Perfecting Microsoft Licensing for IaaS Providers
Incorrect or mismanaged Microsoft licensing can expose your IaaS business to financial and operational risks. Complex licensing rules and the potential for non-compliance due to BYOL create challenges for IaaS providers. In addition, the core Microsoft licensing for hosting – SPLA – was not designed for IaaS and has serious flaws.
Overspending on licenses, audit anxieties, and the upcoming changes to the Listed Provider program in October 2025 add to the stress.
We give you a comprehensive yet simple system of managing Microsoft licensing for IaaS providers, offering strategies to optimise costs, ensure compliance, and mitigate risks.
Episode Transcript
Today, we'll specifically discuss issues relevant to infrastructure-as-a-service providers, such as the issues related to Microsoft licensing. Of course, I won't leave you with just proclaimed issues. This is not the event where we only agitate and don't give you solutions. We will tell you our recommended solutions. We'll outline them. If you need any further information, please follow us on any of our platforms. We talk about it a lot here. And if you need our professional help, obviously, you know where to find us.
Welcome, everybody. Welcome all our friends and followers.
My name is Alexander Golev. If you're here for the first time, I am a partner in a consultancy called SAMexpert.
I've been around Microsoft for over 20 years. Altogether, probably 30 years, 20 years in Software Asset Management. I started as a Microsoft evangelist. I was evangelising Windows NT 3.5 at its time, And somehow, I ended up in the Software Asset Management role. I came to the service provider world about ten years ago, helping a service provider win an audit.
So, let's finally delve into the topic of today's conversation: perfecting Microsoft licensing for Infrastructure-as-a-Service providers.
The majority of providers that we work with are infrastructure-as-a-service providers. The percentage of SaaS and platform-as-a-service or professional MSP services like IT support with hosting is lower than either pure infrastructure-as-a-service or infrastructure-as-a-service with a few sprinkles on top.
What is an Infrastructure-as-a-Service provider?
How do we define an infrastructure-as-a-service provider? What is an infrastructure-as-a-service provider? It's a business that provides the foundational platform for what we know these days as private cloud or public cloud hosting. If your services do not extend beyond providing rack space, hardware, and virtual machine rental, you are an infrastructure as a service provider.
As for the Microsoft licenses, pure infrastructure-as-a-service providers don't provide anything except the operating system, Windows Server. However, you may sometimes drop a few so-called managed clients into the mix with services on top of just renting virtual machines. That may introduce a few more Microsoft licenses you need to know about and care about.
In our experience, infrastructure-as-a-service providers don't always use only their own data centres. You may provide infrastructure-as-a-service services using other providers' hardware. It introduces additional complications to licensing. You can use their public cloud; you can use their rack space. You can even rent such resources from hyperscalers like AWS and Google. It's perfectly permitted. But it adds licensing complications we need to talk about today, too, as you only have one year left if you do to prepare for what's coming in October 2025. And it's not a positive change, not at all.
Microsoft Licensing Options for IaaS
What Microsoft licensing options do you have if you run infrastructure-as-a-service? It's not as simple as SPLA these days. There are quite a few options, and navigating them is not an easy task, even for a seasoned licensing consultant.
Obviously, there is SPLA, the traditional service provider licensing program from Microsoft. The main problem with SPLA for infrastructure-as-a-service is that it wasn't designed for infrastructure-as-a-service. If you read SPLA carefully, you will notice it's a SaaS-centric licensing program. It was intended for ISVs – Independent Software Vendors – who wanted to host their solutions themselves. Thus, there are fundamental challenges for infrastructure-as-a-service providers regarding, for example, the question of who is responsible for Microsoft licensing compliance.
In addition to SPLA, we now have CSP-Hosting. It has been around for two years, and it's still confusing. The way it's being pushed as an SPLA replacement by licensing resellers isn't helping either because It's not an SPLA replacement. It is an alternative, but it's not a replacement. It's not a one-to-one transition. It's completely different.
But if you speak to most resellers, they don't care. They aren't compensated on SPLA. It's purely financial interest. They're financially incentivised to promote CSP at all costs as Microsoft partners. You need to understand that. There's nothing bad about it. It's just a thing. And it's not like they have good knowledge and understanding of the CSP hosting program, which isn't helping either.
