Eliminating Inactive or Duplicate Microsoft 365 Accounts
Inactive and duplicate user accounts in enterprise software (like Microsoft 365) often lead to wasted license costs and hidden security risks.
CIOs and CTOs should implement regular license audits to identify accounts that no longer require licenses and remove or remediate them accordingly.
This proactive account cleanup eliminates “shelfware” (unused licenses) and ensures your organization only pays for licenses that deliver value.
The Hidden Cost of Inactive and Duplicate Accounts
Illustration: Industry studies indicate that as much as 30–40% of enterprise software licenses remain unused or underutilized, represented by the dark segments above (a form of “shelfware” that adds no value). Inactive user accounts and duplicate accounts contribute heavily to this waste.
Many enterprises unknowingly pay for licenses assigned to inactive accounts or even duplicate user accounts.
These are users who have left the company, changed roles, or simply stopped using certain services – yet their accounts remain licensed.
In some cases, a single employee might even have two accounts consuming licenses (for example, after a merger or provisioning error).
Gartner famously calls this phenomenon “shelfware”, referring to purchased software that sits on the shelf unused.
Recent analyses of Microsoft 365 environments reveal that over half of enterprise licenses may not be fully utilized (inactive, unassigned, or underused).
This means IT budgets are bleeding money on subscriptions that aren’t helping the business. Worse, inactive accounts can linger as security liabilities if not deprovisioned. For CIOs and CTOs, these hidden costs and risks warrant urgent attention.
Read M365 Downshifting Strategy: Moving Users to Lower-Cost Plans.
Financial Impact: Wasted Licenses and Real Costs
Inactive licenses translate directly into wasted IT spend.
Enterprise SaaS licenses are not cheap – organizations often invest in premium plans for full functionality and compliance.
For example, consider common Microsoft 365 license prices:
| Microsoft 365 Plan | Cost per user/month (USD) | Cost per user/year (USD) |
|---|---|---|
| Business Basic | $6.00 | $72 |
| Business Standard | $12.50 | $150 |
| Enterprise E3 | $36.00 | $432 |
| Enterprise E5 | $57.00 | $684 |
An unused E5 license costs about $684 per year with nothing to show for it. Now imagine dozens or hundreds of such licenses.
For instance, 100 inactive E5 accounts would incur roughly $68,000 in annual waste.
Even mid-tier E3 licenses at $36 per month add up quickly if they’re assigned to dormant accounts. This budget can be reinvested in strategic projects or new solutions.
Real-world examples bear this out. In one mid-sized company, an audit revealed that 87 E5 licenses were assigned to users who no longer needed them.
By eliminating or reallocating those, the company saved over $50,000 per year in license fees.
In another case, a large enterprise (with over 30,000 employees) was found to be wasting around 14% of its Office 365 spend on inactive or unassigned licenses, representing millions of dollars that could be saved through better account hygiene.
The financial impact extends not only to direct fees but also to support and maintenance overhead for accounts that shouldn’t exist. The cost of doing nothing about inactive or duplicate accounts is too high to ignore.
Why Inactive and Duplicate Accounts Accumulate
Several common scenarios cause inactive or duplicate accounts to pile up in corporate IT environments:
- Employee Offboarding Gaps: When staff leave the company (or a contractor’s term ends), IT may not promptly deactivate their account, resulting in a license being left unused. Without a tight offboarding process, these accounts remain enabled with active licenses, even though the users have long since left.
- Role Changes or Transfers: An employee might change roles and get a new account or different access, but their old account isn’t shut down. Mergers and acquisitions also lead to duplicate accounts (one person with accounts in two systems post-merger).
- License Overallocation: Companies often purchase more licenses than needed “just in case” (e.g., anticipating growth or to meet a discount threshold). If those licenses stay unassigned or assigned to placeholder accounts, they become shelfware. Managers may err on the side of caution and over-provision access for users who ultimately do not utilize the software fully.
