Dex

๐Ÿ’ณ Recipe ยท Licensing & Cost Optimization

Find Disabled Users Who Still Have Licenses Assigned

Identify deactivated Microsoft 365 accounts that are still consuming paid licenses so you can reclaim them and cut costs

Complexity

Beginner

Impact

cost-savings + license-optimization + offboarding-hygiene + tenant-audit

Context

Why This Matters

When employees leave the organization or accounts are retired, admins frequently disable the account (set accountEnabled = false) but forget to remove the assigned Microsoft 365 licenses. Those licenses continue to be billed every month even though no one can sign in to use them.

This recipe enumerates every disabled user in your tenant and reports which ones still hold paid license SKUs. It is a fast, low-risk audit that almost always surfaces recoverable spend โ€” particularly after offboarding waves, M&A events, or periodic license true-ups.

When to run this

  • Monthly or quarterly license reconciliation
  • After a batch offboarding or reorganization
  • Before renewing an enterprise agreement or buying additional seats
  • As part of a tenant health / cost-optimization review

Expected Outcomes

After completing this recipe you will have:

  • A complete list of every disabled user account in the tenant that still has one or more licenses assigned
  • Each user's display name, UPN, and the human-readable SKU part numbers (e.g. SPE_E5, EXCHANGESTANDARD)
  • A defensible cost-recovery target โ€” each reclaimed license can be unassigned or the subscription reduced at renewal
  • Identification of shared/service accounts (auto attendants, shared mailboxes, resource accounts) that may legitimately hold licenses while disabled

Risks & Considerations

Important considerations

  • Don't bulk-remove licenses blindly. Some disabled accounts are intentional โ€” for example, PHONESYSTEM_VIRTUALUSER licenses on Teams auto attendants / call queues, or shared mailboxes that require an Exchange license for over-50 GB storage or litigation hold.
  • Data retention risk. Removing an Exchange Online license from a disabled user starts a 30-day countdown before the mailbox is permanently deleted. Place the mailbox on Litigation Hold or convert to a shared mailbox first if you need to preserve data.
  • OneDrive content. Removing a license can trigger OneDrive retention (default 30 days). Reassign ownership or export content first if needed.
  • Group-based licensing. If licenses are assigned via group membership, you must remove the user from the licensing group โ€” unassigning directly will fail or re-apply.
  • Compliance. Check whether the account is subject to legal hold, eDiscovery case, or regulatory retention before making changes.

Required Permissions

PermissionWhy It's Needed
User.Read.AllRead user account properties including accountEnabled and assignedLicenses
Organization.Read.AllRead subscribedSkus to map SKU IDs to human-readable SKU part numbers
Directory.Read.AllAlternative / broader read permission if tenant policy requires it

The fastest way to get this done โ€” just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Find all disabled users in our Microsoft 365 tenant who still have licenses assigned. For each, show display name, UPN, and the license SKUs (friendly names). Flag any that look like service or resource accounts (auto attendants, shared mailboxes) so I don't remove them by mistake.
Try in Dex CoAdmin