RSS

Tag Archives: SPLA Compliance

SPLA Partners: It’s time to be proactive

01 Apr

One of the issues with SPLA is that the program is very reactionary. You report in the arrears, you bill clients based on what they used previously, and no one cares about compliance until you receive an audit notification. It’s time to be proactive in this reactionary world.

With over 20 years of experience working with cloud providers in various capacities, one thing they all have in common is the challenges of licensing. For many organizations, they license the same thing month after month, without any data or understanding of why, solely for convenience. When you are audited, there is a typical 3-year lookback period. If you do not understand the licensing requirements, you will be charged a penalty for licenses not reported during that period. That tells me two things: 1) You are out of compliance and will owe a significant unbudgeted expense. 2) You are not charging your customers correctly, either.

For a moment, set aside the compliance risk and consider how long it takes your sales organization to close a deal. Most sales cycles are typically 3-6 months. You spent all that time, resources, and education to land that customer. Fast-forward 3 years, and all along, you have been charging them incorrectly. You are then faced with either telling the customer they owe for those licenses (which is unlikely, as the customer will likely just leave) or you are forced to absorb the costs. That’s why it’s crucial to be proactive before audit time. In addition, this is your opportunity to eliminate risk before it becomes a risk.

How do you become proactive? It’s important to understand what you have installed now. You can do this by running scripts. If you were audited in the past, most auditors provide this script; if not, I have one used for audit purposes that I can send to you. The tool/script is only one side of the story, though. You have to understand how to connect what is installed to the licensing rules. We perform this analysis by creating an Effective License Position (ELP) report. It will show what you should be reporting now and potentially what you would owe if audited based on your SPLA usage report. We can correct the mistakes now and provide education to your customers about their options if for whatever reason what they are doing does not meet the licensing rules (as an example, no software assurance).

What you need is not a tool, what you need is a SAM program to help you create processes and policies now rather than later. Think about this, if you are reporting 100k a month or 5k a month, don’t you want to ensure it is right?

Have a question about this or other topics or would like to review more, please email info@splalicensing.com Together, we can navigate the treacherous waters called Microsoft licensing.

Thanks for reading,

SPLA Man

 
Leave a comment

Posted by on April 1, 2025 in Compliance

 

Tags: , , , , ,

Interview with John and SPLA Man

18 Sep
Interview with John and SPLA Man

I asked a hoster (large provider who wants to remain anonymous but used John as a alias) about all the changes at Microsoft and beyond. Here’s the reduced version of the transcript. I will post the video later.

Interview Q & A on everything hosting. Audits, CSP, Flexible Virtualization, More Audits 🙂

SPLA Man: Thank you, John for joining us today to talk about SPLA. Let’s start off on your background. You were a software engineer focusing on software development for a small ISV back in the early 2000’s If I understand this correctly. How in the world did you end up getting mixed up with SPLA? (Laughs)

John: (laughs) I do not know. When I graduated from Georgia Tech, I went to work for small firm in Atlanta, Georgia. We were building a financial application specifically for the banking industry. It was a massive undertaking but also took up A LOT of processing power to install it, on premise. We decided to host it from a datacenter we partnered with locally to provide it more or less like software as a service. When we did that, we didn’t really consider the licensing.

SPLA Man: In walks SPLA (chuckles)

John: Exactly. I still remember getting an email from Microsoft asking us about our product. Ironically, I was actually thinking they were going to partner with us but it turned out to be an audit inquiry.

SPLA Man: Oh no! How did they know what you were doing?

John: I asked them the same question, they found a marketing brochure we posted on our website that talked about hosting the application to customers. I guess they could see we didn’t have a SPLA Agreement.

SPLA Man: Ok. Before we go further, let’s take a step back, we will go through the audit, I am sure the audience will appreciate the feedback there. But going back to your career. You started off working for a small, I guess for no lack of a better word, ISV. How long did you work there?

John: I was there for a few years and it was eventually acquired by another software developer firm. I ended up resigning and going back to school to get my MBA. Once I graduated with my MBA, I went to work for a large datacenter, an infrastructure provider here locally as head of product development and datacenter management. I still work there today 15 years later. (Laughs)

SPLA Man: And I assume they had or have a SPLA agreement?

John: Yeah, that’s where I drew the short straw and took over managing SPLA. Reporting to our distributor and working with Microsoft and our customers.

SPLA Man: What year was this when you graduated and started managing SPLA?

John: I graduated in 2008, so right around then is when I took over the licensing along with other responsibilities.

SPLA Man I was going to ask, what portion of your day do you spend on licensing related inquiries and what was spent on your leadership responsibilities or whatever you were originally hired to do?

