How the Microsoft EA Contract Stack Works

Before examining individual terms, legal teams need to understand that the Microsoft EA is not a single document — it is a contract stack. The EA itself is a framework agreement that incorporates by reference the Microsoft Product Terms (formerly the Product Use Rights and Online Services Terms), the Online Services Data Protection Addendum (DPA), any applicable Product-Specific Terms, and the specific Order Form and price list agreed between the parties. Changes to the incorporated documents during the EA term can affect the enterprise's rights and obligations even if the EA itself is not amended.

Microsoft updates the Product Terms monthly and the Online Services DPA periodically. Under standard terms, Microsoft can modify incorporated documents with notice periods that vary between 30 and 180 days depending on the type of change. Legal teams should ensure that the EA includes a clear notification mechanism for all incorporated document changes and, where possible, grandfather protections that maintain key rights negotiated at signing even if the underlying incorporated document is later amended.

Indemnity: What Microsoft Covers and What It Does Not

Microsoft's standard EA includes an intellectual property indemnity protecting the enterprise from third-party IP infringement claims related to Microsoft products — specifically, claims that a Microsoft product itself infringes a third party's intellectual property rights. This is a meaningful protection for proprietary Microsoft software. However, it explicitly excludes customer-created content, customer modifications to Microsoft products, and combinations of Microsoft products with non-Microsoft products where the infringement arises from the combination rather than from Microsoft's product alone.

For AI services in 2026, the indemnity boundaries are particularly important. Microsoft's Copilot Copyright Commitment extends IP indemnity coverage to Copilot-generated content in certain circumstances — specifically, where the customer has enabled content filters and used the service as designed and documented. The Copilot Copyright Commitment is a published policy, not a contractual right, and its terms are subject to modification by Microsoft. Legal teams should request that the Copilot Copyright Commitment be incorporated by reference into the EA with specific protections against modification during the term.

What Microsoft's indemnity does not cover is equally important: business losses arising from AI output errors, hallucinations, or reliance on incorrect AI-generated content. This is standard across the AI industry, but it means enterprises must build their own operational safeguards rather than relying on contractual protection.

Microsoft's standard liability cap is tied to fees paid in the prior 12 months. For a 5,000-user Copilot deployment at $30 per user per month, the cap is $1.8 million — regardless of the actual business impact of a data breach or AI service failure. This must be negotiated explicitly for high-risk deployments.

Liability: Caps, Exclusions, and What to Negotiate

Microsoft's aggregate liability cap under the standard EA is fixed at the total fees paid under the agreement in the 12 months prior to the claim giving rise to the liability. This cap applies to all claims, all services, and all incidents during that period. For an enterprise paying $50 million per year in Microsoft licensing and services, the cap is $50 million. For an enterprise paying $5 million, the cap is $5 million.

Within the overall cap, Microsoft further limits liability through exclusions. Indirect damages — including loss of profits, loss of revenue, loss of data, loss of goodwill, and consequential losses — are excluded entirely in most EA versions. Only direct losses are recoverable, and only up to the aggregate cap.

For practical purposes, this means that a serious Microsoft service outage affecting enterprise operations, a data breach involving Microsoft-processed personal data, or an AI-related incident that generates significant regulatory exposure may yield Microsoft liability that is a fraction of the enterprise's actual loss. Legal teams negotiating for large or regulated enterprises should address three specific liability improvements: an elevated cap for data breach scenarios involving personal data (linking the cap to potential GDPR regulatory exposure rather than fees paid), an exclusion from the liability cap for willful misconduct or gross negligence, and a data breach notification obligation with a specific timeline (72 hours to notify, matching the GDPR Article 33 standard, is achievable but must be explicitly negotiated).

Data Protection and GDPR Terms

Microsoft's Online Services Data Protection Addendum provides a comprehensive GDPR-aligned data processing framework for most commercial Microsoft services. Legal teams should confirm three things about the DPA as it applies to their specific contract.

Subprocessor Management

The DPA permits Microsoft to use subprocessors to deliver services, with Microsoft taking contractual responsibility for its subprocessors. Enterprises have the right to object to new subprocessors, but the practical exercise of that right — and what happens contractually if the enterprise objects and Microsoft proceeds — is often ambiguous. The January 2026 addition of Anthropic as a Copilot subprocessor illustrates why this matters: enterprises that had not reviewed subprocessor notification mechanisms only discovered the change when they conducted routine compliance reviews. Negotiate for email notification to a designated legal contact for any new subprocessor addition affecting services under the agreement, with a minimum 60-day notice period.

EU Data Boundary Scope

Microsoft's EU Data Boundary commitment covers the storage and processing of EU customer data within the EU for covered Microsoft commercial services. The commitment explicitly excludes certain AI services, and as of January 2026, Anthropic's subprocessing role for Copilot is not within the EU Data Boundary scope. Legal teams should request a written scoping statement identifying which services under their agreement are within and outside the EU Data Boundary commitment, rather than relying on Microsoft's public documentation, which is both updated periodically and not incorporated into the contract as a binding commitment.

Data Retention and Deletion

Microsoft's standard DPA commits to deleting customer data within 90 days of agreement termination. For enterprises with specific data retention requirements — either longer retention for regulatory reasons or shorter retention for data minimisation — the 90-day default requires explicit negotiation. For AI services specifically, confirm the data retention period for Copilot interaction data, prompt logs, and any AI-generated outputs stored within Microsoft's infrastructure.


