Client Access Licences are the forgotten half of Windows Server licensing. They generate fewer headlines than core licensing, but they generate audit findings with the same financial consequences. This guide explains every dimension of CAL licensing: the types, versioning rules, multiplexing trap, cost modelling, External Connectors, RDS CALs, and audit scenarios.
Part of the Windows Server Licensing Guide 2026.
A Windows Server Client Access Licence is a legal entitlement, not a piece of software, not a key, not a token, and not something installed or enforced technically. It grants a specific user or device the legal right to access services provided by a Windows Server operating system. Without a CAL, the access is unlicensed, regardless of whether it works technically.
Windows Server does not check for CALs before allowing a connection. Active Directory does not verify CAL assignments. File shares do not refuse unlicensed devices. DNS does not check entitlements. Everything works perfectly without CALs, right up until the moment Microsoft audits and asks for proof.
| What a CAL Grants | What a CAL Does NOT Grant |
|---|---|
| The right for a user or device to access any number of Windows Server instances within the organisation. A single User CAL allows that user to access every Windows Server in the enterprise: domain controller, file server, print server, application server | The right to run Windows Server on hardware (that requires core licences). The right to access Remote Desktop Services (requires separate RDS CALs). The right to access SQL Server databases (requires separate SQL Server CALs or core licences). The right to access Exchange, SharePoint, or other Microsoft server applications (each requires its own application-specific CALs) |
A Windows Server User CAL is assigned to a specific named person and allows that person to access Windows Server services from any number of devices. The employee can connect from a desktop in the office, a laptop at home, a tablet on the train, and a phone in a coffee shop. One User CAL covers all of them.
User CALs are optimal when users access Windows Server from multiple devices, which is the default reality in most modern enterprises. An employee with a desktop, laptop, phone, and tablet would require four Device CALs but only one User CAL. In any environment where the number of users is less than the total number of devices, User CALs are cheaper.
A Windows Server Device CAL is assigned to a specific device and allows any number of users to access Windows Server services from that device. Ten shift workers sharing a single factory-floor terminal need one Device CAL for the terminal, not ten User CALs for the workers.
Device CALs are optimal when multiple users share a single device: call centres where three shifts of agents share the same workstations, hospital nursing stations, retail point-of-sale terminals, factory floor kiosks, library computers, and hotel business centre computers.
| Scenario | User CALs Needed | Device CALs Needed | Optimal Choice | Savings |
|---|---|---|---|---|
| 5,000 employees, each uses 2 devices (laptop + phone) | 5,000 | 10,000 | User CALs | 50% fewer licences |
| Call centre: 200 workstations shared by 600 agents across 3 shifts | 600 | 200 | Device CALs | 67% fewer licences |
| Mixed: 4,000 knowledge workers (2 devices each) + 500 shared workstations used by 1,500 shift workers | 5,500 (pure User) | 8,500 (pure Device) | Mixed: 4,000 User + 500 Device = 4,500 total | 18% vs User alone, 47% vs Device alone |
Microsoft permits mixing User and Device CALs within the same organisation. The calculation should be performed segment by segment: User CALs for knowledge workers with multiple devices, Device CALs for shared workstations with multiple users. This mixed-model optimisation typically saves 15-25% compared to a single-type approach.
Windows Server CALs are version-specific. The CAL version must be equal to or greater than the Windows Server version being accessed. A Windows Server 2022 CAL grants access to 2022 and all earlier versions. A Windows Server 2019 CAL does not grant access to 2022.
When an enterprise upgrades Windows Server from 2019 to 2022 (or 2022 to 2025), every CAL must also be upgraded. If the enterprise has Software Assurance on its CALs, the version upgrade is automatic. If not, new CALs at the current version must be purchased. In practice, the CAL version should match the newest Windows Server version deployed anywhere, because virtually every user interacts with the domain controller, which is typically one of the first servers upgraded.
Software Assurance on CALs provides automatic version upgrade rights. For organisations upgrading Windows Server every 3-5 years, the cumulative SA cost (approximately 25% of CAL price per year) is typically less than purchasing new CALs at each upgrade.
Standard CALs work for internal users. But external users (customers visiting a web portal, partners accessing an extranet, public users) also require licensing. Microsoft offers two options: purchase individual CALs for every external user or device, or purchase one External Connector licence per Windows Server instance that external users access.
