The choice between the user CAL metric and the device CAL metric is the single largest lever on Client Access License cost, and most enterprises made it by accident rather than by analysis. A user CAL covers one named person across every device they touch. A device CAL covers one machine across every person who uses it. The right metric depends entirely on the ratio of users to devices in a given population, and the wrong metric can double the count for no benefit. Worse, estates that mixed the two metrics within a single workload without tracking which identity holds which create exactly the ambiguity an audit converts into a finding. The buyer side defense models the ratio per workload and assigns the metric that minimizes the count, work that across the practice supports the 79% average audit exposure reduction.
Every CAL workload is licensed by one of two metrics, and the choice is made per workload, not per enterprise. The user metric assigns a CAL to a named person who may then access the workload from a laptop, a phone, and a desktop without additional licenses. The device metric assigns a CAL to a machine that any number of people may use. The economics turn entirely on the ratio of users to devices, and because the metric is chosen once and rarely revisited, most estates carry a metric that no longer fits the population it covers.
The two metrics are mirror images, and each is efficient for a specific population shape. Reading the population correctly is the whole game, because the same workload can cost twice as much under the wrong metric for no functional difference.
The decision is a simple ratio. A population where each person uses several devices is cheaper on user CALs, because one user CAL absorbs all their devices. A population where many people share a few devices is cheaper on device CALs, because one device CAL absorbs all its users. The break even is one to one, and real populations sit clearly on one side or the other once segmented properly.
Microsoft and its appointed auditors focus on the metric question because mixed and undocumented metric use is endemic and easy to challenge. When a single workload is covered by some user CALs and some device CALs with no clear record of which identity holds which, the auditor can assert the higher count, and the customer cannot disprove it without a reconstruction. The ambiguity, not the metric itself, is what gets monetized.
The two metrics cannot be averaged or netted against each other within a workload. A workload with a hundred user CALs and a hundred device CALs does not cover two hundred arbitrary connections. Each CAL covers its specific identity type, and an auditor counts user access against user CALs and device access against device CALs separately.
A metric chosen years ago for a population that has since changed shape is a quiet exposure. A device heavy environment that went mobile now overpays on device CALs while accruing uncovered device access. A user environment that consolidated onto shared terminals overpays on user CALs. The metric should be revisited as the population evolves, and it rarely is.
Device CAL environments must account for every device that connects, including headless service machines, kiosks, and shared terminals that no named user owns. User CAL environments must account for every named identity including service accounts that represent people. The population the metric must cover is often larger than the headcount or the managed device count suggests.
The optimal metric is chosen by segmenting the access population for each workload and computing the user to device ratio within each segment. A segment with a ratio above one to one, more devices than users, is assigned user CALs. A segment with a ratio below one to one, more users than devices, is assigned device CALs. The segmentation matters because an estate wide ratio hides the truth: the same enterprise often has a mobile knowledge worker segment that wants user CALs and a shared terminal segment that wants device CALs, and the optimal position assigns each segment its own metric. The model produces the minimum defensible count, which is both cheaper and easier to prove than a single metric applied uniformly.
Modern Microsoft 365 licensing is per user and increasingly supersedes the traditional CAL metric question for the populations it covers. A user under a qualifying M365 plan carries the relevant access rights as a named user, which effectively imposes the user metric for that population regardless of their device count. This simplifies the mobile knowledge worker segment, because M365 already licenses them per user. The device metric remains relevant for the populations M365 does not cover well: shared terminals, shop floor devices, and headless machines where assigning a per user M365 plan to each connecting person would be wasteful. The optimized position layers M365 user coverage over a device CAL base for the shared device populations.
The defense posture is to segment each workload's access population, assign the cheaper metric per segment, and document which identity holds which CAL so the position is unambiguous. The documentation is what defeats the auditor's ability to assert the higher count, because every connection maps to a specific covering CAL of the matching type. The optimization and the documentation are the same exercise.
The model segments each workload's population by user to device ratio and assigns the optimal metric to each segment. Mobile and multi device populations are assigned user CALs or covered by per user M365 plans. Shared and headless device populations are assigned device CALs. The result is a mixed but deliberate metric position, documented down to the identity.
Data sources include identity systems, device management inventories, and workload access logs. The segmented model is the document that answers the metric portion of any audit defense data request and removes the ambiguity an auditor would otherwise exploit.
With the segments modeled, the renewal is the moment to acquire the right mix of user CALs, device CALs, and per user M365 coverage that matches the documented population. The metric mix is set deliberately rather than inherited, and the documentation that supports it is maintained as the population evolves.
The EA renewal framework structures the CAL and M365 metric mix so the optimized position holds commercially and the count stays minimized through the term. Revisiting the metric at each renewal keeps it aligned as the workforce shape changes.
The practice runs a metric optimization engagement that segments every CAL workload's population, assigns the cheaper metric per segment, and produces a documented, unambiguous position across the estate.
The engagement produces a documented metric position covering each workload, its segmented population, the assigned metric per segment, and the M365 supersession where it applies. The position is the basis for any compliance review and the foundation for the CAL metric structure at the next renewal.
Three questions that recur once the mapping work begins.
No. The two metrics cannot be averaged or netted within a workload. A workload with one hundred user CALs and one hundred device CALs does not cover two hundred arbitrary connections. User access is counted against user CALs and device access against device CALs, separately. This is why undocumented mixed metric use is so often where an audit finding forms.
Compute the user to device ratio within each segment. A segment with more devices than users is cheaper on user CALs, because one user CAL absorbs all their devices. A segment with more users than devices is cheaper on device CALs. The key is to segment first, because the same enterprise usually contains populations that sit on opposite sides of the break even and want different metrics.
Partly. M365 is per user and effectively imposes the user metric for the populations it covers, which simplifies mobile knowledge workers. It does not solve the shared device populations, where assigning a per user M365 plan to every connecting person on a shop floor terminal would be wasteful. The optimized position layers M365 user coverage over a device CAL base for those shared device scenarios.
The worksheet the practice uses to model the user to device ratio per workload and population, and assign the CAL metric that produces the smaller defensible count before an auditor reconstructs it.
Two analyst calls. We model the user to device ratio across every CAL workload and population, assign the optimal metric, and clean up the mixed metric ambiguity before an audit exploits it. Full audit defense practice.