Audit Rights: The Clause Most Legal Teams Under-Negotiate

Microsoft's standard audit rights are broad. The company can audit licence compliance once per year with advance notice, using an external auditor of its choosing, with the enterprise bearing the cost of remediation for any licensing shortfall. The auditor's fees are Microsoft's cost under standard terms, but any discovered shortfall is billed at list price unless explicitly negotiated otherwise.

The elimination of automatic volume discount tiers from November 2025 significantly amplifies the audit risk. Under the previous tier structure, an underpayment discovered during audit would be assessed at the enterprise's discounted tier rate. Under the post-November 2025 structure, without explicitly negotiated audit rate protections, Microsoft could assess shortfalls at the new Level A list rate even for enterprises that previously received Level D pricing. Legal teams must negotiate that audit shortfall pricing is capped at the enterprise's contracted rate, not list price.

Additional audit protections worth negotiating include a minimum 30-business-day advance notice, a restriction to licences purchased and used within the current EA term (not historical periods), a limit on the audit period to 12 months of back-payments for any identified shortfall, an enterprise right to contest audit findings through an agreed dispute resolution process before any payment is due, and a prohibition on Microsoft sharing audit findings with third parties without the enterprise's written consent.

Choice of Law and Jurisdiction

Microsoft's standard EA terms specify the governing law and jurisdiction based on the customer's location — US enterprises fall under Washington State law and US federal law, while EU enterprises typically fall under Irish law and jurisdiction. For enterprises with material operations in multiple jurisdictions, the choice of law clause can create complications, particularly where data protection disputes involve conflicting regulatory requirements across jurisdictions.

Large enterprises with specific jurisdictional requirements — such as those subject to sector-specific regulation in banking, healthcare, or defence — can negotiate modifications to the choice of law clause. This is a term that Microsoft will resist modifying but will accommodate for large accounts where the regulatory requirement is genuinely compelling and documented. The negotiation is best conducted at the executive level with clear regulatory justification, not as a standard clause redline.

Service Level Agreements and Credits

Microsoft publishes SLAs for its commercial cloud services, committing to financial credits if uptime falls below the committed threshold. The M365 SLA commits to 99.9 percent uptime, with 25 percent service credit for availability between 99.0 and 99.9 percent and 50 percent credit for availability below 99.0 percent. Azure services have product-specific SLAs that vary by service and configuration.

Three aspects of Microsoft's SLA deserve legal attention. The SLA credit is calculated on the fees paid for the affected service in the affected month, not on business impact. The SLA credit is the exclusive remedy for service disruptions — it explicitly replaces any other contractual claim the enterprise might otherwise have for damages arising from the disruption. And claiming SLA credits requires the enterprise to submit a formal claim within 30 days of the incident, a requirement that most enterprises are not operationally prepared to meet consistently. Negotiate for an extended claim window of 90 days and consider whether elevated credits or alternative remedies are available for critical workloads.

Key Contract Review Checklist for Legal Teams

  • Contract stack completeness: Confirm all incorporated documents are listed, the version in effect at signing is identified, and the notification mechanism for future changes is clearly specified.
  • IP indemnity scope: Verify that the Copilot Copyright Commitment is referenced and that the scope of AI-related indemnity covers the enterprise's primary use cases.
  • Liability cap adequacy: Assess the 12-month fee cap against GDPR regulatory exposure and negotiate an elevated data breach cap where appropriate.
  • Data breach notification: Confirm a 72-hour notification timeline is specified, not just "without undue delay."
  • Subprocessor notification mechanism: Verify that email notification to a named contact is required for all subprocessor additions affecting services under the agreement.
  • EU Data Boundary scoping: Request a written statement of which services are within and outside the EU Data Boundary commitment for your agreement.
  • Audit rate protection: Confirm that any audit shortfall is assessed at the contracted enterprise rate, not at list price.
  • SLA credit claims window: Negotiate a 90-day claims window and confirm the credit calculation methodology for critical services.
  • Choice of law justification: If regulatory requirements impose a specific jurisdictional requirement, document and present this at the executive level before the EA is finalised.
  • AI output liability exclusion: Confirm that the contract clearly allocates responsibility for AI output accuracy to the enterprise's operational controls, and ensure internal AI governance policies are aligned.

In one engagement, a UK financial services firm signed an EA renewal without negotiating the liability cap for data breach scenarios. Eighteen months later, a Microsoft service incident resulted in a 48-hour outage affecting 12,000 users. The firm's documented loss exceeded $8M; Microsoft's contractual liability was capped at $2.1M — the prior 12 months of fees. Redress now incorporates data breach liability cap negotiation as a standard deliverable in all Microsoft EA legal reviews for regulated clients. Our Microsoft EA advisory specialists work alongside your legal team to negotiate these protections before the EA is signed.

Morten Andersen
Co-Founder, Redress Compliance

Morten Andersen is a Co-Founder of Redress Compliance with 20+ years of enterprise software licensing experience. He specialises in contract terms negotiation, data governance frameworks, and AI licensing strategy across Microsoft, Oracle, SAP, and major AI vendors. Redress Compliance is Gartner recognised and works exclusively on the buyer side across 500+ engagements.