John: (Laughs) I actually spent more time on licensing. Back then it was so confusing, it still is I suppose. There’s very few people who knew SPLA, that’s actually how I found you. I thought SPLA Man was nuts.

SPLA Man He is. (Laughs) But going back to your career, as a developer, was licensing ever a consideration? I always used to say, figure out the licensing first and then build the solution. But now with all the options it is the opposite.

John: I think, well, to answer your question, no. I never considered licensing. I knew licensing, actually let me rephrase, I heard of licensing, but I was hired to build applications. Licensing I always thought was something we would just document in our own terms and conditions or we would be informed by Microsoft.

SPLA Man: You mentioned you worked with Microsoft. How was that relationship?

John: My first job as a developer we didn’t work with them much. Later on with my current company, it was good. We would go to Seattle for their hosting conferences, I had a Microsoft rep who worked with us at the partner level. Any licensing questions we were told had to go through our reseller. It is still like that today.

SPLA Man: You still work with Microsoft or you have to get licensing advice from your reseller?

John: I only work with Microsoft for CSP. Licensing, I turn to you. (Laughs)

SPLA Man: Very nice. Alright, let’s go back to the audit.

John: (Laughs) Do we have to?

SPLA Man: Well, we don’t but I’m curious on your experience.

John: Alright. Well we were actually audited twice. Originally back, in I guess, 2006 or so we were audited because we were not using SPLA at all. We just bought the licenses outright from the direction of our distributor.

SPLA Man: Oh man. Were you mad with the distributor?

John: Nah. It wasn’t their fault. They weren’t even authorized for SPLA to begin with. I blamed our Microsoft rep. That didn’t really help.

SPLA Man : What was your experience like?

John: The first audit wasn’t bad. It’s not like our environment was huge, we owed money but we used the delta between what we purchased and what we owed by SPLA. The good news back then was that we were audited by Microsoft directly. In our second audit with my current company we were audited by KPMG.

SPLA Man: Couldn’t you argue for self-hosted in your first audit?

John: That information would have been helpful, SPLA Man. Just kidding. Well, self-hosted I am not even sure was around back then and we didn’t have software assurance. If we knew SPLA, it actually would have benefited us. Pay as you go fits well.

SPLA Man: So you were audited with your new company. Was the experience different?

John: Big time. We’re a much larger environment, thousands of VMs. It was a mess.

SPLA Man: How did you do your reporting?

John: So here I do blame our distributor a little bit. We used a script to track installments. We would then report to our distributor monthly. They did not have an online platform to submit it so we did it manually via a spreadsheet. It was never processed on their end and I believe that triggered the audit initially.

SPLA Man: Maybe. I think it is more based on revenue but if you do not report no matter who is at fault, Microsoft or any publisher will know. The thing with audits especially using an audit firm, Microsoft is going to want a return on their investment. Small datacenters get ignored in audits but won’t get audited because the return isn’t there. I’m guessing thats why you were not audited by KPMG in your first audit.

John:  You are probably right. 

SPLA Man:  So you were doing things manually, more or less. What was the audit process like?

John:  I didn’t work with Microsoft that much, mostly the auditor. And I get it; they are just doing their jobs, but it wasn’t fun. 

SPLA Man:  Can you explain? 

John:  You didn’t think this would be fun, did you SPLA Man? I’m kidding. It was really the time and effort. As we said, we were doing things manually. We didn’t have a process. So when the auditors asked us for information, we used their tooling system and sent all the data back to them. We thought, here’s our reporting, it’s all there. Which, in hindsight, was a mistake.

SPLA Man:  Oh wow. You sent them just the raw report of all installations?

John:  Yes, we wanted to finish this and move on. So we thought, “Here, take everything and tell us what we owe if anything.” We had no idea we were out of compliance.

SPLA Man:  So what was the outcome?

John:  I won’t explain specifics, but it was seven figures. Completely shocked.

SPLA Man:  So you just wrote a check and called it a day?

John: I wouldn’t make it that simple. In the end, we did owe the amount, but we broke it up and did an Azure commit for some of it.

SPLA Man:  How long did the audit last?

John:  Start to finish? Probably about a year.

SPLA Man:  So then what? Like how did you know what to commit for Azure?

John:  We didn’t, but we sure as heck were not going to write a check.

SPLA Man. Okay, so I guess what were the next steps?

John:  We worked with you. We had to get a plan. You recommended Octopus to help manage the licenses. It helped keep track of the deployments and streamlined, I guess, the process for us. We still have to understand the licensing, but the overall collection of data and billing helped us.

SPLA Man:  Yeah, anytime you can reduce the time spent on reporting, the better. So, now that you have gone through two audits, what do you do to prepare for the future?

