Microsoft Software Asset Management (SAM) Guide 2026: ELP, Audit Defence and Cost Control

Why Microsoft SAM is Different from General SAM

Microsoft SAM carries unique complexity that separates it from software asset management for other vendors. Microsoft's licensing model combines perpetual licenses with Software Assurance coverage, subscription licenses across multiple commerce platforms (EA, NCE, CSP, direct), hybrid use rights that allow simultaneous on-premises and cloud deployment, CAL (Client Access License) suite requirements that multiply across server roles, and Azure consumption-based services that have no traditional licensing concept at all.

The EA True-Up mechanism compounds this complexity. Every year on the EA anniversary date, the organisation must report all licensed products at their current user and device counts, and pay for any uplift above the quantities at EA inception. True-Up is not optional — it is a contractual obligation. Organisations that do not maintain accurate licence tracking throughout the year arrive at True-Up with incomplete data and face Microsoft's version of reality rather than their own prepared position.

The 2026 landscape adds further dimensions: M365 subscriptions now span E1, E3, E5, and E7 tiers with different security and compliance capability inclusions; Azure Reserved Instances require separate tracking from pay-as-you-go consumption; GitHub Copilot, Dynamics 365, and Microsoft Copilot all carry their own licensing rules; and the move from on-premises perpetual to NCE subscriptions has created an environment where many organisations hold both perpetual and subscription entitlements for the same products simultaneously. Microsoft licensing advisory is no longer optional for organisations that take cost control and compliance seriously.

The Effective License Position: The Foundation of Microsoft SAM

The Effective License Position (ELP) is the cornerstone of any Microsoft SAM programme. An ELP is a reconciled view of every Microsoft software product — what is deployed or consumed versus what is licensed — expressed as a surplus or deficit for each product category. A positive position means you have more licenses than deployments. A negative position means you have a compliance gap. Both conditions are expensive: positive positions represent overspend; negative positions represent audit risk.

Building the ELP: The Entitlement Side

The entitlement side of the ELP captures every Microsoft license the organisation holds the right to use. For EA customers, the primary source is the Microsoft License Statement (MLS), which Microsoft provides through the Volume Licensing Service Center (VLSC) or its successor portal. The MLS lists all EA products, quantities, and Software Assurance coverage. This must be supplemented by True-Up order histories, any Open License or MPSA purchases, CSP subscriptions in the Microsoft 365 admin center, Azure Reservations from the Azure portal, and on-premises perpetual licenses from pre-EA purchase records.

A complete Microsoft entitlement record typically requires data from at least four to six different Microsoft portals and procurement records. Organisations without a structured licence record-keeping process routinely miss entitlements — particularly for older perpetual licenses purchased before the EA, SA continuation licenses from lapsed agreements, or open license purchases made by business units outside central IT.

Building the ELP: The Deployment Side

The deployment side of the ELP captures every Microsoft software installation and user assignment currently active in the environment. For on-premises products, this requires discovery tooling: Microsoft System Center Configuration Manager (SCCM/MECM), Microsoft Endpoint Manager inventory, or third-party SAM tools (Flexera, Snow, Certero, ServiceNow ITAM). For cloud subscriptions, the Microsoft 365 admin center reports active user assignments per license type. Azure consumption is tracked through Azure Cost Management and Billing. GitHub, Dynamics 365, and Power Platform each have their own admin portals with licence assignment reports.

The critical discipline is counting deployments by the rules Microsoft uses during an audit — not by how your SAM tool defines a deployment. Microsoft auditors apply specific counting rules for server CALs (based on the highest-entitled user or device touching the server), SQL Server licensing (core-based or CAL, with virtualisation multipliers), Windows Server (Standard vs Datacenter based on VM density), and Teams Phone (add-on licensing rules distinct from the base M365 assignment). A SAM tool that counts installations but does not apply Microsoft's licence calculation rules produces an ELP that will not survive audit scrutiny.

Microsoft SAM Tools: What Works and What Doesn't

The SAM tool market for Microsoft is mature and competitive, but Gartner has observed that by 2026, only 20 percent of organisations will rely on a single tool for their complete SAM practice — down from expectations set several years earlier. The reason is that no single tool handles every dimension of Microsoft's licensing complexity adequately. On-premises discovery, cloud subscription management, Azure consumption tracking, and licensing calculation rule accuracy each require different technical capabilities.

