Audit and Compliance

CALs run on the honor system until the audit asks for proof.

Client Access Licenses are the quietest exposure in the Microsoft estate because nothing enforces them at runtime. A user connects to Exchange, SharePoint, a Windows Server file share, or a Remote Desktop session, and the connection succeeds whether or not a CAL exists to cover it. The obligation is real, but it is tracked entirely on the honor system, which means most enterprises have never produced an accurate count. When an audit arrives, it asks for proof of coverage that was never assembled, and the version rule, the suite bridges, and the External Connector all complicate the reconstruction. The buyer-side defense rebuilds the CAL position from access reality rather than purchase history, and across the practice this work supports the 79% average audit exposure reduction.

The situation

CALs are owed but never enforced.

A Client Access License grants a user or device the right to access a Windows Server, Exchange, SharePoint, or Remote Desktop Services workload. The CAL is required in addition to the server license. Crucially, no technical control enforces the CAL at the point of access, so the connection works regardless. The obligation accrues silently as the user and device population grows, and the only moment it surfaces is when an audit asks the customer to demonstrate that every accessing user or device is covered.

The principle · 01
Server plus CAL

Why the server license is not enough

Many Microsoft server workloads use a server plus CAL model. The server license covers the running software. A separate CAL covers each user or device that accesses it. Owning the server license alone leaves every accessing identity uncovered, which is the structural reason CAL gaps are so common and so large.

  • Windows Server. A Windows Server CAL per accessing user or device.
  • Exchange, SharePoint. A workload CAL per accessing user or device.
  • The server license covers software, not access.
The suites · 02
Core and Enterprise CAL

How the CAL suites simplify

Rather than buy individual CALs per workload, most enterprises license the Core CAL Suite or the Enterprise CAL Suite, which bundle the common Windows Server, Exchange, SharePoint, and other CALs into a single per-user or per-device unit. The suite simplifies purchasing but does not simplify the count, because the audit still tests whether every accessing identity holds a valid suite or standalone CAL.

  • Core CAL Suite. Bundles the base workload CALs per user or device.
  • Enterprise CAL Suite. Adds advanced workload rights on top.
  • M365 bridges. Some M365 plans include or bridge specific CALs.
Why Microsoft pushes here

No enforcement means no internal count.

Microsoft and its appointed auditors target CALs precisely because the absence of enforcement means almost no enterprise maintains an accurate count. The server licenses are visible and usually correct, but the CAL layer is invisible until requested. The auditor knows that the reconstruction is hard for the customer, which tilts the engagement toward whatever count the auditor proposes unless the buyer rebuilds an accurate position from access data.

Pressure 01

The version rule

A CAL must be the same version as the server it accesses, or newer. A user accessing a current Windows Server with a prior-version CAL is not properly covered. Estates that upgraded servers without upgrading the accompanying CALs carry a version exposure that is independent of the headcount, and it is one of the first things an audit checks.

Pressure 02

The device blind spot

Device CALs cover a device regardless of how many users share it, while user CALs cover a user across devices. Estates that mixed metrics, or that count employees but forget shared kiosks, service devices, and machines that connect without a named user, carry gaps that a headcount-based estimate never captures.

Pressure 03

External users

External users and devices accessing a server workload need coverage too, either through CALs or through an External Connector license that covers unlimited external access to a server. Estates that expose SharePoint or other workloads to partners and customers without an External Connector carry exposure for every external identity that connects.

Mechanic · metric
User and device

How the two CAL metrics count

Each CAL workload is licensed by either the user metric or the device metric, and the two cannot be averaged. A user CAL covers one named user accessing the workload from any number of devices, which fits mobile and multi-device workers. A device CAL covers one device accessed by any number of users, which fits shared workstations and shift environments. The optimization is to assign, per workload, the metric that produces the smaller count, while the audit reads whichever metric is actually licensed. The full optimization logic is covered in the user versus device CAL analysis. The reconstruction must pick the right metric per workload and count the matching population accurately.

Mechanic · bridges
M365 and CALs

How M365 plans cover the CAL

Modern Microsoft 365 plans change the CAL picture because some plans include rights that bridge specific server CALs for the covered user. A user licensed under a qualifying M365 plan may already hold the Windows Server, Exchange, or SharePoint access rights they would otherwise need a standalone CAL for. The complication is that M365 coverage is per user, so device-based access and users outside the M365 footprint still need traditional CALs. Reconstructing the position means layering the M365-derived coverage on top of the standalone CAL coverage and finding the population that falls between them, which is where the residual exposure concentrates.

The defense posture

Rebuild from access, not from purchases.

The defense posture is to reconstruct the CAL position from the reality of who and what accesses each workload, rather than from the purchase history. Purchase records show what was bought, not whether it matches current access. The access-based reconstruction produces a defensible count per workload, applies the version and metric rules, and isolates the genuine gap from the apparent one an auditor would assert from incomplete data.

Posture 01
Access based count

Count from who connects

The reconstruction documents each CAL workload and the actual user and device population that accesses it, derived from server logs, identity systems, and connection telemetry rather than headcount estimates. The version of each owned CAL is checked against the version of the server it must cover. M365-derived coverage is layered in per user.

Data sources include Active Directory and Entra ID, Exchange and SharePoint access logs, Remote Desktop connection records, and the license entitlement records. The access-based count is the document that answers the CAL portion of any audit defense data request with evidence rather than estimate.

Posture 02
Metric and close

Optimize metric and bridge with M365

With the population reconstructed, the metric is optimized per workload and the M365 bridges are applied to remove standalone CAL needs where a qualifying plan already covers the user. The residual gap is specific and quantified, and the remediation is sized to the actual uncovered population.

The renewal is the moment to right-size the CAL suites, align the metric per workload, and decide where M365 coverage replaces standalone CALs entirely. The EA renewal framework structures the CAL position so the reconstructed count holds and the suite mix matches the real access pattern.
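The reconstruction steps above, as an added Python example that is not part of this page or the practice's worksheet: it derives the user and device population per workload from access records, applies the version rule to the owned CALs, shrinks only the user count by the M365 bridge, and counts external identities as uncovered wherever no External Connector exists. The access records, entitlements, and the mapping of which M365 plan bridges which workload are constructed assumptions, not real data.

```python
from collections import defaultdict

# Constructed sample access records (not real telemetry), one row per observed
# connection: workload, server version, user, device, external-identity flag.
ACCESS_LOG = [
    ("Exchange", 2019, "alice", "LAPTOP-01", False),
    ("Exchange", 2019, "alice", "PHONE-01", False),
    ("Exchange", 2019, "bob", "LAPTOP-02", False),
    ("FileShare", 2022, "alice", "LAPTOP-01", False),
    ("FileShare", 2022, "shift-a", "KIOSK-01", False),
    ("FileShare", 2022, "shift-b", "KIOSK-01", False),
    ("SharePoint", 2019, "partner-1", "EXT-01", True),
]
# Constructed entitlements: workload -> (licensed metric, CAL version, count owned).
OWNED_CALS = {"Exchange": ("user", 2016, 2), "FileShare": ("device", 2022, 1)}
# Assumption: users whose M365 plan bridges the named workload's CAL.
M365_BRIDGED = {"Exchange": {"alice"}}
# Constructed: workloads that hold an External Connector licence.
EXTERNAL_CONNECTOR = {"SharePoint": False}


def reconstruct(log, owned, bridged, connector):
    users, devices, external, server_ver = defaultdict(set), defaultdict(set), defaultdict(set), {}
    for workload, ver, user, device, is_external in log:
        server_ver[workload] = max(ver, server_ver.get(workload, 0))
        if is_external:
            external[workload].add(user)
        else:
            users[workload].add(user)
            devices[workload].add(device)
    position = {}
    for workload, ver in server_ver.items():
        metric, cal_ver, count = owned.get(workload, ("user", ver, 0))
        # Version rule: a CAL older than the server it reaches covers nothing.
        usable = count if cal_ver >= ver else 0
        # M365 bridges are per user: they shrink the user count only, never the device count.
        need_user = len(users[workload] - bridged.get(workload, set()))
        need_device = len(devices[workload])
        required = need_user if metric == "user" else need_device
        # Without an External Connector, every external identity needs its own CAL.
        ext_uncovered = 0 if connector.get(workload) else len(external[workload])
        position[workload] = {
            "version_ok": cal_ver >= ver,
            "licensed_metric": metric,
            "required": required,
            "usable": usable,
            "gap": max(required - usable, 0) + ext_uncovered,
            "cheaper_metric": "user" if need_user <= need_device else "device",
        }
    return position
```

In the sample, the two Exchange CALs count for nothing because they predate the 2019 server, so the gap is driven by the version rule rather than the headcount; flipping the SharePoint connector to True removes that workload's gap entirely.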

What we do

The CAL reconstruction engagement.

The practice runs a CAL reconstruction engagement that rebuilds coverage from access reality across every server workload and produces a defensible position covering the version rule, the metric choice, and the M365 bridges across the estate.

Engagement format · CAL reconstruction
Access to coverage

A count built from evidence

The engagement produces a documented CAL position covering each workload, its access population, the version compliance, the metric choice, and the M365-derived coverage. The position is the basis for any compliance review and the foundation for the CAL commercial structure at the next renewal.

  • Workload inventory. Every server workload requiring a CAL identified.
  • Access reconstruction. The real user and device population per workload.
  • Version compliance. Every owned CAL checked against server versions.
  • Metric optimization. User versus device chosen per workload.
  • Suite reconciliation. Core and Enterprise CAL Suite coverage mapped.
  • M365 bridge layering. M365-derived CAL rights applied per user.
  • External access scope. External Connector versus CAL decided per workload.
  • Gap quantification. The residual uncovered population sized with its cost.
Common questions

Questions on CAL coverage.

Three questions that recur once the mapping work begins.

Question 01

If nothing enforces CALs, how does an audit prove I am short?

Through the access data you produce. The audit asks you to demonstrate that every user or device accessing a CAL workload holds a valid CAL of the right version and metric. Because most estates never assembled that proof, the auditor reconstructs the access population from server logs and proposes a count. Rebuilding the position yourself first is what lets you answer with evidence rather than concede the estimate.

Question 02

Does my Microsoft 365 plan cover the server CALs?

For some workloads and only per user. Qualifying M365 plans include rights that bridge specific Windows Server, Exchange, or SharePoint access for the covered user. The coverage is per named user, so device-based access and any users outside the M365 footprint still need traditional CALs. The residual exposure concentrates in the population that falls between M365 coverage and standalone CALs.

Question 03

Do my CALs need to match the server version?

Yes. A CAL must be the same version as the server it accesses, or newer. Upgrading a server without upgrading the accompanying CALs leaves the access improperly covered even when the headcount is correct. The version rule is independent of the count, and it is one of the first checks an audit runs because the answer is unambiguous and easy to assert.

CAL reconstruction kit

The Client Access License reconstruction kit.

The worksheet the practice uses to reconstruct CAL coverage across Windows Server, Exchange, SharePoint, and Remote Desktop Services from access reality, with the version and suite rules built in.

Engage the practice

Reconstruct the CAL position before the request lands.

Two analyst calls. We rebuild your CAL coverage from actual access across every server workload, apply the version and suite rules, and surface the gaps while they are still cheap to close.

79% average exposure reduction · 340+ engagements