A Microsoft Software Asset Management (SAM) engagement is not a neutral compliance review — it is a revenue recovery exercise. Understanding the process, knowing your licence position, and managing Microsoft's data access are the three foundations of a successful SAM response.
Microsoft SAM engagements are initiated by Microsoft or its authorised SAM partners and involve a detailed review of your Microsoft software deployments against your licence entitlements. Unlike Oracle's more adversarial LMS process, Microsoft typically frames SAM as a "collaborative review" — but the commercial outcome is the same: identifying licence gaps and converting them into licence purchases or subscription upsells.
This guide covers the SAM process in detail, the most common findings Microsoft surfaces, and the preparation and response strategies that consistently reduce exposure. For broader context on software audit defence, see our Software Audit Defense Playbook. For Microsoft-specific negotiation strategy, see the Microsoft Audit Defense Guide and Microsoft EA Negotiation Guide.
A Microsoft SAM (Software Asset Management) engagement is Microsoft's primary mechanism for conducting licence compliance reviews. SAM engagements are typically conducted by Microsoft's internal SAM team or by authorised Microsoft SAM partners — independent consulting firms that have contracted with Microsoft to conduct reviews and receive a percentage of any licence gap they identify.
Microsoft SAM partners earn revenue based on the licence shortfall they identify. This commercial incentive structure means that SAM partners are motivated to maximise rather than minimise the identified gap. Some partners will apply Microsoft's most aggressive licensing interpretations and include disputed findings in their calculations. Understanding this incentive structure is essential to responding effectively.
SAM engagements are triggered by a range of commercial and technical signals, including:
Microsoft has two distinct compliance mechanisms: the SAM engagement (the typical entry point) and a formal contractual audit under the audit rights clause of your licence agreement. Understanding the difference matters because they carry different legal weight and obligations:
| Factor | SAM Engagement | Formal Contractual Audit |
|---|---|---|
| Initiation | Microsoft or SAM partner invitation | Formal written notice from Microsoft Legal |
| Legal obligation | Voluntary (contractually) | Contractually required |
| Conducted by | SAM partner or Microsoft internal | Independent auditor appointed by Microsoft |
| Typical duration | 8–16 weeks | 16–52 weeks |
| Scope control | More negotiable | Determined by contract |
| Commercial framing | Collaborative review | Formal compliance assessment |
| Outcome | Licence purchase recommendation | Formal findings report + licence demand |
The key practical implication: a SAM engagement is technically voluntary — your licence agreement does not typically require you to participate in a SAM review (as distinct from a formal audit). This gives you meaningful leverage to negotiate the terms, scope, and timeline of the engagement before it begins. Most organisations choose to cooperate with SAM reviews because non-cooperation typically accelerates escalation to a formal audit, which carries stricter obligations and is more damaging commercially.
Microsoft or a SAM partner contacts your account team or IT leadership requesting a SAM engagement. The initial outreach is typically framed positively — "optimise your licence spend", "ensure you're not over-licensed", "prepare for your EA renewal". The request will include a proposed scope and timeline.
Action: Do not accept scope or timeline without review. Engage an independent SAM adviser first.
Microsoft or the SAM partner proposes a scope covering specific products, entities, and time periods. They will request access to your inventory data or ask you to run the Microsoft MAP (Microsoft Assessment and Planning) Toolkit or System Center Configuration Manager (SCCM/MECM) reports.
Action: Negotiate scope; limit to products under your current agreement; agree data collection methodology.
Your team runs the agreed inventory tools and submits the outputs to the SAM partner. The SAM partner may also request licence documentation — proof of purchase, volume licence agreements, Software Assurance certificates, and assignment records.
Action: Review all inventory outputs before submission. Cross-reference entitlements before sending any data to Microsoft or the SAM partner.
The SAM partner analyses the inventory data against your entitlements and produces a Licence Position Report. This report identifies the gap between deployed software and owned licences for each Microsoft product family.
Action: Challenge any findings you disagree with; request the detailed methodology behind each gap calculation.
Microsoft presents a commercial recommendation — typically a licence purchase proposal, often framed as an upgrade to Microsoft 365 subscriptions or an EA expansion. The recommended purchase is based on the identified gap plus potentially upsell products.
Action: Treat this as a commercial negotiation, not a compliance obligation. Your actual remediation cost should be significantly below Microsoft's initial proposal.
Microsoft SAM reviews focus on both client-side (user devices) and server-side (data centre and cloud) deployments. The primary product areas examined include:
Deployed Microsoft 365 apps exceed the number of assigned user licences. Common in organisations that provision Active Directory accounts without corresponding licence assignments, or that use shared service accounts with full M365 access. Microsoft's telemetry data often surfaces this gap before the SAM review begins.
Insufficient Windows Server licences to cover virtual machine deployments. The most common scenario involves Standard edition licences where Datacenter would be required, or insufficient core counts to cover all VMs running on a physical host under Windows Server virtualisation rights.
On-premises SQL Server deployments running without active Software Assurance, particularly where Azure Hybrid Benefit has been claimed in Azure. AHB is only available to organisations with active SA — using AHB without SA is a compliance risk Microsoft consistently flags.
Power Apps and Power Automate flows using premium connectors (Dataverse, custom connectors, REST APIs) where users only hold seeded licences through Microsoft 365. Microsoft 365 licences include limited Power Platform entitlements that do not cover premium connector usage.
