
An expert guide to perfecting IaaS licensing


Summary

SPLA, CSP-Hosting, BYOL, Azure Stack HCI for Hosters: What is the right mix for IaaS that is cost-efficient and compliant at the same time? Available options and actionable advice from independent advisors.

Microsoft licensing for Infrastructure-as-a-Service (IaaS) providers is a minefield of options and obligations.

This article is a practical guide to understanding the licensing landscape, avoiding common pitfalls, and optimising your licensing strategy.

It is based on a discussion led by Alexander Golev, a partner in SAMexpert and a 20-year veteran in Microsoft licensing with extensive experience in the service provider space.

Defining IaaS and its Licensing Challenges

IaaS providers are the foundation of modern cloud computing, delivering the essential infrastructure for private and public cloud environments. They primarily provide rack space, hardware, and virtual machine rentals. While this service may appear straightforward, the associated Microsoft licensing requirements can be complex.

Pure IaaS providers often focus on licensing Windows Server. However, adding managed services on top of basic IaaS introduces additional Microsoft licensing needs.

Furthermore, using resources from other companies, including hyperscalers like AWS and Google, creates further licensing challenges. If you do this, you only have one year left to prepare for the negative changes coming in October 2025.

Microsoft Licensing Options for IaaS

Nowadays, it's not as simple as SPLA anymore. IaaS providers face a complex array of choices.

SPLA: Microsoft's traditional licensing program for service providers was initially designed with Software-as-a-Service (SaaS) providers in mind, not IaaS. Specifically, it was intended for ISVs who wanted to host their solutions themselves. As a result, SPLA poses fundamental challenges for infrastructure-as-a-service providers, for example the question of who is ultimately responsible for ensuring that all Microsoft software running on the provider's infrastructure is adequately licensed.

CSP-Hosting: This program, launched two years ago, remains a source of confusion. Licensing resellers often push it as a replacement for SPLA, but this is misleading. CSP-Hosting is an alternative, not a direct replacement. It's not a simple one-to-one transition; it's a completely different program.

Many resellers promote CSP-Hosting due to their financial incentives. They don't receive compensation for SPLA sales, so they push CSP to maximise their profits. Be aware of this likely bias when evaluating their recommendations.

Further complicating matters, some resellers lack a thorough understanding of CSP-Hosting. This lack of knowledge can hinder your ability to get accurate information and make informed choices.

BYOL: Since 2022, Microsoft has allowed clients to bring their own licenses for any product, including Windows Server, offering a way to avoid SPLA, at least partially. However, this model requires careful planning, especially for licensing virtual machines.

In addition, your clients will likely want to deploy other Microsoft software on their own, such as Microsoft SQL Server and Microsoft Office. They might also want to deploy Virtual Desktop Infrastructure (VDI) using Windows 10 or 11. Extended security updates for legacy operating systems are only available as BYOL; you can't provide them through SPLA. All of it introduces an array of "bring your own license" challenges.

Azure Stack HCI for Hosters: Microsoft has announced that it will introduce a multi-tenant version of Azure Stack HCI designed explicitly for hosting providers. This is distinct from the existing Azure Stack HCI, which is single-tenant. Microsoft made this promise to the Association of European Cloud Service Providers (CISPE).

The final product and its licensing requirements remain undisclosed. This development is worth monitoring, as it could significantly impact the IaaS landscape, particularly for providers interested in reselling Azure services. Microsoft is expected to position Azure Stack HCI for Hosters as a way for service providers to resell Azure services within their own data centres.

Is SPLA "about to die"?

Despite frequent predictions of its demise, SPLA is still alive and well. Microsoft has officially confirmed that it will remain available for at least the next five years.

Rumours of SPLA's impending death have circulated since 2015. A quick search on Reddit finds posts from nine years ago proclaiming that SPLA is on its last legs and will soon be replaced. Clearly, these predictions were premature.

However, while SPLA is not going away anytime soon, don't expect it to change or evolve. Microsoft focuses on finding an alternative, not modernising the existing program. There are signs that Microsoft is exploring different avenues, such as allowing SQL Server with Azure Arc to be run anywhere, including on service providers' infrastructure. This approach, where SQL Server is billed hourly through Azure, may be an attractive option for many clients.

SPLA remains the only native licensing program specifically designed for service providers, including those offering IaaS. It's a versatile program that can be used on various hardware configurations, whether single-tenant or multi-tenant, bare metal or virtualised.

