Microsoft Audit & SAM Engagements Daryl Ullman, Co Founder & Chief Consulting Officer daryl@emerset.com US Tel 646-475-2103 UK Tel 44-203-318-3611
About Emerset We do one thing Software Licensing
Agenda What is a Microsoft Audit? Audit Process Audit Mitigation Summary Q&A
What is a Microsoft Audit THIS DOCUMENT CONTAINS THE CONFIDENTIAL INFORMATION OF EMERSET LTD. AND IS PROTECTED BY INTERNATIONAL COPYRIGHT LAWS. DISCLOSURE OR COPYING OF THE CONTENT OF THIS DOCUMENT IS PROHIBITED. Emerset Consulting Group Inc. 2016. All rights reserved.
What is a Licensing Audit? Whenever you install a Microsoft product, whether as an individual or a corporation, you agree to comply with the terms of the End User License Agreement (EULA), which specifically grants Microsoft the right to dictate how you use the software and also grants them permission to audit the use of their product(s). A Microsoft Licensing Audit can take the form of: 1. A self-audit 2. An on-site audit 3. Possibly an automated script query in which the results are sent back to the auditor (in many cases, a Microsoft partner).
BSA WHO? This too is Microsoft. The BSA (aka The Software Alliance) is a consortium of many of the world's largest software companies whose objective is to reduce software copyright infringement. It is well-funded by member companies and through the settlements it wins against offending companies. One of the main ways in which the BSA learns of piracy is via disgruntled employees. They have run campaigns such as the above "Nail Your Boss!"
Why Are Audits Increasing? The terms of your Volume Licensing (VL) Agreement grant Microsoft the right to perform an audit once each year with 30 days' notice. Microsoft's policy dictates that Select, SPLA, ISV, Open, and Enterprise Agreement (EA) customers should expect an audit at least once every three years. Volume licensing generates a significant $40 billion + annually for Microsoft, and there is literally no cost to Microsoft to request and enforce an audit (especially if you are found to be more than 5% out of compliance), so don't expect to pass under the Microsoft audit radar. There is also increased pressure to close the revenue gap in the midst of Microsoft's transition to the cloud.
What Are The Risks Of An Audit? Unbudgeted spend; Audit cost; Legalization penalties; Allocation of unplanned resources; Management focus; Negative PR; Legal Action; Damaged vendor relationship
Types Of Audits Don't be mistaken; these are all audits: License Review SAM Self Audit Independent Auditor
Audit Initiation MS Compliance Group/Employee or MS Sales rep. Independent auditor or self audit (SAM) Audit Letter 30 day notice Start of Audit
Microsoft's Audit Rights Business and Services Agreement paragraph 8. Verifying Compliance.
Microsoft is out to get me. Why should I cooperate with their audit request? Microsoft is definitely not out to get you. The company attempts to audit all of its Volume Licensing customers once every three years, and a recent survey found that nearly 60 percent of respondents reported getting audits from Microsoft within the last year. In most cases, this is in the form of a Software Asset Management (SAM) Review in which you would be asked to perform a self-inventory of installed software to ensure that it is all appropriately licensed.
Audit Process
Audit Process Notification Letter to your CIO and/or CFO. Microsoft License Review = Microsoft License Objective to determine compliance issues Single Point of Contact Kick Off Meeting / Call Audit! ($) and cross/upsell opportunities ($)
Audit Notification Don't be mistaken. This is an Audit!
What kinds of things do I need to inventory for a Microsoft Audit? Your organization has to account for: OEM licenses; Servers data; Employee-owned devices (including home PCs, tablets, and smartphones); Retail purchases; Legacy systems; Vendor-owned machines running organizational software; Vendors that have access to internal applications and customer-facing applications; DR servers; Development and test environments
Microsoft Audit Process - Entitlements What documents do you need to prepare? License Statement, Microsoft Business & Service Agreement (MBSA), Enterprise Agreement, Enterprise Enrollment, EAP, ECI, SCE, Open, Partner Licenses, OEM Licenses, Reseller Invoices
Microsoft Audit Process Data Collection: Independent Auditor; Self Inventory / SAM; Self developed scripts; MAP Tool / SCCM or 3rd party tools. A Software Asset Management (SAM) tool may be a good place to start, but there will almost certainly be additional work required to obtain an accurate and comprehensive usage assessment. Most inventory tools don't account for CAL types, nor do they perform adequate analysis of virtual scenarios or remote or employee-owned devices, including home PCs, tablets and smartphones. Differentiating between OEM licenses and retail purchases is also nearly impossible to do with only a SAM tool.