Users making or receiving external PSTN calls through Microsoft Teams without the required Teams Phone licence (formerly Phone System) and a calling plan or operator connect agreement. Microsoft's Teams usage data frequently surfaces this gap.
Users classified as requiring only "Team Member" licences or M365 seeded access but performing activities that require full Dynamics 365 user licences. Microsoft's Dynamics 365 licensing is activity-based — not just access-based — making misclassification common and consistently surfaced in SAM reviews.
Devices enrolled in Microsoft Intune for device management without corresponding per-user or per-device Intune licences. Organisations that extended Intune management to non-M365 users often create gaps here (see Microsoft Intune Licensing Guide).
If you have received a SAM engagement request, the 30 days before you commit to any scope or timeline are the most important. Use this period to build your licence position and identify and remediate gaps before Microsoft's team sees them.
Conduct an independent inventory of all Microsoft software deployments using your own SAM tools (SCCM, ServiceNow ITAM, Snow, Flexera, or equivalent) before running any Microsoft-provided tools. Your data should tell you where the gaps are before Microsoft sees them.
Gather all volume licence agreements, proof-of-purchase records, Software Assurance certificates, and assignment records. Identify any gaps in your documentation that may affect your ability to prove entitlement.
Audit your Microsoft 365 admin centre for unassigned licences, guest users with full access, and shared mailboxes or service accounts using licensed features without explicit licence assignment. Reclaim unused licences before the SAM data collection phase.
Confirm that every Windows Server and SQL Server licence used to claim Azure Hybrid Benefit has active Software Assurance. AHB claims without SA are a common SAM finding — and one that is straightforward to remediate before Microsoft identifies it.
Review which Power Apps and Power Automate flows use premium connectors and confirm that the users running those flows hold appropriate licences (per-user Power Apps, Power Automate Premium, or equivalent add-ons beyond their M365 seeded entitlement).
Map every Dynamics 365 user to their actual activities and verify that their assigned licence covers those activities. Team Member licences are frequently misapplied to users performing full operations — this is consistently one of the top SAM findings for Dynamics customers.
Any compliance gaps you identify and remediate before the SAM data collection phase cannot be included in Microsoft's findings. Purchasing licences to close known gaps before the SAM snapshot date is always more cost-effective than negotiating them as part of a SAM settlement.
An independent SAM specialist — not affiliated with Microsoft or its SAM partners — can review your position, identify remediable gaps, challenge Microsoft's findings methodology, and represent your interests in the commercial negotiation. See Best Microsoft Negotiation Consulting Firms.
SAM engagements are voluntary until they escalate to a formal audit. Before agreeing to participate, negotiate the scope — specific product families, specific legal entities, specific time periods. Broad scope = maximum exposure. Every product excluded from scope is a product where Microsoft cannot create a compliance finding.
If Microsoft proposes a specific SAM partner, you typically have the right to request an alternative or to conduct the review using your own SAM tools and present the results. Partners have financial incentives to maximise findings — selecting your own preferred partner (or conducting a self-assessment) removes this conflict.
The "snapshot date" for the SAM inventory is critical — it determines which deployments are assessed. Negotiate a snapshot date that gives you time to remediate identified gaps. A 30–45 day window between agreeing to participate and the snapshot date is reasonable to request.
Never submit raw inventory tool outputs directly to Microsoft or the SAM partner. Review every dataset for over-reporting (software installed but not deployed), legacy installations, test environments that may qualify for specific licence types, and correctly licensed items incorrectly flagged as gaps.
Request detailed methodology documentation for every finding in the Licence Position Report. SAM partners frequently apply worst-case licensing interpretations. Many findings are disputable — particularly around virtualisation, multi-tenant hosting, user activity mapping for Dynamics 365, and Power Platform seeded entitlement limits.
If your EA is due for renewal within 12–18 months, the SAM engagement is effectively a pre-renewal compliance review. Frame the commercial resolution as part of your EA renewal negotiation, not as a standalone compliance purchase. Microsoft's field sales team is incentivised to close EA renewals — use this to convert SAM findings into renewal discounts and credits.
Where your SAM findings relate to specific product gaps (SQL Server SA, Windows Server, individual standalone licences), propose consolidating to Microsoft 365 subscription tiers rather than purchasing individual licences. Microsoft 365 E3 or E5 consolidation often provides better value than point-purchase remediation and resets your entitlement baseline on a subscription model Microsoft prefers.
A credible assessment of Google Workspace, open source alternatives for specific products, or AWS for server workloads demonstrates that your organisation has alternatives to Microsoft and weakens Microsoft's commercial position during the SAM resolution phase.
Microsoft increasingly attempts to flag indirect access scenarios — particularly around Dynamics 365 integrations with third-party systems or custom applications that access Microsoft data. Many of these claims are contestable. Review each indirect access finding against the specific licence terms applicable to your agreement.
SAM partners will often produce a "joint findings summary" for sign-off. Never sign any document that acknowledges Microsoft's Licence Position Report as accurate without independent legal review. Any signed acknowledgement can be used by Microsoft in subsequent formal audit or litigation proceedings.
Don't let Microsoft's SAM partner control the process. An independent adviser can build your licence position, remediate gaps before the snapshot, and negotiate a significantly better commercial outcome.