Despite its SaaS "centricity", SPLA is particularly well-suited for IaaS because it allows for unlimited virtual machines with Windows Server Datacenter. Furthermore, it eliminates the need for Windows Server CALs, making it a more cost-effective option than on-premises licensing.

While SPLA offers many advantages, it's not without its challenges. Compliance can be complicated, especially regarding Remote Desktop Subscriber Access Licenses (RDS SALs), which Microsoft auditors may try to pin on you even if you only provide virtual machines. However, there are strategies to mitigate these risks.

BYOL and Flexible Virtualization Benefit

SPLA isn't the only option available. Since 2022, your clients can bring their own Windows Server licenses to your infrastructure. This "bring your own license" (BYOL) model is becoming increasingly popular, and we are currently helping several mid-size European providers design BYOL-based Windows Server infrastructures.

Key Considerations for BYOL:

  • Dedicated Hardware: There are no specific limitations on dedicated hardware. As long as you're not using dedicated hosts from listed providers like Google or Amazon, any license can be used on dedicated hardware. This essentially functions as if the servers were on-premises, with the added benefit of potentially using SPLA licenses.

  • Virtual Machines: Licensing virtual machines with Windows Server under the BYOL model requires careful consideration. Building a separate infrastructure for BYOL virtual machines is crucial to avoid disrupting your SPLA profitability. When you license a host with Windows Server Datacenter through SPLA, the cost of those licenses is shared across all Windows Server VMs on that host. Any VMs covered by client-owned licenses are excluded from this cost-sharing, which can impact your SPLA margins.

  • Cloud Management Software: Most cloud management software doesn't currently support conditional deployment based on licensing rules. You might need to find workarounds to ensure that BYOL VMs are deployed on the correct infrastructure. However, some cloud management software vendors are aware of this limitation and are working on solutions.

Does embracing BYOL mean giving up license sales revenue? Not necessarily. You can still sell CSP licenses for virtual machines hosted in your public cloud. If you want to bundle CSP licenses with virtual machines as a single service, consider participating in the CSP-Hoster program.

When to Consider CSP-Hosting

Becoming a CSP-Hoster isn't essential, and you might choose to avoid it altogether. However, if you're considering bundling CSP licenses with virtual machines as a service offering, it's worth exploring the CSP-Hosting program.

Currently, there's a high barrier to entry: you must be a Tier 1 CSP. This requirement limits participation to larger, well-established organisations. However, Microsoft has promised to make the program more accessible in the future, though the timeline and specifics remain unclear.

CSP-Hosting has its pros and cons. Let's start with the positives:

  • Pre-activated Virtual Machines: CSP-Hosting offers a significant advantage: you can pre-activate virtual machines with CSP Hoster activation keys. Without this, you would need to provide non-activated VMs, potentially increasing the burden on your technical support team to guide clients through the activation process. As a CSP-Hoster, you receive your own activation keys, streamlining the client experience.

  • Cost Savings for Clients: Another benefit relates to cost. Clients who purchase Windows Server licenses bundled with virtual machines through CSP-Hosting don't need Windows Server CALs. This is similar to SPLA and can be a more cost-effective option for clients compared to BYOL alternatives, especially for small and mid-sized businesses. It's important to note that the cost-effectiveness of CSP-Hosting can vary depending on the client's specific licensing needs and existing licenses.

And now, the drawbacks:

  • Management Complexity: CSP-Hosting introduces some management challenges. It requires quarterly reporting of both bundled and BYOL licenses to Microsoft. Strictly speaking, there are only three product lines that you have to report: Windows Server, System Center, and SQL Server. These reports are subject to compliance verification. Managing this reporting process can be demanding without specialised tools. While the reporting cadence is quarterly, ongoing management and accurate data collection are required to ensure compliance.

Azure Stack HCI for Hosters

Azure Stack HCI for Hosters, if it is introduced, will become another alternative for hosting virtual machines for multiple tenants, because it is a multi-tenant version of Azure Stack HCI. How it will work is, so far, subject to non-disclosure agreements. So, let's wait until Microsoft makes this information public.

Are You Really Responsible for Every Microsoft License?

Let's address the elephant in the room: Are you, as an IaaS provider, responsible for the licensing compliance of all Microsoft software running on your infrastructure, even if it was deployed by your clients?

