Why Counting Salesforce Licenses Is Harder Than It Looks
Most enterprise IT leaders assume Salesforce license management is straightforward: you buy a number of seats, you assign them, and the platform enforces the cap. That assumption is dangerously incomplete. Salesforce licensing operates across four distinct layers—user licenses, feature licenses, permission set licenses, and usage-based entitlements—each tracked separately, each with different cost implications, and each susceptible to different forms of waste.
The result is that organisations routinely discover they are paying for 20–30% more licenses than they actually need. At Enterprise Edition list pricing of $175 per user per month, a company with 1,000 seats and a 25% waste rate is burning through $525,000 per year on licenses that generate zero business value. That figure climbs further once you factor in Feature Licenses, Permission Set Licenses, and usage-based products like Marketing Cloud contacts or Data Cloud and Agentforce consumption credits.
This guide provides the practical, step-by-step methodology for conducting a comprehensive Salesforce license audit. Every technique can be executed using native Salesforce tools—no third-party software required—and is designed to produce the evidence base you need to rightsize your estate, eliminate shelfware, and negotiate your next renewal from a position of documented fact rather than guesswork.
Understanding the Four License Layers You Must Audit
Before you begin counting, you need to understand what you are counting. Salesforce’s licensing architecture is not a single list—it is four interlocking layers, each requiring a distinct audit approach.
Layer 1: User Licenses (Foundation)
What they control: The baseline product access for every user in your org. Each user record requires exactly one User License. Common types include Salesforce (full CRM), Salesforce Platform (custom apps only, no standard CRM objects), Identity Only (SSO passthrough), and Customer Community or Partner Community for external users.
Why they matter financially: User Licenses represent 70–85% of your total Salesforce contract value. Every seat you can eliminate or downgrade flows directly to savings.
Layer 2: Feature Licenses (Add-On)
What they control: Access to specific capabilities not included in the base User License. Examples include Marketing User, Service Cloud User, Knowledge User, Flow User, and CPQ User. These are toggled per-user as checkboxes on the User record or via separate assignment.
Why they matter financially: Feature Licenses are frequently over-assigned during initial rollouts and never revisited. Organisations commonly find 30–50% of assigned Feature Licenses are unused.
Layer 3: Permission Set Licenses (Entitlement)
What they control: Granular entitlements that extend functionality beyond what User and Feature Licenses provide. Examples include Sales Cloud Einstein, Salesforce CPQ, Pardot, and CRM Analytics. Permission Set Licenses are assigned through Permission Sets or Permission Set Groups.
Why they matter financially: These often represent high-value add-on products billed per-seat. A single unused CRM Analytics licence can cost $75–$150 per user per month.
Layer 4: Usage-Based Entitlements (Consumption)
What they control: Metered resources including data storage (GB), file storage (GB), API calls (daily cap), Marketing Cloud contacts, Experience Cloud logins, and Agentforce conversations. These are not per-seat—they are pooled at the org level.
Why they matter financially: Overage pricing is punitive. As of 2025, additional Salesforce data storage costs approximately $125 per month per 500 MB—equivalent to $3,000 per year for just 1 GB of additional capacity.
Method 1: The Setup → Company Information Baseline
The fastest way to establish your license inventory is through Salesforce’s native Company Information page. This is your starting point for every audit and takes less than five minutes to complete.
Step-by-Step: Pulling the Baseline Numbers
Navigate to Setup → Company Settings → Company Information (in Lightning Experience, click the gear icon, select Setup, and type “Company Information” in Quick Find). Scroll down to find three critical tables: User Licenses, Permission Set Licenses, and Feature Licenses. Each table displays three columns: Total Licenses (what you purchased), Used Licenses (what is currently assigned), and Remaining (the difference).
Click View All on the User Licenses section to see every license type in your org. For larger orgs, this list can span 15–30 rows, including license types you may not recognise—many are provisioned automatically by Salesforce when features are enabled or packages installed. Click Download to export the entire table as a CSV file. Repeat this for Permission Set Licenses and Feature Licenses.
⚠ “Used” Does Not Mean “In Use”
The Company Information page shows assigned licenses, not active ones. A license assigned to a user who has not logged in for six months still appears as “Used.” This is the single most common misunderstanding in Salesforce license audits and why the Setup baseline is necessary but never sufficient on its own.
