Organizations with Enterprise Agreements (EA) should consider negotiating protections or special discounts up front to avoid compliance issues likely associated with Microsoft cloud services.

That’s the gist of a talk by Rob Horwitz, cofounder of Directions on Microsoft, an independent consultancy based in Kirkland, Wash. The Thursday public Web presentation, “Microsoft Cloud Compliance Risk,” was described as “speculative,” and “some of it could be wrong.” However, it’s based on how Microsoft’s current audit practices are applied to premises-installed software, and how those practices could affect organizations that use Microsoft’s services. Horwitz said that the talk represented Directions on Microsoft’s “early thinking on the issue.”

Directions on Microsoft specializes on Microsoft software issues, with a focus on licensing. It offers advice, publications and runs a series of Microsoft Licensing Boot Camps, as described here.

Currently, Microsoft doesn’t build compliance warnings into its software and services. Horwitz, who, along with other Directions on Microsoft analysts, formerly worked at Microsoft, said that there are many reasons why compliance checks for customers aren’t built into Microsoft’s software. License compliance is not Microsoft’s first priority, and the company doesn’t want to raise alarms. In addition, packaging and licensing issues can get decided late in the game, which doesn’t give the technical people enough time to address it. Lastly, the licensing is handled by different folks from the technical people, he said.

Horwitz noted that Office Professional Plus and SQL Server are examples of products that have no internal compliance checks. Microsoft decides when their use complies with the rules via audits. A high percentage of the time, auditors find compliance violations. This approach turns out to be a revenue generator for Microsoft, both directly and indirectly. It helps move customers in the right direction from Microsoft’s perspective, which is toward subscription-based licensing associated with its services, which provides Microsoft with a constant annuity stream. Compliance shortfalls are used by Microsoft as leverage. For example, if a customer is reconsidering an EA renewal, Microsoft can negotiate based on the customer’s compliance record.

Four Compliance Risks
Horwitz then proceeded to classify four kinds of risks that organizations face should they tap Microsoft’s services, even in the slightest way. The risks include:

– Mixing levels of the same service
– Hybrid deployments, where some users have subscriptions to services but some don’t
– “Multiplexing” or indirect access
– The use of Azure Virtual Machines

On the first compliance risk, mixing levels of the same service, Horwitz said that having a subscription to one high-end SKU or product could break the rules for others in an organization. One example is the Azure Active Directory service, which Horwitz described as “a good poster child for cloud license compliance issues.” It has Basic, Premium Plan 1 and Premium Plan 2 subscriptions, but Microsoft Online Services documentation is often obscure about the consequences if premium features get turned on for just some users.

One example of subscription mixing is the use of Azure AD Identity Protection, which is a service that detects anomalies indicating compromise, such as two log-in attempts from different geographic locations. Azure AD Identity Protection is a feature exclusive to Azure AD Premium Plan 2. If an organization has a subset of users on it, the feature is automatically turned on tenancy wide, and non-Premium Plan 2 users will be accessing the service as well. Another potential risk for getting a subscription mixing violation is the use of Office 365 Advanced Threat Protection (ATP), which works with Exchange Online Protection to detect previously unknown malware. The Office 365 ATP service requires the use of Office 356 Enterprise E5 or standalone user software licensing.

Hybrid deployments, the second risk factor described by Horwitz, entail risks for organizations when some users have subscriptions to Microsoft Online Services but others don’t. For instance, if only a subset of users in an organization have subscriptions to Azure AD, then the users without Azure AD subscriptions can still log onto the Azure AD subscription portal. If they do, then they are accessing that feature in Microsoft’s eyes and thus are noncompliant. Horwitz also pointed to the Exchange Online Protection service, which is licensed via an Exchange Online subscription and Exchange Server Enterprise Client Access Licenses with Software Assurance. All mailboxes can benefit from Exchange Online Protection, but not all users might be licensed.

The third issue, multiplexing or indirect access, is more obscure. No Microsoft document defines what it means, Horwitz explained. He defined it as a user that experiences any effect when a product is shut off. He pointed to Power BI as an example. It pulls data and may access Project Online or Dynamics 365 indirectly, and that requires licensing.