Summary
Your inbox dings, signalling the arrival of an audit notice from Microsoft. A rush of adrenaline ensues, but pause for a moment.
This isn't your typical audit notice; it’s not even a forgery. It’s a communication from a different internal team at Microsoft masquerading as an 'audit'. They ask you to self-certify or send your data to a third-party Microsoft partner. Beware: It is not the 'real' audit you signed up for in your license agreement.
So, why should you treat these communications with caution? Let's explore the importance of discerning the authenticity of such audit notices and ensuring they align with the terms of your licensing agreement.
Full SPLA compliance audit
A comprehensive SPLA compliance audit is what you officially signed up for when you put your pen to the Service Provider License Agreement and the Microsoft Business and Services Agreement.
What does the notice look like?
Typically, it's an email backed up by a hard copy sent via post.
The sender isn't a generic email address but an individual, a high-ranking official from Microsoft's LCC (License Contract & Compliance) department.
The notice will reference your MBSA agreement number(s) and specify a renowned auditing firm - usually one among EY, KPMG, Deloitte, or PwC.
It also informs you that the appointed auditor will reach out to schedule a "kick-off" call.
What gives them the right to audit you?
The answer lies in your MBSA and SPLA agreements - the Compliance Verification terms grant them the right to conduct an audit and obligate you to comply.
Do you have to react?
Absolutely. It's mandatory. You have a 30-day window to commence cooperation.
What should your next steps be?
First and foremost, don't let anxiety take over. Arm yourself with knowledge—our comprehensive Microsoft SPLA Audit Guide is a good place to start. We also recommend seeking assistance from a partner who specialises in SPLA Audit Defence.
Microsoft SPLA License Review Notification
Service providers in the United States may encounter an email alluding to a "SPLA License Review". Reports of similar communications sent to Canadian providers have been noted, although no concrete proof is available.
The email starts with "Microsoft has the right to verify software license compliance" and states, "Microsoft requests you to complete the SPLA License Review process". Crucially, this is not an audit that you've contractually agreed to.
What does the notice look like?
It is an email from an unidentifiable account within the @microsoft.com domain,
No specific individual is associated with the email,
There is a third party (Microsoft partner) cc'ed in the email with an address that starts with "v-dash", such as "v-somename@microsoft.com",
Accompanying the email are instructions and workbooks,
You're requested to gather an inventory and return it to the original email,
It demands completing the inventory process in 10 calendar days,
A call setup is proposed, and you "must" schedule it within 5 days.
What authorises them to demand such a review?
Nothing. You didn't agree to this. You didn't sign off on it. It's not within their contractual rights, nor is it your contractual obligation.
It's essential to understand that this review is entirely voluntary.
Top 5 issues with the SPLA License Review Notification
The fact that it's labelled a "Notification" while it's not. It is not the notice referred to in the MBSA. A more accurate term would be "Request". Using "Notification" is a manipulative tactic to make you believe it's mandatory.
Invoking the right to audit and then instructing you to partake in a process unrelated to the audit rights specified in the MBSA and SPLA.
There is no identifiable person behind the initial communication, so it is hard to tell whether the email is genuine or a phishing attempt.
CCing a third party with whom you have no confidentiality agreement and asking for confidential information to be shared. An email address starting with "v-" (e.g., "v-somename@microsoft.com") doesn't belong to a Microsoft employee. "V" stands for "vendor".
Imposing unrealistic deadlines using strong language, even though the official audit you agreed to doesn't have time restrictions or deadlines.
Should you respond?
You're under no obligation to respond. You may choose to complete the review out of goodwill, but it's entirely your decision.
What should you do?
Firstly, don't let the notice intimidate you. It's designed to manipulate.
If, after considering all the risks, you decide to participate in the SPLA License Review, here's what we suggest:
Ignore the deadlines. Remember, they have no legal basis.
Respond to the original email asking them to authenticate themselves and to explain who the third party in the CC is.
Insist on an NDA with the third party. Don't proceed without it. Some of the data they ask for includes confidential information from your hosted clients.
Respond with your own timeline, and make it clear that you do not commit to any dates – you control the timelines.
Thoroughly review all data before sharing. Some of the requested data includes confidential information belonging to your hosted clients.
Could it be a precursor to an audit?
Yes, it could. However, consider this:
Auditing companies have limited resources. There are simply too many providers for a "grown-up auditor" to visit each.
A real audit costs Microsoft money. If the auditor doesn't find non-compliance, Microsoft foots the bill.
Would completing the Review ward off an audit?
Unlikely. The Microsoft LCC department is famous for its independence. It doesn't report to other partner groups or local Microsoft offices and operates according to its own plan and schedule.
Furthermore, if, during a review, Microsoft uncovers evidence or even suspicions of further issues with your historical SPLA reporting, your chances of being subjected to a "proper" SPLA audit may increase.
Can they initiate an audit if you ignore the request?
Possibly. See above.
Microsoft SPLA License Review (Self-Assessment)
There is another kind of SPLA License Review Notice. This practice started in Europe in 2022 but has since spread to other regions, including North America.
Although its template bears similarities to the SPLA License Review we discussed above, the process is fundamentally different. It begins with "Microsoft has the right to verify software license compliance" and proceeds to say, "Microsoft requests you to complete an internal self-assessment process".
The good news is that, if you decide to comply, you do not have to share any data unless you choose to share some of it (read further). They want your declaration, not your inventory.
Importantly, though, it's not an audit that you agreed to contractually.
What does the notice look like?
It comes as an email from an anonymous account in the @microsoft.com email domain,
There is no named person behind the email,
There is no third party involved, unlike in the North American process,
It asks you to do a self-assessment and respond to the original email with either "we found no non-compliance" or with "adjustment details" in case you find yourselves non-compliant, which means both paying for "any past deficiencies" found and correcting your reporting going forward,
It indicates that you need to work with your SPLA reseller to submit a corrective order ("true-up order") in case you find yourselves non-compliant.
