SAM Review vs Formal Audit: What's the Difference?
Microsoft rarely uses the word "audit" in its compliance engagement language, preferring terms like "SAM review," "licence review," or "compliance health check." This framing is deliberate — it reduces the adversarial tone and encourages customer cooperation that a formal audit notification might not. The legal basis, however, is the same: Microsoft's licence agreements contain audit rights provisions that authorise Microsoft to verify compliance. Whether the engagement is called a SAM review or an audit, the underlying commercial objective — identifying compliance gaps and converting them into licence purchases — is identical.
The practical difference is that SAM reviews are typically conducted through a Microsoft partner (an authorised SAM partner) rather than directly by Microsoft, and the tone is more collaborative. Microsoft's partner presents the engagement as a free service that helps you understand and manage your licence position. The partner has a financial incentive — a share of any licence purchases resulting from the review — which explains their motivation for the "free" service.
The full audit defense framework applies here: treat the SAM review as a commercial process from the first contact, not a compliance exercise. Your responses to data requests, your review of preliminary findings, and your settlement approach should be governed by commercial discipline, not a desire to appear cooperative.
SAM partner incentives: Microsoft authorised SAM partners typically receive a percentage of the licence revenue generated through SAM reviews they conduct. This creates an obvious commercial incentive to identify maximum compliance exposure. A SAM partner conducting a review of your environment is not a neutral adviser — they are financially motivated to find gaps. Engage your own advisors independently of the SAM partner process.
What Microsoft SAM Reviews Cover
A Microsoft SAM review covers the full range of Microsoft products deployed in your environment, with particular focus on the highest-value product categories. The scope typically includes Windows Server and Client operating systems; Microsoft 365 and legacy Office suites; SQL Server, all editions; Azure consumption and hybrid licences; and Dynamics 365 products where deployed.
The data collection process involves deployment scanning tools — typically MAP (Microsoft Assessment and Planning) Toolkit or third-party SAM tools — that inventory installed software, hardware configurations, and user assignments. The outputs are used to map deployment against entitlement, using the licence terms applicable to your specific agreement structure (EA, MPSA, CSP, or direct purchase).
Most Common SAM Review Findings
Microsoft SAM reviews consistently surface findings in a predictable set of areas. Understanding these allows you to conduct pre-review internal checks that reduce your exposure before the SAM partner's scan.
Windows Server virtualisation — specifically the counting of Windows Server licences required for virtual machine deployments — is the most frequent finding. The Windows Server Datacenter licence, which covers unlimited virtualisation on a licensed host, is frequently under-deployed relative to the actual VM count. Standard edition licences, which cover limited VM counts per licence, require precise counting that deployment tools often misrepresent.
SQL Server counts are frequently disputed, particularly in virtualised environments and on high core-count processors. SQL Server Enterprise licences are expensive, and under-licensing relative to actual deployment — particularly for SQL Server installations that have grown with database consolidation projects — is common.
Microsoft 365 and legacy Office licensing errors typically involve user assignments that have not been cleaned up as staff leave, departmental deployment that exceeds contracted seat counts, or use of features that require higher M365 plan tiers than currently licensed. The shift to NCE (New Commerce Experience) subscription terms in recent years has introduced additional complexity around contract lengths and auto-renewal provisions.
Preparation Steps Before the Review Begins
The most effective preparation for a Microsoft SAM review is to conduct your own internal licence position analysis before any SAM partner engagement begins. This allows you to identify genuine gaps and correct them quietly, and to identify the categories where SAM partner findings are most likely to be inaccurate, so you can prepare counter-evidence.
Locate and review all Microsoft licence agreements — EA, MPSA, CSP, and direct purchase records
Run internal deployment scan using your own SAM tooling — compare output to entitlement records
Review Windows Server VM counts across all virtualisation hosts — confirm Datacenter vs Standard coverage
Audit SQL Server deployments against current licensing — include virtual environments and dev/test exclusions
Validate M365 user assignments — remove leavers, confirm plan tier assignments are accurate
Document Azure consumption against any MACC or hybrid benefit arrangements
Engage independent Microsoft licensing advisors before SAM partner interaction begins
Controlling the Data Collection Process
When the SAM partner requests access to conduct their scan, review the specific data request against your contractual obligations. The audit rights in your Microsoft agreement have defined scope. Deployment data for in-scope products is typically required; network topology, security configurations, and business process data are not.
Review all scan outputs before they are submitted to the SAM partner. Deployment scans frequently capture data from environments that should be excluded: development and test environments (which may be separately licensed or contractually excluded from scope), disaster recovery environments, and decommissioned hardware that has not been cleaned from deployment records. Every excluded record should be documented with the contractual basis for the exclusion.
The "helpful" over-share trap: SAM partners sometimes encourage customers to share more data than required, framing it as necessary for a "complete picture." Over-sharing creates findings that would not otherwise exist. Provide exactly what the contractual audit rights require, and nothing more. If the SAM partner asserts that additional data is needed, ask for the specific contractual provision that requires you to provide it.
Challenging SAM Findings
SAM review preliminary findings should be treated as a starting position, not a compliance verdict. Request the full methodology for each finding — the specific licence terms applied, the data sources used, and the calculation logic. Common errors include incorrect application of virtualisation rules, double-counting of licences with different assignment types, and misclassification of NCE subscription terms.
For Windows Server Datacenter findings, verify the specific version and edition of each host licence and the VM density it supports. Misapplication of version-specific virtualisation rights — particularly across 2016, 2019, and 2022 editions — is a frequent source of overstatement. For SQL Server findings, confirm that every core count is based on the correct physical or virtual configuration and that all applicable licence optimisations — developer editions, express editions, and test/dev exclusions — have been applied.
Formal counter-reports, presenting your own licence position analysis with specific evidence disputing each finding, are the most effective response to SAM preliminary findings. Engage Microsoft licensing specialists — not Microsoft itself or the SAM partner — to prepare this counter-report. IT Negotiations provides Microsoft advisory services including SAM review defence, consistently reducing preliminary SAM findings by 30–60%.
Settlement and Commercial Context
Microsoft SAM review settlements are typically structured as additional licence purchases rather than cash penalties. The SAM partner and Microsoft account team will propose specific product purchases at stated prices to resolve the compliance gap. These proposals should be negotiated, not accepted at face value. Microsoft's list prices for the products identified in SAM findings are almost never the appropriate starting point — comparable deals in the market, combined with forward commitment on renewal, typically yield 15–30% reductions from the initial settlement proposal.
Use the SAM review settlement as an opportunity to consolidate licences, renegotiate your EA structure, and address other commercial objectives alongside the compliance resolution. A settlement conversation that includes your Enterprise Agreement renewal, Microsoft 365 expansion plans, and Azure committed spend creates more leverage than a narrowly focused compliance discussion. Combine audit settlement with broader Microsoft EA negotiation for the best combined outcome.