In Microsoft licensing hell – Do my external admins need CALs?

Licensing is a pain. Not so much for the sake of cost, but more for the sake of never quite knowing that you’re compliant.

I was considering a case today. What if one of my customers wants to grant administrative access to a vendor to one of their servers for the purposes of setting up and administering an on-premise application?

My first instinct was yes – they do. After all, they are a user that needs to log in. But then I thought a bit more about it. CALs are after all assigned to physical persons or devices, I can’t just go say “I hereby assign this CAL to Vendor X’s support team”, because that’s not a physical person. Would I have to ask for specific names of the vendor’s technicians for the purposes of license assignment? And how would this be enforced? Maybe just creating a few named users and then just disclaiming knowledge of whether they share their personal accounts, making it their problem? No. There had to be some kind of exception.

So I go out on the Internet, and I found this slightly helpful but mostly unhelpful post from the Microsoft Volume Licensing Blog. As witnessed by the comments, the blog entry raises more questions than it answers. It’s not really the fault of the blog, licensing is hard, really for no good reason other than to make work for licensing lawyers.

This is what they write:

7 – Do I need CALs for my administrators?

Server software licensed using CALs permits up to 2 users or devices to access the server software for the purposes of administration without CALs. However, if your administrators also use the software for anything other than administration (for example, they check their email), CALs will be required for them as well.

You could be forgiven to still fret and say “Oh, okay, so if my vendor has 10 employees I only need 8 CALs” and open your pocketbook and still have the administrative nightmare about having to know about who they employ and manage CAL assignment, adding the two “free” CALs to your pool of CALs.

But that’s actually not the case. If you read what Microsoft said, they specifically say “Server software licensed using CALs permits up to 2 users or devices to access the server software for the purposes of administration without CALs.” (emphasis mine).

Why is this important? Well, because the rules regarding CAL assignments do not come into play! The only way I could reasonably interpret this would be “permits up to 2 users or devices at the same time“. After all, there is no permanent assignment of CALs going on.

The relevant language from Microsoft’s Product Terms does not contradict this interpretation:

16. Administrative and Support Rights
Customer may allow access to server software running in any permitted OSE by two users without CALs solely for administrative purposes. Customer may also allow remote access to other Products solely for purposes of providing technical product support to Licensed Users or on Licensed Devices.

So, my conclusion is, I’m okay. We don’t need to assign CALs ever to users who only work as admins on the server, as long as no more than two of them are ever working on the same time on any given server.

Now, I’d like to point out for the record. I’m not a lawyer, I’m not a licensing expert. I don’t work for a licensing company.

This is not licensing advice. This is just my opinion about how I interpret the licensing rules. After all, I’m just a sysadmin annoyed with the various “pain in the nets” and blogging about it.

And I find that this obfuscated interpretation lines up with common sense. So that’s the interpretation I’m going with.