Microsoft EA assessments surface four categories of value: entitlement accuracy, Azure cost optimisation, security stack rationalisation, and renewal commercial strategy. This 20-point framework covers all four systematically. Work through each check with your Microsoft admin, Azure team, and procurement lead to build a comprehensive optimisation picture before your next EA renewal.

Section A: EA Entitlement and Usage Baseline

Microsoft EA assessments begin with entitlement accuracy. Many EA customers are paying for products they are not using, missing benefits they have paid for, or incorrectly scoped on product pools.

01
Export your Microsoft EA entitlement report from the Microsoft Volume Licensing Service Centre and reconcile against actual deployment

The VLSC provides a full entitlement report showing every product licensed under your EA, the quantity, and the licence type. Many organisations have not reviewed this report outside of the annual true-up. Expert note: Pull the full VLSC entitlement report and cross-reference against your actual deployment. Products licensed but not deployed represent recoverable cost at renewal. Products deployed but not licensed represent compliance risk. Both issues should be resolved before the next true-up.

High priority

02
Identify Software Assurance benefits included in your EA that have not been activated or claimed

Microsoft EA Software Assurance includes a large portfolio of benefits — training vouchers, deployment planning services, home use rights, 24x7 problem resolution support — that are paid for through the EA but frequently left unclaimed. Expert note: Access your SA benefits register in the VLSC Benefits tab. For each benefit category, check whether benefits have been activated. Unactivated SA benefits are pure waste — you are paying for them whether or not you use them. Common unclaimed benefits include Microsoft training vouchers (worth $1,000–$3,000 per qualification) and deployment planning services for major Microsoft product upgrades.

High priority

03
Confirm that Microsoft 365 E3 or E5 on-premises equivalent rights are being used for eligible on-premises deployments

Microsoft 365 E3 and E5 include rights to deploy on-premises equivalents of Office, Exchange Server, SharePoint Server, and Lync/Teams. Organisations that maintain hybrid on-premises deployments may be duplicating on-premises Server licence spend when these rights are already included in their M365 subscription. Expert note: Review your on-premises Server licences against the on-premises equivalent rights included in your M365 subscription. If you have redundant on-premises Server licences that are covered by M365 rights, these can be removed at renewal to reduce Server CAL and licence cost.

Medium priority

04
Assess whether any Microsoft products are deployed beyond the quantity authorised in your EA and calculate the true-up exposure

EA over-deployment is a compliance risk. The annual true-up process requires you to report and pay for any deployment above the authorised quantity. Unplanned over-deployment typically results from organic growth without licence tracking. Expert note: Compare your current deployment counts against authorised quantities for all EA product lines — particularly Microsoft 365, Windows, SQL Server, and Azure Active Directory Premium. Any over-deployment should be either covered in the next true-up or addressed through a licence count adjustment. Over-deployment identified and reported proactively is less commercially damaging than over-deployment identified by Microsoft during an audit.

High priority

05
Review Microsoft Autopilot, Intune, and Entra ID Premium licence utilisation against your device and user management deployment

Microsoft Intune, Entra ID Premium P1 and P2, and Autopilot licences are frequently included in E3 or E5 bundles but partially deployed. Users whose devices are not enrolled in Intune or whose identities are not protected by Entra ID conditional access are not benefiting from licences they are paying for. Expert note: Pull Intune device enrolment data and Entra ID conditional access policy coverage. Identify the gap between licensed user counts and users with active device management and identity protection. Closing this gap improves security posture without additional cost — the licences are already paid for.

Medium priority

Section B: Azure Cost and Commitment Assessment

Azure spend is the fastest-growing component of Microsoft enterprise cost and the least well governed. Reserved Instance utilisation, idle resources, and Azure Committed Use Discount (MACC) commitment levels all require regular assessment.

06
Review Azure Committed Use Discount (MACC) commitment level against actual consumption trajectory and identify under-consumption risk

Microsoft Azure Committed Use Discounts require a minimum annual Azure consumption commitment in exchange for discounted pricing. Under-consumption below the committed level wastes committed spend. Over-consumption above the committed level is billed at standard rates, missing further discount opportunity. Expert note: Pull your Azure consumption data for the past 3 months and annualise it. Compare against your current MACC commitment. If consumption is tracking below commitment by more than 10 percent, investigate whether Azure workloads have been reduced, migrated, or suspended. Persistent under-consumption should trigger a MACC renegotiation with Microsoft before the commitment period ends.

High priority

07
Assess Azure Reserved Instance (RI) utilisation against purchased commitments and identify underutilised reservations

Azure Reserved Instances provide up to 72 percent discount versus pay-as-you-go in exchange for a 1-year or 3-year commitment to a specific VM type and region. Underutilised RIs result from VM resizing, region changes, or workload migration after the RI purchase. Expert note: Pull RI utilisation from Azure Cost Management. Any RI with utilisation below 70 percent for 30 consecutive days is a waste candidate. Evaluate whether the RI can be exchanged for a different VM size or region that better matches current workload patterns. Microsoft allows RI exchanges for Azure Compute — use this flexibility before accepting sunk cost.

High priority

08
Identify idle and orphaned Azure resources — unattached disks, unused public IPs, stopped VMs, empty storage accounts

Azure cost waste from idle resources is universally present in enterprise Azure deployments. Stopped VMs continue to incur storage and allocation costs. Unattached premium managed disks cost $15–$150 per month each. Orphaned public IPs cost $3–$7 per month each. Expert note: Use Azure Advisor recommendations in the Azure portal to identify idle resources. Focus on: VMs with less than 5 percent average CPU utilisation, unattached disks, unused public IPs, and empty storage accounts. Generating a monthly Azure Advisor report and acting on low-effort optimisations typically reduces Azure spend by 5–15 percent within 30 days.

High priority

09
Review Azure Dev/Test subscription usage and confirm it is correctly configured for development workloads rather than production

Azure Dev/Test subscriptions provide significantly discounted pricing — 0 percent software cost on Windows Server and SQL Server, reduced compute rates — for development and test workloads. Production workloads running in Dev/Test subscriptions violate Microsoft's terms of service. Expert note: Inventory your Azure subscriptions and identify any workloads in Dev/Test subscriptions. Confirm these are genuinely non-production. If production workloads have been placed in Dev/Test subscriptions to reduce costs, this represents a compliance risk that should be resolved. If all workloads are legitimately development or test, ensure you are maximising the Dev/Test discount by routing all eligible non-production workloads through these subscriptions.

Medium priority

10
Assess Azure Savings Plans against your compute consumption pattern and compare against Reserved Instance alternatives

Azure Savings Plans (SP) provide up to 65 percent discount in exchange for a commitment to a specific hourly spend level across any compute type. Reserved Instances provide higher discounts (up to 72 percent) but lock you into a specific VM type and region. Expert note: Evaluate your Azure compute consumption pattern: if workloads are stable and use consistent VM types, Reserved Instances typically provide higher discount than Savings Plans. If workloads are variable in VM type or region — as is common in DevOps and data engineering environments — Savings Plans offer better flexibility. Most organisations benefit from a mix: RIs for stable base workloads, Savings Plans for variable capacity.

Medium priority

Section C: Security and Compliance Stack Assessment

Microsoft's security and compliance portfolio — Defender, Sentinel, Purview, Entra — is complex, overlapping, and frequently over-licensed. A structured assessment identifies duplication and optimisation opportunities.

11
Audit Microsoft Defender for Endpoint deployments against licensed device counts and ensure all endpoints are enrolled

Microsoft Defender for Endpoint is licensed per device. If your Defender licence count significantly exceeds your enrolled endpoint count, you are paying for licences not providing protection. Expert note: Compare your Defender for Endpoint licensed count (from VLSC or M365 admin centre) against the enrolled device count in the Defender portal. The gap represents either unlicensed devices (compliance risk) or over-purchased licences (cost waste). Resolve the gap before renewal.

Medium priority

12
Assess Microsoft Sentinel data ingestion costs and identify high-volume, low-value data sources that could be excluded or archived

Microsoft Sentinel is priced on data ingestion volume. High-volume data sources — verbose firewall logs, DNS query logs, proxy traffic — can drive significant Sentinel cost without proportional security value. Expert note: Pull the Sentinel data ingestion report from the Azure portal. Sort data sources by ingestion volume. For the top 5 volume sources, assess the security value they provide. High-volume sources that generate few useful alerts are candidates for reduced ingestion frequency, exclusion, or routing to a cheaper storage tier (Azure Data Explorer) rather than Sentinel's hot analytics tier. A 20 percent reduction in Sentinel ingestion volume is achievable in most deployments with careful data source review.
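
The triage described in this check, as an added example that is not part of the original checklist: it ranks data sources by ingestion volume, takes the top 5, and flags those with few useful alerts per 100 GB. The CSV layout, the sample figures, the ProxyLogs_CL table name, the per-table alert attribution, and the 1-alert-per-100-GB cut-off are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample: billable ingestion per table (GB over 30 days) and the
# number of useful alerts analysts attributed to that table in the same period.
SAMPLE_CSV = """table,gb_30d,useful_alerts_30d
SecurityEvent,4000,240
CommonSecurityLog,3000,90
SigninLogs,1200,310
DnsEvents,1000,3
ProxyLogs_CL,500,2
AuditLogs,200,45
OfficeActivity,100,60
"""

TOP_N = 5                   # the checklist's "top 5 volume sources"
MIN_ALERTS_PER_100GB = 1.0  # assumed cut-off for "few useful alerts"


def load_sources(text):
    """Parse the export into (table, gb, useful_alerts) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["table"], float(r["gb_30d"]), int(r["useful_alerts_30d"]))
            for r in rows]


def triage(sources, top_n=TOP_N, min_yield=MIN_ALERTS_PER_100GB):
    """Return (report for the top_n sources, candidate share of total in %)."""
    total_gb = sum(gb for _, gb, _ in sources)
    if total_gb == 0:
        return [], 0.0
    top = sorted(sources, key=lambda s: s[1], reverse=True)[:top_n]
    report, candidate_gb = [], 0.0
    for table, gb, alerts in top:
        alerts_per_100gb = alerts / gb * 100 if gb else 0.0
        candidate = alerts_per_100gb < min_yield
        if candidate:
            candidate_gb += gb
        report.append({
            "table": table,
            "share_pct": round(gb / total_gb * 100, 1),
            "alerts_per_100gb": round(alerts_per_100gb, 2),
            "candidate": candidate,  # review for exclusion or cheaper tier
        })
    return report, round(candidate_gb / total_gb * 100, 1)


if __name__ == "__main__":
    report, share = triage(load_sources(SAMPLE_CSV))
    for row in report:
        print(row)
    print(f"Low-yield sources account for {share}% of ingestion")
```

A flagged source is a candidate for review, not an automatic exclusion: confirm with the detection team that no analytics rule or investigation workflow depends on the table before changing its ingestion or tier.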

High priority

13
Review Microsoft Purview Information Protection deployment and confirm the licence tier matches the data classification requirements

Microsoft Purview is available in Information Protection P1 (included in E3) and P2 (included in E5). P2 includes automatic classification, advanced DLP policies, and insider risk management. If your deployment only uses manual labelling and basic DLP, P1 capabilities may be sufficient, making E3 more appropriate than E5 for affected user cohorts. Expert note: Map your current Purview deployment against P1 versus P2 feature boundaries. If no P2-exclusive features are in use, document this as justification for E3 downgrade for the affected user population. Confirm with your compliance team that P1 DLP policies are sufficient for your data classification and compliance requirements.

Medium priority

14
Assess Microsoft Entra ID Premium P2 licence deployment against Privileged Identity Management and Identity Protection usage

Entra ID Premium P2 (included in E5) adds Privileged Identity Management (PIM) and Identity Protection over P1 (included in E3). If PIM and Identity Protection are not deployed, P2 provides no incremental security value over P1. Expert note: Review Entra ID PIM deployment status in the Entra admin centre. If PIM is not configured for privileged accounts — Global Admins, Exchange Admins, Security Admins — the organisation is not using the primary P2 differentiator. Either deploy PIM (a security best practice with no additional cost) or consider whether E3 with P1 is sufficient for non-privileged user cohorts.

Medium priority

15
Review third-party security tool contracts that duplicate Microsoft security capabilities included in your EA

Microsoft E5 Security includes capabilities that overlap with many third-party security tools: endpoint detection and response (replacing CrowdStrike for some deployments), email security (replacing Proofpoint or Mimecast), identity protection (replacing Ping Identity for some use cases). Expert note: Map your third-party security tool stack against Microsoft E5 Security inclusions. Identify tools whose core functionality is duplicated by Microsoft capabilities you have already paid for. For each identified duplication, assess whether the Microsoft tool meets your requirements at equivalent quality. Where it does, removing the third-party tool at renewal generates a saving that partially or fully offsets E5 cost.

High priority

Section D: EA Renewal and Commercial Strategy

Microsoft EA renewals are significant commercial events that reward structured preparation. The checks in this section ensure you enter your EA renewal with accurate data, credible benchmarks, and a coherent negotiation strategy.

16
Establish your EA renewal timeline and confirm internal procurement, legal, and finance stakeholders are engaged 120 days before expiry

Microsoft EA renewals require procurement, legal (contract redlines), finance (budget approval), and IT (scope validation) input. Each track requires 2–4 weeks. Starting 120 days before expiry gives every team adequate time. Expert note: Map your EA renewal to your internal approval process. If your procurement cycle requires 6 weeks for finance sign-off, your commercial negotiation must conclude at least 6 weeks before the expiry date. Identify critical path constraints early and build your external engagement timeline around them.

High priority

17
Obtain Microsoft EA pricing benchmarks from peer organisations or independent advisory sources before entering renewal discussions

Microsoft EA pricing varies significantly based on commitment level, product mix, relationship history, and negotiation sophistication. Buyers without benchmarking data have no basis to challenge Microsoft's initial proposal. Expert note: Source benchmarking data showing the per-unit pricing and discount levels achieved by organisations of similar size and product mix. Advisory firms, procurement consortia, and peer CFO networks are the primary sources. A benchmark showing that peers are achieving 30–35 percent discounts off list price when you are currently at 22 percent creates a specific and defensible target.

High priority

18
Prepare a written renewal counter-proposal covering target pricing, scope adjustments, and contract terms before the first Microsoft commercial conversation

Microsoft EA negotiations proceed better when buyers present documented proposals rather than verbal requests. A written counter-proposal creates a formal record, enables internal approval, and signals procurement sophistication. Expert note: Your counter-proposal should cover: (1) proposed per-unit pricing by product line; (2) scope adjustments — licence count changes, product additions or removals; (3) uplift cap request (CPI or fixed percentage); (4) Azure MACC adjustment; and (5) contract terms — true-down rights, Copilot true-up mechanism, termination provisions. Submit as a formal document, not a conversation.

High priority

19
Negotiate a price cap mechanism for Microsoft 365 and Azure that limits annual price increases to a defined ceiling

Microsoft periodically increases M365 list prices — the March 2022 increase raised some SKUs by 15–25 percent. EA contracts that reference list price minus a fixed discount percentage expose buyers to list price inflation. Fixed per-unit pricing for the EA term eliminates this risk. Expert note: Negotiate fixed per-unit pricing for the EA term, not 'list price minus X percent'. If Microsoft resists fixed pricing, negotiate an annual uplift cap of 3–5 percent. For Azure, negotiate MACC pricing that locks in discounts regardless of list price changes. Price protection is a standard ask in enterprise Microsoft negotiations and is achievable for accounts above $1 million annual spend.

High priority

20
Document the full agreed renewal outcome in writing before countersigning and ensure all verbal commitments are in the EA documents

Microsoft EA negotiations sometimes result in verbal commitments from Microsoft account teams that are not reflected in the formal EA documents. Buyers who sign without reconciling verbal agreements with final documentation lose the benefit of those commitments. Expert note: Before countersigning, prepare a written confirmation of every commercial commitment made during the negotiation — pricing, volume flexibility, Copilot true-down rights, Azure MACC levels — and obtain written confirmation from the Microsoft account team. Reconcile this confirmation against the final EA documents line by line. Raise any discrepancy before signature. Do not rely on email chains as a substitute for EA document accuracy.

High priority
