Why Microsoft Audits Have Become More Dangerous in 2026
Microsoft does not need to send an auditor to your data centre to know you have a compliance problem. Since Microsoft 365 usage analytics, Azure Arc on-premises telemetry, and Dynamics 365 in-product licensing enforcement all funnel data back to Microsoft's customer data platform, the company has continuous visibility into the gap between your licensed entitlements and your actual deployment footprint.
The shift matters commercially. On November 1, 2025, Microsoft eliminated tiered volume discounts for Online Services under EA and MPSA: all customers now pay Level A list price regardless of organisation size. That change simultaneously increased base costs and removed the pricing buffer that previously cushioned audit settlements. If Microsoft finds a shortfall today, you owe list price on every unlicensed unit, not the discounted EA rate you originally negotiated. Current EA discounts for online services stand at 10–20% off list, down from the historical 15–25% range. The gap between your contracted rate and the audit-settlement rate is therefore narrower in percentage terms, but the absolute exposure on high-value SKUs such as M365 E5, Copilot, and SQL Server Enterprise is larger than ever.
Under standard EA terms, any shortfall identified in an audit must be purchased at full retail prices without volume discounts. If the gap exceeds 5% of your licence count or spend, an additional surcharge of 5–25% may apply — a provision commonly referred to in the industry as the 125% penalty clause. In our experience across 500+ Microsoft engagements, buyers who address gaps proactively — before receiving any audit notice — consistently achieve better commercial outcomes than those who negotiate under audit pressure.
Finding 1: SQL Server Virtualisation Licensing
SQL Server virtualisation licensing is the single most common finding we see in Microsoft EA audits, and it is also the most financially significant. The root cause is a consistent misunderstanding of what Software Assurance (SA) does and does not grant.
The Passive Replica Trap
The most frequent SQL Server audit failure in the current cycle involves AlwaysOn Availability Groups with a secondary replica configured as readable. The Microsoft Product Terms are explicit: a secondary replica requires a full licence the moment it is configured to accept read connections, even if no production workload ever touches it and it exists purely for reporting offload or HA. Organisations that licensed only their primary instances and treated secondaries as "free" passive nodes discover at True-Up time that they owe full SQL Server Enterprise licences on every readable secondary in their estate.
Unlimited Virtualisation Rights and the SA Requirement
SQL Server Enterprise Edition with active Software Assurance grants unlimited virtualisation rights on a licensed host: licence all physical cores and you can run as many SQL Server VMs as the hardware supports. Without active SA, that right disappears entirely. Each VM must then be licensed individually on its assigned virtual cores, subject to a minimum of four core licences per VM. Organisations that let SA lapse during a cost-cutting exercise and kept running their virtualised SQL estate on the assumption that unlimited virtualisation rights were permanent are now facing five- to seven-figure remediation bills.
Remediation Steps
Audit your SQL Server estate at the host level, not the instance level. Export your VMware or Hyper-V inventory and cross-reference every SQL Server instance against its host's physical core count and SA status. Identify all AlwaysOn secondary replicas and confirm whether each is configured as readable. For any readable secondary, either licence it fully or reconfigure it as non-readable (the secondary role allows no connections, so the replica only synchronises) before your next True-Up date. Bear in mind that the fail-over right that makes a non-readable secondary free is itself a Software Assurance benefit: if the primary's licences carry no active SA, even a passive secondary needs its own licences. If SA has lapsed on hosts running multiple VMs, model the cost of re-establishing SA coverage against the cost of individual VM licences; for dense virtualisation environments, restoring SA is almost always cheaper.
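The host-level check described above, as an added example that is not part of the original article. It runs the text's rules (Enterprise plus active SA on every physical core covers all VMs on the host; otherwise each VM is licensed on its own vCores with a four-core minimum in two-core packs; a readable secondary always needs a licence, a non-readable one is covered only when the primary's licences carry SA) over a constructed inventory. The host and VM records, and the `readable` flag standing in for a non-`NO` value of `secondary_role_allow_connections_desc`, are assumptions made for the example.

```python
"""Host-level SQL Server licence reconciliation over a constructed inventory.

Rules applied (Microsoft per-core model as summarised in the text):
  * Enterprise core licences with active SA on every physical core of a host
    cover every SQL Server VM on that host (unlimited virtualisation).
  * Otherwise each VM needs its own core licences: its vCores, minimum 4,
    rounded up to the 2-core pack size.
  * An AlwaysOn secondary that allows read connections needs a full licence.
    A non-readable secondary is covered by fail-over rights only if the
    primary's licences carry active SA (fail-over rights are an SA benefit).
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

CORE_PACK = 2
MIN_CORES_PER_VM = 4


@dataclass(frozen=True)
class Host:
    name: str
    physical_cores: int
    enterprise_sa_all_cores: bool  # Enterprise licences + active SA on all cores


@dataclass(frozen=True)
class SqlVm:
    name: str
    host: str
    vcores: int
    ag: Optional[str] = None       # AlwaysOn availability group, if any
    role: str = "STANDALONE"       # STANDALONE | PRIMARY | SECONDARY
    readable: bool = False         # secondary_role_allow_connections_desc != 'NO'
    sa: bool = False               # per-VM licences on this VM carry active SA


def pack_round(cores: int) -> int:
    """Round a core count up to the 2-core pack size."""
    return -(-cores // CORE_PACK) * CORE_PACK


def per_vm_cores(vm: SqlVm) -> int:
    """Core licences for one VM under per-VM licensing."""
    return pack_round(max(vm.vcores, MIN_CORES_PER_VM))


def reconcile_sql_hosts(hosts: list[Host], vms: list[SqlVm]) -> dict:
    """Return, per host, the licensing model, core licences required and findings."""
    host_by_name = {h.name: h for h in hosts}
    primaries = {v.ag: v for v in vms if v.role == "PRIMARY"}
    vms_by_host = defaultdict(list)
    for v in vms:
        vms_by_host[v.host].append(v)

    def covered_by_sa(v: SqlVm) -> bool:
        return v.sa or host_by_name[v.host].enterprise_sa_all_cores

    report = {}
    for h in hosts:
        entry = {"model": "", "cores_required": 0, "findings": []}
        if h.enterprise_sa_all_cores:
            entry["model"] = "host (unlimited virtualisation)"
            entry["cores_required"] = h.physical_cores
        else:
            entry["model"] = "per-VM (no SA-backed host licence)"
            for v in vms_by_host[h.name]:
                if v.role == "SECONDARY":
                    primary = primaries.get(v.ag)
                    if v.readable:
                        entry["findings"].append(f"{v.name}: readable secondary, full licence required")
                    elif primary is not None and covered_by_sa(primary):
                        continue  # passive replica covered by the primary's fail-over right
                    else:
                        entry["findings"].append(f"{v.name}: passive secondary but primary has no SA, licence required")
                entry["cores_required"] += per_vm_cores(v)
        report[h.name] = entry
    return report


# Constructed inventory: esx-01 keeps Enterprise + SA on all cores, esx-02 let SA lapse.
HOSTS = [
    Host("esx-01", physical_cores=32, enterprise_sa_all_cores=True),
    Host("esx-02", physical_cores=32, enterprise_sa_all_cores=False),
]
VMS = [
    SqlVm("sql-erp-01", "esx-01", 8, ag="erp", role="PRIMARY"),
    SqlVm("sql-bi-01", "esx-01", 16),
    SqlVm("sql-erp-02", "esx-02", 8, ag="erp", role="SECONDARY", readable=True),
    SqlVm("sql-hr-01", "esx-02", 2),                       # below the 4-core minimum
    SqlVm("sql-crm-01", "esx-02", 6, ag="crm", role="PRIMARY", sa=True),
    SqlVm("sql-crm-02", "esx-02", 6, ag="crm", role="SECONDARY"),   # passive, SA-backed primary
    SqlVm("sql-web-01", "esx-02", 4, ag="web", role="PRIMARY"),
    SqlVm("sql-web-02", "esx-02", 4, ag="web", role="SECONDARY"),   # passive, no SA anywhere
]

if __name__ == "__main__":
    for host, entry in reconcile_sql_hosts(HOSTS, VMS).items():
        print(host, entry["model"], entry["cores_required"], "cores")
        for finding in entry["findings"]:
            print("  -", finding)
```

On the constructed data esx-02 needs 26 core licences: 8 for the readable secondary, 4 for the 2-vCore VM (minimum), 6 for the CRM primary, nothing for the CRM passive replica, and 4 each for the web pair, whose passive node is not covered because neither side has SA.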
Concerned about your SQL Server virtualisation exposure? We run independent EA compliance reviews across complex hybrid estates.
Finding 2: Windows Server Core Licensing Gaps
Windows Server licensing shifted to a per-core model in 2016, but audits in 2025–2026 continue to surface estate gaps stemming from the minimum licensing rules and the SA requirement for VM-based licensing.
The Minimum Core Rules
Windows Server Datacenter and Standard editions require a minimum of 8 core licences per physical processor and a minimum of 16 core licences per server. Organisations that purchased only the number of cores physically installed, without checking both minimums, frequently find themselves under-licensed at the server level. The per-server minimum catches single-socket servers running high-density VMs: a server with one 12-core processor still requires 16 core licences, not 12. The per-processor minimum catches multi-socket servers with small processors: four 6-core processors carry 24 physical cores but require 32 core licences.
VM-Based Licensing and Software Assurance
The option to licence Windows Server by virtual machine, rather than by physical host, was introduced in October 2022 and is available only to customers with active subscription licences or licences with active Software Assurance. If your organisation adopted VM-based licensing after that date but did not confirm SA was active across all relevant licences, the VM licensing model is not valid and you revert to physical core licensing obligations for every host involved. Because licensing a dense host at the physical level costs significantly more per VM than VM-based licensing at scale, the commercial exposure from an inadvertent SA lapse can be substantial.
Remediation Steps
Run a full server inventory using Microsoft Assessment and Planning Toolkit or a third-party SAM tool. For each physical server, confirm that licences cover both the physical core count and the per-processor and per-server minimums. Check SA status for all Windows Server licences where VM-based licensing has been adopted. Any SA lapse should be flagged to your Microsoft account team before your True-Up — purchasing SA reinstatement at True-Up is typically more cost-effective than absorbing a full compliance settlement retroactively.
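A per-server check that applies the minimums and the VM-based licensing condition from Finding 2, as an added example rather than anything from the original article. It encodes the rules the text states (8 core licences per processor, 16 per server, 2-core packs; Standard covers two VMs per full set of core licences and Datacenter is unlimited; VM-based licensing needs active SA or a subscription and, as assumed here from the Product Terms, at least 8 core licences per VM, otherwise the host falls back to physical licensing). The server records and purchased counts are constructed.

```python
"""Windows Server core-licence check over a constructed server inventory.

Rules applied (Windows Server 2016 and later, as summarised in the text):
  * Physical licensing: at least 8 core licences per processor and 16 per
    server, rounded up to 2-core packs.
  * Standard edition covers 2 VMs per full set of core licences; each further
    pair of VMs needs the whole server licensed again. Datacenter is unlimited.
  * Licensing by VM (October 2022 onward) needs active SA or a subscription and
    a minimum of 8 core licences per VM; without SA it falls back to physical.
"""
from __future__ import annotations
from dataclasses import dataclass

MIN_PER_PROCESSOR = 8
MIN_PER_SERVER = 16
MIN_PER_VM = 8          # assumed minimum for VM-based licensing
CORE_PACK = 2
STANDARD_VMS_PER_SET = 2


@dataclass(frozen=True)
class Server:
    name: str
    edition: str             # "Standard" | "Datacenter"
    sockets: int
    cores_per_socket: int
    vm_vcores: tuple         # vCores of each Windows Server VM on this host
    sa_active: bool          # SA or subscription active on its licences
    licensed_by_vm: bool     # the team adopted VM-based licensing
    owned_cores: int         # core licences actually purchased for this server


def pack_round(cores: int) -> int:
    return -(-cores // CORE_PACK) * CORE_PACK


def physical_cores_required(s: Server) -> int:
    """Core licences for the host itself, honouring both minimums."""
    per_proc = max(s.cores_per_socket, MIN_PER_PROCESSOR) * s.sockets
    base = pack_round(max(per_proc, MIN_PER_SERVER))
    if s.edition == "Datacenter":
        return base
    # Standard: one full set of core licences per 2 VMs (at least one set)
    sets = max(1, -(-len(s.vm_vcores) // STANDARD_VMS_PER_SET))
    return base * sets


def vm_cores_required(s: Server) -> int:
    """Core licences when each VM is licensed on its own vCores."""
    return sum(pack_round(max(v, MIN_PER_VM)) for v in s.vm_vcores)


def check_server(s: Server) -> dict:
    findings = []
    if s.licensed_by_vm and not s.sa_active:
        findings.append("VM-based licensing adopted without active SA: physical core licensing applies")
        model, required = "physical (fallback)", physical_cores_required(s)
    elif s.licensed_by_vm:
        model, required = "per-VM", vm_cores_required(s)
    else:
        model, required = "physical", physical_cores_required(s)
    if s.owned_cores < required:
        findings.append(f"short by {required - s.owned_cores} core licences")
    return {"model": model, "required": required, "owned": s.owned_cores, "findings": findings}


def check_estate(servers: list[Server]) -> dict:
    return {s.name: check_server(s) for s in servers}


# Constructed inventory covering each failure mode in the text.
SERVERS = [
    Server("hv-01", "Datacenter", 1, 12, (8, 8, 8, 8), True, False, owned_cores=12),   # per-server minimum
    Server("hv-02", "Datacenter", 4, 6, (8, 8), True, False, owned_cores=24),          # per-processor minimum
    Server("hv-03", "Standard", 2, 16, (4, 4, 4, 4, 4), False, False, owned_cores=32),  # Standard VM stacking
    Server("hv-04", "Standard", 2, 16, (4, 8, 24), True, True, owned_cores=40),        # valid per-VM licensing
    Server("hv-05", "Standard", 2, 16, (4, 8, 24), False, True, owned_cores=40),       # per-VM without SA
]

if __name__ == "__main__":
    for name, result in check_estate(SERVERS).items():
        print(name, result["model"], "required", result["required"], "owned", result["owned"])
        for finding in result["findings"]:
            print("  -", finding)
```

hv-04 and hv-05 have identical hardware and VMs; only the SA flag differs, and that alone moves hv-05 from 40 compliant core licences to a 64-core physical obligation (two full Standard sets for three VMs) with a 24-licence shortfall.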
Finding 3: Microsoft 365 Copilot Under-Licensing
Copilot under-licensing is a relatively new finding but it is growing fast. M365 Copilot is priced at $30 per user per month as a standalone add-on, or included in the forthcoming M365 E7 bundle at $99 per user per month. The compliance risk arises from the gap between pilot deployment and formal licence assignment — and from Copilot features that are being enabled in adjacent products without buyers realising that formal Copilot licences are required.
The Pilot-to-Production Gap
Most enterprises that deployed M365 Copilot ran a 300-seat pilot in 2024 or early 2025. A common pattern: the pilot concluded, formal rollout never happened, but the 300 pilot licences expired while informal usage continued through shared accounts, Teams-embedded Copilot prompts, or Microsoft 365 Chat features that users assumed were included in their E3 or E5 base licence. (One distinction matters here: Microsoft 365 Copilot Chat, the web-grounded chat, is included with E3 and E5; the work-grounded Copilot inside Teams, Word, Excel and Outlook is what requires the add-on licence.) Microsoft's usage telemetry captures every Copilot interaction, including prompts, responses, and the licences assigned at time of access. Audit exposure from unlicensed Copilot usage is charged at the $30 per user per month add-on rate, not at any discounted EA price. Under NCE, monthly-term Copilot licences carry no volume discount and are priced at list; only annual or multi-year commitments provide pricing advantages.
Copilot Studio and Agent 365 Exposure
Beyond M365 Copilot for end users, Copilot Studio (which operates on a per-session or per-message consumption model) and Agent 365 (bundled in E7 but chargeable as a standalone) are also areas of emerging audit risk. Organisations that have deployed custom agents via Copilot Studio without tracking consumption against purchased credit pools may find that their consumed sessions exceed entitlement at renewal reconciliation.
Remediation Steps
Run a Copilot usage report from the Microsoft 365 Admin Centre and cross-reference active users against assigned Copilot licences. For any user who has generated Copilot interactions without an assigned licence, either assign licences retroactively (purchasing them at your current EA rate before True-Up) or disable Copilot access for that user. Review Copilot Studio session consumption against your purchased credit entitlement. If you are approaching E5 renewal, model whether the E7 bundle, which includes Copilot at $99 per user per month, resolves the exposure at equal or lower cost than E5 plus standalone Copilot at your actual contracted rates.
Finding 4: Dynamics 365 Finance and Operations Role-to-Licence Mismatches
January 15, 2026 marked the activation of Microsoft's automated licence enforcement within Dynamics 365 Finance and Operations. The enforcement mechanism is direct: if a user is assigned duties or privileges that exceed their licensed role, the system disables the relevant functionality after a 14-day grace period. Audit exposure in D365 is therefore becoming self-evident — but the commercial remediation question is more complex than simply purchasing additional licences.
What Triggers Non-Compliance
The D365 F&O licence structure is built around role-to-licence mapping. A user licensed at the Team Member tier ($8 per user per month) can only perform light tasks — read records, update simple forms, and submit timesheets. The moment a Team Member is assigned security roles that include journal entry, invoice approval, or supply chain transaction processing, they require a full Finance ($210 per user per month), Supply Chain Management ($180 per user per month), or Operations Activity licence ($50 per user per month). Many organisations grew their D365 estates organically, assigning roles based on business need without systematic licence validation. The January 2026 enforcement made those mismatches immediately visible — and chargeable.
The Base and Attach Discount
D365 F&O is also affected by the base-and-attach pricing architecture. A user who holds a qualifying base licence (Finance, Supply Chain Management, or Customer Engagement) can add further D365 modules as attach licences at significantly reduced rates — typically $20–$30 per user per month for additional functional areas. Organisations that did not structure their D365 licensing correctly at deployment are often paying full list price for modules that should qualify for attach pricing. Audit remediation conversations are an appropriate moment to restructure towards base-and-attach and potentially reduce per-user cost by 40% or more on the attach modules, even while resolving the compliance gap.
Remediation Steps
Export your D365 user security role assignments and cross-reference each role against Microsoft's published licence requirement matrix. Identify all users assigned roles that exceed their licensed tier. For each non-compliant user, determine whether the correct licence is a full module subscription or an attach licence. Where users have been over-assigned roles for convenience rather than business necessity, restrict role assignments to match existing licence entitlement. Engage your Microsoft account team before your next True-Up to confirm the remediation plan — early disclosure typically avoids the 125% penalty clause.
Finding 5: Power BI Premium to Fabric Migration Gaps
Microsoft's phased transition from Power BI Premium capacity (P-SKUs) to Microsoft Fabric (F-SKUs) has created a significant compliance grey zone. Organisations that migrated to Fabric F-SKUs but did not correctly retire their Power BI Premium capacity licences are paying for both. Conversely, organisations that retained P-SKU licences while their actual workloads shifted to Fabric consumption models may find that their P-SKU entitlements no longer cover the workloads actually running, creating retroactive exposure on the Fabric side.
Orphaned P-SKU Capacity
The most common finding is orphaned Power BI Premium P-SKU capacity that continues to run after the operational workloads have been migrated to Fabric. Because P-SKU billing is not automatically terminated by workload migration, many IT teams that successfully moved to Fabric discover they are still paying for unused Premium capacity — while simultaneously having under-provisioned Fabric F-SKUs that are running above the 70% CPU utilisation threshold that triggers over-consumption billing.
Remediation Steps
Pull a capacity utilisation report for all P-SKU workspaces from the Power BI admin portal or the Fabric Capacity Metrics app. Identify any P-SKU capacity where utilisation has dropped below 20% in the 90 days following your Fabric migration. Schedule P-SKU capacity retirement at your next billing cycle. For Fabric F-SKUs, export CPU and memory utilisation data and compare consumed capacity units against purchased entitlements. If F-SKUs are regularly exceeding 70% utilisation, right-size upward before Microsoft initiates a capacity review; over-consumed Fabric capacity is increasingly a trigger for advisory SAM reviews.
Finding 6: True-Up Reporting Gaps — New Users and New VMs
The True-Up mechanism is designed to catch exactly this category of gap: any new licences consumed during the EA year beyond the quantities committed at signing must be reported at the annual True-Up date (the anniversary of your EA start date). Missing the True-Up deadline, under-reporting new users, or failing to include new server deployments creates a compliance shortfall that compounds across multiple True-Up cycles.
How the Gap Accumulates
In a typical large-enterprise EA, the HR system is not tightly integrated with the software asset management platform. When 200 new employees join during the year, IT provisions accounts but the SAM team does not always receive a timely feed. At True-Up, the reported user count reflects the original baseline plus whatever additions were manually tracked — rather than the actual deployed count. After three True-Up cycles of systematic under-reporting, the accumulated gap can represent tens of thousands of unlicensed user-months. Microsoft's telemetry from Azure AD (now Entra ID) active user counts and M365 sign-in logs makes this discrepancy immediately visible at audit.
The NCE Complication
Under Microsoft's New Commerce Experience, monthly-commit subscriptions are priced at full list price with no EA volume discount, while annual-commit NCE subscriptions carry up to a 5% discount and three-year commitments offer improved pricing with reduced flexibility. Organisations that add True-Up overages under monthly NCE commitments, rather than rolling them into annual commits at the next True-Up, pay materially more per licence-month than those who manage True-Up proactively against annual commitment terms. EA discounts for online services stand at 10–20% off list under current terms, so it is financially important to ensure overage additions are captured at the discounted EA rate rather than at NCE monthly list price.
Remediation Steps
Establish a quarterly licence reconciliation process that compares your HR headcount feed, your Entra ID active user count, and your EA committed licence quantities. Any positive delta should be flagged to procurement with sufficient lead time to be included in the next True-Up at your EA rate rather than as ad hoc NCE monthly additions. The same join also surfaces enabled accounts with no active HR record (leavers never offboarded, contractors, service accounts), which consume licences and are a security finding in their own right. For server-side deployments, integrate your Azure Arc inventory and on-premises VM management platform with the SAM feed so that new Windows Server and SQL Server deployments are automatically surfaced for licence assignment review. A quarterly cadence, rather than waiting for the annual True-Up, consistently produces lower compliance exposure and better commercial outcomes.
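The quarterly reconciliation above as an added example, not code from the original article. It joins three constructed feeds (an HR headcount extract, an Entra ID user export with assigned SKUs and last sign-in age, and the EA committed quantities), reports the True-Up delta per SKU, and separates out what the join also reveals: enabled accounts with no active HR record, staff with no account yet, and assignments sitting on accounts idle for longer than an assumed 90-day window. The feed layouts, the 90-day window and the sample records are all assumptions for the example; the SKU strings are illustrative labels.

```python
"""Quarterly licence reconciliation across three constructed feeds:
HR headcount, Entra ID users (with assigned SKUs), and EA committed quantities.

Returns the True-Up delta per SKU plus the account-hygiene findings the same
join surfaces. Feed layouts and the activity window are assumptions.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

ACTIVE_WINDOW_DAYS = 90   # assumed: a sign-in within 90 days counts as active


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    upn: str
    status: str               # "active" | "leaver"


@dataclass(frozen=True)
class EntraUser:
    upn: str
    enabled: bool
    days_since_sign_in: int   # age of the last interactive sign-in
    skus: tuple               # assigned licence SKU labels


def reconcile_true_up(hr: list[HrRecord], entra: list[EntraUser], committed: dict) -> dict:
    active_staff = {r.upn for r in hr if r.status == "active"}
    entra_upns = {u.upn for u in entra}

    # Enabled accounts with no active HR record consume licences and are a
    # security finding (leavers not offboarded, contractors, service accounts).
    orphaned = sorted(u.upn for u in entra if u.enabled and u.upn not in active_staff)
    # Active staff with no account: a provisioning lag, not a licence gap yet.
    unprovisioned = sorted(active_staff - entra_upns)

    # Microsoft counts assignments, so count every enabled account, orphaned or not.
    assigned = Counter(sku for u in entra if u.enabled for sku in u.skus)
    # Assignments on idle accounts are reclaimable before True-Up rather than
    # reportable as growth.
    idle = Counter(sku for u in entra
                   if u.enabled and u.days_since_sign_in > ACTIVE_WINDOW_DAYS
                   for sku in u.skus)

    delta = {sku: assigned.get(sku, 0) - qty for sku, qty in committed.items()}
    for sku in assigned:
        delta.setdefault(sku, assigned[sku])   # SKU in use but never committed
    return {
        "true_up_delta": delta,
        "reclaimable": dict(idle),
        "orphaned_accounts": orphaned,
        "unprovisioned_staff": unprovisioned,
    }


# Constructed feeds for one quarter.
HR = [
    HrRecord("E1001", "alice@corp.example", "active"),
    HrRecord("E1002", "bob@corp.example", "active"),
    HrRecord("E1003", "carol@corp.example", "leaver"),
    HrRecord("E1004", "dave@corp.example", "active"),
    HrRecord("E1005", "erin@corp.example", "active"),
]
ENTRA = [
    EntraUser("alice@corp.example", True, 3, ("SPE_E5", "Microsoft_365_Copilot")),
    EntraUser("bob@corp.example", True, 10, ("SPE_E5",)),
    EntraUser("carol@corp.example", True, 120, ("SPE_E5",)),      # leaver, still enabled
    EntraUser("dave@corp.example", True, 200, ("SPE_E3",)),       # idle but legitimate
    EntraUser("svc-backup@corp.example", True, 1, ("SPE_E3",)),   # not in HR at all
]
COMMITTED = {"SPE_E5": 2, "SPE_E3": 1}   # quantities committed at EA signing

if __name__ == "__main__":
    for key, value in reconcile_true_up(HR, ENTRA, COMMITTED).items():
        print(key, value)
```

On this data the raw True-Up delta is one extra E5, one extra E3 and one uncommitted Copilot seat, but two of those assignments sit on accounts idle for over 90 days, one of which belongs to a leaver who was never disabled. Reclaiming them before the True-Up date turns a reportable overage into a smaller, cleaner order.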
Want a proactive compliance review before your next True-Up? Redress Compliance runs buyer-side SAM reviews across all six finding categories.
The Proactive Remediation Framework
Across 500+ Microsoft licensing engagements, the buyers who achieved the best outcomes in audit scenarios had one thing in common: they identified and remediated gaps before Microsoft made contact. The moment Microsoft opens an audit, commercial leverage shifts decisively: any shortfall must be purchased at list price within 30 days of the settlement demand, audit costs may be charged to the customer, and the relationship with your account team becomes adversarial rather than collaborative.
The practical framework for proactive compliance management has four components. First, maintain a centralised entitlement register that captures every Microsoft licence, its term, its SA status, and the users or assets it covers, updated quarterly rather than only at EA signing. Second, run an automated reconciliation between your entitlement register and your deployment inventory (Entra ID, formerly Azure AD; Azure Arc; VMware; SQL Server management tools) on a quarterly cycle. Third, treat each finding from the reconciliation as a Q4 negotiation lever: Microsoft's fiscal year closes June 30, and account teams have maximum incentive to close transactions in April–June, so purchases required for compliance remediation are better timed for Q4 than for any other quarter. Fourth, engage independent counsel before any audit letter response: the initial response to a Microsoft audit notice sets the terms of the entire engagement, and buyers who respond without preparation consistently accept less favourable settlement terms.
Microsoft's audit programme is not going away. With AI-driven telemetry, automated D365 enforcement, and the elimination of volume discount buffers since November 2025, the cost of reactive compliance management has never been higher. The six findings above account for the majority of material exposure we see across the EA customer base. Addressing them systematically, on your own timeline, and before the Q4 pressure window gives you the best possible commercial position going into renewal.