CSP licence follow it? Can a host be partially SPLA-licensed and partially CSP-licensed? These questions don't have clean answers in Microsoft's documentation — and auditors will ask them.
The other failure point: customer BYOL (Bring Your Own Licence). Customers with their own Enterprise Agreement and active Software Assurance can exercise Licence Mobility to deploy their own licences on the hosting provider's infrastructure — but only if the hosting provider is an authorised Licence Mobility partner. Tracking which servers run SPLA licences, which run CSP subscriptions, and which run customer BYOL licences on the same shared infrastructure requires rigorous documentation that most hosting providers don't maintain — and that auditors specifically request.
7. Microsoft's Strategic Direction: Where the Incentives Are Heading
Microsoft's strategic direction is unambiguous: the company is investing in CSP and Azure as the primary licensing channels for all scenarios — including hosting. SPLA is not being discontinued (it remains essential for on-premises hosting use cases), but Microsoft is systematically making CSP more attractive through pricing, features, and programme benefits that SPLA doesn't receive.
SA-equivalent benefits in CSP: CSP server subscriptions include Licence Mobility and Azure Hybrid Benefit — benefits unavailable under SPLA. This single difference can make CSP 20–40% cheaper than SPLA for SQL Server in virtualised environments. NCE pricing parity: NCE aligns CSP pricing across channels, reducing the pricing advantage that SPLA historically held for server products. Azure migration incentives: Microsoft offers Azure credits, migration tools, and free Extended Security Updates on Azure — all of which benefit CSP-linked Azure deployments and none of which apply to SPLA on-premises deployments. Audit enforcement: Microsoft continues to invest in SPLA audit programmes while CSP's automated tracking reduces audit necessity — a structural shift in enforcement attention.
The implication for hosting providers: any new service development should default to CSP unless there is a specific technical or commercial reason requiring SPLA. Existing SPLA-licensed environments should be evaluated for CSP migration where the economics and operational model support it. SPLA should be retained only for use cases where CSP cannot technically serve the requirement — primarily on-premises RDS hosting and multi-tenant shared infrastructure with highly variable monthly usage. For the broader context of Microsoft's programme evolution, see our CSP and NCE playbook and MCA transition guide.
8. The Decision Framework: Matching Programme to Hosting Model
The programme choice should be driven by your hosting model — not by historical inertia or partner relationship convenience. The following framework maps the five common hosting models to the optimal programme.
| Hosting Model | Recommended Programme | Rationale |
|---|---|---|
| Traditional shared hosting (multi-tenant Windows/SQL on provider infrastructure, high customer turnover, monthly billing) | SPLA | Monthly flexibility essential, multi-tenant licensing designed for SPLA, CSP annual commitment conflicts with customer churn |
| Dedicated managed hosting (single-tenant servers per customer, long-term contracts, stable core counts) | CSP server subscriptions | Stable environments suit annual commitment, SA-equivalent benefits reduce SQL Server virtualisation cost 20–40%, lower audit risk |
| Hosted desktop / RDS (session-based desktop or RemoteApp on provider infrastructure) | SPLA | Only programme supporting on-premises RDS hosting with SALs, CSP equivalent (AVD) is Azure-only |
| Cloud-first MSP (M365/Azure/Dynamics resale with light on-premises infrastructure) | CSP primary, minimal SPLA | Core business is cloud subscription management, SPLA only for residual on-premises services |
| SaaS provider (proprietary application hosted on Microsoft stack) | SPLA or CSP depending on infrastructure | On-premises SaaS platform = SPLA; Azure-hosted SaaS = CSP/Azure direct; evaluate per deployment model |
The Migration Decision
If your analysis suggests migrating from SPLA to CSP for some or all server products, the migration requires careful planning. Timing: Align with your SPLA agreement anniversary — SPLA is a 3-year agreement with annual renewals, and the optimal migration point is at renewal. Customer communication: If you're changing the underlying licensing model, customer contracts may need updating — particularly if your hosting agreement references SPLA-specific terms. Compliance gap management: During the transition, ensure no server is unlicensed in the gap between SPLA cancellation and CSP activation. Parallel operation: Plan for a 3–6 month parallel period where both SPLA and CSP are active for different parts of the infrastructure, with clear documentation of which programme covers which servers.
