Microsoft Software Asset Management (SAM) engagements average $3.2M in initial findings for enterprise customers, with the customer-side defence framework reducing those findings by 40 to 60 percent on settlement. The engagement is positioned as a no-cost compliance health check. It is a soft audit, structured to surface licensing gaps that flow into renewal pricing or a formal audit referral. Treating a SAM letter as a cooperative exercise is the most common, and most expensive, customer error.
This page is the 2026 defence framework for Microsoft SAM engagements: what triggers them, what Microsoft requests, the response posture that protects the customer position, and the escalation paths. Built from advisor-led SAM defence engagements during 2024 to 2026. For active formal audits, see audit defence guide and our vendor audit defence service.
What a SAM engagement actually is
A Microsoft SAM engagement is a structured review of the customer's Microsoft software deployment against the customer's licence entitlement. It is conducted by a Microsoft Authorised SAM Partner (typically a Microsoft-vetted advisory firm such as KPMG, EY, Crayon, or a regional partner) under a Microsoft-funded engagement letter. The output is a deployment-versus-entitlement reconciliation that identifies gaps.
The legal positioning matters. A SAM engagement is not a contractual audit under the Microsoft Business and Services Agreement (MBSA) audit clause. The customer is not contractually required to participate. The Microsoft account team will frame participation as a goodwill exercise, sometimes with implicit reference to renewal discounts. The reality is that any gap surfaced in the SAM becomes Microsoft's commercial input for the next renewal cycle, and any refusal to engage often results in escalation to a formal audit.
What triggers a SAM engagement
Microsoft's SAM targeting is data-driven. Eight signals routinely trigger a SAM letter to a customer:
| Trigger | Why Microsoft notices |
|---|---|
| EA renewal approaching (within 12 months) | Renewal is the largest commercial event; SAM findings shape renewal pricing |
| Major M&A activity | Acquisitions create licence transfer questions and deployment growth |
| Cloud migration in progress | Server licence questions and hybrid use scenarios |
| Significant Azure consumption with low M365 spend | Suggests deployment growth without commensurate licence purchase |
| Defender or Sentinel telemetry surge | Microsoft-visible deployment data that exceeds licensed scope |
| Industry sector targeting | Microsoft sector campaigns (healthcare, financial services, public sector) |
| Partner-flagged compliance signals | Microsoft CSP partners surface deployment-versus-licence mismatches |
| No formal audit in 3+ years | Cadence-based selection |
The single highest-correlation trigger is an approaching EA renewal. Microsoft account teams routinely commission SAMs 9 to 18 months before EA renewal to build the commercial input into renewal pricing. If a renewal is in your calendar, expect a SAM letter on that cadence.
What Microsoft requests
The standard SAM deliverable list spans seven categories. The customer should treat each request as scoped, not open-ended, and provide only what is contractually required. The list below reflects standard 2026 SAM partner engagement letters.
| Request category | Typical scope | Defence position |
|---|---|---|
| Active Directory user export | Full UPN export with licence assignments | Provide sample, refine scope to active users only |
| Server inventory | All Windows Server and SQL Server instances | Provide production scope only, separately tag dev/test |
| VMware deployment topology | vCenter cluster maps, host counts, vMotion configurations | Provide hard-partitioned scope only |
| Azure subscription inventory | All Azure subscriptions, Hybrid Benefit usage | Confirm contractual entitlement before sharing |
| SQL Server topology | All SQL Server installations, edition, core count, CAL deployment | Distinguish licensed vs developer vs evaluation |
| Microsoft 365 usage telemetry | Active user counts per service, Copilot adoption | Provide tenant-level only, not per-user |
| Power BI deployment | Premium capacities, Pro user counts | Confirm shared capacity vs Premium dedicated |
The customer-side counter-position on every request is the same: confirm the contractual basis for the request, provide only the minimum scope that satisfies a good-faith response, and never accept raw export requests without first running them through the customer's own SAM tool. Raw exports given to the SAM partner become Microsoft's findings input.
The customer response framework
The defensible response framework has six steps, executed in sequence. Compressing or skipping steps degrades the settlement outcome by 30 to 50 percent in our review of 80+ SAM engagements during 2024 to 2026.
Step 1, within five business days of the letter, send an acknowledgement that confirms receipt without committing to a timeline or scope. State that internal review is in progress. This is standard practice and not a refusal.
Step 2, within fifteen business days, identify the executive sponsor (CIO, CFO, or General Counsel), the internal project lead (typically a senior licensing manager or SAM lead), and the external advisor (independent licensing counsel, not the SAM partner). Establish the response governance.
Step 3, run an internal baseline before any data goes to the SAM partner. The internal baseline establishes what Microsoft is going to find, where the gaps actually exist, and what the customer's commercial response is. Going into the SAM without the internal baseline gives Microsoft the first-mover advantage on findings interpretation.
Step 4, agree the engagement scope with the SAM partner in writing. The default scope is broad. Narrow it to production deployments, exclude non-Microsoft estates, exclude any deployment under independent third-party licence, and exclude any environment that pre-dates the customer's MBSA execution date.
Step 5, manage the data flow. Every data set provided to the SAM partner must first be reviewed internally, scoped to the agreed engagement boundary, and sanitised of any deployment data that does not relate to Microsoft licences. The SAM partner is contractually committed to Microsoft; data shared with them is shared with Microsoft.
Step 6, respond to the draft findings. The SAM partner will issue a draft findings report. The customer has a contractual right to respond. The response should contest every finding with documented evidence, propose alternative classifications, and reserve the right to escalate disputed findings to formal arbitration. The draft-to-final compression on contested findings averages 25 to 45 percent.
The SAM partner is not your advisor: The SAM partner is contractually engaged by Microsoft and remunerated by Microsoft. Their professional duty is to deliver findings to Microsoft. The customer-side advisor must be independent of the SAM partner, independent of Microsoft, and engaged before the SAM partner's first request lands. Buying SAM advisory from the same firm that runs the engagement is a structural conflict.
Common SAM findings and their defence
Six finding categories dominate Microsoft SAM outputs in 2026. Each has a customer-side defence position that materially reduces the assessed claim.
| Finding category | Typical claim | Defence position |
|---|---|---|
| SQL Server core licensing on VMware | License all hosts the SQL VM could move to | Microsoft Product Terms permits per-VM core licensing; soft partitioning is Oracle's policy, not Microsoft's |
| Visual Studio Subscriptions deployment | One Visual Studio subscription per developer using the product | Subscription is per-user, but only chargeable when the user actually uses the software |
| Windows Server CAL shortfall | One CAL per user accessing any Windows Server | External Connector covers external users; multiplexing reduces internal counts |
| Microsoft 365 E5 over-deployment | Users licensed for E5 also need security add-ons | E5 includes the security stack; the add-on assertion is incorrect |
| Azure Hybrid Benefit (AHB) misuse | AHB applied without sufficient on-prem licence | Review the on-prem licence count and AHB application carefully; many findings are arithmetic errors |
| Dynamics 365 user classification | Self-Service users reclassified as Professional | Apply the official user-type taxonomy; reclassification requires specific functional access |
The SQL Server on VMware finding is the largest by claim value in 2026 SAMs. Microsoft's position in SAMs is sometimes that VMware vMotion-enabled clusters require licensing of every host the SQL VM could move to. This is a Microsoft sales position, not a Microsoft contractual position. The Microsoft Product Terms permits per-VM core licensing with Software Assurance, and the soft-partitioning argument is structurally Oracle's, not Microsoft's. Customers who accept this finding at face value pay 5x to 20x their actual exposure.
Settlement math
SAM engagements rarely result in a published assessed claim. The findings flow into the renewal commercial conversation. The customer accepts a renewal price uplift in exchange for Microsoft writing off the findings. The settlement math operates as a trade.
| Initial finding range | Typical renewal uplift accepted | Effective settlement rate |
|---|---|---|
| $500K to $2M | $200K to $600K (3-year EA uplift) | 30 to 40 percent of initial finding |
| $2M to $5M | $500K to $1.4M (3-year EA uplift) | 25 to 35 percent |
| $5M to $15M | $1M to $3.5M (3-year EA uplift) | 20 to 30 percent |
| $15M+ | Custom commercial settlement | 15 to 25 percent |
The settlement rate improves with deal size because larger settlements involve more legal scrutiny and Microsoft's appetite to litigate large licence claims is low. The defence framework targets the lower end of each settlement band, typically a 40 to 60 percent reduction against the initial finding.
Escalation to formal audit
Microsoft can escalate a SAM engagement to a formal audit under the MBSA audit clause. The trigger is typically customer refusal to engage, customer non-response to data requests, or a finding that suggests material wilful non-compliance. The formal audit is more adversarial but also more procedurally constrained.
Customers facing an escalation threat should consult independent licensing counsel immediately. The formal audit clause carries specific procedural rights for the customer, including reasonable notice (typically 30 days), business-hour scheduling, and confidentiality protections that the SAM engagement does not. The escalation threat is sometimes a negotiation tactic rather than a commitment, and the right response is procedural, not capitulation.
For audit-stage defence, see audit defence guide and Oracle audit defence for the cross-vendor playbook. For the EA-level commercial context that shapes SAM outcomes, see Microsoft EA complete guide and Copilot pricing 2026. For the broader Microsoft commercial framework, see the Microsoft vendor hub.
Data room hygiene during a SAM
The data room established for the SAM engagement is where most preventable errors occur. The SAM partner will request inventory exports, deployment maps, and user lists. The customer-side discipline is to treat the data room as a controlled environment, not a shared folder.
Four data room rules apply throughout the engagement. First, every export is reviewed by the internal SAM lead before release. Second, every file shared is logged with date, recipient, and scope. Third, no raw SQL Server Management Pack or VMware vCenter export goes to the SAM partner without manual review and scope filtering. Fourth, every data set has an explicit retention horizon agreed in writing with the SAM partner, with deletion confirmation required at close.
The data room discipline matters because the SAM partner can request the same data set multiple ways. A request for "all SQL Server installations" framed in three different ways across the engagement can yield three different exports if the data room is uncontrolled. Microsoft's findings methodology uses the highest count from the available data. Disciplined data hygiene produces consistent exports and removes the highest-count interpretation.
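The following is an added example, not code from the page or from any SAM tool, of the discipline described in the request table (production scope only, dev/test tagged separately, Developer and Evaluation editions distinguished from licensed ones) and in the four data room rules above: a raw inventory export is scope-filtered deterministically, rendered with a fixed column set, and every release is logged with date, recipient, scope, row count and a content hash so that a second request for "all SQL Server installations" reproduces byte-identical output instead of a higher count. The field names, edition sets and sample rows are all constructed for the example.

```python
"""Scope-filter a constructed SQL Server inventory export and log its release.

Added example, not from the page or any SAM tooling. Column names, the
edition sets and the sample rows below are constructed assumptions.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed raw inventory rows, as a discovery tool might dump them.
RAW_INVENTORY = [
    {"host": "sql-prod-01", "instance": "MSSQLSERVER", "edition": "Enterprise",
     "cores": "16", "environment": "prod", "cluster": "vc-prod-a"},
    {"host": "sql-prod-02", "instance": "MSSQLSERVER", "edition": "Standard",
     "cores": "8", "environment": "prod", "cluster": "vc-prod-a"},
    {"host": "sql-dev-01", "instance": "DEV", "edition": "Developer",
     "cores": "8", "environment": "dev", "cluster": "vc-lab"},
    {"host": "sql-uat-01", "instance": "UAT", "edition": "Enterprise",
     "cores": "4", "environment": "test", "cluster": "vc-lab"},
    {"host": "sql-eval-01", "instance": "EVAL", "edition": "Evaluation",
     "cores": "4", "environment": "prod", "cluster": "vc-prod-b"},
    # Non-Microsoft estate: outside the agreed engagement scope entirely.
    {"host": "pg-prod-01", "instance": "", "edition": "PostgreSQL",
     "cores": "8", "environment": "prod", "cluster": "vc-prod-a"},
]

# Constructed edition sets (assumption, not Microsoft's official taxonomy).
MICROSOFT_EDITIONS = {"Enterprise", "Standard", "Web", "Developer", "Evaluation", "Express"}
NON_CHARGEABLE_EDITIONS = {"Developer", "Evaluation", "Express"}

# Fixed release shape: the same columns every time, nothing extra (no cluster map).
RELEASE_COLUMNS = ["host", "instance", "edition", "cores", "licence_class"]


def scope_filter(rows):
    """Split raw rows into (production release rows, separately tagged dev/test rows).

    Rows are sorted first so repeated runs produce identical output.
    """
    release, devtest = [], []
    for row in sorted(rows, key=lambda r: (r["host"], r["instance"])):
        if row["edition"] not in MICROSOFT_EDITIONS:
            continue  # non-Microsoft estate is excluded from the data room
        if row["environment"] != "prod":
            devtest.append({**row, "licence_class": "dev_test"})
            continue
        licence_class = ("non_chargeable" if row["edition"] in NON_CHARGEABLE_EDITIONS
                         else "licensed")
        release.append({"host": row["host"], "instance": row["instance"],
                        "edition": row["edition"], "cores": row["cores"],
                        "licence_class": licence_class})
    return release, devtest


def to_csv(rows):
    """Render release rows with the fixed column set and a fixed line terminator."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=RELEASE_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({col: row.get(col, "") for col in RELEASE_COLUMNS})
    return buf.getvalue()


def licensed_core_total(release_rows):
    """Internal baseline figure: cores on editions that are actually chargeable."""
    return sum(int(r["cores"]) for r in release_rows if r["licence_class"] == "licensed")


def log_release(manifest, filename, recipient, scope, content, when=None):
    """Append a data room log entry: date, recipient, scope, row count, content hash."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "date": when.isoformat(timespec="seconds"),
        "file": filename,
        "recipient": recipient,
        "scope": scope,
        "rows": content.count("\n") - 1,  # minus the header line
        "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
    }
    manifest.append(entry)
    return entry


def release_sql_inventory(manifest, recipient, when=None):
    """Run the full release path: filter, render, log. Returns (prod, devtest, entry)."""
    prod, devtest = scope_filter(RAW_INVENTORY)
    content = to_csv(prod)
    entry = log_release(manifest, "sql_inventory_prod.csv", recipient,
                        "SQL Server, production only, Microsoft editions", content, when)
    return prod, devtest, entry


if __name__ == "__main__":
    manifest = []
    prod, devtest, entry = release_sql_inventory(manifest, "sam-partner (constructed)")
    print(to_csv(prod))
    print("dev/test tagged separately:", [r["host"] for r in devtest])
    print("licensed cores in baseline:", licensed_core_total(prod))
    print("manifest entry:", entry)
```

The hash in the manifest is what makes the third and fourth data room rules enforceable: if a later request for the same data set yields a different digest, something in the filter or the source changed and the release should be held until the difference is explained.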
Action for customers with a SAM letter
If a SAM letter has landed, three actions are urgent. First, do not respond substantively until the internal baseline is complete and the response governance is established. Acknowledge receipt without commitment. Second, engage independent licensing counsel within 10 business days. The most expensive SAM outcomes correlate with delayed external engagement. Third, run the internal baseline against the customer's own data, not the SAM partner's requested data. The baseline determines what is actually exposed, and the response framework flows from that.
The defence framework, executed from receipt through settlement, typically takes 6 to 9 months. Microsoft SAM engagements that close in under 6 months on the customer side tend to close at the high end of the settlement range. Time is the customer's friend in a SAM, not Microsoft's. For engagement, see our vendor audit defence and software licensing advisory.