Microsoft Audit Process Data Collection I'm using the Microsoft Assessment and Planning tool (MAP). Does this cover me in case of an audit? It is unlikely your company will ever be able to rely solely upon automation tools to conduct an accurate licensing or software inventory. Microsoft offers a free Assessment and Planning Toolkit (MAP) which leverages SWID (Software Identification Tags). The MAP Toolkit is quite effective in determining software installed on-premises and can be a good starting point for a software inventory, but it will not provide a comprehensive list of devices or users who may access on-premises systems.
Microsoft Audit Process - ELP
Final deliverable from the auditing company - Effective License Position document (ELP)
Qualified Device Count 13584
Qualified User Count 13038
Incomplete Items: MSDN machines; Visual Studio user analysis; SQL Server developer user analysis
Product Version Deployment Entitlement Active SA Entitlement Minus Deployment Downgraded from Reconciliation Downgraded to Net Licensing (After Downgrades)
Core CAL - Qualified Users: Windows Server, Exchange Server Standard, SharePoint Server Standard, *SharePoint Server Enterprise, Lync Server Standard, System Center Configuration Manager, System Center Endpoint Protection: 13,038 15,000 15,000 1,962 1,962
Win Pro - Qualified Devices
Windows Enterprise w/ MDOP: 13,584 15,000 15,000 1,416 1,416
Windows Server
Windows Server Datacenter 2012 R2: 84 89 89 5 5
Windows Server Datacenter 2008 R2: - - - -
Windows Server Standard 2012 R2: 462 714 50 252 252
Windows Server Standard 2012: - - - -
Windows Server Enterprise 2003 R2: - 2 2 2
Windows Server Enterprise 2003: 3 11 8 8
Windows Server Enterprise 2000: - 8 8 8
Windows Server Standard 2008 R2: 1 1 - -
Windows Server Standard 2008: - - - -
Windows Server Standard 2003 R2: - 129 129 129
Windows Server Standard 2003: 5 302 297 297
Windows RDS Device CAL 2012: 5,329 6,200 871 871
Undergoing An Audit? Things To Consider: Data confidentiality. Which results are shared when, and with whom from Microsoft Sales? Can data gathered leave your premises? What is the performance impact of the Microsoft Audit tools proposed? Questions to ask the auditor: Why is this data collected? What data will be collected? From where is this data collected? How will this data be used? What will Microsoft do with the data collected? Where will Microsoft store the data collected? Who can access the data collected? What will happen with the data at the end of the audit?
Audit Mitigation
Why Is An Audit So Complex To Mitigate? Office 365 vs. on-premise; Server Virtualization; BYOD; Desktop Virtualization
Microsoft Audit Process Settlement Letter License Inventory
Who Pays The Cost Of An Audit? Typically you, the customer, incur most or all of the cost of the audit. If the audit reveals that your organization is using greater than 5% more than you have licensed, you, the Microsoft customer, will be required to pay legalization prices for all unlicensed products plus the cost of the audit. You may also be required to pay a fine if you are under-licensed. A recent study found that more than half of respondents reported audit fees of $100,000 or more, and more than 20 percent of organizations reported true-up costs of $1 million or more.
Audit Mitigation Common Auditing Errors: Device CALs vs. User CALs (audit counted all devices and did not recognize that many were licensed under User CALs). Multiple versions of Visio and Project (Standard and Pro on the same machine, a new and old version that wasn't removed when the product was upgraded). Inactive users within Active Directory that haven't been removed. BYOD devices that were counted as organizational devices. Use of wrong licensing metrics for SQL Server Windows Servers. Failure to recognize historical entitlements (products purchased 3-9 years ago). Licenses from mergers and acquisitions.
Summary
Common Misunderstandings & Issues: Not cooperating or delaying a Microsoft Audit is ok!? Misinterpreting a SAM review. End users being reactive in terms of managing Microsoft licenses and becoming (too late) active/pro-active at the start of an Audit. "We are using Microsoft's MAP tool so we are compliant." It's all in the details: - No clarity on the real license entitlements - No clarity on the real license deployment and licensable usage
Internal Preparedness For The Audit Risk Assessment Share and manage risks and potential outcome with management Internal Governance, Communication and Escalation Model Microsoft internal project team Project Manager Legal IT Vendor Manager Steering Committee C-level / Board Members Internal communication plan (data leakage prevention)
Additional Reading www.emerset.com/resources
Q&A