- Lack of Identity Governance: Without strong identity management, duplicate user entries can occur. For example, slight differences in naming (e.g., JPerez vs. Juan Perez) might result in two accounts for the same person across systems. Or an IT team might set up a second account for testing, or by mistake. Each account could be consuming a license unbeknownst to the others.
- Infrequent Audits: Simply put, if you’re not regularly checking, these unused accounts accumulate over time. Busy IT departments might focus on onboarding new users and projects, leaving little time to clean up old accounts. Over the years, this has resulted in a substantial backlog of inactive accounts with active subscriptions.
Understanding why these accounts accumulate is half the battle. It usually comes down to process and visibility – gaps between HR and IT processes, or missing oversight tools. Fortunately, each of these causes can be addressed with a combination of process discipline and tools, as we’ll outline next.
Regular License Audits and Account Hygiene
The most effective way to eliminate inactive or duplicate accounts is to institute regular license audits as part of IT operations.
Think of this as performing routine “spring cleaning” on your user directories and license assignments.
Key steps in this audit process include:
- Review Activity Logs: Use your software’s admin portal or reports to identify user accounts with no recent activity. For instance, in Microsoft 365, you can check last login dates or activity per app. Flag accounts that haven’t been used in, say, 30, 60, or 90 days.
- Cross-Check HR Records: For each inactive account found, verify if the user is still with the company or has changed roles. Often, you’ll find many correspondents to former employees whose accounts were never removed. Aligning with HR’s termination list ensures no former staff remain active in systems.
- Identify Duplicates: Conduct an audit to detect duplicate accounts by searching for matching names, emails, or employee IDs. Ensure each person has a single primary account. If duplicates exist, decide which account to retain, and migrate any necessary data to the primary account. The redundant account’s license can then be revoked, and the account deleted or disabled.
- Reclaim or Reallocate Licenses: Once you’ve identified an inactive or duplicate account, remove its license assignment. This immediately stops the monthly subscription costs for that account. In Microsoft 365, for example, you can unassign the license, which frees it up for others to use. For truly unneeded licenses, reduce the license count in your portal to lower the bill (especially important before renewal dates).
- Document and Repeat: Document the accounts that have been cleaned up and the licenses that have been freed (this provides helpful evidence of cost savings). Schedule the next audit – whether quarterly or monthly, depending on the size and rate of change in your environment. Consistency is key; regular audits prevent a large buildup of shelfware.
By performing these audits routinely, you enforce good account hygiene. Some organizations create an “inactive account policy” where any user who has been idle for over 90 days is reviewed. Others integrate license checks into the offboarding checklist: when IT disables a user, they immediately reclaim that license.
The audit process not only saves money, but also improves security by ensuring ex-employees or phantom accounts don’t linger with access.
It also gives IT leaders clear visibility into license utilization, which is invaluable for capacity planning and vendor negotiations.
Tools and Best Practices for Automated Cleanup
Manually combing through accounts can be time-consuming, but there are tools and best practices to streamline the discovery and removal of inactive or duplicate accounts:
- Admin Console Reports: Leverage built-in admin center tools (e.g., Microsoft 365 Admin Center’s usage reports) to get lists of dormant accounts. Microsoft provides graphical reports and the ability to export data on the latest activity for Exchange, Teams, OneDrive, and other services. This quickly highlights users who haven’t logged in or used services in months.
- PowerShell/Scripting: For greater control, IT administrators often utilize scripts to identify inactive accounts. For example, a PowerShell script can list all users who haven’t logged in for 90 days and then automatically remove licenses or disable accounts in bulk. This is especially useful in a Microsoft Active Directory or hybrid environment.
- Identity and Access Management (IAM) Systems: Investing in an IAM or Identity Governance solution (like Azure AD Premium, Okta, or SailPoint) can enforce lifecycle policies. These systems can automatically disable or flag accounts when a user’s HR record is terminated, and they help prevent duplicate identities by using a single source of truth for user data.
