What a Compliance Programme Is Actually For
A Microsoft licence compliance programme serves three commercial purposes, and organisations that understand all three build better programmes than those that focus on only one. The first purpose is audit defense: a validated, current Effective Licence Position (ELP) eliminates the most dangerous category of Microsoft audit risk, the undiscovered gap that gets surfaced by a Microsoft-incentivised Software Asset Management (SAM) partner before you have had the chance to correct it. The second is cost optimisation: a compliance programme that only looks for gaps is incomplete; a well-run programme identifies over-licensing with the same rigour it applies to under-licensing, and the over-licensing finding is frequently larger. The third is negotiation positioning: an organisation that enters an Enterprise Agreement (EA) renewal with a verified, independent ELP negotiates from a position of data rather than assumption. The difference in renewal outcomes between data-driven and assumption-based organisations is substantial.
Organisations that view compliance programmes purely as a risk management overhead miss the cost optimisation and negotiation benefits. Organisations that view them purely as a one-time exercise miss the ongoing audit protection. An effective programme integrates all three purposes and is sustainable across the EA cycle, not just a point-in-time project that atrophies between renewals. The full context for why this matters is covered in the Microsoft audit defense guide and the licence compliance audit guide.
The Four Foundations Before You Start
Before standing up a Microsoft licence compliance programme, four foundations need to be in place. Without them, the programme will produce incomplete data and incorrect conclusions. These are not prerequisites that require months of preparation — but they do require conscious attention before ELP work begins.
Foundation 1: Authoritative VLSC Access and Records
The VLSC (Volume Licensing Service Centre, now increasingly integrated into the Microsoft 365 admin centre and the Admin Centre Licences section) is your source of record for licence entitlements. Before building any ELP, validate that your VLSC record is complete and accurate. Specifically: confirm that all purchase orders from the full EA term are reflected in the licence record; verify that Software Assurance (SA) coverage dates are current and correctly attributed to the right licence families; and confirm that any Azure Hybrid Benefit (AHB) activations, licence mobility documentation, and SA step-up records are visible in the VLSC record. Missing purchase orders and lapsed SA documentation are among the most common sources of apparent ELP gaps that are, on investigation, actually VLSC record errors.
Foundation 2: Inventory Tool Selection and Validation
The inventory collection tool determines the quality of your discovered position. The primary tools used in enterprise Microsoft environments are SCCM/MECM (for Windows/Office/on-premises software), the Microsoft 365 admin centre (for cloud services), Azure Cost Management and the Azure portal (for Azure services), and supplementary tools including PowerShell scripts and third-party SAM platforms. The critical selection criterion is that the tool must be validated for accuracy against your specific environment architecture, particularly your virtualisation stack, where discovered instance counts can differ substantially from licence-required counts if the tool does not correctly identify host boundaries. See the guide on how Microsoft audits work for the specific tool validation steps used in formal audits.
Foundation 3: Licence Rule Library
A compliance programme that compares deployed instances to licence counts without correctly applying Microsoft's product use rights will produce a systematically incorrect ELP. The licence rule library is a reference document (updated at least annually, given the frequency of Microsoft product terms changes) that captures the specific counting rules for every product in your estate. This should include: SQL Server virtualisation counting methodology for your specific virtualisation platform; Windows Server CAL stacking rules; the SA benefit application for each SA-covered product; AHB eligibility and activation requirements; and test/dev environment exemption criteria for each product family. Many compliance programmes fail at this step — they use generic licence counts rather than the product-specific rules that determine what actually requires a licence.
Foundation 4: Ownership Assignment
A compliance programme without clear ownership fails within one renewal cycle. Assign a named licence owner for each major product family — typically the product owner or the IT team responsible for that platform. The licence owner is accountable for maintaining accurate deployment records, for requesting licence adjustments when deployments change, and for reviewing the ELP annually. Central procurement or IT governance teams maintain the VLSC record and the overall ELP, but without product-level ownership, changes get missed and the ELP degrades. Document the ownership model in a simple RACI that is reviewed at each EA anniversary.
The Six-Step Programme Build
With the four foundations in place, the programme build follows a defined sequence. Each step has specific deliverables that form the evidence base for the programme going forward.
Tooling Choices: What Works in Practice
No single tool covers the full Microsoft licensing compliance picture, and the tools that are cheapest are rarely the ones that produce the most defensible ELP data. The following assessment reflects what works in practice across enterprise environments in 2026.
For On-Premises Software Discovery
SCCM/MECM remains the most reliable on-premises inventory tool for organisations that have it deployed. Its coverage of Windows-based workloads is comprehensive, and its integration with Microsoft's licence management capabilities makes VLSC reconciliation straightforward. Its limitation is virtualisation: SCCM discovers software at the VM level, not the physical host level, which requires additional mapping for SQL Server and Windows Server virtualisation licence calculations. Supplement SCCM with PowerShell scripts that enumerate host-level hardware inventory for hypervisor environments.