The External Connector provides unlimited external access to that specific server. If external users access three Windows Server instances (web server, application server, database server), three External Connectors are needed. The pricing is significant but dramatically cheaper than individual CALs for thousands of external users.
External Connector licences are among the most frequently overlooked licensing requirements. Any customer-facing application hosted on Windows Server (a web portal, customer service platform, API endpoint, or partner extranet) requires either individual CALs for every external user or External Connector licences for every Windows Server instance. This is trivially easy for Microsoft to identify in an audit.
If users access Windows Server through Remote Desktop Services (RDP to RDS Session Hosts), they need RDS CALs in addition to Windows Server CALs. RDS CALs are a separate per-user or per-device licence. This includes direct RDP connections, Citrix Virtual Apps environments using RDS, VMware Horizon session-based desktops on Windows Server, and RemoteApp published applications.
RDS CALs are not required for remote administration using the 2 included admin RDP connections, for Azure Virtual Desktop sessions (AVD does not require RDS CALs, a deliberate incentive for AVD adoption), or for accessing Windows Server services over the network without an interactive desktop session (file shares, AD, DNS, web services).
When the RDS role is installed without a licence server configured, Windows Server grants a 120-day grace period. This creates a false sense of compliance. The enterprise deploys RDS, users connect, everything works, and the assumption is that licensing is handled. Months or years later, a Microsoft audit compares RDS connection logs against RDS CAL purchases and identifies the gap. This is the most common CAL audit finding.
Multiplexing is the use of hardware or software that pools connections, reroutes information, or reduces the number of users or devices that directly access Windows Server. Common multiplexing technologies include web servers, load balancers, connection pooling middleware, and application servers.
Microsoft's position: multiplexing does not reduce the number of CALs required. Every end user or device that ultimately accesses Windows Server services, whether directly or through a multiplexing layer, requires a CAL. If 10,000 web users access a website running on IIS, and IIS uses connection pooling to connect to SQL Server through 50 pooled connections, the enterprise needs licences for the 10,000 end users, not the 50 pooled connections.
| Environment | CAL Requirement | Detail |
|---|---|---|
| Azure VMs (pay-as-you-go or Reserved) | Windows Server CALs included in Azure VM price | Users accessing Azure-hosted Windows Server instances do not need separate CALs. The CAL requirement is satisfied by the Azure consumption model |
| Azure Hybrid Benefit | Depends on access pattern | Internal users accessing on-premise-style services (AD, file shares) replicated to Azure may still need CALs. Microsoft guidance is evolving. Verify for your architecture |
| Azure Virtual Desktop | No RDS CALs required | Windows access rights for AVD included in qualifying M365 licences (E3, E5, F3) or Windows Enterprise E3/E5 per-user subscriptions. Key incentive for AVD over traditional RDS |
| Traditional RDS on Azure VMs | RDS CALs required | Standard RDS running on Windows Server VMs in Azure does require RDS CALs. This distinction drives AVD adoption |
| On-premises Windows Server | Full CAL requirement | Every user and device accessing on-premises Windows Server instances requires CALs. Standard rules apply |
| Third-party hosting (AWS, GCP, co-lo) | Depends on hosting model | If BYOL on dedicated hosts, standard CAL rules apply. If hosting provider supplies licences under SPLA, CAL responsibility typically falls on the provider. Verify in hosting contract |
| Audit Area | What Microsoft Checks | Common Finding |
|---|---|---|
| Active Directory user count | Counts enabled user accounts that have authenticated in the audit period. Compares against User CALs purchased | More enabled AD accounts than User CALs. Dormant/service/test accounts inflate the count |
| Device inventory | Counts devices that have connected to Windows Server services via SCCM/MECM, Intune, and network logs. Compares against Device CALs | More devices connecting than Device CALs purchased. BYOD and unmanaged devices create gaps |
| Version compliance | Verifies CAL version matches or exceeds the Windows Server version. 2019 CALs without SA do not cover 2022 servers | Upgraded servers without corresponding CAL version upgrade. Very common after server migration projects |
| RDS CAL gap | Identifies servers running RDS Session Host role. Compares RDS connection data against RDS CAL purchases | Most common CAL audit finding. RDS works without CAL enforcement, creating an invisible gap |