On top of that, as you usually provide only the operating system licenses, your clients will probably want to deploy additional Microsoft software on their own – software like Microsoft SQL Server and Microsoft Office. They may also ask you if they can deploy VDIs using Windows 11 or Windows 10 operating systems. So all of it, obviously, introduces bring your own license challenges. And by the way, extended security updates for legacy operating systems, if any of your clients run legacy VMs for any reason, are only available as bring-your-own-licence. You can't provide them as an SPLA provider or as an Infrastructure-as-a-Service Provider.
And we can't avoid mentioning Microsoft's recent promise to introduce Azure Stack HCI for Hosters. It's not the Azure Stack HCI that you may know. That one is single-tenant. They promised the Association of European Cloud Service Providers, CISPE, that they would soon announce Azure Stack HCI for Hosters, which is multi-tenant and explicitly designed for hosting providers.
Nobody yet knows officially what the final product is going to look like and what the licensing requirements will be. I suggest you keep it on your radar unless you already are. At the very least, it's going to be interesting. And if you want to resell Azure services, I suspect Microsoft will offer it to service providers with the exact agenda for the service providers to provide them with a channel to resell Azure services in their data centres.
We'll try to address the core issues of this complexity in today's conversation as much as we can, as much as time permits, including our recommendations for the best practices.
Now, let me try to deconfuse the licensing options as much as I can.
Is SPLA "about to die"?
First of all, SPLA is still around, and it will be around for at least five years from now. This is what Microsoft officially promised recently.
Quite a few people, I would even say too many people, have been proclaiming the death of SPLA since 2015. I went to Reddit today and found posts from nine years ago where people enthusiastically said that SPLA "is going to die" very soon and that a different licensing program will replace it.
It's still around. It's still alive and kicking. However, do not expect it to change or evolve because Microsoft wants to replace it with an alternative. They just need to find and define that alternative. And there are telltale signs that they are finding their way, not necessarily replacing it with a single program.
For example, they recently allowed SQL Server with Azure Arc to be run anywhere when it's connected to Azure Arc, including service providers. I would go with that option if I were an end client and needed an SQL Server that is not billed per month but rather billed per hour. I would still get a virtual machine, deploy SQL Server with Azure Arc, and pay through Azure. Maybe.
So Microsoft wants to replace SPLA. And they refuse to modernise it. Keep that in mind. It's still the only native licensing program for service providers, including infrastructure-as-a-service. There's no alternative. You may use it on single-tenant or multi-tenant hardware, bare metal, or virtualised; it doesn't matter.
You can use it everywhere as long as you provide services alongside these licenses. For Infrastructure-as-a-Service, obviously, we're talking about operating systems. Windows Server Datacenter permits unlimited virtual machines. Windows Server does not require basic Client Access Licenses – Windows Server CALs – in the SPLA program, simplifying licensing and making it cheaper than on-premise.
It's almost ideal for Infrastructure-as-a-Service. I say "almost" because there are some compliance complications, including remote desktop subscriber access licenses, which Microsoft may still pin on you during an audit even when you only provide virtual machines. And there are some things you can do to avoid that, which we'll also discuss today.
BYOL and Flexible Virtualisation Benefit
However, SPLA is not the only program that is available to you. Since 2022, your clients may bring their own Windows Server licenses to your estate.
At the moment, we are helping mid-size European providers define and design purely BYOL Windows Server infrastructures. It's absolutely possible and legitimate. If you allow your clients to bring their own licenses to your cloud infrastructure, why not? It's totally possible. You can avoid SPLA, at least partially.
If you decide to switch to this model, you must remember a few crucial points: mission-critical points.
Point number one, there are no specific considerations or limitations on dedicated hardware. This is a general point for all your licensing needs. You need to understand, unless you already know, that as long as you aren't using Google's or Amazon's dedicated hosts for your end clients, as long as you use your own or rent it from a different service provider, any license may be brought to the hardware that is single-tenant, that is dedicated to an end client. That end client can bring any license. It almost works as if it were on-premise servers with an additional benefit that now you can also drop SPLA on top of it to the mix.