- SaaS Management Platforms: There’s a growing class of tools specifically for SaaS license management. These platforms can track license assignments across software, identify under-utilized or duplicate licenses, and even automate workflows to deprovision accounts. For example, some tools send alerts or automatically revoke a license if an account remains inactive for a specified period. They often provide a dashboard that quantifies the cost of inactive licenses in real-time, which is useful for showing leadership the potential savings of cleanup.
- Offboarding Checklists and Automation: Make sure your IT offboarding process includes license removal. Many organizations integrate HR systems with IT (through workflow tools or scripts) so that when HR marks someone as leaving, IT gets an automatic task to disable the account and free the license. You can also utilize features like Microsoft’s access reviews (in Azure AD) to regularly recertify which accounts should retain access, identifying contractors or others who no longer require licenses.
Following these best practices significantly reduces the manual effort required to maintain a clean environment. A combination of automation and policy ensures that inactive accounts don’t slip through the cracks.
For example, one best practice is converting a departing employee’s mailbox to a “shared mailbox” (which doesn’t require a license) during offboarding – this preserves their email records for reference, but immediately releases the paid license.
Similarly, data from a leaver’s OneDrive can be transferred to a manager before the account is deleted, avoiding any loss of information while still retiring the account.
By using the right tools and processes, you create an ongoing system that prevents license waste rather than just reacting to it periodically.
Aligning License Usage with Contracts and Budget
Eliminating inactive and duplicate accounts isn’t just an IT housekeeping task – it directly supports contract optimization and budget management:
- True-Ups and Renewals: Enterprise Agreements and volume licensing contracts (common in North America) often lock in several licenses for a year or more. Regular audits before your true-up or renewal dates allow you to adjust the license counts down to what’s needed. This prevents over-commitment. For instance, if you discovered 100 unused licenses and removed them, you can renew for 100 fewer seats – a major cost reduction over the contract term.
- Negotiation Leverage: Vendors like Microsoft negotiate pricing based on volume and perceived need. Walking into a renewal discussion with hard data on active vs. inactive users gives you leverage. You can confidently push back on proposed quantities or upgrades by showing that you only need X licenses of a given type. In short, you negotiate with data, not assumptions. Additionally, demonstrating strong license governance might make the vendor more amenable to flexible terms, since they know you’re closely monitoring usage.
- Budget Reallocation: The savings from cleaning up licenses can be substantial, and CIOs can repurpose those dollars. Rather than spending on shelfware, that budget can fund new initiatives (perhaps modernizing a system, investing in employee training, or piloting a new technology). This aligns IT spend more directly with business value. Some organizations set a KPI for license utilization (e.g., target 90-95% active usage of all purchased licenses) and tie it to cost optimization goals.
- Compliance and Audit Readiness: Keeping tight control on accounts also means you’re better prepared for any vendor compliance audits. While the issue with inactive accounts is usually over-paying, not under-paying, having an accurate inventory ensures you aren’t accidentally violating license terms (for example, re-using one account for multiple users, which could happen if people “account-share” to avoid buying new licenses – a bad practice). Showing auditors that every paid license is assigned to an active, unique user is a good position to be in.
- Security & Data Governance: Finally, aligning licenses to actual need supports broader governance. It ensures that when someone leaves, their access is truly removed (reducing insider threat and unauthorized access risks). It also helps enforce data retention policies properly – you’re not indefinitely hanging on to old accounts “just in case.” Instead, you have a procedure to retain data as needed and eliminate the live account, which is a cleaner and safer state.
By tying account cleanup to contract cycles and budgeting, CIOs and CTOs elevate this task from a one-time IT fix to a strategic practice.
It’s not only about saving money (though that is a big benefit); it’s about running a tighter ship overall, where your software investments are fully in line with actual usage and business needs.
In the end, the goal is to pay for what you use – and not pay for what you don’t. Regularly eliminating inactive or duplicate accounts is one of the most straightforward ways to reach that goal.
