By Yair Knijn · April 3, 2025
No asset inventory, then a Microsoft true-up: the half-million-euro bill the IT manager never budgeted
The IT manager signs the renewal at the seat count the licensing portal shows, because that number has never been wrong before. The wrong assumption is that the portal reflects deployment. It reflects what was bought, not what is running, and the gap between those two is exactly what a true-up reconciliation exists to find.
When the vendor opens an engagement, the manager goes looking for proof of what is actually deployed and finds a spreadsheet last touched two reorgs ago. With no discovery data, there is no count to defend. The estate gets reconciled at the auditor's number, and the bill arrives in a quarter nobody budgeted for.
What a true-up actually reconciles, and why your spreadsheet loses
A true-up compares entitlement against measured use. The auditor's measurement comes from tooling that reads your tenant directly: Get-MgUser license assignments, sign-in logs, Defender and Entra service plan activations. Your side of the table is supposed to be an equivalent measurement, sourced from your own asset records, timestamped, and tied to real machines and identities.
A spreadsheet is not a measurement. It is an assertion, and the auditor has no reason to accept an assertion over their own telemetry. A late-2024 survey found roughly 62 percent of organizations had been audited by a major software vendor in the past year, up from about 40 percent in 2023. The frequency is rising, and the side without timestamped deployment data always concedes the count.
Over-deployed E5 features: the entitlement gap that drives the bill
The expensive findings rarely come from raw seat counts. They come from features. Someone enables a premium audit policy, turns on Defender for Endpoint, or assigns Entra ID P2 for conditional access, and every identity touched by that service plan now needs an E5 entitlement it may not have. Industry reviews put median Microsoft 365 true-up findings at roughly $300k to $500k for an estate in the 1,000 to 5,000 seat range, and over-deployed E5 service plans are the usual driver.
The pattern is consistent: a tenant buys E5 broadly to justify advanced audit logging, when only a fraction of users genuinely need premium audit events. Without records showing which identity got which feature and when, you cannot argue scope. The auditor assigns E5 to everyone the service plan touched, and you pay the delta retroactively.
Shelfware in reverse: paying for shortages while licenses sit unused
The cruel part is that under-licensing and waste coexist. The same estate that owes a true-up on Defender is often sitting on dozens of E3 seats assigned to disabled accounts, shared mailboxes, and people who left in March. A clean inventory nets these against each other. You reclaim the dead seats, redeploy them, and shrink the shortfall before money changes hands.
Without records, you lose both ways. You pay the true-up at full count because you cannot prove the over-deployment was narrow, and you keep paying for shelfware because nobody has a list of what to reclaim. The vendor has no incentive to point out your unused licenses. That reconciliation is your job, and it only works if the data exists.
Using asset lifecycle records as your audit-defense data room
The defensible position is built before the engagement, not during it. What turns an audit from a negotiation into a verification is a record set the auditor can check against their own telemetry and find consistent:
- License assignment per identity, with the date it was granted and the ticket that authorized it
- Service plan activations tied to a change record, so you can show feature scope was deliberate and bounded
- Deprovisioning events for every leaver, proving the seat was released and is available to reclaim
- A reconciliation history that shows the count has been maintained, not reconstructed in a panic
When that history exists, the auditor's telemetry and your records agree, and the conversation is short. When it does not, every gap is resolved in the vendor's favor by default.
An operations desk earns its keep here by making asset lifecycle a byproduct of normal work rather than a separate project. Every grant, change, and deprovision lands as a timestamped record in the customer workspace, so the data room assembles itself months before any vendor asks for it. Our asset lifecycle records are built to be the thing you hand an auditor, not the thing you wish you had started two years ago.