Most enterprises significantly overspend on Microsoft licensing. Internal audits routinely reveal 15–30% of licences are shelfware — paid for but unused. This guide provides a structured, repeatable six-step framework for systematically auditing your M365, Azure, and on-premises estate to uncover hidden savings before your next renewal or true-up.
See also our Microsoft Knowledge Hub, Microsoft Optimisation Services, and EA Optimisation Service.
Waste quietly drains budgets by hundreds of thousands over a single contract term, compounding through automatic true-ups and renewal baselines nobody questions. Microsoft will happily sell you the latest premium E5 bundles, but it is your responsibility to ensure you are not overbuying.
An internal audit puts you back in control. By systematically examining your M365, Azure, and on-premises usage, you uncover hidden waste and create the data foundation you need for negotiation. This proactive approach identifies licences not delivering value so you can trim excess before your next annual true-up or renewal — entering negotiations armed with facts, not guesswork.
Export licence assignment and usage reports from M365 Admin Centre, Azure Cost Management, and on-premises tools.
Pinpoint departed employees, test accounts, shared mailboxes, and over-licensed users consuming premium licences.
Examine per-service feature adoption. Find users on premium tiers who use only basic capabilities.
Build quarterly review cadences, automated inactivity flags, and IT governance integration.
A comprehensive internal audit should span your entire Microsoft estate. Limiting scope to M365 alone misses significant waste in Azure, on-premises deployments, and add-on products.
| Source | What It Provides | Access Path |
|---|---|---|
| M365 Admin Centre | Licence assignments, per-user service usage, 60–90 day activity reports, inactive accounts | Admin portal → Reports → Usage |
| Azure Cost Management | Resource consumption, idle VMs, orphaned storage, reserved instance utilisation | Azure Portal → Cost Management + Billing |
| Entra ID (Azure AD) | Sign-in activity, last login dates, guest and external accounts | Entra Admin Centre → Sign-in logs |
| SCCM / Intune | On-premises software deployments, device inventory, installed product versions | Configuration Manager reports / Intune portal |
| EA Agreement Summary | Contracted entitlements, SKU details, pricing tiers, true-up history | VLSC or Microsoft Business Centre |
The foundation of any effective audit is comprehensive, accurate data. Incomplete data leads to missed savings and false confidence. Budget two to five days for this step depending on organisation size and data accessibility.
Pull reports showing every user account and assigned SKU, plus 60–90 day usage summaries for Exchange, Teams, OneDrive, SharePoint, and premium workloads. This reveals the gap between what you are paying for and what people are actually consuming.
Identify idle VMs, orphaned disks, underutilised reserved instances, and dev-test resources deployed in production pricing tiers. Azure waste typically runs 20–30% without active FinOps governance.
Use SCCM, Intune, or a SAM tool to map installed software against your EA entitlements. This comparison identifies pure shelfware, over-deployment, and legacy versions consuming licences unnecessarily.
Overlay your EA schedule against usage data. Build a comparison of licences purchased vs assigned vs actively used. The gaps between these three numbers represent your savings opportunity.
Inactive accounts are the lowest-hanging fruit in any Microsoft audit. Every licence assigned to a departed employee, forgotten test account, or over-licensed user is money wasted with zero business value delivered.
Users who have left the organisation or have not logged in for 60+ days. Cross-reference Entra ID sign-in data against HR records. With annual turnover of 10–15%, this can account for hundreds of unused licences.
Service accounts, test users, training environments, and shared mailboxes assigned full licences. Convertible to free shared mailboxes or Exchange Online Kiosk at no cost.
Active users on premium tiers using only basic capabilities. E5 costs roughly 2.5× more than E3. Even 10% over-licensed in a 5,000-user org equals $200K+ annual savings.
| Scenario | Example | Savings |
|---|---|---|
| Departed employees | Still assigned M365 E5 three months after leaving | 100% licence cost |
| Test / training accounts | 20 test accounts with full E3 from a pilot project | 100% licence cost |
| Shared mailbox with full licence | Reception desk on E3 instead of free shared mailbox | 100% licence cost |
| Over-licensed E5 → E3 | Finance analyst using only Outlook and Excel on E5 | ~30–40% per user |
| Over-licensed E3 → F3 | Frontline worker with E3 using only Teams on mobile | ~75% per user |
Situation: A European logistics company with 8,000 employees engaged Redress Compliance for a pre-renewal audit. No internal usage review had been conducted over the previous two years.
Findings: 620 licences assigned to departed employees. 340 test and shared accounts with full E3 licences. 440 users on E5 using only email and Teams — E1-level functionality.
Result: Eliminating 960 unnecessary licences and downgrading 440 E5 → E3 reduced annual spend by $1.1M — a 22% reduction achieved entirely through internal clean-up before renewal negotiations even began.
