I work for a software and services company. We are looking at setting up a Windows Remote Desktop Services system on Azure (or AWS) that will be accessed by some of our customers to use our internally developed software package. I know we will need RDS CALs/SALs for this system deployment and we are working towards enrolling in the Microsoft SPLA program in order to provide RDS User SALs for the solution.
My question is in regards to how we track and report the RDS User SALs so our reported numbers for the SPLA would (hopefully) pass an audit. For us to properly report the number of RDS User SALs, my company would need to know how many users (people) at our customer sites could potentially be accessing our software in any given month (I fully understand we need to report the number of users that could access, not just the number that did access). In our customer environments (mostly the manufacturing sector), there is a pretty high turnover rate of employees. Having us track every customer employee that needs access to our system (i.e., have a separate user account in our system for every customer employee) would be a near impossible task due to the turnover rate. In fact, on the technical/implementation side, shared Windows User Accounts are often used at these customers for a group of employees (imagine a shared computer next to a manufacturing production line, which multiple people use throughout the day, and everyone signs into this computer with a shared/generic Windows Account and accesses our software/solution on that computer).
Would a legal document (such as an license or subscription agreement signed by the customer) that states they will not allow more than X unique employees access the system during a given month suffice for an audit of our SPLA reporting? Obviously we would allow a customer to increase or decrease this number as needed (thus increasing or decreasing our reported license number). How do other service providers handle this type of scenario and are there any “best practices” for reporting we should be aware of (in particular, to make sure our numbers are auditable when the time comes)?