Microsoft's MAP Toolkit is the tool Microsoft's SAM partners use. It is free and reasonably comprehensive for discovery, but it produces exactly the raw output that SAM partners use to generate their findings before exemption analysis. Using MAP for your own programme is fine, but understanding its limitations (virtualisation mapping, SA benefit recognition) is essential before treating its output as your ELP.
For Cloud Services Discovery
The Microsoft 365 admin centre Licences section is authoritative for M365 licence assignment. Azure Cost Management provides billing-based consumption data. Neither tool produces a compliance-ready ELP: they show what is assigned or consumed, not what requires a licence under the terms. The licence usage tracking guide covers the specific admin centre reports that support ELP construction for cloud services.
Third-Party SAM Tools
Third-party SAM platforms (ServiceNow ITAM, Snow License Manager, Flexera, and others) can consolidate on-premises and cloud discovery and provide more sophisticated ELP modelling than Microsoft's own tools. The investment is justified for enterprises with complex multi-vendor licence environments. For organisations where Microsoft is the dominant licensing challenge, the cost of a full third-party SAM platform may not be justified — particularly given that Microsoft's own tooling, supplemented by expertise in licence rule application, can produce a defensible ELP at lower cost.
Maintaining the Programme Through the EA Cycle
A compliance programme built once and not maintained provides diminishing protection as deployment changes accumulate. The quarterly ELP refresh is the minimum maintenance cadence — more frequent in periods of significant change (M&A integration, major platform migrations, rapid headcount growth). The specific events that should trigger an out-of-cycle ELP review include: any server cluster addition exceeding 10% of the existing fleet; any software deployment rollout affecting more than 200 users; any significant workload migration to Azure; and any M&A transaction that brings new entities into the EA scope.
The annual ELP review, conducted in the quarter before the EA anniversary or true-up submission, is the most important scheduled review. This review should produce the authoritative ELP that supports the true-up submission. See the true-up compliance guide for how ELP data translates into a defensible true-up submission.
Programme Cost and ROI
The cost of running a Microsoft licence compliance programme depends on the tooling choices, the complexity of the environment, and the degree of external expertise engaged. For a 2,000–5,000 seat enterprise with a mixed on-premises and cloud Microsoft estate, programme costs typically break down as follows: tooling (SCCM or third-party SAM) ranges from $0 (if SCCM already deployed) to $80K/year; internal resource cost for quarterly ELP reviews (2–3 days per quarter for a senior licence manager) is approximately $40–60K annually; external advisory support for annual ELP review and renewal preparation typically adds $30–60K.
Against this, the value delivered: the average Microsoft audit settlement for an unprepared organisation with 3,000–5,000 seats runs to $1.8M. A compliance programme that prevents one audit finding per EA cycle — or significantly reduces the settlement figure when an audit does occur — delivers programme ROI of 10:1 or better. The over-licensing identification component (15–25% of Microsoft spend in most enterprises) adds a further $150K–$400K in annual cost reduction for a typical mid-enterprise. The renewal negotiation benefit — an organisation entering renewal with a validated ELP vs one operating on assumptions — adds a further $80–200K in improved renewal pricing.
| Programme Component | Annual Cost | Annual Value Delivered | ROI |
|---|---|---|---|
| Tooling (SCCM/SAM platform) | $0–80K | — | Infrastructure |
| Quarterly ELP refresh (internal) | $40–60K | Audit risk reduction | Indirect |
| Annual ELP + renewal advisory | $30–60K | $80–200K renewal improvement | 2–4x |
| Over-licensing identification | Included above | $150–400K cost reduction | 3–6x |
| Audit prevention / defense | Included above | $500K–1.8M per audit cycle | 8–20x |
| Total Programme | $70–200K | $730K–2.4M cycle value | 8–12x |
When to Bring in External Support
External licensing expertise is most valuable at three points in the compliance programme lifecycle. At programme initiation, external expertise accelerates the build by bringing licence rule libraries, proven inventory methodologies, and ELP construction frameworks that would take months to develop internally. During annual ELP review, external validation of your internally-produced ELP identifies rule application errors before they become audit exposure. At EA renewal, the externally-validated ELP is the foundation for renewal negotiation — an independently-verified position carries more weight in negotiation than an organisation's self-reported position.
Critically, external support should be genuinely independent. A Microsoft-aligned reseller or SAM partner that offers to "help you build a compliance programme" is not an independent adviser. Their involvement creates data visibility for Microsoft's commercial teams and does not provide the adversarial challenge that makes a compliance programme genuinely defensible. For independent programme design and advisory, see Microsoft Negotiations — our compliance programme advisory has no commercial relationship with Microsoft and is fully aligned with your cost and risk objectives. The broader rationale for independent representation is covered in the third-party audit defense guide.