Takeaway: The most impactful savings come from the simplest actions — removing licences that should never have been there and right-sizing users to the tier they actually need.
Beyond inactive accounts, the next layer of savings comes from understanding what active users actually do with their licences. Many organisations assign E5 by default when E3 or even F3 would serve the same business need.
Examine E5 users for premium workload adoption: Teams Phone, Power BI Pro, Defender for Office 365, eDiscovery, and Information Protection. Build a matrix of user → current tier → services actually used → recommended tier.
Examine Visio, Project, Power Automate, Power Apps, Copilot, and Defender licences. These are frequently purchased in bulk, but actual adoption is often below 20%. If you purchased 100 Visio licences but only 12 are actively used, 88 are reclaimable.
Examine VM CPU and memory right-sizing, storage access patterns, reserved instance coverage versus on-demand, and dev-test workloads running on production pricing. Azure waste typically runs 20–30% without active FinOps.
Transform your audit findings into a structured action plan with clear financial impact. This document becomes your negotiation baseline — the foundation for every conversation with Microsoft at renewal.
Per-licence cost × reclaimed licences = annual saving. Departed, test, shared mailboxes — all recoverable at 100%.
Cost differential (E5 minus E3) × downgrades = annual saving. Focus on basic-feature-only users.
Reduce Visio, Project, Power Platform, Copilot to match usage. Excess × per-licence cost = annual saving.
Resize VMs, delete orphaned disks, convert on-demand to reserved. Monthly savings × 12 = annual saving.
| Category | Typical Finding | Est. Annual Savings |
|---|---|---|
| Departed employee licences | 5–10% of total users still licensed | $150–400K (5,000-user org) |
| Test / shared accounts | 50–200 accounts with unnecessary full licences | $30–120K |
| E5 → E3 downgrades | 10–25% of E5 users need only E3 | $100–500K |
| Add-on shelfware | 60–80% of Visio, Project, Power Platform unused | $50–200K |
| Azure waste | 20–30% of spend on idle or over-provisioned resources | $80–300K |
Never negotiate discounts before cleaning up your licence estate. Optimising your baseline first ensures that any percentage discount Microsoft offers is applied to the correct, lower number — not an inflated baseline that includes hundreds of licences nobody uses.
With your optimisation plan documented, execute the changes systematically. The goal is to reduce your licence baseline before the next true-up or renewal — every licence reclaimed or downgraded directly reduces what you pay.
Immediately unassign licences from departed employees, test accounts, and shared mailboxes. Process in batches with a documented change log. This directly reduces your renewal baseline and true-up count.
Move E5 users to E3, and E3 users to F3 where analysis supports it. Communicate changes to affected users and managers in advance, explaining which features are removed and confirming no business-critical functionality is lost. A well-communicated downgrade generates zero complaints.
Verify with the relevant manager or system owner before revoking any licence. Occasionally an inactive account is a service account or a user on extended leave. Spending 10 minutes verifying avoids the reputational cost of disrupting a critical workflow.
Situation: A US healthcare network with 12,000 employees was 90 days from their EA renewal. Microsoft’s renewal proposal offered 12,000 M365 E5 licences at a 10% discount — $5.4M annually. They engaged Redress for a rapid audit.
Findings: 800 licences assigned to departed staff. 1,600 clinical staff on E5 using only Teams and Outlook on shared workstations — F3 candidates. 200 Visio licences with only 25 active users.
Result: Removing 800 ghost licences, downgrading 1,600 to F3, and reducing Visio to 30 dropped the renewal baseline from $5.4M to $4.1M — $740K annual saving. Microsoft’s 10% discount on the inflated baseline would have saved only $540K. The internal audit delivered 37% more savings than Microsoft’s own discount offer.
Takeaway: Optimise your baseline first. Then negotiate the discount. The order matters — a percentage discount applied to a clean, right-sized baseline delivers far more value than the same discount applied to an inflated number.
A single audit captures a point-in-time snapshot. Without ongoing governance, shelfware accumulates again within months as employees join, leave, and change roles. The organisations that maintain 90%+ licence utilisation treat audit as a continuous process, not a one-off exercise.
Schedule internal usage reviews every quarter, assigned to IT asset management or FinOps. Each review takes two to three days using the methodology established in Steps 1–5. Track findings and savings cumulatively.
Define clear criteria: 60 days without sign-in triggers review; 90 days triggers automatic removal with a seven-day grace period. Use PowerShell scripts or SAM tools to automate flagging and notification.
Connect licence provisioning and deprovisioning to onboarding and offboarding workflows. Flag licence reclamation within 48 hours of an employee departure. Require new projects to submit licence requests with business justification.
Produce a quarterly optimisation report including current utilisation rates, licences reclaimed, cost avoidance, and projected savings. This creates accountability and ensures visibility at leadership level.