But it gets serious when you want to license virtual machines with Windows Server, and that licensing is per virtual machine. For that purpose, if you want your end clients to host their own licenses in your Windows Server infrastructure, always consider building a separate infrastructure for BYOL. That is because it's going to mess up your SPLA profitability and your SPLA numbers. I'll explain now.
When you license the host with Windows Server Datacenter licenses, the costs of those licenses are shared by all the Windows Server virtual machines on the host. Any machines covered with end client licenses are effectively excluded from that SPLA cost sharing, thus affecting your SPLA margins. It should be obvious. You don't want to dilute the virtual machines you bill them for using SPLA licenses.
There is another concern, or you may say there's another consideration. Most of the popular cloud management software you use to manage your cloud does not support conditional deployment: choosing where to deploy a new virtual machine based on the licensing rules. However, workarounds are possible, and some of the cloud management software vendors are aware and working on a necessary improvement. Just keep that in mind. You may need to consider that when you design a purely "bring-your-own-license" infrastructure.
Does Windows Server BYOL necessarily deprive you of license sales revenue because you don't use SPLA anymore? No, it doesn't. And, yes, many infrastructure-as-a-service providers don't want to deal with license sales. But if you do, you may sell CSP licenses for the virtual machines hosted in your public clouds. Moreover, if you want to bundle CSP licenses with virtual machines in a single service, that's when you should consider participating in the CSP-Hoster program. That will be your cue to start thinking, "We probably want to look at the CSP-Hoster program."
When to consider CSP-Hosting
I'm not necessarily saying you need to become a CSP-Hoster. You can avoid that. There is still a pretty high barrier to entry into CSP-Hosting. You must be a Tier 1 CSP. But Microsoft has been promising for two years to democratise it one day. We don't know when and how it'll happen, but that was the promise when they introduced the program that it would not stay with purely Tier One CSPs. So far, unfortunately, that's a requirement.
CSP-Hosting has its cons and pros, and let's start with a couple of positives.
Firstly, it allows you to pre-activate the virtual machines with CSP Hoster activation keys, which otherwise you would have to provide non-activated and potentially have an additional load on your tech support explaining to the end clients how to activate the virtual machines they rented from you, which are not activated. If you're not a CSP hoster, you are only allowed to activate those machines on behalf of your end clients with their keys. If you're a CSP hoster, you get your own activation keys.
The second benefit is cost-related – costs to the end client. Windows Server bundled with virtual machines does not require Windows Server CALs, which is very much like in SPLA. So it may be cheaper for your end clients when they buy that license from you with the virtual machine than bring-your-own-license alternatives. I say it may be cheaper because it depends on what other licenses they have. It's not a one-size-fits-all benefit, but for the majority of small businesses and mid-sized businesses, that could be a good benefit, especially since they don't have to deal with Client Access Licenses.
And speaking of the negatives, there is one that is serious because CSP-Hosting introduces management complexities. You will have to report bundled and Bring-Your-Own licenses to Microsoft every quarter.
Strictly speaking, there are only three product lines that you have to report, fortunately: Windows Server, System Center, and SQL Server. That's it. Thanks to Microsoft for limiting reporting to just those three product lines. You still have to do it. These reports will be subject to compliance verification. So, without a specialised tool, it may become a burden on your internal resources to manage all this. Yes, the report is quarterly. But it must be managed and accurately reported.
Azure Stack HCI for Hosters
Azure Stack HCI for Hosters, if it's introduced, and I'm saying if, although it's promised in writing that it will be introduced, it will become another alternative for hosting virtual machines for multiple tenants because it's a multi-tenant Azure Stack HCI. How that is going to work is subject to non-disclosure agreements. So, let's wait until they disclose this information and make it public. Just as I said, let's keep it on our radar. It's an interesting development. I'm not necessarily saying it's going to be 100 per cent positive, but it's interesting.
