The first things to do to avoid a nasty SPLA audit surprise

Bad news: You are responsible for every piece of Microsoft software in your data centres, even if you did not install or support it.

Good news: Microsoft gave you the legal tools to protect yourselves and your business from rogue installations by your end customers.

What is a SPLA provider responsible for

Microsoft didn't do a good job explaining to SPLA providers their obligations and the tools it provides.

First of all, everything in your data centres, whether in a public cloud, co-location, or your end customer's hardware, is your responsibility unless you have evidence to the contrary and contractual tools to protect you.

We are often involved in SPLA audit defence. About 80% to 90% of our clients begin the audit journey unaware of their compliance responsibilities. We often hear: "We only support operating systems". 

Unfortunately, unless it's contractually clear, supported by evidence, and your end-client agreements comply with SPLA terms, auditors will add all the rogue Microsoft software installations by your end-clients to the audit bill.

To prepare you for the "bill shock": on average, operating systems and databases make up only around 20% of an SPLA audit. The other 80% is in subscriber access licenses: RDS, Office, Project, Visio, and Visual Studio.

What can you do to protect (indemnify) your provider business?

Strictly speaking, SPLA is designed to bundle licenses in your services. You are not licensed to resell SPLA licenses to your end clients. You are supposed to have admin access to all the virtual machines you rent out. 

The reality, however, is that there are often end clients requiring extra IT security: government, intelligence, security, and finance. There's very little chance they will voluntarily give you access to their virtual machines.

Is there anything you can do to avoid being penalised for what they installed without your knowledge?

End-User License Terms (EULT)

Surprisingly, the most straightforward tool is the most often overlooked. 

Microsoft requires you to include End User License Terms (EULT) in every end-client contract. EULT has stipulations for:

  • End client responsibility to Microsoft for license compliance,

  • Agreement to share all the compliance-related data with Microsoft in case of an audit.

It's easy to see how EULT protects providers.


But what if you want to let your end clients bring their own licenses to your data centres, allowing them to deploy Microsoft software using the licenses they already have? It's only natural to do so if you provide pure IaaS.

Then you have two scenarios:

  1. Become a CSP-Hoster (you must first become a CSP partner),

  2. Permit BYOL without becoming a CSP-Hoster.

In any case, here's what you need to do:

  • Publish educational materials explaining to your end clients how BYOL works and its terms and conditions,

  • Refer to these requirements in your end client agreements,

  • Require your end clients to provide license evidence,

  • Maintain a register of all license evidence,

  • Collaborate with Microsoft if they suspect that an end client is non-compliant.

In addition, CSP-Hosters have to follow stringent CSP-Hosting BYOL Reporting requirements.

Your services resellers and SPLA partners

You may have partners that resell your services. Almost every client of ours has a software services reseller channel.

You may also have other providers that use your services as a "Data Center Provider". They, in turn, may have their own resellers and end customers. All these workloads may end up in your data centres.

You must ensure that all your partners include EULT in all their end-client agreements. SPLA requires it.

What to do if you only sell your services via an online portal?

Do what Amazon does:

  • Publish your contract templates,

  • Publish your end-user license terms,

  • Publish user-friendly explanatory pages about licensing on the web,

  • Make it a part of your public offer, a box they tick when they procure your services.

If you have made all these efforts in good faith, Microsoft only expects you to help it resolve the compliance issues it suspects with your end clients. Their non-compliance stops being your responsibility.

Talk to a SPLA expert

We are an independent consulting business that sells no licenses or Cloud services. That is on purpose, so our advice is unbiased. We have specialised in SPLA for years and saved our clients over $500 million in audit fees and license costs.
