Key Points
- M365 license reclamation can mitigate license sprawl and cut costs from unused E5 seats, inactive users, and orphaned accounts.
- For consistent policy enforcement, define clear “inactive” thresholds for licenses (e.g., 30–60 days no sign-ins or activity) and identify exceptions (e.g., executives, legal holds, and service accounts).
- Use Microsoft Graph API and PowerShell automation to identify idle licenses from sign-in logs and usage data, then safely remove or downgrade SKUs; log every action for traceability and compliance.
- Adopt group-based licensing in Microsoft Entra ID (formerly Azure AD) to prevent future license sprawl—automate assignments by role or department and sync membership with HRIS or ITSM workflows.
- Integrate license management into offboarding and role-change processes, ensuring entitlements are reclaimed or reassigned automatically as users leave or shift roles.
License sprawl can grow quietly without you noticing. Extra E5 seats, unused add-ons, and licenses left on disabled accounts burn cash and complicate audits. However, managing Microsoft 365 (or M365, formerly Office 365) licenses isn’t that difficult.
First, you must detect waste from usage and sign-in data. Once that’s done, you should automate the removal or downgrade via Graph and PowerShell, attach the workflow to offboarding, and prove savings with a running register.
A guide on how to reclaim unused M365 licenses automatically
📌 Prerequisites:
- Admin consent for Graph API and a service principal scoped to license operations
- Access to Microsoft 365 usage reports and sign-in activity
- A documented offboarding process with handoffs to HR or ITSM
- Role-based access control (RBAC) that separates build, review, and approval steps
- A shared repository for scripts, runbooks, and the License Cleanup Register
Step 1: Define policy and what “inactive” means
Before getting started, decide what “inactive” means for your organization. Is it 30 days, 60 days, or something else entirely? A clear definition sets expectations and gives you actionable criteria, so your actions and responses remain consistent.
First, you must set inactivity thresholds by role. For example, standard users can have 30 days before being marked inactive, while contractors get 7 days. Then, start identifying protected categories such as legal hold, executives, or service accounts.
Once you’ve set thresholds for inactivity, decide what action to take for each scenario. For example, you can:
- Remove license
- Downgrade SKU
- Move to a holding group for review
Step 2: Detect idle and misassigned licenses from data
Now that you have defined thresholds for Microsoft 365 license inactivity, you need to see which licenses actually meet those criteria. Base this step on data, not gut feeling.
In the Microsoft 365 admin center, go through all your Microsoft licenses and look for the following information:
- Sign-in activity and last interactive sign-in per user
- Workload usage like Exchange, SharePoint, OneDrive, and Teams activity
- Disabled, blocked, or unassigned users who still have licenses
Flag users that meet your “inactive” criteria. Once you’ve gone through the whole list, generate a CSV report of candidates with user, SKU, last activity, exceptions, and proposed action.
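The Step 1 policy applied to Step 2 data, as an added example that is not part of the original article. The 30- and 7-day thresholds are the article's; the tag names, field names, `RetainData` flag and sample rows are constructed, and real rows would come from your sign-in and usage exports.

```powershell
# Added example. Thresholds are the article's Step 1 examples; tags, field names,
# the RetainData flag and the sample rows are constructed for illustration.
$InactiveDays  = @{ Standard = 30; Contractor = 7 }
$ProtectedTags = @('LegalHold', 'Executive', 'ServiceAccount')

function Get-LicenseCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [datetime] $AsOf
    )
    foreach ($u in $Inventory) {
        if (-not $u.Sku) { continue }                  # no license, nothing to reclaim
        $idle  = if ($u.LastSignIn) { ($AsOf - [datetime]$u.LastSignIn).Days } else { $null }
        $limit = $InactiveDays[[string]$u.Role]
        if (-not $limit) { $limit = $InactiveDays['Standard'] }   # unknown role: default

        # Order matters: exceptions win, then disabled accounts, then idle time.
        if     ($u.Tag -in $ProtectedTags) { $action = 'ReviewOnly';    $why = "Protected:$($u.Tag)" }
        elseif (-not $u.Enabled)           { $action = 'Remove';        $why = 'DisabledButLicensed' }
        elseif ($null -eq $idle)           { $action = 'HoldForReview'; $why = 'NoSignInRecorded' }
        elseif ($idle -ge $limit) {
            $action = if ($u.RetainData) { 'Downgrade' } else { 'Remove' }
            $why    = "Idle $idle days, limit $limit"
        }
        else { continue }                              # active: leave alone

        [pscustomobject]@{
            User = $u.Upn; Sku = $u.Sku; LastActivity = $u.LastSignIn; IdleDays = $idle
            Exception = $u.Tag; ProposedAction = $action; Reason = $why
        }
    }
}

# Constructed inventory (example.com accounts, fixed report date).
$sample = @(
    [pscustomobject]@{ Upn='alice@example.com'; Role='Standard';   Enabled=$true;  Sku='SPE_E5'; LastSignIn='2025-01-25' }
    [pscustomobject]@{ Upn='bob@example.com';   Role='Standard';   Enabled=$true;  Sku='SPE_E5'; LastSignIn='2024-11-02' }
    [pscustomobject]@{ Upn='carol@example.com'; Role='Contractor'; Enabled=$true;  Sku='SPE_E3'; LastSignIn='2025-01-20' }
    [pscustomobject]@{ Upn='dave@example.com';  Role='Standard';   Enabled=$false; Sku='SPE_E5'; LastSignIn='2025-01-29' }
    [pscustomobject]@{ Upn='svc-backup@example.com'; Role='Standard'; Enabled=$true; Sku='SPE_E3'; Tag='ServiceAccount' }
    [pscustomobject]@{ Upn='erin@example.com';  Role='Standard';   Enabled=$true;  Sku='SPE_E3'; LastSignIn=$null }
    [pscustomobject]@{ Upn='frank@example.com'; Role='Standard';   Enabled=$true;  Sku='SPE_E5'; LastSignIn='2024-12-01'; RetainData=$true }
)
Get-LicenseCandidate -Inventory $sample -AsOf '2025-01-31' |
    Export-Csv -Path .\license-candidates.csv -NoTypeInformation
```

An account with no recorded sign-in goes to the holding group rather than straight to removal, because a missing timestamp can mean a new account as easily as an abandoned one.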
Step 3: Automate removal and downgrade safely
Once identified, remove or downgrade inactive licenses. In enterprise setups, this should be automated to ensure that changes are reliably and reversibly executed.
To do that, you should:
- Use Microsoft Graph and PowerShell to remove or change assigned licenses with pre-checks and dry runs.
- Sequence operations to downgrade first when data retention is needed and fully remove when safe.
- Log every action with timestamp, operator, user, SKUs before and after, and reason code.
When removing and downgrading Microsoft 365 licenses, remember to have a defined process for approval when it comes to admin accounts and bulk accounts. Don’t let technicians do these things at their own discretion. You should also implement a short grace window for reversal when appropriate.
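One way to wire the pre-checks, dry run, approval gates and action log from this step together, as an added example that is not the article's or NinjaOne's code. It assumes the Microsoft.Graph PowerShell SDK with an existing `Connect-MgGraph` session; the candidate columns, log path and batch limit are hypothetical.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK and an existing
# Connect-MgGraph session. Candidate columns (User, SkuId, Reason, IsAdmin,
# ApprovedBy), the log path and the batch limit are hypothetical.
function Remove-IdleLicense {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Candidates,
        [Parameter(Mandatory)] [string]   $Operator,
        [string] $LogPath  = '.\license-actions.jsonl',
        [int]    $MaxBatch = 25,
        [switch] $BulkApproved
    )
    # Pre-check: a bulk run needs a recorded approval, not technician discretion.
    if ($Candidates.Count -gt $MaxBatch -and -not $BulkApproved) {
        throw "Batch of $($Candidates.Count) exceeds $MaxBatch; obtain approval, then pass -BulkApproved."
    }
    foreach ($c in $Candidates) {
        $user   = Get-MgUser -UserId $c.User -Property Id, UserPrincipalName, AssignedLicenses, LicenseAssignmentStates
        $before = @($user.AssignedLicenses.SkuId)
        # Only a direct assignment can be removed per user; group-inherited ones change via the group.
        $direct = $user.LicenseAssignmentStates |
            Where-Object { $_.SkuId -eq $c.SkuId -and -not $_.AssignedByGroup }

        if     (-not $direct)                                 { $result = 'Skipped:NotDirectlyAssigned' }
        elseif ($c.IsAdmin -eq 'True' -and -not $c.ApprovedBy) { $result = 'Skipped:NeedsApproval' }
        elseif ($PSCmdlet.ShouldProcess($c.User, "Remove license $($c.SkuId)")) {
            Set-MgUserLicense -UserId $user.Id -AddLicenses @{} -RemoveLicenses @($c.SkuId) -Confirm:$false | Out-Null
            $result = 'Removed'
        }
        else { $result = 'DryRun' }

        $after = if ($result -eq 'Removed') { $before | Where-Object { $_ -ne $c.SkuId } } else { $before }
        # One JSON line per decision. SkusBefore is what a reversal inside the grace window
        # restores. -WhatIf:$false keeps the log written during a dry run.
        [pscustomobject]@{
            Timestamp  = (Get-Date).ToUniversalTime().ToString('o')
            Operator   = $Operator;  User = $user.UserPrincipalName
            SkusBefore = $before;    SkusAfter = @($after)
            ReasonCode = $c.Reason;  ApprovedBy = $c.ApprovedBy;  Result = $result
        } | ConvertTo-Json -Compress | Add-Content -Path $LogPath -WhatIf:$false
    }
}

# Dry run first: reads from Graph, changes nothing, still writes the log.
# Remove-IdleLicense -Candidates (Import-Csv .\approved.csv) -Operator 'jdoe' -WhatIf
```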
Step 4: Restructure to group-based licensing
To stop the license sprawl from returning, you should restructure your workflows to use group-based licensing instead.
To do that, you must:
- Assign licenses to Azure AD (now Microsoft Entra ID) groups by role or department instead of per-user.
- Automate group membership from HRIS or ITSM workflows so staff and role changes sync to licenses.
- Remove direct assignments and document the new model. Upload the documentation to a documentation platform and make it easily accessible to all pertinent parties.
Step 5: Attach to offboarding and role changes
Offboarding and role changes usually change licensing needs as well. Make license cleanup during these events part of your regular workflows.
First, add a license-removal step to the offboarding checklist with timing for data access needs. When there are role changes within your organization, move users between licensing groups so entitlements follow the job, not the person. And remember to track each completed offboarding in a register so you have a clear record of all your licenses.
Step 6: Prove savings and pass audits
Maintain a License Cleanup Register listing reclaimed seats, downgraded SKUs, approvals, and the resulting cost savings. To keep clients up-to-date, you can publish a monthly scorecard per client that shows reclaimed seats, net spend change, and exceptions open past SLA. You should also keep a runbook and evidence folder for audits, including policy, scripts, and logs.
These actions keep everything transparent, show the relevance and impact of your actions to your client, and help you stay compliant with regulatory boards.
NinjaOne integration ideas for managing unused software licenses
- Discovery and reports: You can schedule scripts to export sign-in and usage data, then surface candidates for removal in tickets with CSV attachments.
- Automation at scale: NinjaOne users can run approved Graph or PowerShell jobs across tenants, log outputs back to the ticket, and tag by client and action type.
- Exception handling: Using NinjaOne tools, you can auto-open review tasks for protected users and expire exceptions on schedule.
- ROI dashboards: You can create a report that contains data on reclaimed licenses, downgraded SKUs, and estimated monthly savings by tenant.
Quick-Start Guide
NinjaOne helps manage Microsoft 365 licenses through several methods:
- License Usage Monitoring: NinjaOne can track license assignments and usage patterns across your organization.
- Inactive User Detection: It can identify users who haven’t logged into their Microsoft 365 accounts for extended periods.
- License Reclamation: Through automation and reporting, NinjaOne helps organizations identify and reclaim unused licenses.
- Integration with Microsoft Graph: NinjaOne leverages Microsoft Graph API to access license information and user activity data.
Prove your MSP efficiency with a Microsoft 365 (Office 365) unused licenses report
License reclamation works, and it’s an important part of improving efficiency and cost savings for MSPs. However, detecting and reclaiming Microsoft 365 licenses must be data-driven, automated, and tied to everyday processes.
Define inactivity rules, detect waste from usage, automate safe removals and downgrades, make group-based licensing the default, and prove savings with a simple register. Do this monthly, and license sprawl stops being a surprise.