Coming up next in today's event:
Safeguarding your business for BYOL compliance,
Preparing for October 2025,
Cost optimisation, which is possible in Infrastructure-as-a-Service,
and how to manage all of it properly: what you can do today to start improving your management processes and tools.
Are you really responsible for every Microsoft license?
There's an elephant in the room, and the name of the elephant is licensing compliance for the software that your end users deploy in your infrastructure, regardless of the fact that you only provide virtual machines.
Microsoft insists that the service provider is ultimately responsible for any piece of Microsoft software, regardless of who deployed it and who supports it. And it's a massive headache for infrastructure-as-a-service providers. They don't even want to know what their end clients deploy.
"We give them physical and virtual machines. That is our service. We don't even have access inside the machines." I can't count the number of times I've heard this. And those of you who have had at least one SPLA audit, and there are people on the call who have, you know that the auditors will stubbornly insist on scanning every machine in your cloud estate regardless of your end-client arrangements. Then, they will attribute every piece of Microsoft software they find in the inventory to your non-compliance unless you can provide solid evidence of bring-your-own-license.
Fortunately, there are safeguards you can put in place starting from today that should make your life easier in that regard. It will not stop the audit. It will not stop them from insisting on scanning every VM, but it will improve your position in that dispute. These measures won't automatically dismiss the auditor's demand, but they will make it easier to try and minimise the audit scope and move the focus onto the end clients.
And first of all, today or tomorrow, review your Terms of Service. Make what services you provide crystal clear. There must be no doubt after reading your Terms of Service. Include the stipulations for where your license responsibility ends, and their license responsibility starts.
If some of your end clients have custom contracts, which is often the case, especially with government contracts or large clients, you have to amend the standard contracts and potentially re-sign them because otherwise, where is the line between you and them? So insist on it politely, or bear the consequences. Demonstrating this bit will at least prove your intentions and that you have informed your end clients properly and clearly about their responsibility for the software you do not provide.
The second consideration for SPLA is you must include the so-called EULT – End-user License Terms in every end-client contract. It is your contractual responsibility to Microsoft. It's a stipulation in SPLA. It must be included in every end-client contract, whether you have online terms of service, a master services agreement, or a custom contract. We see issues asking government clients to modify the predefined government contract form. You still need to do it. There are ways to resolve this case by case in a negotiation after an audit, but you'd rather be prepared. There is a PDF file that you were given when you signed your SPLA. Find it and ensure every end client accepts the EULA terms.
There are two benefits to doing that. By accepting the terms, end clients are informed about licensing compliance, and they agree to cooperate in the event of an audit.
Third, publish educational material on your website. Teach your end clients Microsoft licensing on your platform. They will appreciate it. Many of the mistakes they make are due to a lack of knowledge. Amazon does it brilliantly. I always suggest that if you don't want to write it yourself or don't want to come to a consultant like us to write this for you, look at Amazon.
Copy and paste what they do. Modify it, obviously. They are just explaining Microsoft licensing terms. I would be careful about looking at other providers because the quality of that material is not always great. For example, I would never advise copying Oracle's end client guides on Microsoft licensing for Oracle Cloud. They are slightly incorrect – I would put it this way – or confusing.
You need a compelling story supported by evidence to successfully pass an audit. And by doing these three things, you are building that story.
Where does it say that you're responsible for your end-client compliance? SPLA says it in the contract. A good lawyer may challenge how it is worded in SPLA. We've had cases when lawyers were laughing at how it's said in SPLA, but it's a contract. It's not a law. And Microsoft's intentions are still clear from those stipulations. They want you to be responsible for everything that your end clients do in your estate, even when you only provide the infrastructure.
Suppose you don't have an SPLA agreement and you are purely an infrastructure-as-a-service provider based on a bring-your-own-license basis. There are providers popping up these days that do that. They don't have SPLA. It's all bring-your-own-license. Thanks to Microsoft, it's allowed now.
Microsoft will still insist that you are responsible for compliance. They have very few reasons to come and audit you, but I'm pretty sure they will come up with something. And there's a hint in one of the exam questions on GetLicensingReady (it's a free-of-charge Microsoft licensing certification resource, the only one that's left). In the SPLA certification path, I saw a question recently where they asked who is responsible for licensing compliance in an Authorised Outsourcer with Bring-Your-Own-License, and the correct answer is "the provider". You may imagine that Microsoft vetted those answers, and that's how they think.
