Microsoft Audit Defense Overview
- Executive Summary
- Identifying the type of Microsoft audit
- Understanding Microsoft audit triggers
- How to respond to a Microsoft audit
Warning: Beware Fake Microsoft Audits
If you’ve received an audit letter or verbal indication of an audit from Microsoft, a Microsoft salesperson, a Microsoft reseller or anyone else, contact Miro right away.
Do NOT provide any information or fill out any server worksheets before speaking to an organization that is neither a reseller nor a Microsoft-designated audit partner, such as Miro, which can help determine whether the audit is legitimate and mandatory. This distinction is intentional. Did you know that both resellers and Microsoft audit partners are obligated to inform Microsoft of what they find?
Microsoft Audit Summary
Microsoft software is the most widely used software in business, education and governmental organizations. Microsoft targets organizations of all sizes, so IT leaders should be prepared for the inevitable audit.
Microsoft Audit Challenges:
- Microsoft compliance policies, usage rights, cloud offerings, and terms are constantly changing and evolving due to technology and market forces, but the company does not proactively update software asset managers with new information.
- There are multiple types of Microsoft Audits which are triggered in different ways. Some are “friendly” audits while others carry significant financial exposure for non-compliance.
- Microsoft Audits are becoming significantly more frequent and hostile, having doubled in the last two years. Audits are now far more likely to include large financial penalties instead of friendly requests to “True-Up” to resolve license shortfalls.
Microsoft Audit Defense Recommendations:
- Actively review your Microsoft contract entitlements and compare them to your current deployment and usage.
- Compare contractual requirements with assignment records to confirm alignment.
- Resolve all internal record conflicts before providing information to Microsoft and agreeing on entitlements.
- Avoid using any Microsoft Reseller for audit assistance, as they are contractually obligated to turn over all relevant information directly to Microsoft.
- Consult an independent third party specializing in Microsoft Audits to assist in the audit defense, audit preparation and negotiation process.
Microsoft Audit Types
Depending on the volume of Microsoft software purchased, organizations may experience one of five types of audits.
Audit type, description, and additional licensing costs for shortfalls:
- A Third Party audit conducted by licensing experts hired by the organization. Results are NOT reported to Microsoft.
- The organization conducts its own internal audit at the request of Microsoft. Additional licensing costs will be incurred if the organization reports a shortfall to Microsoft.
- An audit-like requirement for Microsoft clients, in which a SAM Partner or Reseller validates your True-up submission. Organizations are typically forced to purchase all additional licenses required, even if the product(s) or features were installed accidentally or are not in use.
- An audit requested by Microsoft’s SAM group, done in conjunction with a Microsoft Reseller. If the organization agrees to the SAM Audit, it will be forced to purchase all additional licenses required, even if the product(s) or features were installed accidentally or are not in use.
- An unsolicited audit attempt by a Microsoft Reseller that does not have a previous relationship with your organization. These Microsoft Resellers spam out thousands of emails to random IT people at the organization, demanding information on the products and services they are using, under threat of “audit”. They then demand that the organization make additional purchases from them to “true-up”, whether the organization really needs the products or not.
- Microsoft LLC Audit: A true audit that may produce financial penalties as well as software license purchases. Organizations are typically forced to purchase all additional licenses required, even if the product(s) or features were installed accidentally or are not in use. Additional licenses may be priced at the “penalty” rate of 125% of the list price, not the organization’s original discounted purchase price. Additional licensing costs for shortfalls: Yes, with financial penalties.
Microsoft Audit Triggers
There are many different possible triggers of a Microsoft Audit, but these are the most common. If these types of events have occurred at your organization recently, there is a substantially increased chance of an audit.
Enterprise Agreement Non-Renewal
Perhaps the decision was made not to renew the Enterprise Agreement during an economic downturn as a cost reduction measure, and relatively few Microsoft purchases have been made since. With annual true-ups no longer required, Microsoft will wonder how the business is still being supported with hardware and software that is very old.
Technology & Licensing Changes
BYOD, desktop virtualization, hosted services, license mobility, cloud environments, transitional licensing, bridge licenses, metric changes and evolving Software Assurance benefits all make adherence to licensing rules challenging, at best. Microsoft knows this and will use it to position the environment as non-compliant.