Microsoft's Native Tools

Microsoft provides several native tools with limited SAM capability. Microsoft Endpoint Manager (Intune/MECM) provides device and software inventory for enrolled Windows devices but does not extend to non-Intune devices, non-Windows platforms, or licence calculation. The Microsoft 365 Admin Center shows licence assignments per subscription but does not reveal over-assignment patterns, inactive users holding paid licences, or mismatches between assigned licence tier and actual feature usage. Azure Cost Management provides consumption visibility but not entitlement reconciliation. Microsoft's Assessment and Planning Toolkit (MAP) is outdated and rarely used in 2026. None of these native tools produces an ELP on their own.

Third-Party SAM Tools

Third-party SAM tools — Flexera One, Snow Software, Certero, Aspera, USU — provide broader discovery coverage, licensing normalisation, and ELP generation with varying degrees of Microsoft licensing rule accuracy. The universal caveat, confirmed by Gartner research, is that SAM tool ELPs do not automatically translate to audit defence. Microsoft auditors use their own counting methodology, their own data sources (they frequently request deployment data directly from Azure, M365, and MECM), and their own calculation rules. A SAM tool ELP that shows a clean position may still produce a different answer than Microsoft's audit calculation — and Microsoft's calculation governs the outcome.

The most effective SAM tool deployment combines automated discovery and ELP generation with human expert review of the ELP against Microsoft's current licensing rules. For complex licensing scenarios — SQL Server in virtualised environments, Windows Server Datacenter under dense VM configurations, CAL suite optimisation across Office, Exchange, SharePoint, and Skype/Teams — automated tool output requires specialist validation.

The EA True-Up: SAM's Annual Examination

The Enterprise Agreement True-Up is the annual licensing reconciliation that tests the quality of your SAM programme. On the True-Up date (the anniversary of the EA start date), the organisation submits a True-Up order reporting all licensed products at their current quantities. Any increase from the prior year's baseline quantities generates an additional charge. There is no credit for reductions — if you licensed 5,000 users for M365 E3 at EA inception and are now at 4,200 active users, you are paying for 5,000 until the EA renewal.

True-Up Preparation: The 90-Day Window

Preparing for True-Up effectively requires a 90-day preparation cycle. Beginning three months before the True-Up date, the SAM team should run a full ELP across all EA-covered products, reconcile the deployment position against the EA baseline quantities, identify compliance gaps that require uplift at True-Up, identify over-licensed products where deployment has fallen below EA quantities (and which can be addressed at renewal), and prepare the True-Up submission data in the format Microsoft requires.

Organisations that begin True-Up preparation two weeks before the submission date are working from incomplete data under time pressure. This is the environment in which organisations accept Microsoft's True-Up calculations without adequate verification — and Microsoft's field reps are experienced at leveraging the time pressure.

True-Up vs EA Renewal: The Timing Distinction

True-Up is a reporting mechanism. EA Renewal is a commercial negotiation. These are different events, though they often occur at the same time for organisations on the standard three-year EA cycle. True-Up determines the incremental licence quantities owed. EA Renewal determines the product mix, pricing, and terms for the next three-year term. Conflating the two — treating the renewal as merely an extended True-Up — is one of the most common reasons organisations fail to extract meaningful commercial concessions at renewal. Microsoft's field teams prefer this confusion. Independent Microsoft EA negotiation specialists ensure the two processes are managed separately and optimally.

Microsoft SAM in the Cloud Era: Azure and M365 Governance

The shift to cloud has not simplified Microsoft SAM — it has changed its complexity profile. On-premises SAM challenges (discovery accuracy, counting rule application) remain for hybrid environments. Cloud-era SAM adds new challenges: subscription lifecycle management, licence assignment accuracy, Azure Reserved Instance utilisation, and the intersection of on-premises perpetual rights with cloud subscription entitlements.

M365 Licence Assignment Governance

Microsoft 365 subscription SAM centres on licence assignment accuracy. Common overspend patterns include assigning E3 or E5 licences to users who require only F1 or F3 (Frontline Worker) licences for their actual job function, retaining licence assignments for leavers beyond the grace period, assigning full M365 licences to service accounts and shared mailboxes that qualify for lower-cost or no-cost licensing, and failing to right-size between E1, E3, E5, and E7 tiers as roles evolve. A quarterly M365 licence assignment review — comparing assigned licences against actual feature usage data from the Microsoft 365 Admin Center usage reports — typically identifies 5 to 15 percent licence reduction opportunity in large enterprise deployments.

With E7 now available at $99 per user per month, the tier decision has become more consequential. Assigning E7 to users who have not deployed Copilot or require Entra Suite capabilities is straightforward overspend at $42 per user per month above E3. SAM governance for M365 tiers must include an annual review of which users are actually using E5 and E7 capabilities, not just which users have been assigned those licences.