Microsoft's stance is that the service provider is ultimately responsible for any piece of Microsoft software, regardless of who deployed it or who supports it. It's a major headache for IaaS providers, who often don't even want to know what their end clients deploy.

Many IaaS providers understandably feel that their responsibility ends with providing the infrastructure (physical and virtual machines). "We give them physical and virtual machines. That is our service. We don't even have access inside the machines." However, those who have undergone a Microsoft SPLA audit know that auditors will insist on scanning every machine in your cloud estate. They will then attribute any Microsoft software they find to your non-compliance unless you can provide solid evidence of BYOL.

This responsibility is explicitly stated in the SPLA contract. While a skilled lawyer might challenge the specific wording, Microsoft's intention is clear: they want you to be responsible for all Microsoft software used in your environment, even if you only provide the infrastructure.

Interestingly, even if you don't have an SPLA agreement and operate solely on a BYOL basis, Microsoft may still assert that you are responsible for compliance. While they might have fewer excuses to audit you in this scenario, it's not impossible. There's a hint of this in one of the exam questions on GetLicensingReady.com (a free Microsoft licensing certification resource). In the SPLA certification path, there is a question about who is responsible for licensing compliance in an Authorized Outsourcer with BYOL. According to Microsoft, the correct answer is "the provider", demonstrating Microsoft's thinking on the matter. Even in BYOL scenarios, they tend to place the onus of compliance on the service provider.

Fortunately, there are safeguards you can implement to protect your business and improve your position in an audit. While these measures won't prevent an audit or stop auditors from scanning your VMs, they will strengthen your case and help shift the focus to the end clients where appropriate.

  1. Review your Terms of Service: Make it crystal clear what services you provide and where your licensing responsibility ends. There must be no doubt after reading your Terms of Service. Include stipulations that clearly outline where your clients' responsibility begins. If you have custom contracts with clients, amend them to include these stipulations. Demonstrating this will at least prove your intentions and that you have informed your end clients about their responsibility for the software you do not provide.

  2. Include the End-User License Terms (EULT): Every end-client contract must include the EULT (End-User License Terms). It is a non-negotiable requirement of the SPLA program. Whether you have online terms of service, a master services agreement, or a custom contract, the EULT must be included. It can be challenging with government clients who often use predefined contract forms. However, it's essential to ensure the EULT is incorporated. The EULT informs end clients about licensing compliance and ensures their cooperation in the event of an audit. You should have received a PDF file with the EULT when you signed your SPLA agreement. Find it and ensure every end client accepts these terms.

  3. Publish educational material: Empower your end clients by providing clear and accessible information about Microsoft licensing on your platform. Many clients make licensing mistakes simply due to a lack of understanding. If you're looking for good examples, Amazon does an excellent job of explaining Microsoft licensing terms on its platform. However, be cautious about using materials from other providers, such as Oracle, as the quality and accuracy of their information can vary.

You need a compelling story supported by evidence to successfully pass an audit. By taking these three steps, you are building that story.

The October 2025 Deadline

Drastic changes are coming in October 2025. They will primarily affect those who resell physical or virtual machines hosted by "Listed Providers" – currently Google, Amazon, and Alibaba. This is especially relevant for you if you leverage these providers' resources to offer IaaS services (for example, using Google's single-tenant hosts).

We work with several providers who utilise Google's single-tenant nodes. It's worth noting that Google doesn't provide Microsoft licenses on these nodes; they rely on a key Google partner to provide licenses via that partner's SPLA.

An end client wanting to use Google single-tenant nodes (dedicated hosts) has limited options for licensing Windows Server.

  • They can bring their own licenses, but these licenses must have been purchased before October 2019 or be on a contract signed before that date. The initial purchase date is key. The number of such licenses is rapidly diminishing.

  • The other option for clients is to rent SPLA licenses from a service provider who offers services on Google single-tenant nodes. This option will disappear in October 2025 when Microsoft prohibits the use of SPLA licenses on Listed Providers' platforms. This looming deadline is particularly concerning because Microsoft hasn't published any guidance on alternative solutions.

So, what can you do to prepare for these changes if you use Listed Providers' resources in your services?