John:  Well, that’s where the Octopus team helps. We do SAM baseline reporting. It’s kind of like a mini risk assessment to ensure we are doing it correctly. The other thing is we try to stay on top of the licensing better, especially with all the new changes.

SPLA Man:  Yeah, I was going to ask. What do you think of all the new changes? Good, bad, indifferent?

John:  Yes. (laughs) I think the change is generally good. The only problem is Microsoft will always tell us SPLA is more expensive or that Azure is the best thing since sliced bread. The reality is it depends on the situation. We like SPLA. CSP requires us to more or less be a reseller. We do not like that. Of course, if our customers want Azure, we will not turn them down. We look at the new changes as another way to go to market. It’s not one program over the other. It’s what our customers want that matters.

SPLA Man:  We will dive into that more in a later podcast. Thanks for volunteering for another interview (laughs). But as a hoster, do you think SPLA will go away? I know I get asked daily.

John: No, they have tried to eliminate SPLA ever since BPOS. Remember that? No, seriously, I think SPLA will always be around. I appreciate your work and the work Octopus does to help create content and make our lives a bit easier. 

SPLA Man:  What about the new flexible virtualization? Do you help customers make the right decisions there?

John: Yes, we host our own training for customers. I know you have helped us and the rest of the Octopus Cloud team do that as well. I think that really has helped us with positioning. You are right; everyone is now a competitor. We have to make it easier for the customer. So I think the flexible virtualization is part of it but the other thing is, in many instances, customers do not want to mess with the licensing.

SPLA Man:  I agree. And thank you for mentioning training. I think that is super important. Anything else? How about this last question? What advice would you give to another hoster going through an audit?

John: I know we didn’t get into the specifics, but I would take my time and not rush through it like we tried. I would also prepare more. If you are not going through an audit now, you will eventually. Try to understand the risks now before it is too late. 

SPLA Man: Smart words. I always say, let’s eliminate risk before it becomes a risk. If you are not licensing correctly, you are not charging your customers right either. 

John: That’s exactly right.

SPLA Man:  Well, John. I appreciate your time today. Let’s do another interview. I want to dive into the flexible virtualization more and all that fun stuff.

John:  Interview for sure. I am not sure anything with Microsoft is fun. (laughs)

Thanks for reading,

SPLA Man

 
1 Comment

Posted by on September 18, 2023 in Uncategorized

 

Tags: , , , , , , , , , , , ,

What is a Service Provider?

18 Jul

The year 2017 has brought on A LOT of change for the hosting community.  A hosting company used to be an organization that hosted Exchange – fast forward to today and a service provider takes on a whole new meaning.  In this article, we will take a look at defining a service provider and how it applies to licensing.   Let’s play a little game called “Do they qualify”  Have a question?  Email info@splalicensing.com

An organization that provides or extends  litigation software (that they leased from the publisher) to law firms and other legal entities who are not wholly owned by the organization providing the solution. Does this organization qualify for SPLA?

Yes.  If you are an avid reader of splalciensing.com, you probably read my article on EMR Software The same holds true for any software (not just EMR) that runs on Microsoft technology that you do not own, but lease from a third-party.   Remember “AS”  If you are providing software AS a service that’s hosted from your datacenter environment,  SPLA must be part of the equation.  Why does this solution qualify for SPLA?

#1 they don’t own the software they are hosting

#2 they do not own the organization(s) who are consuming (using) the software for their benefit.

An organization who sells a product on a website to external users –   do they qualify for SPLA?

No.  Although they are selling something to consumers via the internet, the software used to deploy the solution benefits the e-commerce company, not the end-user.   Where SPLA does fit is if the web company decides to host a website on behalf of another organization.  The web company would fall under the SPLA rules.  Who benefits from the access is a key question to ask yourself.  Second question – is the access used to run their business or my own?

An organization who provides SharePoint to end users to share information.  Do they qualify?

No.  Simply sharing information does not qualify.  If the organization was hosting SharePoint on behalf of another organization, that’s SPLA.

A company hosts Exchange on behalf of another organization but does not charge for this access.  Does this qualify for SPLA?

Yes.  Microsoft doesn’t care how much money you make from the solution.  The question remains – are you providing this “as a service” for a third-party?

A company decides to use AWS as their datacenter provider to host an application they use internally.  Do they need SPLA?

No.  In this example, you are the end-user.  AWS has a SPLA to cover all infrastructure products they host on your behalf.  If you were to use AWS as a datacenter provider to host SharePoint to your end customers employees; you would pay AWS for Windows and SQL and report on your SPLA SharePoint SAL licenses.

 

I have 25 Linux machines that I host for my customers.   Do I need SPLA? 

