Summary
What are the Microsoft trends for hosting providers in 2024?
Key takeaways:
SPLA isn't going anywhere.
Providers are signing up for CSP-Hosting without understanding the risks versus benefits,
SPLA and CSP-Hosting terms have been somewhat improved,
There is an updated SPLA agreement with new and updated terms and requirements,
BYOL has been much easier since October 2022 but hasn't seen a significant uptake yet,
BYOL is very complex to manage, with additional audit risks,
Windows Server per-VM licensing for BYOL is not fit for purpose,
There is uncertainty about using Listed Providers as Datacenter Providers from October 2025,
There is no reduction in compliance audits in sight,
Infrastructure (IaaS-only) providers are frustrated by the third-party responsibility terms in SPLA,
Watch out for more changes to SPLA and CSP-Hosting in 2024.
Is SPLA being retired?
No, SPLA is here to stay. In unofficial conversations, we hear that SPLA will remain the core licensing programme for service providers for at least five years (until 2029).
Microsoft does not have an alternative programme to offer, and we doubt that it will simply pull the rug and leave providers without a feasible alternative, which CSP-Hosting is not.
SPLA and CSP-Hosting are fundamentally different, and the latter is not a proper Cloud-era licensing programme:
It lacks support for elasticity,
It requires the end clients to procure CSP licenses with at least an annual commitment,
Consequently, it does not provide end-clients with "freedom from license management" – one of the main selling points of the "Cloud dream".
Have you been lured into CSP-Hosting?
Most probably, you don't need to be a CSP-Hoster.
Many ex-QMTH providers were convinced to sign a CSP-Hoster addendum to the Microsoft Partner Agreement without understanding its risks and benefits.
The only benefit of the CSP-Hoster programme is the right to pre-build virtual machines using the provider's activation keys.
It is not an extension of SPLA. It is a Bring-Your-Own-License programme with the only additional perk mentioned above.
Yes, you read that right. Even when you provide the so-called "license-included" services, they are not truly "license-included" like in SPLA. The license is sold to the end client and then hosted for them. The licensee is the end client, unlike in SPLA. You may not use your (provider's) licenses to provide CSP-Hosting. It's BYOL in disguise.
There is no other benefit. You do not need a CSP-Hoster addendum simply to let your end clients bring their licenses. Since October 2022, BYOL has been available to every provider.
And the risk is the additional burden of verifying and reporting BYOL licences.
Microsoft recently made a few changes to the CSP-Hosting program, reducing that burden (read this article further to learn more), but it's still present. However, if you don't become a CSP-Hoster, you may still allow BYOL, but there is no stipulated requirement to report it.
SPLA and CSP-Hosting terms have been somewhat improved
Improvements to CSP-Hosting:
There is a shorter list of products to be reported,
The time-to-report is now 10 days as opposed to 24 hours.
Improvements to SPLA:
You won't need to report consumption by end-clients consuming over $1000 in SPLA licenses in a month,
You won't need to create a separate enrollment for each such end client.
SPLA agreement updates
There is a new form of the SPLA agreement, and we expect additional changes in the first half of 2024.
Most notably:
Stricter affiliate participation rules. Microsoft may reject your affiliate's participation, and you must keep Microsoft up-to-date on all changes in your affiliates.
Added definitions:
Listed provider – the same definition as in all other Microsoft terms and conditions documents and agreements, i.e. those listed here: http://aka.ms/listedproviders
Trade laws – all applicable import and export laws and regulations. We'll explain why it's important further in this article.
Simplified record keeping: removed the requirement to record the Entity Legal Identifier for end-user demonstrations and evaluations.
Stricter terms for using Software Services Resellers (SSR), Data Centre Providers (DCP) and Outsourcing Companies (OC): Microsoft requires you to ensure that all your SSRs, DCPs and OCs comply with "Trade laws". Microsoft also retains the right to prohibit you from working with any entity they believe is not compliant with "Trade laws".
Using Listed Providers as Data Centre Providers: It was already stipulated in SPUR but is now added to SPLA that you must stop using Listed Providers as DCPs after the 1st of October 2025. Additionally – and this is new – if a new Listed provider is added to "the list" on the 1st of October 2024 or later, you may use it as a DCP for one year from their status change date.
Microsoft's right to object to the end users being provisioned software services was removed from End User Agreement requirements.
Monthly reporting changes:
You must only provide the names and addresses of the end clients if they consume licenses for more than US$1000 per month—there is no need to provide their detailed quantities per product. The stipulation, however, is ambiguous as it says, "if the End User generated more than US$1,000" without clarifying what "generated" means.
There is no need to report demonstrations and evaluations.
BYOL troubles
BYOL is not seeing a significant uptake, even after Microsoft dramatically relaxed BYOL by introducing the Flexible Virtualisation Benefit in 2022.