9. Frequently Asked Questions
No — EA licences are for internal use only. They cannot be used to provide services to third-party customers, even if you own the infrastructure. If you deploy Windows Server or SQL Server on your hardware and customers access those services, you must licence through SPLA, CSP server subscriptions, or the customer's own licences via Licence Mobility (which requires the customer to have active Software Assurance and you to be an authorised Licence Mobility partner). Using EA licences for hosting is one of the most common — and most expensive — compliance findings in Microsoft audits of hosting providers. The distinction between "internal use" and "external hosting" is rigid: if an external party accesses the workload, EA cannot cover it. See our licensing across programmes guide for the full programme eligibility matrix.
Microsoft has not announced SPLA discontinuation, and there is no indication that SPLA will be retired in the near term. SPLA remains essential for use cases that CSP cannot serve — particularly on-premises RDS hosting, multi-tenant shared infrastructure with monthly variability, and hosting providers who need the monthly flexibility that NCE-governed CSP doesn't provide. However, Microsoft is clearly investing in CSP as the strategic channel: CSP receives SA-equivalent benefits, pricing parity, and programme enhancements that SPLA does not. The practical implication: SPLA will likely remain available but become progressively less competitive relative to CSP for use cases where both programmes can serve. Hosting providers should treat SPLA as a legacy programme for specific use cases, not as a default licensing strategy. See our CSP and NCE playbook for the programme trajectory analysis.
Customers with their own Windows Server or SQL Server licences and active Software Assurance can deploy those licences on your hosting infrastructure through Licence Mobility — regardless of whether your infrastructure is licensed under SPLA or CSP. The hosting provider must be an authorised Licence Mobility partner (listed in Microsoft's partner directory). The customer submits a Licence Mobility verification form to Microsoft, and once approved, their licences cover the deployment on your infrastructure — you do not need to report those workloads under SPLA or purchase CSP subscriptions for them. The compliance requirement: maintain documentation of which customer licences cover which servers, ensure the customer's SA remains active (if SA lapses, Licence Mobility terminates and you must licence the workload under SPLA or CSP), and track Licence Mobility verifications with expiration dates. See our MPSA and licensing programmes guide for the Licence Mobility mechanics.
SPLA is a rental programme — you don't own the licences. When you stop reporting a product under SPLA (because it's now covered by CSP), you stop paying for it. There is no asset to transfer, no licence to convert, and no credit for prior SPLA payments. The migration is a clean switch: deactivate SPLA reporting for the affected servers, activate CSP subscriptions for the same servers, ensure there is no gap in coverage between the two. The SPLA agreement itself remains active for any products you continue to report under it. You can run both programmes simultaneously — the agreement doesn't require exclusivity. See our EA-to-CSP transition checklist for the parallel migration methodology.
For any hosting provider with annual Microsoft licensing costs exceeding $200K, independent advisory delivers immediate returns. The SPLA/CSP decision affects every server, every customer, every monthly invoice, and every audit exposure — a single programme mistake compounds across the entire infrastructure. An advisor provides: programme cost modelling comparing SPLA, CSP, and hybrid architectures for your specific infrastructure and customer mix; audit risk assessment identifying current SPLA compliance gaps before Microsoft's auditors find them; migration planning for SPLA-to-CSP transitions that maintain continuous compliance; customer BYOL governance ensuring Licence Mobility documentation is audit-defensible; and negotiation support for SPLA renewal terms and CSP partner agreements. At Redress Compliance, hosting provider licensing is one of our deepest specialisms — we defend SPLA audits, architect CSP transitions, and optimise hybrid programmes across the full Microsoft stack. Our Microsoft Advisory Services cover the complete hosting provider licensing lifecycle.