Kill zombie licenses: IAM-led SaaS cost savings
How to use IAM automation to reclaim unused licenses and cut SaaS costs.
Where license waste hides: offboarding gaps and zombie accounts
Software license waste rarely comes from a single dramatic failure; it’s the accumulation of small process gaps. The number one culprit is imperfect offboarding. When an employee leaves, accounts are often disabled in core directories but remain licensed in downstream SaaS or line-of-business systems.
Another culprit is role drift: people change jobs, carry legacy entitlements, and keep licenses for tools they no longer use. Finally, there are orphaned and duplicate accounts, especially for external contributors like consultants. The financial impact is real: analyses regularly show double-digit percentages of spend lost to unused Microsoft 365 or Google Workspace seats.
Microsoft’s own guidance stresses removing licenses during offboarding to avoid continuing charges, but responsibility is often placed on the organisation to execute and automate. Usage analytics and periodic audits help surface underutilised allocations and over-licensed users. In practice, the problem isn’t knowing waste exists; it’s executing a consistent, cross-system process every time without leaning on manual checklists or heroics from IT.
That’s where identity and access management (IAM) automation becomes the difference between sporadic cleanups and continuous optimisation.
Build an automated license reclamation loop with IAM
An automated reclamation loop has four parts.
1) Source of truth
Start with HR as the master for employment status and job changes. A termination in HR must trigger deactivation and license reclamation workflows across all connected systems.
2) Connector coverage
Integrate the systems where licenses live: Microsoft 365, Google Workspace and your sector applications. Use group-based assignments so that removing a business role automatically retracts entitlements and seats.
3) Usage-driven right-sizing
Feed last-login and activity signals into your IAM platform to recommend downgrades or removals for inactive users. Pre-build policies such as “no activity for 60 days → downgrade E3 to F3” and route to system owners for approval.
4) Closed-loop evidence
Log every reclaimed seat and cost delta so finance can verify savings. Identum helps operationalise this loop by connecting HR to Azure Entra ID/AD, Google Workspace and sector systems, automating provisioning/deprovisioning and presenting system owners with clear, auditable decisions: eADM overview.
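The decision logic of steps 1, 3 and 4 can be sketched in a few lines. This is an added example, not Identum's or Microsoft's code: the Seat fields, the per-seat prices, the sample users and the rule that a seat with no recorded activity counts as inactive are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed monthly per-seat prices; substitute your contract rates.
SEAT_COST = {"E3": 36.00, "F3": 8.00}
INACTIVITY_DAYS = 60  # threshold from the example policy in step 3

@dataclass
class Seat:
    user: str
    hr_status: str                  # "active" or "terminated", from HR
    sku: str
    last_activity: Optional[date]   # None means no recorded sign-in
    cost_center: str

def plan(seats, today):
    """Return proposed actions; each doubles as the audit record for finance."""
    actions = []
    for s in seats:
        record = {"user": s.user, "from_sku": s.sku, "cost_center": s.cost_center}
        if s.hr_status == "terminated":
            # HR is the source of truth: reclaim regardless of recent usage.
            record.update(kind="reclaim", to_sku=None, needs_approval=False,
                          monthly_delta=SEAT_COST[s.sku])
            actions.append(record)
            continue
        # Assumption: a seat with no recorded activity counts as inactive.
        idle = None if s.last_activity is None else (today - s.last_activity).days
        if s.sku == "E3" and (idle is None or idle >= INACTIVITY_DAYS):
            # Right-sizing is only proposed; the system owner must approve it.
            record.update(kind="downgrade", to_sku="F3", needs_approval=True,
                          monthly_delta=SEAT_COST["E3"] - SEAT_COST["F3"])
            actions.append(record)
    return actions

def monthly_savings(actions, approved_users=()):
    """Count only deltas that are automatic or already approved by an owner."""
    return sum(a["monthly_delta"] for a in actions
               if not a["needs_approval"] or a["user"] in approved_users)

# Constructed sample seats, evaluated as of 2024-06-01.
SAMPLE = [
    Seat("alice", "terminated", "E3", date(2024, 5, 30), "CC-100"),
    Seat("bob", "active", "E3", date(2024, 3, 1), "CC-200"),
    Seat("carol", "active", "E3", date(2024, 5, 20), "CC-200"),
    Seat("dave", "active", "F3", None, "CC-300"),
]
```

Running plan(SAMPLE, date(2024, 6, 1)) reclaims the terminated user's seat immediately and holds the inactive user's downgrade until an owner approves it, so reported savings never include unapproved changes.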
Savings you can prove: metrics, audits and executive reporting
To make savings credible, measure and report them like any other optimisation program.
Define a baseline
Total licenses by SKU, assigned vs. unassigned, active vs. inactive users, and average cost per seat. Then track leading indicators: time-to-reclaim after termination, percentage of users inactive 60+ days, and rate of downgrades. Present trailing outcomes monthly or quarterly: seats reclaimed, net spend reduction, and projected annualised savings. Where possible, segment by system owner so business leaders see their share of wins.
Close the loop with finance by producing an audit trail for each reclaimed license:
- Who approved it.
- When it was removed.
- Which cost center realised the benefit.
Pair quantitative reporting with policy improvements
Mandate group-based licensing tied to roles, enforce deprovisioning SLAs, and run quarterly reviews for high-spend SKUs. Use IAM automation to move from one-off savings to a durable, self-healing license posture.