The reasons we hear from providers:
There is no clarity about how BYOL will be treated and verified in compliance audits.
Windows Server BYOL is commercially not feasible without an investment in a dedicated infrastructure. And then, it's nearly impossible when using Hyper-V.
Audit uncertainties around BYOL
Historically, the only BYOL route was the License Mobility Partnership. Yes, it had its limitations: fewer eligible products and provider eligibility requirements. But the compliance verification process was crystal clear when you played by the rules. You only had to present relevant License Verification Forms to the auditor.
CSP-Hosting introduced new reporting and verification requirements, but they lack clarity. There are no details about what qualifies as proof of license. In addition, since the reporting requirements are simplified, many products are out of the scope of compulsory reporting and verification.
And when you try to find license verification rules for all the other Microsoft products in all the other BYOL scenarios, you won't find them. There is no official guidance from Microsoft.
If you are a service provider — any service provider — the Flexible Virtualisation Benefit lets you permit your end users to bring any eligible licenses to your data centres—no authorisation is required anymore. Just don't be a Listed Provider. Imagine now that you have a compliance audit. How do you prove that an instance of a Microsoft product is licensed with BYOL and that the end client has the necessary licenses? There is no official guidance.
No wonder providers and end clients are cautious. The right exists. But the uncertainty is an impediment.
Windows Server BYOL
End clients may bring their Windows Server licenses per virtual machine. The rules are simple:
They need at least 8 core licenses per VM,
Windows Server licenses and all the CALs must have active Software Assurance or subscription.
However, providers aren't keen to allow it.
The first reason is money. When you provide Windows Server virtual machines using SPLA, the cost of the Windows Datacenter licenses for the host is evenly spread between all Windows Server virtual machines. If you let an end client bring their own Windows Server licences, the share of the Windows Server Datacenter costs per VM for all the other clients on the same host increases.
What's the solution? Deploy a dedicated Windows Server BYOL-only platform. But it's only simple on paper.
It may mean investing in new hardware and tools. Cutting out a part of an existing public cloud environment is not easy. And there's another problem. Most cloud management software does not have the functionality to deploy end-client-procured virtual machines in separate environments based on licensing rules and, what's often overlooked, to move them around when licensing status changes.
As if it wasn't already complicated, creating a 100% BYOL cloud infrastructure using Hyper-V is impossible. The physical operating system has to be licensed, which is only possible through SPLA in multi-tenant cloud environments.
No clarity about using Listed Providers as DCPs from October 2025
Currently, service providers may deploy their "DCP-eligible" SPLA licenses on AWS, Google and Alibaba. It allows you to provide complex solutions to your end clients and benefit from well-supported and trusted infrastructure.
For example, you may provide an ERP solution that runs on top of Windows Server and SQL Server, which your end clients access using Remote Desktop (RDS). If you deploy it in AWS, Amazon takes care of Windows Server licensing, and you may "bring" all the SALs from your SPLA.
On the 1st of October 2025, this solution will become non-compliant. As it currently stands, no Listed Providers provide Subscriber Access Licenses (SALs).
What will you have to do? Microsoft is silent on that. It's on you. So far, they have provided no help and no clarity.
Growing frustration of infrastructure providers
There is a significant number of providers that only provide the basic infrastructure. In essence, you can rent a Windows Server virtual machine from them, but they won't provide you with any more Microsoft licenses. Most of them won't manage the VMs for you and won't have access to your VMs.
Many such infrastructure providers are unaware that, per the SPLA, they are responsible for everything that runs inside Windows Server VMs. All Microsoft products inside all Microsoft OS VMs are in the audit scope. The realisation comes with the first audit. With more audits, provider awareness grows, as well as their frustration.
The problem is that SPLA is not built for such providers. If you carefully read SPLA and SPUR and notice how Microsoft positions SPLA, you can quickly realise that it's a licensing programme designed for SaaS providers and outsourcing companies with complete control of the internals of hosted virtual machines.
In an audit scenario, it means assessing each such case individually and asking for Microsoft's mercy to be exempted from contacting each IaaS end client and asking them to run the inventory tools. It results in additional overheads and frustration and may even commercially damage the provider.
An urgent review of SPLA is a necessity.
Service Provider compliance audits aren't going anywhere
Microsoft reduced the number of end-client audits, but the service provider audits are as active as before. The average audit cycle is 3 years; however, there's no way to say exactly when Microsoft will knock on your door. So, our Audit Survival Guide can still be quite handy.
More changes are coming in 2024
Experts expect further changes to SPLA, BYOL, and CSP-Hosting in 2024 due to the continuing conversations with Microsoft held by CISPE, the EU Commission, and the UK CMA.
Watch this space and follow us for updates and analysis.