Azure Reserved Instance and Savings Plan Governance

Azure Reserved Instances (RIs) provide up to 72 percent savings versus pay-as-you-go pricing for committed virtual machine usage, but they require active governance to deliver value. Underutilised reservations — RIs purchased for VM sizes or regions that no longer match the current workload portfolio — generate waste equivalent to running the pay-as-you-go service and paying the reservation simultaneously. Azure Savings Plans, introduced as a more flexible alternative to RIs, provide savings across multiple services without committing to specific VM sizes, but their flexibility comes at a slightly lower discount ceiling than RIs for committed specific workloads.

Effective Azure reservation SAM requires monthly utilisation reviews through Azure Cost Management, identifying RIs with utilisation below 80 percent, evaluating whether exchange or cancellation is appropriate (RIs can be exchanged or cancelled with a 12 percent early termination fee), and aligning new RI purchases with workload projections rather than current consumption snapshots.

SQL Server and Windows Server Licensing Complexity

Server workload licensing remains the most complex area of Microsoft on-premises SAM in hybrid environments. SQL Server's licensing model (core-based licensing for physical or virtual deployments, with Software Assurance providing Azure Hybrid Benefit rights) creates significant variation in licensing cost depending on VM density, core allocation, and Azure deployment profile. Windows Server Datacenter versus Standard licensing decisions have a material cost impact under high VM density configurations. These products remain subject to Microsoft's most rigorous audit scrutiny because the per-unit value is high and the complexity creates a reliable compliance gap opportunity.

Microsoft Audit Defence: Preparing Before the Letter Arrives

Microsoft initiates audit activity through the Software Audit and Compliance Review (SACR) process for EA customers and through Direct Audit Requests for non-EA customers. The audit trigger is often a True-Up submission or renewal conversation that reveals a compliance gap, a report from Microsoft's internal licence tracking systems flagging activation anomalies, or a routine audit cycle selection. The key insight is that audit preparation should not begin when the audit letter arrives — it should be a continuous output of the SAM programme.

The audit penalty structure creates a strong incentive for continuous compliance. If Microsoft's audit finds unlicensed use at five percent or more of total product use, the organisation must reimburse Microsoft's verification costs and purchase the remediation licences at 125 percent of the then-current customer price. For large enterprises, this penalty structure can translate to seven-figure audit settlements. Organisations with mature SAM programmes and documented ELPs have measurably better audit outcomes — both in terms of the compliance position found during audit and in their ability to negotiate remediation terms.

Seven SAM Governance Practices for Microsoft Environments

1. Maintain a live ELP updated at least quarterly. A SAM programme that produces an ELP only during audit or True-Up is not a governance programme — it is reactive compliance. The ELP should reflect the current position continuously, with updates triggered by significant deployment changes (major projects, M&A activity, workforce reductions) and calendar-driven quarterly reconciliation cycles.

2. Separate entitlement management from deployment tracking. Entitlements live in procurement and legal systems (EA contracts, VLSC/MLS, reseller invoices). Deployments live in IT systems (MECM, Intune, Azure portal, M365 admin center). The ELP reconciles these two separate data sets. Organisations that treat either side as their single source of truth without reconciling the other have incomplete SAM.

3. Apply Microsoft's audit counting rules to your SAM data before Microsoft does. Windows Server core count rules, SQL Server virtualisation licensing, CAL suite optimisation, and Teams Phone add-on requirements each carry specific rules that differ from basic installation counting. Validate your ELP against Microsoft's current product use rights documentation at least annually.

4. Begin True-Up preparation 90 days in advance. Run the full ELP, identify gaps, prepare Microsoft's submission format, and review with independent counsel before submission. True-Up submissions are legally significant documents under the EA terms.

5. Conduct a licence assignment review before EA renewal. Identify over-licensed products where deployment has fallen below EA quantities — these are negotiation leverage for reducing the renewal baseline. Identify under-licensed products where the gap must be addressed either at True-Up or at renewal.

6. Govern M365 licence tier assignments actively. With M365 running across E1, E3, E5, and E7 tiers at materially different price points, tier assignment accuracy directly determines subscription spend. Quarterly reviews of actual feature usage against assigned tier prevent accumulation of E5 and E7 shelfware.

7. Engage independent expert review for complex licensing scenarios. SQL Server in virtualised environments, Windows Server Datacenter vs Standard decisions, Azure Hybrid Benefit optimisation, and CAL suite configuration all carry licensing nuances that require specialist expertise beyond what most internal SAM teams maintain.