Again, have a good lawyer and a good consulting partner. These terms can be challenged, but remember that this is the default approach.
What we're going to discuss next:
Preparing for October 2025,
Cost optimisation for infrastructure as a service,
And how to manage all of it properly.
The October 2025 Shenanigans
Let's talk very quickly because not everyone on the call is affected by what is about to happen in a year from now. It concerns those of you who resell physical and virtual machines hosted by so-called listed providers: Google, Amazon, and Alibaba, for now.
When you resell those resources from those listed providers to your end clients, when you provide an infrastructure-as-a-service, for example, Google's dedicated hosts, that's when it affects you.
We consult American infrastructure-as-a-service providers that use Google single-tenant nodes. Google famously does not provide any Microsoft licenses on single-tenant nodes. They do it through a partner, strictly speaking. A big partner does most of it, But nobody stops other providers from doing the same.
An end client right now, what they can do now on a Google dedicated host, it's a very good example. They can bring their own licenses, and the options there are extremely limited compared to regular providers. The licenses must be bought before October 2019 or on a contract that was signed before October 2019. It doesn't matter whether Software Assurance was renewed or not. What matters is when the license was initially bought. There's an unfortunate limitation of what licenses are eligible, and there's a quickly diminishing number of such licenses right now in the market.
The other option they have right now is to rent SPLA licenses from a service provider. They may rent SPLA licenses when the provider provides them services on that Google dedicated host. So this second option will become impossible in only a year from now. You will be prohibited from using your SPLA licenses on listed providers in any way. What makes it worse is that Microsoft hasn't published any guidance on what to do when that date comes.
So, what can you do about it if you use the listed providers' resources in your services?
Firstly, work actively with your listed providers. If you work with AWS like this, talk to AWS. If you work with Google like this, talk to Google. Raise your concerns now. Learn what their ideas are, if they have them at all. I know that Amazon is working on a solution. They have been working on the solution. I need to update that information. Not sure about Google. We'll know soon.
The second thing you need to do is educate your clients on bringing their own licenses and help them sort it out. Because you won't be able to provide SPLA licenses for such solutions anymore. Yes, it means learning the rules around License Mobility and understanding the October 2019 threshold.
In Europe, if you're in Europe and your dedicated hosts from a listed provider are located in Europe, you may advise your clients to use second-hand licenses. It's perfectly legitimate in the EU and in the UK to use second-hand licenses to buy them on the second-hand market. There are specialised expert companies that resell such licenses. If those licenses were originally purchased in Europe before October 2019, they may be used on dedicated hosts on a listed provider, so bear that in mind.
The third option is to migrate such workloads back to either your data centres or the data centres of smaller providers. The world does not end with AWS and Google. There's Kyndryl, there's IBM Cloud, there's Oracle Cloud, and there are other clouds and service providers of various shapes and forms. It doesn't necessarily have to be a tiny provider to where you are moving your end clients' workloads.
Cost Optimisation and Savings in IaaS
There aren't many options for an Infrastructure-as-a-Service provider to optimise costs. Fortunately, the ones that exist are simple enough to understand. You will get them after I explain it. It's elementary.
Option number one, and it's a pity that we rarely see this because it's a no-brainer. Consolidate production Windows Server machines licensed via SPLA. The word "production" here also includes development machines that are hosted for the end clients. They're all classed as production in SPLA. And dedicate hosts for such machines. Do not dilute Windows Server costs with Windows Client VDIs, Linuxes, and even Windows Server VMs licensed per virtual machine (with bring-your-own-license).
Consolidating your SPLA Windows Server virtual machines on specific hosts will help you reduce SPLA costs because you will only need to report SPLA on those hosts. Consequently, it will increase the SPLA margin per virtual machine. So consider this as your first and most important quick-win cost optimisation measure. It's not that you need to move Linuxes away. It's not that you need to move Windows clients away. Think about it differently. Take Windows Server virtual machines that you pay for through SPLA and put them aside. This is your SPLA estate. These are the costs. It's a very simple measure. You can start doing it today. There'll be technical issues. There'll be people against it. There'll be people saying your provisioning system doesn't allow it, but at least you can start planning it.
