By Yair Knijn · June 25, 2025

You claimed Azure Hybrid Benefit. Can you prove the licenses on audit?

Somebody on the platform team flipped Azure Hybrid Benefit across the Windows Server and SQL estate, the per-hour rate dropped because the license is no longer baked into the VM price, and a six-figure line walked into the savings column. Finance booked it. Nobody answered the question a licensing auditor opens with: which Software Assurance entitlement covers this VM, and can you put the document on the table.

Here is what the toggle actually does. Hybrid Benefit is not a discount you switch on; it is a license substitution you assert. You are telling Microsoft you already own the rights, with active Software Assurance, and are carrying them to Azure instead of renting again. A saving you cannot trace to a named entitlement is not money in the bank; it is an open finding sitting in your subscription.

How Hybrid Benefit savings become an audit exposure

The reduced rate applies the instant you set licenseType on a resource. Nothing checks your entitlement then. Azure does not call your Software Assurance contract to confirm the cores are free; it takes you at your word. The gap between what you claimed and what you own stays invisible until someone reconciles it, and that someone is usually Microsoft.

The finding I see most is the boring one: a Windows Server Standard license counted on both sides of a migration. The on-prem host should have retired when the workload moved, the decommission slipped, and now one license backs a physical box and an Azure VM at once. Standard forbids that, and every month it ran double is benefit you never had.

Mapping Software Assurance entitlements to claimed cores

The arithmetic is per-VM and it does not round in your favour. Windows Server licenses in 16-core packs, and the benefit needs the VM at 8 vCPUs or more to count. A 16-core Datacenter entitlement with live SA covers two 8-core VMs, or one 16-core VM, and not a core past that. SQL Server starts at a 1-vCore minimum, and one Enterprise core license converts to four Standard cores. Draw the line from a named entitlement to a named resource, or you have not proven the claim, only made it.

• Pull the on-prem entitlement total per SKU: edition, core count, and whether SA is active right now rather than lapsed.
• Pull every Azure resource carrying licenseType, with its vCPU count and edition.
• Subtract. Any claimed core with no entitlement behind it is your exposure, in cores.

What a Microsoft licensing audit actually checks

Microsoft can verify eligibility whenever it chooses, and the review is mechanical. Deployed core counts get reconciled against entitlement records, then SA has to be active for every period you claimed. SA lapses in March, the VMs keep claiming through December, and those nine months stop being a renewal conversation. They are unlicensed usage.

Clawback math: the discount plus the back-billing

Finance takes the hit twice. The auditor does not just turn the benefit off going forward; the unentitled usage gets repriced at the full non-benefit rate for the whole stretch it ran, and you back-pay the difference you had booked as savings. The number reverses, then you owe the gap on top.

Booking the savings only when you can defend it

None of this needs a new tool; it needs the steps in order. Reconcile entitlements against claimed cores, confirm SA is active for the period, and book whatever survives. Carry the unmapped remainder as a known risk, not as savings. The defensible number is almost always smaller than the toggle implies, and it is the one that holds up under audit.

Cloud Horizons holds the entitlement map and the live licenseType inventory together, so the saving you book and the license you can produce are the same line. See how FinOps reconciliation turns a Hybrid Benefit claim into a position you can defend rather than a finding waiting to open.