Recommendations
- Audit License Usage Quarterly: Conduct regular audits (at least every quarter) to identify inactive user accounts across all major software platforms. Pay special attention to high-cost licenses (e.g., enterprise-tier subscriptions) that might be sitting idle.
- Integrate offboarding with IT: Implement an automated offboarding workflow that promptly disables an employee’s accounts and reclaims their licenses whenever they leave. Don’t wait weeks or months – reclaim those licenses immediately to stop the billing.
- Enforce “One Person, One Account”: Use identity management best practices to prevent duplicate accounts. Maintain a single unique user identity for each employee in your directory. Regularly reconcile accounts with HR records to identify and eliminate any duplicates or orphan accounts.
- Set Inactivity Thresholds: Define a clear policy for inactive accounts (e.g., “Disable or review any account after 60 days of no login”). Use tools or scripts to automatically flag these accounts, then decide whether to remove the license or the account based on the situation.
- Leverage License Management Tools: Utilize SaaS management or software asset management tools to continuously monitor license utilization. Configure alerts for unused licenses, and let the system perform routine cleanup (such as removing licenses from accounts with no activity).
- Preserve Data, Not Accounts: When deprovisioning an inactive account, ensure you retain any critical data (emails, files) through backups or transfers. Utilize features such as converting mailboxes to a shared (free) status for archival purposes. This allows you to safely delete or block the account without losing important information or incurring charges for an inactive user.
- Optimize Before Renegotiating: Before any contract renewal or true-up with a vendor, conduct a comprehensive review of license usage. Remove or reassign all unused licenses before you negotiate. Enter discussions with an accurate count of needed licenses and evidence of usage – this avoids over-buying and strengthens your case for a better volume discount on the licenses you truly need.
- Educate Stakeholders: Make department heads and application owners aware of license costs. Sometimes managers keep licenses active “just in case.” By sharing reports on unused licenses and the associated dollar value, you can encourage better stewardship at the business unit level. Tie these insights into governance meetings or IT budget reviews for accountability.
FAQ
Q1: How often should we audit for inactive or duplicate accounts?
A1: Aim to audit on a regular schedule – at minimum every quarter, though monthly audits are ideal for fast-changing organizations. Frequent audits mean fewer idle accounts piling up. It’s also wise to do an extra audit before major license renewal dates. Regularity ensures license optimization becomes a routine part of IT operations rather than a one-off project.
Q2: What’s the best way to identify inactive user accounts in Microsoft 365 (or other platforms)?
A2: Use the admin analytics and reports available: for Microsoft 365, the Admin Center provides reports on user activity (last login dates, email usage, etc.). You can also run PowerShell scripts or use Azure AD reports to list accounts that have been inactive for X days. Many SaaS management tools can also aggregate this information. Essentially, look for accounts with no sign-ins or usage over your chosen threshold (e.g., 60 or 90 days). Those are prime candidates to flag as inactive.
Q3: How do duplicate user accounts occur, and how can we prevent them?
A3: Duplicates often happen due to mistakes like creating a new account for someone who already exists (perhaps under a different spelling), or when merging systems (e.g., after an acquisition). They can also arise if separate IT teams provision accounts in unconnected systems for the same person. To prevent duplicates, maintain a single identity directory linked to HR records, ensuring that each new hire or change is processed through a single system. Utilize identity governance tools that alert you if a similar name or email address already exists. Regularly compare user lists across systems and eliminate any duplicate entries to ensure that each employee has a unique account with the necessary licenses.
Q4: What should we do with an inactive account’s data (emails, files) when removing the license?
A4: It’s important to retain necessary data without keeping the paid account active. Best practice is to transfer ownership of the data or use built-in archival tools. For example, before deleting an Office 365 account, you can convert the user’s mailbox to a shared mailbox – this preserves all their emails and is free to keep, but you can release the license. Likewise, download or transfer files from their OneDrive to a secure location or to their manager. This way, you comply with any data retention policies and still eliminate the unused account and its license.