And speaking of production machines, I promised you to come back to this. What's the alternative in SPLA? It's not non-production, it's disaster recovery. Did you know that pure disaster recovery clusters don't require SPLA licenses? but they must be dedicated to disaster recovery. You can't be half-pregnant in licensing. You can't run any production virtual machines in disaster recovery clusters. You can't run anything in those clusters unless you follow the rules of what and where you can run in those clusters that are stipulated in your SPLA agreement. It's not hidden knowledge. It's not forbidden knowledge. It's there. It's in your agreement. So, as long as you follow those rules, your disaster recovery machines consolidated in a disaster recovery cluster don't require SPLA licenses. This is a huge cost-saving measure. Fortunately, we do see providers that follow those rules, play it by the book, and thus reduce the cost.
As you can see, these ideas are not difficult to understand. And it's pretty surprising that there aren't that many providers that implement these cost-saving measures. Just do it. Just do it. It's not rocket science.
Managing Microsoft Licensing in IaaS: Best Practices
So how do we manage all this? It seems simple, but you still need to manage it. And this is a million-dollar question. How do we manage cost and compliance in the world of Microsoft Infrastructure as a Service?
And I will repeat the banality: you need a tool. Otherwise, you will waste a lot of resources on proper management.
We don't normally sell tools, but dealing with headaches with SPLA, BYOL, and CSP hosting management. And, well, Azure Stack HCI is coming. I'd rather you have a tool. It can be your in-house tool. You can write scripts, but make sure they account for all the human errors because that's the downside of the scripts: they're designed for the desired configuration. They don't account for potential human errors. It may be an add-on to an enterprise tool if you mistakenly bought ServiceNow for your SPLA. We see those cases. We see instances of Flexera deployed to manage SPLA, providing inaccurate numbers because the formulas differ. It just doesn't know how to calculate SPLA.
But people write add-ons and workarounds; it's all possible. However, my best advice is to get a dedicated tool like Octopus Cloud. Just find a dedicated tool. There aren't that many. It's a very simple choice. You don't have to have an RFP between five or ten providers. There are only two working tools, really.
In addition, what you can start implementing today or tomorrow are the recommendations I just gave you concerning clarifying your terms of service and updating your end-client contracts. And make sure all of your clients accept EULT – end user license terms.
For all the known instances of Bring-Your-Own-License, begin collecting solid evidence of BYOL. Ask all such end clients to confirm that they bring their own licenses in writing. As a second step, ask them to provide you with proof of license. Then, create a secure, organised, dedicated system to store and update such information. You will need it in case there's an audit.
And the next recommendation is to begin planning the infrastructure optimisation measures we've just discussed. Initiate this conversation with your technical department today or tomorrow because there may be obstacles. Let them start thinking about it. It's in your financial interest. You can reduce the cost. You can increase profitability or competitiveness. These will be your foundational steps to safeguarding your infrastructure as a service business that involves Microsoft licenses.
Audience Q&A
This is the time when you ask your questions, I have a couple I've just received in direct messages.
The first one was, "Where can I find the end-user license terms?" I already answered that question. It's a PDF you must have been given with your SPLA. It hasn't changed since about 2013, so if you find an old copy, it's still valid. If you have an old version, feel free to use it. If you don't have it or can't find it, reach out to your SPLA reseller. SPLA resellers are obligated to help you find it. This is how you find it. It's a standard PDF form.
The other question, "You once mentioned the SPLA compliance readiness checklist. Can I still get a copy?" Yeah, absolutely. Just send me an email to ask@SAMexpert.com, and we'll share the checklist with you. There's no problem with that.
Thank you all for your participation in today's event. I wish you a very productive rest of the week and all the success in your service provider journey.
Goodbye, and I hope to see you again on our regular live streams, which we have almost every Wednesday. Thank you very much.