Microsoft's approach to software compliance differs fundamentally from Oracle's and SAP's — and that difference creates different risks. While Oracle and SAP conduct formal compulsory audits, Microsoft operates primarily through the Software Asset Management (SAM) programme: a network of Microsoft-certified SAM partners who offer "free" compliance reviews to enterprise customers. These engagements are positioned as a customer benefit. They are, structurally, data collection exercises that create the compliance findings Microsoft uses to generate incremental licence sales at renewal.
Understanding how the SAM programme works — and how to participate in it without creating unnecessary exposure — is one of the most important Microsoft management skills for enterprise IT leaders. This guide covers the SAM engagement mechanics, the specific products that drive compliance risk in 2026, and the defence approach for organisations facing a SAM-initiated compliance finding. For the broader audit defence framework, see our Software Audit Defence Guide. For the full Microsoft commercial landscape, our Microsoft EA complete guide provides essential context.
How Microsoft SAM Engagements Actually Work
A Microsoft SAM engagement begins with an invitation — typically from your Microsoft account team or a SAM-certified partner — to participate in a "complimentary licence compliance review." The framing is proactive, customer-centric, and positioned as risk management rather than an audit. This framing is not entirely false: the SAM process does identify compliance issues. But it also identifies them in a way that consistently produces findings that benefit Microsoft commercially.
The SAM partner deploys a discovery tool — typically Microsoft Assessment and Planning Toolkit (MAP) or a commercial equivalent — that collects deployment data from your environment. The data is analysed against Microsoft's product use rights (PUR) and the results are presented in a SAM Assessment report showing compliance status across your Microsoft estate.
The SAM Report and What Happens Next
A SAM Assessment that identifies compliance shortfalls generates a licence "delta" — the gap between installed and licensed quantities. This delta is translated into a purchase requirement, typically framed as a discounted purchase available through the engagement. The discount is real but limited, and the purchase requirement is calculated using Microsoft's standard retail pricing as the baseline — not the Enterprise Agreement pricing the customer typically pays.
Organisations that accept the SAM report at face value and proceed to purchase based on the identified delta consistently overpay. The delta calculations routinely include: products counted at full licence requirement that are covered by existing SA, Unified, or OEM entitlements; products where the deployment evidence is ambiguous; and products where alternative licence counting approaches (device-based vs user-based) would produce materially different results.
The SAM Engagement Decision: Whether to accept a SAM engagement invitation should be a business decision, not an IT reflex. Participation is voluntary for most enterprise customers. Before accepting, assess your likely compliance position in the key Microsoft product areas (M365 tier compliance, SQL Server virtualisation, Azure EA commitment status) and determine whether the SAM process is likely to produce findings that cannot be effectively challenged. If significant exposure exists, addressing it proactively before the SAM engagement produces more favourable outcomes than allowing the SAM process to document it first.
The Four Microsoft SAM Risk Areas in 2026
SAM engagements in 2026 concentrate on four product areas that account for the majority of enterprise Microsoft compliance exposure.
Microsoft 365 Tier Compliance
Users assigned M365 E3 licences who are using E5 features (advanced security, Purview, Copilot) represent the most common Microsoft compliance finding. The E3/E5 boundary is particularly porous in security and compliance workloads.
Azure EA Commitment Consumption
Azure consumption that exceeds EA monetary commitments is invoiced at list price. Customers who over-committed or under-consumed Azure EDP or EA Azure credits face asymmetric exposure at year-end true-up.
SQL Server Virtualisation
SQL Server deployed in VMware clusters requires per-core licensing at the cluster level unless the deployment qualifies for hard partitioning. The rules mirror Oracle's virtualisation exposure but are less well-known.
Microsoft Copilot Usage
Microsoft 365 Copilot requires an M365 E3 or E5 base licence plus a Copilot add-on. Organisations where Copilot has been deployed to users without the add-on face per-user shortfall claims that can be substantial in large deployments.
Microsoft 365 E3 vs E5: Where SAM Findings Concentrate
The Microsoft 365 licence tier boundary is the most active source of SAM compliance findings in enterprise environments in 2026. The E5 tier includes advanced security capabilities (Defender P2, Sentinel SIEM integration, Purview Information Protection), advanced compliance tools (eDiscovery Premium, Audit Premium), and the Microsoft 365 Phone System — capabilities that many organisations have activated on E3 licences without upgrading. SAM detection of E5 feature usage on E3-licensed users is straightforward, producing findings that are reliable but nonetheless contestable.
The counter-position is nuanced: Microsoft 365 feature activation does not always constitute use. An organisation that has enabled Defender P2 at the tenant level but where users are not actively using P2-specific capabilities may have a legitimate argument that E5 features are not being "used" within the meaning of the PUR. Our Microsoft E3 vs E5 cost analysis and Microsoft security licensing guide provide the framework for assessing whether an E3-to-E5 upgrade is legally required or commercially preferable.
SQL Server in Virtualised Environments
SQL Server Enterprise Edition deployed in VMware clusters faces the same hard partitioning issue as Oracle — without the same level of customer awareness. Microsoft's product use rights require that SQL Server be licensed for all cores in a VMware cluster unless the deployment meets hard partitioning requirements that VMware does not satisfy by default. Organisations running SQL Server on VMware without cluster-level core licensing have exposure that SAM engagements reliably identify.
The defence approach — documenting VMware cluster configuration and workload isolation — is the same as for Oracle. The Azure Hybrid Benefit further complicates SQL Server compliance in hybrid environments: organisations using AHB must have active Software Assurance coverage on all SQL Server licences used under AHB, and SAM engagements frequently identify AHB usage without corresponding SA coverage. Our SQL Server licensing guide and Azure Hybrid Benefit guide provide the relevant compliance framework.
Managing SAM Without Creating Leverage for Microsoft
The most effective Microsoft compliance management strategy is not to avoid SAM engagements indefinitely — it is to ensure that when a SAM engagement occurs (voluntarily or under EA audit rights), you are prepared to contest the findings effectively and control the commercial outcome.
Pre-SAM Compliance Assessment
An internal compliance assessment conducted before a SAM engagement — using the same methodology Microsoft's SAM partner will deploy — provides the information necessary to contest SAM findings before they become formal documentation. The internal assessment identifies genuine shortfalls that should be remediated and methodology differences that should be challenged.
Key areas to assess internally: M365 licence tier compliance using Microsoft 365 Admin Centre usage data and Entra ID licence assignment data; SQL Server deployment inventory including virtualisation host configuration; Azure consumption versus committed EA spend; and any third-party products subject to Microsoft licensing (Teams Phone, Power Platform premium features, Dynamics 365).
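The internal assessment described above can be encoded so that it is repeatable before every SAM invitation. The following Python script is an added example, not code from this guide, from Microsoft, or from any SAM tooling. It runs over constructed in-memory records standing in for the Entra ID licence-assignment export, the usage data, and the virtualisation host inventory; the record layouts, field names and feature identifiers are hypothetical. It applies the rules the guide states: an E3 user with usage evidence for an E5-only feature is a genuine shortfall, an E3 user where an E5 feature is merely tenant-enabled is a contestable finding, Copilot use without the add-on is a per-user gap, a VMware cluster with any non-hard-partitioned SQL Server VM is counted at all physical cores, AHB use without active SA is flagged, and the delta is computed only after crediting existing entitlements the SAM report may omit. The four-core-per-VM minimum is Microsoft's per-core rule and is not stated on the page.

```python
"""Internal pre-SAM assessment over constructed licence exports (added example).

Record layouts, field names and sample data are constructed for illustration;
they are not Microsoft, MAP, Entra ID or SAM-partner export formats.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# E5-only capabilities named in the guide; the identifiers are constructed.
E5_ONLY = frozenset({"DefenderP2", "Sentinel", "PurviewIP",
                     "eDiscoveryPremium", "AuditPremium", "PhoneSystem"})
MIN_CORES_PER_VM = 4  # Microsoft's per-core minimum for a VM (not from the page)


@dataclass(frozen=True)
class User:
    upn: str
    base: Optional[str]                      # "E3", "E5" or None (no base licence)
    addons: frozenset = frozenset()          # add-ons assigned, e.g. {"Copilot"}
    tenant_enabled: frozenset = frozenset()  # features switched on at tenant level
    used: frozenset = frozenset()            # features with per-user usage evidence


@dataclass(frozen=True)
class Host:
    name: str
    cluster: str
    cores: int                               # physical cores on the host


@dataclass(frozen=True)
class SqlVm:
    name: str
    cluster: str
    vcores: int
    hard_partitioned: bool = False           # VMware does not provide this by default
    ahb: bool = False                        # licensed under Azure Hybrid Benefit
    sa: bool = False                         # active Software Assurance on the licences


def assess_m365(users):
    """Classify users the way a SAM partner would, but keep the contestable cases separate."""
    out = {"e5_required": [], "contestable": [], "copilot_gap": []}
    for u in users:
        if u.base == "E3":
            if u.used & E5_ONLY:                 # usage evidence: genuine shortfall
                out["e5_required"].append(u.upn)
            elif u.tenant_enabled & E5_ONLY:     # enabled only: activation is not use
                out["contestable"].append(u.upn)
        if "Copilot" in u.used and (
                "Copilot" not in u.addons or u.base not in ("E3", "E5")):
            out["copilot_gap"].append(u.upn)
    return out


def sql_cores_required(hosts, vms):
    """Core licences required per cluster under the cluster-level rule in the guide."""
    cluster_cores = defaultdict(int)
    for h in hosts:
        cluster_cores[h.cluster] += h.cores
    by_cluster = defaultdict(list)
    for vm in vms:
        by_cluster[vm.cluster].append(vm)
    required = {}
    for cluster, members in by_cluster.items():
        if all(vm.hard_partitioned for vm in members):
            # Hard-partitioned: count each VM's vCPUs, subject to the per-VM minimum.
            required[cluster] = sum(max(vm.vcores, MIN_CORES_PER_VM) for vm in members)
        else:
            # Any unpartitioned SQL VM drags the whole cluster into scope.
            required[cluster] = cluster_cores[cluster]
    return required


def ahb_without_sa(vms):
    """VMs claiming Azure Hybrid Benefit without the SA coverage AHB requires."""
    return [vm.name for vm in vms if vm.ahb and not vm.sa]


def licence_delta(required, entitled, credits):
    """Shortfall after crediting SA/Unified/OEM entitlements a SAM report may ignore."""
    return max(0, required - entitled - credits)


# Constructed sample exports.
SAMPLE_USERS = [
    User("alice@example.test", "E3", tenant_enabled=frozenset({"DefenderP2"}), used=frozenset({"Teams"})),
    User("bob@example.test", "E3", used=frozenset({"PurviewIP"})),
    User("carol@example.test", "E5", addons=frozenset({"Copilot"}), used=frozenset({"DefenderP2", "Copilot"})),
    User("dave@example.test", "E3", used=frozenset({"Copilot"})),
    User("erin@example.test", "E3", tenant_enabled=frozenset({"PhoneSystem"}), used=frozenset({"PhoneSystem"})),
]
SAMPLE_HOSTS = [Host("esx01", "vmw-prod", 32), Host("esx02", "vmw-prod", 32), Host("esx03", "vmw-iso", 16)]
SAMPLE_VMS = [
    SqlVm("sql01", "vmw-prod", 8, ahb=True, sa=False),
    SqlVm("sql02", "vmw-prod", 4, sa=True),
    SqlVm("sql03", "vmw-iso", 2, hard_partitioned=True),
]


def run_assessment(users=SAMPLE_USERS, hosts=SAMPLE_HOSTS, vms=SAMPLE_VMS, entitled_cores=40, credit_cores=8):
    """Bundle the checks into one report; the entitlement figures are constructed."""
    cores = sql_cores_required(hosts, vms)
    return {
        "m365": assess_m365(users),
        "sql_cores_required": cores,
        "sql_core_delta": {c: licence_delta(n, entitled_cores, credit_cores) for c, n in cores.items()},
        "ahb_without_sa": ahb_without_sa(vms),
    }


if __name__ == "__main__":
    for section, result in run_assessment().items():
        print(section, result)
```

The point of keeping `contestable` apart from `e5_required` is that a SAM report will typically merge the two into one delta; the internal assessment should show which users would survive a methodology challenge and which represent shortfall that is better remediated before the engagement documents it.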
SAM Partner Selection
When participating in a SAM engagement, you have the right to select the SAM-certified partner conducting the review. Not all SAM partners have equal incentives: those most closely aligned with Microsoft account teams tend to produce findings that favour Microsoft commercial outcomes. Selecting an independent SAM partner — or requiring that the engagement methodology be shared and agreed in advance — provides meaningful protection against methodology-driven overcounting.
Contesting SAM Findings
SAM findings are not binding until you agree to them. The finding presentation is the beginning of a negotiation, not the end of a compliance process. Technical challenges to methodology, entitlement credits, and alternative counting approaches consistently reduce initial SAM findings by 20–40%. Advisory firms with former Microsoft SAM professionals — including Redress Compliance — provide the methodology knowledge and commercial negotiation support that consistently produces better SAM engagement outcomes for enterprise clients.
For Microsoft-specific negotiation strategy, including the EA renewal framework and the MACC commitment approach, see our Microsoft EA complete guide, Microsoft Azure Consumption Commitment guide, and our Microsoft advisory practice. Our Microsoft Licensing Guide white paper provides the comprehensive reference for enterprise Microsoft compliance management.