| External access without External Connectors | Identifies customer-facing or partner-facing Windows Server instances. Web server logs, load balancer data, and application architecture documentation reveal patterns | Customer-facing applications without External Connector licences. Trivially easy for Microsoft to identify |
| # | Action | Detail | Expected Savings |
|---|---|---|---|
| 1 | Conduct user-to-device ratio analysis | Pull AD user count and device inventory (Intune, SCCM). Calculate ratio per segment. If average user accesses from more than 1 device, User CALs are cheaper. If devices shared by more than 1 user, Device CALs are cheaper. Model both for each segment | 15-25% savings from mixed-model approach |
| 2 | Clean up Active Directory before counting | Disabled accounts, orphaned accounts, service accounts, terminated employees inflate count. Run AD cleanup before each true-up and audit response. In enterprises with 5,000+ users, cleanup typically identifies 5-15% excess accounts | 5-15% reduction in User CAL requirement |
| 3 | Audit External Connector requirements | Identify every Windows Server instance serving external users: web servers, API gateways, partner portals. Calculate External Connectors vs individual CALs. External Connectors almost always cheaper for 100+ external users | Prevents significant audit exposure |
| 4 | Reconcile RDS CALs against actual usage | Count users/devices connecting via RDS, Citrix on RDS, VMware Horizon. Compare against purchased RDS CALs. If considering AVD migration, factor in RDS CAL savings as part of business case | Prevents most common CAL audit finding |
| 5 | Maintain SA on CALs | Evaluate SA cost vs purchasing new CALs at each version upgrade. For 3-5 year upgrade cycles, cumulative SA typically cheaper than new CALs | Avoids version upgrade purchase costs |
| 6 | Include CALs in EA negotiation | CALs purchased through EA or SCE benefit from volume pricing significantly better than list. For 5,000+ CAL counts, EA discount alone represents substantial savings | Significant per-CAL price reduction |
| 7 | Evaluate M365 E3/E5 as CAL replacement | M365 E3 and E5 include Windows Server CAL rights. If every employee already has M365 E3, separate Windows Server User CALs may not be needed. Verify with current Product Terms. Does not cover RDS CALs | Eliminates separate CAL purchase entirely |
Yes. Core licences grant the right to run the operating system on hardware. Client Access Licences grant the right for users or devices to access the services provided by that server. Both are required. A server with core licences but no CALs for its users is not fully licensed, and the CAL gap is a standard audit finding.
Yes. Microsoft permits mixing User and Device CALs within the same environment. This is the optimal approach for most enterprises: User CALs for knowledge workers who access from multiple devices, Device CALs for shared workstations used by multiple people. The mixed model typically saves 15-25% compared to a single type.
An External Connector licence provides unlimited access to a specific Windows Server instance for external users (customers, partners, members of the public). One External Connector is required per Windows Server instance accessed by external users. It replaces the need to purchase individual CALs for each external user, which is impractical when the count is large or unknown.
No. Azure Virtual Desktop does not require RDS CALs. The Windows access rights for AVD are included in qualifying Microsoft 365 licences (E3, E5, F3, Business Premium) or Windows Enterprise E3/E5 per-user subscriptions. This is a deliberate Microsoft incentive to drive AVD adoption over traditional RDS deployments, which do require RDS CALs.
No. CALs are version-specific and must match or exceed the Windows Server version being accessed. Windows Server 2019 CALs do not grant access to 2022. You need either 2022 CALs or 2019 CALs with active Software Assurance (which provides automatic version upgrade rights). If upgrading any server to a newer version, verify CAL version coverage.
Microsoft 365 E3 and E5 include Windows Server CAL entitlements as part of the subscription. Employees with M365 E3 or E5 may not need separate Windows Server User CALs. However, verify against the current Microsoft Product Terms, as inclusions can change. This does not cover RDS CALs, which remain a separate requirement.
Redress Compliance provides independent Windows Server licence assessments covering core licences, CAL type optimisation, RDS CAL compliance, External Connector gap analysis, and audit readiness. We help enterprises right-size their CAL portfolio, prevent audit exposure, and negotiate optimal pricing within the EA. 100% vendor-independent. Fixed-fee engagement.