Mergers & Acquisitions
The Microsoft Account team will view any M&A activity as a potential opportunity. For example, when an organization with an active Enterprise Agreement acquires another company, Microsoft will assume an increase in the number of qualified devices or users. Beyond any contractual obligations that may exist, the Microsoft Account team will see a revenue windfall.
Transition to the Cloud
Cloud subscriptions are presented as the easiest path to achieving and maintaining license compliance. Office 365 has reached critical mass in the commercial space, which reflects Microsoft’s success in engineering the transition. Microsoft will continue this process and even repeat it as it tries to upsell existing subscribers. Microsoft recently suggested that audits of cloud-based deployments are 90% quicker and smoother. However, the October 2019 announcement adds cost: any deployment at a “Listed Provider” (currently Alibaba, AWS, and Google) must have Software Assurance, and the organization must provide Microsoft with a License Verification Form that names the Authorized License Mobility Partner. What’s the additional cost? Software Assurance – a charge of 25% annually for server software.
Disgruntled Employees or Former Employees
Organizations such as the Business Software Alliance, of which Microsoft is a member, actively ask individuals to come forward to report non-compliance issues. This isn’t unusual as employees – former or existing – may want to create difficulties and instigate an audit.
The best advice for an organization is to complete its own, proactive License Position Assessment, or “self-audit”, as soon as possible via an independent expert. This assessment will provide the snapshot needed to determine any exposure and allow the organization to prepare and protect their budget from unexpected costs from Microsoft.
Step-by-Step Audit Response
Step 1: Form Your Audit Team
Your organization should have a pre-established audit team before an audit letter arrives. The audit team should include appropriate experts from legal, IT and the C-suite. If you don’t have someone on staff with comprehensive, historical knowledge of Microsoft’s tendencies, preferences and ongoing licensing changes, hire an outside expert. There are three important positions within the audit team to designate: the external point of contact, the internal point of contact and the record keeper.
The audit team should designate a single point of contact for Microsoft, and formally alert Microsoft and its audit partners that this person is the sole communication point within the organization. This will stop Microsoft from reaching out to multiple people within the organization in an attempt to gain information. Make sure everyone applicable in your organization knows that communications and solicitations for information should be referred to the designated point of contact.
As well as an external single point of contact, the audit team should designate a single internal point of contact. This person is responsible for all internal communications within the organization, such as providing updates on the status of the audit. In some firms, this can be the same person as the externally-focused point of contact.
An audit team member should be designated as the official record keeper of all entitlement documents, terms, conditions, purchase orders, contracts, amendments, concessions, and any findings or results from previous audits. In some firms, the same person can fulfill all three roles.
A Microsoft expert can help you save money and optimize your licensing portfolio by negotiating the best T&Cs for you in the first place, and by helping you navigate the intricacies of the Microsoft audit process after the formal audit letter arrives.
Step 2: Verify Audit Group
If you receive information from a Microsoft Reseller, SAM Partner, or employee, the first step is to determine exactly which group is contacting you for which type of audit. Verify whether the audit is mandatory, voluntary, or even an actual audit, and not just a subtle threat by a salesperson.
Ensure any communication between your organization, Microsoft, and the partner, is approved and reviewed by your audit team before delivery beyond your organization. Your options may vary depending on the Microsoft group contacting you, but the importance of controlling your inventory data remains the same.
Step 3: Establish Audit Timeline & Scope
Microsoft contracts typically require an organization to allow Microsoft’s chosen third-party auditors to verify the organization’s compliance position. This must be done within 30 days of receiving the audit letter, but that time frame is somewhat negotiable. If Microsoft chooses an accounting firm to conduct the actual audit, ensure that the firm does not also manage the yearly financial audit for the organization, as this can be considered a conflict of interest.
NDAs should be signed by all relevant parties, including the organization, Microsoft, third-party auditors, and any outside compliance experts retained by the organization. Establish what tools, scripts or programs will be used to gather information (subjecting them to IT security review), and make sure there is time to review their findings.
Step 4: Proof of Ownership
Collect and review all Microsoft Agreement information. You may wish to request a Microsoft License Statement (MLS) from your reseller. The MLS lists all volume license purchases made by your organization. When reviewing the MLS, verify the organizations listed in Microsoft’s report to ensure that no licenses are missing and that no licenses were added in error. You will also want to request an OEM license history report. Officially, the time lapse between a purchase under a volume license agreement and that purchase’s appearance in the MLS is 45 days.