Q5: Can we reassign a freed-up license to another user instead of buying a new license?
A5: Yes. Most subscription licenses (including Microsoft 365) are fungible seats – if one user leaves, you can assign that same license seat to another user. For instance, if you remove a license from an inactive account, that license becomes available in your pool to allocate to someone else. This is exactly how license optimization saves money: rather than purchasing a fresh license for a new hire, you reuse an existing one from a departed or duplicate account. Be mindful of any timing differences (some systems will immediately make it free, while others may have a short lag or require confirmation).
Q6: What are the security risks of keeping inactive accounts around?
A6: Inactive accounts can become a serious security vulnerability. If the account’s credentials were never disabled or the password never reset, a former employee (or a malicious actor who compromises the account) could still access corporate data. Stale accounts are a common target for attackers because they are often not monitored. By eliminating these accounts, you reduce your attack surface. Additionally, duplicate accounts might have excess privileges that go unnoticed, which can also be exploited. Regular cleanup ensures that only authorized users with active access have access to systems.
Q7: Our company keeps a few extra licenses as a buffer for new hires – is that a bad thing?
A7: Maintaining a small buffer can be practical for handling immediate needs, but it should be intentional and limited. The key is to monitor those spare licenses. If you consistently have, say, 20 licenses unassigned for six months, that’s oversupply and wasted spend – you might be able to drop those until they’re truly needed. A good approach is to review unassigned licenses at each audit. If they remain unused for an extended period or beyond your hiring forecasts, consider including them in your cost-saving removals. In modern cloud licensing (especially via monthly subscriptions), you can usually add licenses on short notice, so paying far in advance for a large buffer is not necessary.
Q8: How do license audits help during contract negotiations with Microsoft (or other vendors)?
A8: License audits arm you with accurate usage data. When negotiating with Microsoft or another vendor, knowing exactly how many licenses you need (and of what type) prevents the common scenario of overbuying. You can confidently negotiate a reduction in quantity, for example, by saying, “We only need 500 E5 licenses instead of 600, because 100 were not used.” It also allows you to consider downgrades (perhaps some users only need less expensive licenses). Vendors may offer better pricing if you can commit to a certain number, but you don’t want to commit to licenses that will sit unused. By demonstrating that you’ve done your homework (through audits), you can negotiate a contract that aligns with your actual usage, potentially saving a significant percentage of your spend. Plus, if the vendor knows you actively manage licenses, they’re less likely to push excess bundles you don’t need.
Q9: Are there tools to automatically remove or deactivate inactive accounts?
A9: Yes, a few approaches exist. Native tools: Microsoft 365 offers retention policies and the option to set accounts as inactive (especially for preserving mailbox content), as well as the ability to automate license removal via PowerShell scripts. Third-party SaaS management tools can be configured to detect inactivity and execute actions such as sending an alert or automatically removing the license. Identity management suites, such as Okta or Azure AD, can be integrated into an automation workflow. For example, if an account is disabled in Active Directory, a script can be used to remove the user’s SaaS licenses as a follow-up. The best practice is a combination of detection (identifying inactive accounts) and action (removing or deactivating them), which can be as automated as possible. Human oversight is still recommended for review, but the heavy lifting can be automated through scripting.
Q10: What’s one thing CIOs and CTOs often overlook in license cleanup?
A10: Many IT leaders focus on the technical removal of accounts but overlook the communication and policy aspect. One commonly overlooked element is simply communicating to managers and employees that licenses are a costly resource. For example, establishing a policy that departmental leaders will be informed of licenses assigned to users in their team who haven’t used them in 60 days or more can create accountability. Another overlooked aspect is tying license management into the IT governance framework – e.g., making it a KPI for the IT department to keep license utilization above a certain threshold. In short, beyond the technical fixes, ensure there’s organizational awareness and policy in place so that everyone understands the importance of eliminating unused licenses. This top-down emphasis can significantly improve compliance with cleanup processes.
Read about our Microsoft Advisory Services.
