SAMexpert

Microsoft Audits Survival Guide - 2024

Microsoft audits are still a fact of life. They are still here and most probably won't go away anytime soon.

In the past, Microsoft made a lot of noise about audits. It used very subtle threats to execute an audit or "SAM Assessment" to "persuade" customers to move in a targeted commercial and technological direction.

Today, Microsoft has matured in its usage and tone, with audits used as a standardised operational process to uphold its intellectual property rights and validate compliance where needed. It's no longer a tool used by account teams but is mainly triggered by artificial intelligence algorithms that crunch loads of customer licensing data points and look for anomalies that indicate compliance issues.

So, if you receive an audit letter, the good news is that it's not personal. The bad news is that it will likely be a protracted and expensive process.

If you are a Service Provider, please read our guide on Service Provider Audits instead.

Stated aim: To verify compliance and protect intellectual property rights.

Reality: More often, to lure you into a new deal on their terms.

What is a Microsoft audit?

A Microsoft audit is a way to ensure you follow the rules and guidelines set by your agreement with Microsoft, such as the Enterprise Agreement or an alternative licensing program like CSP, Open, MPSA, or Select.

Types of Microsoft audits: Allow Read, Microsoft SAM, Self Audit, Independent Auditor

The initiation of an audit starts with an email/formal letter that the first contact within your business receives. It is followed by a request for a formal kick-off call with Microsoft and the auditor. From that point, the auditor takes full responsibility for the process, with Microsoft moving to the background until the auditor submits the final results.

Microsoft has invited certain companies, called "independent auditors," to perform software audits. These companies are usually part of the "Big Four" accounting firms: EY, PwC, KPMG, or Deloitte.

The whole idea of a volume license audit is to gather information regarding your installed software regardless of its use and compare it to your licensing records, thus establishing your "license compliance". It is as simple as that (or maybe not, as we will see in the following guide).

Once the auditor provides you with a final effective licensing position report (ELP or LPR), Microsoft re-engages and moves to close the audit. The closure process is your second chance to mitigate the results produced by the auditor and fight off any errors and potential costs and fines accompanying the software audit process.

Why does Microsoft have the power to audit you?

By signing one of the Microsoft agreements, such as MBSA, CSP, MPSA, Enterprise Agreement, or any other, you have agreed to the terms giving Microsoft the right to conduct the audit.

This is what the MBSA – Microsoft Business and Services Agreement – includes:

  • Microsoft's right to verify compliance,

  • Your responsibility to give the chosen independent auditor access to evidence and records,

  • The requirement of 30 days' notice before an audit,

  • Your right to have a confidentiality agreement with the auditor,

  • "Remedies for non-compliance" stipulating the audit penalties and the 30-day payment term,

  • The threshold for non-compliance, which is usually 5%,

  • Qualifications for when Microsoft may ask you to conduct self-audits.

From MBSA:

Customer must keep records relating to Products it and its Affiliates use or distribute. At Microsoft's expense, Microsoft may verify Customer's and its Affiliates' compliance with this Agreement at any time upon 30 days' notice. To do so, Microsoft may engage an independent auditor (under nondisclosure obligations) or ask Customer to complete a self-audit process. Customer must promptly provide any information and documents that Microsoft or the auditor reasonably requests related to the verification and access to systems running the Products. If verification or self-audit reveals any unlicensed use, Customer must, within 30 days, order sufficient licenses to cover the period of its unlicensed use. Without limiting Microsoft's other remedies, if unlicensed use is 5% or more of Customer's total use of all Products, Customer must reimburse Microsoft for its costs incurred in verification and acquire sufficient licenses to cover its unlicensed use at 125% of the then-current Customer price or the maximum allowed under applicable law, if less. All information and reports related to the verification process will be Confidential Information and used solely to verify compliance.

What is the difference between a SAM Assessment and a formal audit?

A "Software Asset Management (SAM) Assessment" is a formal request by Microsoft for you to perform a "self-assessment" of your current licensing position. They would ask you to run tools or scripts – usually the Microsoft MAP toolkit – and collate the results with your licensing purchases – perpetual, subscription, and Microsoft 365 licenses – and provide Microsoft with an official report using their online portal and templates. This submission must be signed off by an executive team member and provided within a set timeframe.

A failure to cooperate usually ends with a formal audit by an "independent auditor" of Microsoft's choosing.

The upside is that it is non-intrusive to your daily business. Plus, the final results do not carry penalties or the "independent auditor" cost that can reach fifty thousand dollars.

Top Microsoft audit risks

  • Unbudgeted costs if you are non-compliant,

  • Audit penalties on top of the license cost,

  • Auditor fees if you are non-compliant by more than 5%,

  • Unplanned resources to conduct, negotiate and remediate the audit,

  • Disruption to your regular business operations,

  • An undermined negotiation position if you are negotiating a deal with Microsoft,

  • A damaged relationship with Microsoft — this works both ways,

  • Legal action in extreme cases,

  • Negative PR if it leaks to the press.


The audit process

There are the following stages in any compliance audit:

  1. The initiation phase starts with an audit letter (audit request) and ends with a kick-off meeting.

  2. The data gathering stage is when you provide the data to the auditor.

  3. The auditor will then present you with a draft report.

  4. Report review: When you review the draft, defend your position and provide additional data and evidence.

  5. Before the final report sign-off, the auditor disengages and hands you over to Microsoft.

  6. Commercial talks with Microsoft, in which you present your business arguments and reach a settlement.

Four essential things to remember

  • The auditor's role is to deal with data and evidence only. Keep your business arguments for the final negotiations with Microsoft.

  • The auditor would typically take Microsoft's side in an ambiguous situation.

  • The auditor won't discuss any financial figures with you. That remains Microsoft's prerogative.

  • The Effective Licensing Position produced by the auditor is not your final sentence. After the auditor presents their report, you will defend your case and negotiate the outcome with Microsoft.

The official audit letter

Microsoft will email the official audit letter to the contact on the Microsoft contract from the Microsoft License Contract and Compliance Group (LCC). It will say something like the following: "Microsoft selected your firm for a formal license compliance review."

If you have never done this before, your stress level will rise. It's never the right time. You won't know where to start. The advice we give every client is to relax. Nothing terrible has happened yet. Read their email calmly, casually, but carefully.

When you receive the notice, be sure to pay attention to the important details it contains, for example:

  • Your company's name (legal entity) and its associated MBSA number.

  • If your company is part of a larger group of companies, keep in mind that Microsoft may only choose to audit a specific entity within that group. The audit should not affect the entire group.

  • Ensure the agreement referred to in the letter is the one your legal entity actually signed.

The letter will refer to the 30-day notice period, which is a contractual commitment. According to the same agreement terms, your acknowledgement is not required.

You will have 30 days to communicate with the auditors for the first time, starting from the date of the notice letter. Please do not be concerned about this time constraint because:

  • The 30-day time frame is the only hard deadline specified throughout the audit process, apart from the 30 days to pay any penalties that may apply at the end of the audit.

  • The audit process will begin with a "kick-off" period, during which you can and should take control of the audit schedule.


Preparing for an official Microsoft audit

  • Inform your stakeholders of the upcoming audit. They will ask for a risk assessment. Be ready to provide one.

  • Organise a team of specialists to work on the audit and brief them on the expected process.

  • Set expectations regarding required internal resources, timeline and impact on ongoing activities.

  • Keep your agreement paperwork organised, safely stored and available to the necessary parties.

  • Additionally, having your legal team trained on volume licensing and familiar with Microsoft's legal guidelines is a good idea. This way, they'll be well-equipped to handle any issues that may come up during the audit process.

What happens in the kick-off meeting?

The active phase of the audit process typically starts with a kick-off meeting. In this meeting, you will typically only meet with the auditors. However, Microsoft may also request to be involved. You have the right to state your preference about having Microsoft on the call.

When the auditors arrive for the kick-off meeting, they will provide you with the following materials:

  • Presentation slides that provide an overview of the audit process, including the steps that will be taken, the data that will be required, the expected outcomes, and any other pertinent information.

  • Questionnaires that you will need to fill out with information about your company, infrastructure, and use of Microsoft software.

  • Scripts to run on your devices, servers, and virtual machines, as well as instructions on how to run the scripts.

The auditors will also present you with a project plan showing the desired timeline for the audit process. They may ask you basic questions about your infrastructure and networking. They will also inquire about the individuals or teams who will be your points of communication and stakeholders throughout the audit process.

Our suggestions for the kick-off meeting

Listen carefully and take notes on any information that seems significant. If there is anything ambiguous, don't hesitate to ask follow-up questions.

Be sure to clearly define the scope of the audit, including which legal entities and regions are covered.

Remember, the goal of the Microsoft audit is to verify your licensing compliance as a point-in-time assessment, unlike an SPLA audit that verifies monthly compliance backdated over a longer period.

Taking control of the Microsoft audit timeline to minimise disruptions to your business operations is crucial. Let the auditors know if you may want to rely on external parties, such as outsourcers. Keep in mind that there is no requirement for you to adhere to the proposed project plan.

If you don't have an independent advisor present during the meeting, only provide high-level answers and avoid sharing too much information or submitting any data until an expert has reviewed it.

Data gathering and provisioning

The MBSA agreement requires you to provide the auditors with access to any system running Microsoft products. However, in practice, auditors prefer not to access your systems directly. Instead, your IT team will typically run scripts provided by the auditor or use existing tools to extract the necessary data.

Please remember that auditors will not accept self-reported deployment data without evidence to back it up. Instead, you will need to provide data collected through scripts or tools.

During the audit, the auditor may ask for additional proof, such as screenshots, to verify the output of the scripts and the data from the tools.

You don't have to comply with these requests if you feel it's too time-consuming, as they will conduct an in-person verification exercise to confirm the data provided.

Even if the auditor doesn't ask you to provide it, find and organise your licensing history, including all M&A information and historical perpetual license records. Remember that the internal records Microsoft uses to extract your licensing data will not have any trail of license transfers, mergers or acquisitions. You must provide it yourselves.

Our advice for the data-gathering stage

It's best to limit the amount of information you provide to the auditors rather than sharing too much. You can always share additional information later if necessary. Providing too much information can lead to the auditor counting it against your Microsoft licensing debt, and you would need to request that it be removed later, which can make the audit defence more complex.

Having an experienced audit defence consultant on your team can be highly beneficial during the audit process. They can help you with essential tasks such as:

  • Determining which parts of your infrastructure are within the scope of the volume licensing audit and which data you don't need to provide, as providing too much information can be strategically detrimental.

  • Evaluating the accuracy and completeness of the data you've gathered and providing guidance on addressing any shortcomings.

  • Identifying any additional information that may be required and helping you collect and provide that data to prevent auditors from making assumptions that are not favourable.

How auditors process the data

They work out what you owe to Microsoft on the date you ran the scripts from the deployment data you provided. (Note: Service Provider audits are different.)

If you don't supply complete user details, server installation information, change records or other evidence — they will extrapolate, infer or assume your volume licensing debt from the provided dataset.

Auditors will always start with the assumption that you are not compliant, and it is up to you to prove otherwise.

For instance, if the tools or scripts fail to determine the edition of a SQL Server instance, the auditor will assume that it is the most expensive edition, SQL Server Enterprise, unless you provide evidence to the contrary. The same is valid for all other Microsoft products: Windows Server, Exchange Server, Office editions, etc. Data quality is paramount.
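The following is an added worked example, not code from the SAMexpert article or from any auditor's toolkit. It reconciles a constructed inventory against constructed entitlements the way the passage above describes: an install whose edition the script could not determine is counted at the most expensive edition of that product, and the MBSA remedy quoted earlier on the page (5% threshold, 125% price, reimbursement of verification costs) is then applied. Product names, hosts, unit prices and entitlement counts are placeholders, "one licence per install" and "unlicensed use measured by licence count" are simplifications, and the second run shows how supplying edition evidence for two hosts changes the outcome.

```python
"""Toy Effective Licensing Position (ELP) reconciliation (added example).

Mimics two rules from the article: an undetermined edition is assumed to be
the most expensive one, and the MBSA 5% / 125% remedy. All products, prices,
hosts and entitlement counts are constructed placeholders, and "unlicensed
use" is measured as a share of licence count, which is a simplification.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed unit prices (not Microsoft prices), keyed by (product, edition).
UNIT_PRICE: Dict[Tuple[str, str], float] = {
    ("SQL Server", "Enterprise"): 14000.0,
    ("SQL Server", "Standard"): 3700.0,
    ("Windows Server", "Datacenter"): 6000.0,
    ("Windows Server", "Standard"): 1000.0,
}


@dataclass
class Install:
    host: str
    product: str
    edition: Optional[str]   # None: the inventory script could not determine it
    licences_needed: int = 1  # simplification: one licence per install


def assumed_edition(product: str, edition: Optional[str]) -> str:
    """Auditor's rule: a missing edition becomes the priciest edition of that product."""
    if edition is not None:
        return edition
    candidates = [key for key in UNIT_PRICE if key[0] == product]
    return max(candidates, key=UNIT_PRICE.__getitem__)[1]


def build_elp(installs: List[Install], entitlements: Dict[Tuple[str, str], int]):
    """Per (product, edition): licences needed, owned, and the shortfall."""
    needed: Dict[Tuple[str, str], int] = {}
    for inst in installs:
        key = (inst.product, assumed_edition(inst.product, inst.edition))
        needed[key] = needed.get(key, 0) + inst.licences_needed
    return {
        key: {"needed": n,
              "owned": entitlements.get(key, 0),
              "shortfall": max(0, n - entitlements.get(key, 0))}
        for key, n in needed.items()
    }


def settlement(elp, threshold: float = 0.05, uplift: float = 1.25):
    """MBSA remedy as quoted on the page: at or above the threshold the missing
    licences are bought at 125% and the verification costs are reimbursed."""
    total_needed = sum(v["needed"] for v in elp.values())
    total_short = sum(v["shortfall"] for v in elp.values())
    ratio = total_short / total_needed if total_needed else 0.0
    base_cost = sum(v["shortfall"] * UNIT_PRICE[k] for k, v in elp.items())
    over = ratio >= threshold
    return {
        "unlicensed_ratio": ratio,
        "over_threshold": over,
        "licence_cost": base_cost * (uplift if over else 1.0),
        "reimburse_audit_costs": over,
    }


def apply_evidence(installs: List[Install], evidence: Dict[str, str]) -> List[Install]:
    """Fill in editions proven later (e.g. by screenshots); evidence is host -> edition."""
    return [Install(i.host, i.product, evidence.get(i.host, i.edition), i.licences_needed)
            for i in installs]


# Constructed inventory: two SQL Server hosts whose edition the script missed,
# plus forty Windows Server Standard hosts.
INVENTORY: List[Install] = (
    [Install("sql01", "SQL Server", "Standard"),
     Install("sql02", "SQL Server", "Standard"),
     Install("sql03", "SQL Server", None),
     Install("sql04", "SQL Server", None)]
    + [Install(f"win{n:02d}", "Windows Server", "Standard") for n in range(40)]
)

# Constructed entitlements: four SQL Standard and thirty-nine Windows Standard.
ENTITLEMENTS = {("SQL Server", "Standard"): 4, ("Windows Server", "Standard"): 39}


def draft_result():
    """What the draft report shows when the edition gaps are left unanswered."""
    return settlement(build_elp(INVENTORY, ENTITLEMENTS))


def defended_result():
    """Same estate after proving that sql03 and sql04 run Standard edition."""
    proven = apply_evidence(INVENTORY, {"sql03": "Standard", "sql04": "Standard"})
    return settlement(build_elp(proven, ENTITLEMENTS))


if __name__ == "__main__":
    print("draft:   ", draft_result())
    print("defended:", defended_result())
```

In the draft run the two unknown SQL Server hosts are counted as Enterprise, which pushes the estate over the 5% line and prices the shortfall at 125%; once the editions are evidenced, only one Windows Server licence is missing, the estate is under the threshold and the uplift and reimbursement no longer apply. The difference comes entirely from the evidence, not from any change in the estate, which is the point the passage makes about data quality.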

Validate the audit report and push back

The first draft report will often have the following:

  • Excessive assumptions,

  • Misinterpretations,

  • Omissions,

  • Calculation errors.

Here is what you should do:

  • Validate all formulae,

  • Inspect the assumptions, provide additional evidence and push back on misinterpretations,

  • Check the correct classification of production, non-production, dev and test environments,

  • See what data gaps and assumptions the auditor listed in the report and offer additional data to mitigate the findings,

  • Ensure that the scope is correct.

The final audit report

Once you have completed all the corrective measures or decided to stop the process, the auditor will issue a final report. It's critical that you:

  • Document any disagreements you have with the auditor's findings in the report.

  • Refrain from agreeing with the results in writing; instead, sign off on the report as a complete document without accepting the numbers shown.

It's important to note that the auditor is not authorised to make any commercial commitments or discuss the complexities of your enterprise. That is Microsoft's prerogative.

Our suggestion is to be assertive in challenging any differences. Consider whether it is better to negotiate from a position of $10 million or $5 million, even if the initial figure is incorrect or overly aggressive.

Negotiating the result with Microsoft

Most of the time, Microsoft's objective is not to penalise you. Microsoft is often more focused on future growth. The negotiation phase should be seen as an opportunity to engage in commercial discussions and explore alternative solutions. For example, Microsoft may be interested in you committing to increasing your Azure consumption, moving you from Microsoft 365 E3 to Microsoft 365 E5, or migrating you from Salesforce to Dynamics CRM.

Having a professional Microsoft negotiator on your side is always a good idea. They will know what works and what doesn't. They might advise you while staying in the shadows or be present as a part of your team.


Paying the penalties

Whether you will have to pay the penalty and its amount depends on the outcome of the negotiations.

MBSA stipulates that you must purchase the missing licences within 30 days.

Volume licensing terms clarify that you'll have to pay 125% of the list price. In addition, if your non-compliance exceeds 5%, you will have to cover all audit costs.

From our experience, if you gather the necessary evidence to support your case, you can negotiate the compliance metric of >5% and any penalty. Our advice is not to give in too quickly. Remember, Microsoft also wants to close off the process and keep you as a long-term customer.


How do you know you are ready for an audit?

We have compiled this volume licensing audit readiness checklist for you. If you prefer it in a document format, please get in touch with us using the form below the article.

Please note that this list is different if you are a Service Provider undergoing a Microsoft SPLA audit.

The more points you tick, the better you are prepared for an audit. A good, working Software Asset Management program is a must.

  • We have accurate, near-real-time data from all the end-user devices and servers in our estate.

  • We realise that Microsoft will presume that we are liable for all the Microsoft software deployed in our estate if we support or maintain it.

  • We know our infrastructure and environment types across all data centres, including outsourced and hosted.

  • We perform regular True-Ups.

  • We regularly clean up our old on-premises software installs and stale Active Directory records.

  • We separate our production environments from our Development, Test and Disaster Recovery environments.

  • We continually monitor the compliance of installed software against the licenses bought ("entitlement").

  • We have a robust method of defining service and disabled records in Active Directory.

  • We have all our agreements in order, including Enterprise Agreement, CSP, Open, Select, and others.

The internal resources needed for the audit process

If you want to play on the same playing field as the auditors and Microsoft, you need to have a great team of specialists on your side, including:

  • Audit lead – single point of communication,

  • Systems team lead,

  • Procurement lead,

  • Legal lead,

  • Executive sponsor.

How to control an active Microsoft audit

The foremost step is to make sure you have a direct NDA with the auditor. The auditor and Microsoft will push back on this, but you may insist on a confidentiality agreement between you and the auditor. Microsoft even explicitly permits you to do that in the most recent versions of MBSA. However, you are within your legal rights regardless of their benevolence. If the auditor pushes back, involve your legal counsel.

Usually, auditors don't share the details behind the audit findings with Microsoft. However, that is not fixed in the agreement. You may insist on it being in the NDA. The only limitation stated in the agreement is that the NDA may not restrict the auditor's access to relevant data.


Five reasons why audits go wrong

1. Insufficient agreement awareness

  • The auditor may not know or fully understand your specifics and background.

  • The auditor is not on your side if there is room for interpretation.

You are responsible for providing the complete agreement paperwork and explaining the background.

2. Incomplete entitlement data

  • The auditor will have a Microsoft License Statement, yet the MLS does not include the following:

    • Licenses obtained through mergers/acquisitions

    • Licenses bundled with hardware (OEM)

    • Licenses bundled with other software (ISV)

    • Your specific grants (at least not all of them)

    • Special terms in your agreements

    • Links between OEM and Software Assurance

It is in your interest to provide all this information.

3. Inventory data gaps and problems

  • Technical and process-related:

    • "Dirty", disorganised Active Directory data

    • Outdated employee and computer records in AD

    • Incomplete and low-quality inventory data

  • Cannot be obtained technically, must be declared:

    • Disaster Recovery, SQL passive instances

    • Development and test

    • Covered with third-party licenses (SPLA on-premises, etc.)

    • Covered with OEM and ISV licenses

4. Licensing interpretation

You may assign the same licenses in different ways. The auditor does not have your best interest at heart, and their employees may lack licensing experience.

Do not mistake the auditor's "big name" for the experience and quality of the auditing team.

It is in your interest to know how and why licenses are assigned in a particular way, for example:

  • Multiple Standard licenses versus Datacenter edition,

  • Software Assurance versus alternative licensing scenarios.

5. Calculation errors

The auditor will use Excel, predominantly performing manual updates and manual data manipulation.

We see formula and calculation mistakes in practically every audit. It is human nature.

You should meticulously check every version of the report. Once fixed, an error may re-appear.

Frequently asked questions about Microsoft audits

What's the definition of non-compliance?

Per Microsoft's official legal terminology, "unlicensed use of 5% or more of Customer's total use of all Products."

Where in my agreement are the audit terms?

In the MBSA.

Can I negotiate the audit terms?

It is a sensitive negotiation subject; in most cases, Microsoft does not entertain negotiations on that subject. Exceptions may be made for substantially large enterprises and defence and military organisations only.

Can I stop an audit?

In rare cases, an audit can be postponed or cancelled if you can prove force majeure or a unique business case to support your request.

Does Microsoft give advance notice of an audit?

Microsoft gives 30 days' advance notice of an upcoming audit. "Microsoft may verify Customer's and its Affiliates' compliance with this Agreement at any time upon 30 days' notice."

Is there an audit fee?

If unlicensed use is 5% or more of your total use of all Products, then you will pay the auditor's fee, which may amount to between $30,000 and $50,000, depending on the size of your estate.

Can I negotiate the results of an audit?

Yes, you can. Once the auditor finalises the audit report, you will have the option to negotiate the outcome with Microsoft. This is a critical stage in the audit process and should not be overlooked. Preparation is key!

Who performs an audit, Microsoft?

Microsoft does not perform audits. An "independent third party auditor" will engage you on behalf of Microsoft. In most instances, it's one of the "big 4": KPMG, Deloitte, PwC or EY.

Do I need to be active in the audit process?

To manage the audit process rather than be managed by it, our recommendation is for you to be proactive throughout the entire process, from data gathering and entitlement review to validating the calculations and methods the auditor used.

What to do after I settle an audit?

Following the settlement stage, we recommend taking an extended break to recuperate from the long and disruptive project. When you get back, ensure you are ready for the next audit within 3-5 years.

Are Windows desktop OEM licenses included in the audit?

You can expect a spot check to verify compliance.

Why does Microsoft still perform audits in the cloud era?

The first reason is the on-premises software install base, which is still huge. On average, Microsoft expects it to be roughly 15%-25% under-licensed. The second reason is that Microsoft uses audit results as leverage to accelerate the adoption of the cloud.

If I use AWS or GCP with my volume licenses, are these audited as well?

Yes, they are.

Does the auditor use their own scripts and tools?

Yes, each auditor has their own proprietary scripts.

If I use a SAM tool to manage my environment, will Microsoft accept a simple report or declaration of compliance?

No. They may accept inventory data from your SAM tool if its coverage is good and the data is trustworthy.

Talk to a Microsoft audit defence expert

Don't leave it to chance if you don't have previous audit experience.

Our experts have helped mitigate over $1 billion of avoidable audit penalties. We also don't sell licenses or partner with Microsoft, so our advice is unbiased.

The earlier we have a chat, the better. Of course, the best time to talk to us is when you receive the audit letter. But worry not. Your case is not lost even if you have already gone through the initial stages.

Here's what we will do for you:

  • We will analyse your agreements, business, processes and infrastructure.

  • We know how auditors think, so we can help you compellingly present the evidence.

  • We will then build a solid case together and help you defend it.

  • We will validate and scrutinise the report and advise on pushing back.

  • And finally, we'll support you in negotiations.

We can include an ROI guarantee, so you have additional peace of mind.

Please don't hesitate to message us using the form below. We respond quickly. Our senior team member will contact you to understand your situation better and develop a proper strategy.