๐ณ Recipe ยท Licensing & Cost Optimization
Identify Departed Employees and Reclaim Microsoft 365 Licenses
Find disabled accounts still consuming licenses and free them up to reduce billing
Complexity
Intermediate
Impact
cost-savings + license-hygiene + offboarding + compliance
Context
Why This Matters
Departed employees often leave behind active Microsoft 365 licenses even after their accounts are disabled. Every unclaimed license continues to bill against your tenant until it is explicitly unassigned. For tenants with dozens to thousands of users, these orphaned assignments can quickly add up to hundreds or thousands of dollars per month in wasted spend.
This recipe walks you through systematically identifying departed employees โ using a combination of disabled-account state, recent audit log activity, and HR-provided lists โ and reclaiming their licenses so they can be reassigned or dropped from your subscription at renewal.
Run this monthly as part of your license hygiene cadence, or on demand when HR notifies IT of terminations.
Expected Outcomes
- A list of all disabled user accounts that still hold Microsoft 365 license assignments
- Cross-referenced audit log data showing when each account was disabled and by whom
- Licenses removed from departed employees and returned to the available pool
- A documented report suitable for finance or audit review
- Lower ongoing license costs at the next billing cycle
Risks & Considerations
Before you reclaim
- Preserve mailbox and OneDrive data first. Removing a license can delete the mailbox after 30 days and the OneDrive after retention expires. Convert the mailbox to shared, set a retention hold, or export data before unassigning.
- Disabled โ departed. Some disabled accounts are on leave, maternity, or awaiting rehire. Confirm departure status with HR before reclaiming.
- Group-based licenses. If the license is assigned via a group, you must remove the user from the group โ unassigning directly will fail or be re-applied automatically.
- Litigation hold. Accounts under e-discovery or legal hold must retain their license (or be converted to inactive mailboxes) until the hold is released.
Compliance
Document every reclamation action with timestamps and the approving manager/HR contact. This is often required for SOX, ISO 27001, or SOC 2 access-review controls.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| User.Read.All | Enumerate all users and read their accountEnabled state and assigned licenses |
| Directory.ReadWrite.All | Call assignLicense to remove SKUs from departed users |
| AuditLog.Read.All | Query directoryAudits for recent 'Disable account' events to confirm departure timing |
| Organization.Read.All | Resolve SKU IDs to friendly product names via subscribedSkus |
| Group.Read.All | Detect group-based license assignments that must be resolved at the group level |
The fastest way to get this done โ just ask Dex. Copy the prompt below and paste it into your Dex conversation.
For IT Admins
Paste into Dex CoAdmin