What gives them the right to ask you to complete a self-assessment?
Nothing. You did not agree to it. You did not put your signature under it. It is not their contractual right. And it is not your contractual obligation.
You must understand that the self-assessment is voluntary.
Problems with the SPLA License Self-assessment Review notice
It refers to the right to audit and then asks you to complete a process unrelated to the right to audit as stipulated in MBSA and SPLA.
There is no named human being behind it, so it is difficult to tell whether it is even a legitimate email rather than a phishing attempt. Most of the time these are legitimate emails, but that does not mean a malicious actor will not piggyback on them, so check authenticity every time. Some notices contain SPLA and MBSA IDs, which lends them credibility and makes them easier to verify; some don't.
Even though the language is less intimidating than in the US "notice", Microsoft asks you to complete the process in 45 days, which you are not obligated to do.
Do you have to react?
You don't have to react. You may decide to be nice and complete the review, but it is up to you.
What we suggest doing
If, after assessing all the risks, you decide to complete the SPLA License Review Self-assessment, here is what we suggest doing:
Ignore the deadlines. Again, ignore the deadlines. They have no legal weight.
Reply to the original email asking them to authenticate themselves, just in case.
Respond with your own timeline, and make it clear that you do not commit to any dates – you control the timeline.
Ask them to confirm that if you place a corrective order ("true-up"), Microsoft will accept it in the context of any potential real SPLA audit. SPLA does not stipulate positive corrections at all. The agreement has no legal or contractual framework for positive corrective orders — when you pay to correct the mistake. The only provision mentions the cases when you overpay.
Do a proper self-assessment. Look back 3-5 years. Correct the mistakes, and place a corrective order.
Do not respond with a one-liner if you did not find any non-compliance. Write a detailed letter explaining what tools you used, how the process went, and what calculations and comparisons you did. Get a SPLA licensing expert to review it before you send it so they can check that your interpretations and calculations are correct and compliant with SPUR.
Can it be a precursor to an audit?
Probably. We know cases when a "real" audit came just a few months after the self-assessment declaration.
That is why it is essential to take it very seriously. Either ignore it entirely or do a proper self-assessment, correct past mistakes, update your process moving forward and let Microsoft know what you did.
The biggest mistake you can make is to respond with just "we found no non-compliance".
They know, and we know, that achieving 100% SPLA compliance is extremely difficult, and past mistakes are, in practice, impossible to correct: after you report to your SPLA reseller for the previous calendar month, you have only 60 days to correct any mistakes.
So, responding with "we are squeaky clean" is a red flag for Microsoft.
If you are indeed compliant, meaning you have been compliant for the last 3-5 years (the notice does not specify the "depth" of reporting history), then write a detailed letter explaining what tools you used, how the process went, and what calculations and comparisons you did. Convince them.
If I complete the Self-assessment process, will it prevent an audit?
Even if you do it properly, there is no guarantee. The Microsoft LCC department is famous for being "independent". They do not report to other partner groups and local Microsoft offices. They have their own plan and schedule.
Moreover, we have reasons to suspect that your self-assessment declaration may be used against you during an audit as legal proof that you knew what was going on in your estate, and you won't be able to call the "benefit of the doubt" card later.
Anti-corruption and sanctions compliance audit
This type of audit, albeit not new, has recently gained more traction due to the unstable geopolitical situation.
In these audits, Microsoft does not verify your license compliance. They check your business practices for compliance with the US export laws.
How does that apply to you if you are not in the USA? It is not about you: Microsoft is subject to these laws. They must comply, and their business partners (you) must comply, too.
The assigned auditor will verify the following:
That you don't provide services to sanctioned entities,
That you have anti-corruption processes and procedures,
That you have the relevant policy documents,
That you perform end-client background checks,
That you regularly conduct the necessary training for your employees.
Why is this audit a real problem?
It may be counterintuitive, but non-compliance with "Trade Laws", as Microsoft calls them in the most recent editions of SPLA and MBSA, is a more serious breach of contract than missing license payments. The latter may be resolved commercially. The former puts Microsoft in a legally vulnerable position.
If you are found non-compliant, your SPLA may be terminated.
So, although you don't have to run the scripts, collect data, and argue over a historical compliance view produced by the auditor, you should never treat this audit lightly.
What does the notice look like?
Typically, it's an email backed up by a hard copy sent via post.
The sender isn't a generic email address but an individual, a high-ranking official from Microsoft's LCC (License Contract & Compliance) department.
The notice will reference your MBSA agreement number(s) and specify a renowned auditing firm - usually one among EY, KPMG, Deloitte, or PwC.
It also informs you that the appointed auditor will reach out to schedule a "kick-off" call.
The notice is very similar to the "big" license compliance audit. The giveaway is an additional sentence mentioning export laws and regulations.
What gives them the right to audit you?
The answer lies in your MBSA and SPLA agreements - the Compliance Verification terms grant them the right to conduct an audit and obligate you to comply. This type of audit is included in the terms.
Do you have to react?
Absolutely. It's mandatory. You have a 30-day window to commence cooperation.
What should your next steps be?
We recommend seeking assistance from a partner who specialises in SPLA Audit Defence. We also suggest hiring a legal advisor.
Talk to a SPLA expert
We are not Microsoft partners, affiliates, resellers or dependants. All the advice you get from us is honest, with zero nonsense and zero hidden agenda.
Contact us immediately after receiving a notice from Microsoft, and we'll give you much-needed peace of mind. Even if you are mid-way, write to us to ensure you do everything correctly.