Firstly, proactively engage with your Listed Provider. If you work with AWS, talk to AWS. If you work with Google, talk to Google. Raise your concerns now and understand their plans for addressing this challenge. Some listed providers might be developing their own solutions. For instance, we know that Amazon has been working on a solution, but we are unsure about Google's plans.

Secondly, focus on educating your clients about bringing their own licenses and helping them navigate this process. You won't be able to provide SPLA licenses for these solutions anymore, so your clients must understand the rules around License Mobility and the October 2019 threshold.

For clients in Europe, there's an additional option. If your dedicated hosts from a listed provider are in Europe, you can advise your clients to use second-hand licenses. Buying and using second-hand licenses is perfectly legitimate in the EU and the UK. There are specialised companies that resell such licenses. If those licenses were initially purchased in Europe before October 2019, they can be used on dedicated hosts on a Listed Provider.

The last option is to migrate workloads from Listed Providers back to either your own data centres or to those of smaller providers. If you want to use a larger provider, there are many options beyond AWS and Google, such as Kyndryl, IBM Cloud, and Oracle Cloud.

Cost Optimisation and Savings in IaaS

While there might not be many options for optimising costs as an IaaS provider, the available ones are thankfully straightforward.

1. Consolidate SPLA-licensed Windows Server VMs

It's surprisingly rare to see this implemented, but it's a no-brainer: consolidate Windows Server virtual machines licensed via SPLA onto dedicated clusters. Keep these hosts separate from other workloads like Windows Client VDIs, Linux VMs, or even Windows Server VMs licensed with BYOL.

Why? Because consolidating your SPLA-licensed Windows Server VMs on specific hosts helps reduce SPLA costs. You'll only need to report SPLA usage for those particular hosts, increasing your SPLA margin per virtual machine.

Consider this your first and most important quick win for cost optimisation. Think of it this way: carve out a dedicated space for your SPLA-licensed VMs, effectively creating an "SPLA estate." It's a simple measure that can be implemented relatively easily.

2. Leverage Disaster Recovery Clusters

Pure disaster recovery clusters don't require SPLA licenses, offering significant cost savings. However, these clusters must be strictly dedicated to disaster recovery; you cannot run any production VMs within them. To benefit from this cost-saving measure, you must adhere to the rules outlined in your SPLA agreement regarding what can be run in these clusters.

As you can see, these cost-saving ideas are not complex. It's surprising how few providers take advantage of them.

Managing Microsoft Licensing in IaaS: Best Practices

How do you manage cost and compliance in the world of Microsoft IaaS?

As banal as it might sound, the foundational part (but not the entire solution) is that you need a tool. Without a tool, you'll waste significant resources trying to manage everything manually.

While we don't typically sell tools, we understand the headaches associated with managing SPLA, BYOL, and CSP Hosting, especially with Azure Stack HCI for Hosters on the horizon. Therefore, we strongly recommend using a tool.

This could be an in-house tool, or you could write your own scripts. However, if you take the scripting route, ensure your scripts account for every human error imaginable. Scripts designed for ideal scenarios often don't consider the potential for mistakes.

You might also consider an add-on to an existing enterprise tool, especially if you've mistakenly purchased a tool like ServiceNow for your SPLA management. We've seen instances where generic tools like ServiceNow or Flexera are deployed to manage SPLA, but they provide inaccurate data because their formulas don't align with SPLA's unique calculations.

While workarounds and add-ons are possible, investing in a dedicated tool like Octopus Cloud is the best advice. There aren't many dedicated SPLA management tools, which simplifies your choice.

In addition to using a tool, here are some best practices you can implement today:

  • Clarify your terms of service and update your end-client contracts: Ensure your terms clearly define the services you provide, where your licensing responsibility ends, and where your clients' responsibility begins. Make sure all your clients accept the End-User License Terms (EULT).

  • Collect evidence of BYOL: For all BYOL instances, diligently collect and maintain solid evidence. This includes written confirmation from clients that they are bringing their own licenses and proof of license documentation. Create a secure and organised system to store and update this information.

  • Plan infrastructure optimisation measures: Start planning the infrastructure optimisation measures we discussed earlier. Initiate this conversation with your technical department, as there might be technical or logistical obstacles to consider.

Closing Remarks

This concludes our brief exploration of Microsoft licensing for IaaS providers. We hope you found this information valuable.

If you have further questions or need assistance, don't hesitate to reach out to us for independent expert guidance.

Thank you for reading, and we hope to see you again soon!