The OEM license history report can be obtained from the software reseller where the software was purchased. It is needed because Microsoft does not track OEM purchases electronically but instead relies on the proof of purchase in the customer’s records. Organizations can also access their volume licensing purchases from either the “Volume Licensing Service Center” (VLSC) or the “Volume Licensing Business Center”.
Ensure that these reports represent your complete Microsoft estate. Licenses purchased by acquired entities may be under those entities’ names instead of the parent organization’s. There may also be discrepancies based on formal or informal versions of the organization’s name. To use ourselves as a hypothetical example, some licenses may be under “Miro Consulting” but others could be under just “Miro”. Items purchased in a retail environment, OEM products, and licenses purchased in the past 45 days may also be missing.
Step 5: Self-Audit
It’s very important to be fully aware of your licensing situation, including any shortfalls, before the formal audit, so be sure to perform a thorough self-audit that parallels Microsoft’s license compliance assessment. Ensure that only those who require access to applications are given access to them. Also ensure that licenses are managed and that all deployments adhere to Microsoft licensing policies.
A discovery tool can be used to find deployments: one already installed and in use, a new for-fee tool, or a cost-free option such as the Microsoft Assessment & Planning (MAP) Toolkit. Be aware that such a tool cannot detect deployments of products that are not on the same network (or network segment), nor does it understand the rules for licensing (for example, whether SQL Server is licensed under the “Per Core” metric or the “Server+CAL” metric).
Step 6: Analyze Self-Audit Results
When reviewing the self-audit results, be sure to note how various enterprise modifications might have impacted Microsoft licensing. Although potential violation areas are numerous – as any modification can impact Microsoft licensing – it is critical to pay special attention to areas prone to challenges and misunderstandings:
- Test servers: e.g., inadvertently promoting software from a development environment to production without additional licensing
- Software or hardware upgrades
- Disaster recovery process
- Backup and Restore processes
- Internet, intranet and extranet access
- Transfers of data to and from a system
- Merger and acquisition changes
- Geographic expansion
- Use of server virtualization
- Use of enterprise server features
- Transitioning all or a portion of your on-premises solutions to a Cloud or Third-Party hosting site
- Use of Self-Hosted Applications (apps used by your clients)
Do not judge the state of your license compliance based on Microsoft technical white papers! Terms such as Active/Passive, Disaster Recovery, and Core Licensing have meanings that differ between Microsoft’s technical teams and Microsoft’s licensing teams, which affects how an enterprise should license. Various Microsoft policy documents can be used as licensing guidelines, but those are written about licensing, not from a technical perspective. These terms can and have cost organizations thousands when their definition of a term differs from Microsoft’s official licensing rules.
Step 7: Formulate a Plan of Action
The odds of finding your organization to be 100% compliant after a self-audit are slim. You’ll probably find several areas where you are either under-licensed or over-licensed, so get ready to cooperate and negotiate with Microsoft. Licensing issues are not usually black and white, and situations vary from company to company in terms of how Microsoft interprets “compliance.”
Unfortunately, licensing violations can cost hundreds of thousands, or even millions, of dollars to true-up, depending on the size of your Microsoft estate. Microsoft will also pursue clients for past use even if they no longer use the software in the same way, as previously installed software can leave a trail.
Step 8: Prepare for Next Time
After a Microsoft audit, an organization may feel that it is safe from future audits. The truth is that an organization can experience an audit whenever Microsoft believes unpurchased licenses may be in use there. To help future audits go smoothly, your organization will want to keep up to date with any changes. Microsoft does not always announce license changes to its customers, and a software reseller is often not updated by Microsoft or does not effectively share Microsoft’s licensing changes. It’s important to remember that you are responsible for keeping track of the constant changes that Microsoft makes to its licensing rules.
The best way to avoid non-compliance fees arising from Microsoft audits is to use proactive software license management practices, including regular self-audits and the use of experts to help you keep aware of the continuous changes to Microsoft’s licensing rules. Proactive management of software assets can reduce costs by avoiding both over-licensing and under-licensing. According to Gartner, average savings are usually about 30% in the first year after a good IT asset management strategy is implemented.