Moving Microsoft to AWS: the licensing issues
PART 1: Overview
The continuing transition from on-premise use of enterprise software to the cloud is inexorable, often only inhibited by management time or regulatory issues. But customers that are heavily invested in perpetual on-premise licenses are understandably reluctant to abandon that investment and buy afresh when transitioning.
Most software licenses allow use of third-party outsourcers – particularly if dedicated hardware is allocated. However, the move to the cloud is a more complex version of this with older license agreements not fully reflecting the detail. Is a move to an amorphous cloud, delivered out of 100’s of data centers worldwide just an extension of having your hardware managed down the road? Or is the shared cloud environment something fundamentally different – and not contractually available to your owned licenses?
It would be pleasant to think that such questions have an immediately accessible and understandable answer. But far from it: Microsoft has a hugely complicated matrix of rules, guidance and policies developed iteratively over the last 40 years. Much of it is impenetrable.
Over a series of articles, we seek to shed some light on the shifting position, and continuing uncertainties, around the licensing impact of one very active area: moving Microsoft servers from on-premise to Amazon Web Services (AWS).
“The emergence of dedicated hosted cloud services has blurred the line between traditional outsourcing and cloud services and has led to the use of on-premises licenses on cloud services’’ 
Amazon Web Services
What does AWS offer?
AWS offers a very broad range of cloud-based products across compute, storage, analytics and applications. Its principal compute offering EC2 (Elastic Compute Cloud) is both secure, and, critically, hugely resizable, allowing new server instances to be launched in a few minutes and virtually unlimited capacity.
The elasticity is obviously made available on the basis that (subject to certain limitations) AWS chooses where, at any moment, your instances are running or data is stored. AWS utilises multiple Availability Zones (AZs) for high availability and durability each with its own physically distinct, independent infrastructure.
Amazon also offers multiple different options such as On-Demand Capacity Reservations and Reserved Instances. However, these do not lock-down instances to fixed physical hardware.
What rights do you get with Microsoft licenses?
Whether you can move your on-premise licenses to AWS depends on the permissions you are granted by Microsoft’s own licensing rules.
Microsoft’s licensing is determined by a raft of documentation including the relevant agreement with Microsoft: Microsoft Products and Services Agreement, Select, Select Plus or Open agreement and/or an Enterprise Agreement.
In addition there are Microsoft’s ‘Product Use Rights’ now called ‘Product Terms’ as well as other guidance, policies and white papers that may or may not have legal force.
However, the ten key elements are these:
- Microsoft’s grant is for the (named) Customer to use the software;
- No rights are granted to third parties – the licenses are non-transferable;
- Sub-licensing is possible to ‘Affiliates’ (i.e. greater than 50% owned subsidiaries);
- License transfers are not permitted save to Affiliates or where there is a divestment;
- “use” or “run” means to copy, install, use, access, display, run or otherwise interact with;
- Depending on edition, server licensing can be either on a Server + CAL (Client Access Licenses) model or on a per-core basis;
- Before use, the license must be ‘assigned’ to a particular device or person as appropriate; 
- Use or running in third-party environments is not permitted  save that
- Outsourcers e.g. IaaS can be used provide that the servers or devices under their day-to-day management are and remain ‘fully dedicated’ to the customer , and also that,
- If Microsoft’s ‘Software Assurance’ is in place, this allows use in third-party shared environment for most products.
How do Microsoft’s usage conditions work with Amazon?
It will be seen, then, from the last two points that Microsoft does allow controlled usage in third-party environments, with an enhanced facility for license mobility if the customer has its Software Assurance (further explored later in this series).
However, even without this, customers can move their existing on-premise licenses into third-party environments but only onto servers or devices that are ‘fully dedicated’ to the customer.
How, then, does a Bring Your Own License (BYOL) facility work with Amazon where, its elasticity of usage implies that customer’s applications can and will be running across large number of servers, changing repeatedly? By definition, these physical hosts are quite obviously not dedicated to one customer.
Do you need to own the servers or devices used?
The rights given to outsource under IaaS or in AWS’s case its use within EC2, are predicated on the customer’s license being first ‘assigned’ to the particular server or device.
However, does this server or device in fact need to be owned by the customer – even if managed elsewhere?
Microsoft’s 2012 Product terms originally used this wording ‘Before you run any instance of the server software under a server license, you must assign that license to one of your servers’ (our emphasis).
This seems to imply that the relevant servers must be owned by you.
However, elsewhere in Microsoft’s documentation, at the time and now, there is a standard definition of ‘Licensed Server’and this does not reference any ownership condition:
‘Licensed Server means the single server … to which a license is assigned. For purposes of this definition, a hardware partition or blade is considered to be a separate server’.
Certainly the latest 2019 Product Terms seem to be a little clearer, simply stating that
‘Before Customer uses software under a License, it must assign that License to a device or user, as appropriate.’ 
‘Customer may install and use licensed copies of the software on Servers and other devices that are under the day-to-day management and control of Authorized Outsourcers, provided all such Servers and other devices are and remain fully dedicated to Customer’s use’ 
So, it seems that Microsoft are no longer interested in whether, for example, the server at the third party datacenter is owned by the customer – only that it is dedicated to that customer.
In looking at what the customer may do, we need to look at both Microsoft’s terms and Amazon’s explanations as to how it hosts Microsoft for customers.
EC2’s principal offering is one of instances with a tenancy of default; this means that programs are run on physical servers that may/do host multiple instances from different customers. So, these are shared environments that clearly would not satisfy Microsoft’s insistence as to third party hardware being dedicated to the customer.
AWS however fully recognises the need that certain customers have for dedicated hosts, offering not only its primary shared services but also bare metal, dedicated hosts and dedicated instances.
It confirms the position that using AWS is no different to using a traditional outsourcer. Even without Microsoft software assurance (see below), AWS’s dedicated hosts can, according to Amazon, be used:
‘Using Amazon EC2 Dedicated Hosts, you can access hardware fully dedicated to your use. This makes it possible to bring Microsoft software licenses ….’.
AWS has two defined ‘dedicated’ products: ‘Dedicated Hosts’ and ‘Dedicated Instances’. These have different characteristics and whether – and how – these conform to Microsoft’s requirements will be in Part 2 of this Guide.
Cerno Professional Services Ltd, 2019
 Section 9, Universal License Terms: ‘Before Customer uses software under a License, it must assign that License to a device or user, as appropriate’
 ‘Except as expressly permitted here or elsewhere in these Product Terms, Customer is not permitted to install or use licensed copies of the software on Servers and other devices that are under the management or control of a third party’.
 ‘Customer may install and use licensed copies of the software on Servers and other devices that are under the day-to-day management and control of third parties, provided all such Servers and other devices are and remain fully dedicated to Customer’s use’
 Section 9: Universal License Terms (November 1, 2019)
 Note the new use of the limitation ‘Authorised Outsourcers’: until November 2019, the possibility was for use on any servers or devices ‘under the day-to-day management and control of third parties …’