No.  You have 25 Linux machines.  If you had 24 Linux machines and 1 Windows VM, you would have to license the host machine to cover that Windows VM through SPLA.

My reseller told me I didn’t need SPLA because the access qualifies for Self-Hosted.  The auditors told me it does not qualify.  Why?

All software used to deploy the solution has to be self-hosted eligible.  I bet you are running an application that does not qualify as part of your solution.  This would be SPLA.  Secondly, if you did not buy the software with software assurance, that is out of compliant.

Thanks for reading,

SPLA Man

 
Leave a comment

Posted by on July 18, 2017 in Compliance, Uncategorized

 

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Epic Community Connect for Healthcare Organizations

11 Jul

In this article we will review how Epic Community Connect effects your Microsoft licensing position.  This is a follow up to my earlier post which can be found here

What’s the concern?

If you host/extend Epic (or any EMR software that you do not own) to outside clinics or other healthcare facilities SPLA must be licensed.

What’s an outside organization?

If your organization (who hosts Epic/EMR) does not have at least 51% ownership of the other entity, that would be considered an outside organization as it pertains to this solution.

I’m confused…big time.  Why would I license SPLA when I was told to license through my Enterprise Agreement?

The EA is for your own internal employees.  The Service Provider Licensing Agreement (SPLA) is for companies who host Microsoft software to third parties.

Wait.  I just went to your website and I am not an employee.  Are you saying you have a SPLA agreement?

No.  I don’t host an application or any server whatsoever.  I do pay a web company to host my website.  The web company is under a SPLA agreement if they use Windows Server.

What are my options now?  I already deployed Epic and I don’t have a SPLA.  

I would work with a SPLA Reseller who can walk you through the steps and how to be compliant.  You can email me at info@splalciensing.com if you have additional questions.

Thanks for reading,

SPLA Man

 

 
Leave a comment

Posted by on July 11, 2017 in EMR Software, Uncategorized

 

Tags: , , , , , , , , , , , , , , ,

Top 5 Compliance Trends for MSP’s and SPLA

05 Jul

There are so many license changes and gotchas with SPLA, Azure, AWS, and all the others that I thought I would highlight for you some of the trends we see when it comes to compliance.

  1. Licensing Office Standard when Office Professional is installed.  In many cases, an IT administrator will inadvertently install Office Pro, report Office Standard to their procurement team who in return reports it to the reseller.  The IT admin will leave the company, and the procurement team continues to report Standard not knowing Pro is installed until audit time.  In this situation, Microsoft will check when Office was installed, and take the delta of what was reported (STD) v. what should be reported (Pro).  Don’t make this mistake.  Many partners are only charging their customers for Standard pricing!
  2. Not reporting SPLA at all.  Sounds silly, but many providers focus on developing software and not on the licensing.  We have found instances in which the procurement manager (who was in charge of reporting SPLA) left the organization and no one else took over their responsibility.   The reseller continues to email the procurement manager but obviously the email goes unnoticed.  After many months, their SPLA will be terminated and all licenses will have to be trued up.  The problem with this scenario is not just unexpected licensing expense, but when your SPLA terminates, you must sign a new one.  When you sign a new SPLA, you must adhere to the latest SPUR use rights.  As an example, if you had a SPLA prior to the Windows core licensing change, you could continue to report processors.  If your SPLA terminates, you would be forced to license by core now instead of later when your previous agreement (that is now terminated) expired.
  3. Using a VL copy of Office to deploy Shared Computer Activation (SCA).   SCA is specific to Office 365.  If you install Office Pro Plus VL, it goes against the product use rights in which Office (without SCA) cannot be installed on shared hardware.  It takes a lot of negotiation power and time to prove you are SCA eligible, the customer purchased Office 365, and you inadvertently installed the wrong product.
  4. Using License Mobility without License Mobility.  This is by far the most popular compliance trend.  Many organizations do not know what is installed in their datacenter when it comes to customer owned licenses.  Be sure to have the right documentation, addendum, and licensing to ensure compliance.
  5. Leasing an application, hosting the application, and purchasing volume licensing agreement to offer software as a service.   A healthcare company may lease an EMR application, host the application to other healthcare organizations, and license the infrastructure through volume licensing.  If your organization does not own the application you are hosting, you must license it through SPLA.  Self-Hosted for ISV is only eligible for providers who develop and own the application.  This means the code, the rights, everything must be owned by the organization.  Leasing the application and using other plugins you may have developed does not qualify.

I hope this provides you a little insight into the world of compliance.  If you find yourself out of compliant, let us know and we can connect you to the right resource.  info@splalicensing.com

Thanks for reading,

SPLA Man

 
Leave a comment

Posted by on July 5, 2017 in Compliance

 

Tags: , , , , , , , , , , , , , , ,