Top Findings from a Microsoft Audit: Re-Cap

Updated: Nov 2, 2021

Microsoft conducts customer compliance reviews almost twice as often as other vendors, so it’s prudent to expect one. Software audits generate 15 to 30 times their cost, and audit teams are highly motivated to discover as many disconnects as possible between what you’ve paid for and what you’re using. Savvy customers don’t wait for an audit letter from Microsoft before preparing; they constantly refine and inspect their environments, especially in the following top three areas.

SQL Server is the number one out-of-compliance area in a Microsoft audit.

Everybody uses this product, and it’s where an audit yields the highest ROI. The licensing is complicated and SQL Client Access Licenses (CALs) are hard to count. Also, software asset management (SAM) tools don’t always recognize SQL Servers or collect the data needed to accurately count them.

Under the terms of SQL CAL-based licensing, you are required to have a CAL for each direct or indirect user of the SQL Server. Unless you can show a documented process for tracking these users (including indirect users who reach the database through an application or middleware tier), you could be on the hook for more licenses.

The second most frequent audit finding is with Microsoft Developer Network (MSDN) licensing.

MSDN is the user-based license required for test and development work using Microsoft software.

It’s challenging for organizations to control user access to the development environment. Microsoft requires an MSDN license for everyone who touches an MSDN-licensed development machine, not just the developers.

Audits uncover a wide variety of employees, contractors and consultants who have logged on to development machines for one reason or another, triggering the need for more MSDN licenses. Organizations are surprised to learn that even support and configuration staff need their own individual MSDN licenses.

The third top finding is that Enterprise Agreement (EA) device and user counts don’t match up.

The EA includes a commitment to license all users or devices in the organization. When counting users or devices to make this commitment, companies often rely on HR records. But Microsoft defines users more broadly, including contractors, contingent staff, consultants, and potentially anyone with a user account in Active Directory. Invariably, this means you need more Microsoft licenses than the HR headcount suggests.

And finally,

Forewarned is forearmed. If it seems like the compliance deck is stacked against you, you’re not far off. Many people believe audits aren’t about compliance at all, but about revenue. Audit preparation and defense require resources and expertise. Most organizations don’t have the needed skill sets in house, but are open to hiring outside help. Consultants can conduct a mock audit, review current practices to see where you’re exposed, and educate staff about the audit process. This can be an effective way for IT organizations to assess and mitigate risk, and to prevent costly surprises down the road.