Record the following for every license type: the total count purchased, the count currently assigned, the remaining count available, and the list price per seat from your contract. This creates your Entitlement vs. Assignment matrix—the first of three comparison layers you will build.
Method 2: SOQL Queries for Precise License Intelligence
The Setup UI gives you a snapshot. SOQL queries give you actionable detail—specifically, the ability to cross-reference license assignments with actual login behaviour, user roles, and last activity dates. You can execute these queries in Developer Console (Setup → Developer Console → Query Editor tab), Workbench (workbench.developerforce.com), or any connected API client.
Query 1: Complete User License Inventory
The UserLicense object is the authoritative source for license counts. Run the following query to retrieve every license type, its total allocation, and current usage:
SELECT MasterLabel, Name, Status, TotalLicenses, UsedLicenses FROM UserLicense ORDER BY UsedLicenses DESC
This returns your complete User License inventory sorted by consumption. Pay particular attention to any row where UsedLicenses equals TotalLicenses—these are at-capacity license types where any new user request will trigger a purchase.
Query 2: Permission Set License Utilisation
Permission Set Licenses are where hidden costs accumulate. Query the PermissionSetLicense object to identify over-provisioned add-on entitlements:
SELECT MasterLabel, TotalLicenses, UsedLicenses, ExpirationDate FROM PermissionSetLicense WHERE TotalLicenses > 0 ORDER BY UsedLicenses DESC
Compare the UsedLicenses count against actual utilisation of the corresponding feature. For example, if you have 200 CRM Analytics Permission Set Licenses assigned but only 45 users have opened an Analytics dashboard in the past 90 days, you have identified 155 candidates for removal.
Query 3: Inactive User Identification (The Money Query)
This is the query that finds your savings. It identifies every active user who has not logged in within the past 90 days, grouped by license type:
SELECT Profile.UserLicense.Name, COUNT(Id) FROM User WHERE IsActive = true AND LastLoginDate < LAST_N_DAYS:90 GROUP BY Profile.UserLicense.Name
For a more granular view that gives you individual user names for action, remove the GROUP BY clause and add the Name and LastLoginDate fields:
SELECT Name, Username, Profile.Name, Profile.UserLicense.Name, LastLoginDate FROM User WHERE IsActive = true AND LastLoginDate < LAST_N_DAYS:90 ORDER BY LastLoginDate ASC
✓ Typical Savings Discovery
In our experience across hundreds of Salesforce advisory engagements, the 90-day inactivity query typically identifies 15–25% of assigned User Licenses as candidates for deactivation or downgrade. For a 1,000-seat Enterprise deployment, that represents $315,000–$525,000 in annual recoverable cost before any license-type optimisation is applied.
Query 4: Users Who Have Never Logged In
A surprisingly common finding—users provisioned during onboarding waves or migration projects who never actually accessed the system:
SELECT Name, Username, Profile.UserLicense.Name, CreatedDate FROM User WHERE IsActive = true AND LastLoginDate = null ORDER BY CreatedDate ASC
These represent the purest form of shelfware: licenses that have never delivered any business value whatsoever.
Method 3: Custom Reports for Ongoing Governance
SOQL queries are powerful for point-in-time audits but impractical for ongoing governance. For continuous monitoring, build a Custom Report Type that makes license data available to business stakeholders through standard Salesforce reports and dashboards.
Building the License Audit Report Type
Navigate to Setup → Report Types → New Custom Report Type. Select Users as the primary object. In the field layout editor, add lookup fields from the Profile object, specifically Profile: User License: Name and Profile: User License: Total Licenses. Deploy the report type to make it available across the org.
Create a new report using this custom report type. Set the format to Summary Report, grouped by User License. Add a filter for Active = True. Create two custom summary formulas: first, Active User Count using RowCount; second, Licenses Remaining using the formula User.Profile.UserLicense.TotalLicenses:SUM minus RowCount. This gives you a live, schedulable report showing utilisation by license type that can be emailed to procurement and IT asset management stakeholders weekly or monthly.
The Login Frequency Dashboard
Extend your custom report with a Last Login Date bucketing approach. Create four report columns that categorise users into login frequency bands: Active (last 30 days), Low activity (31–90 days), Dormant (91–180 days), and Inactive (180+ days or never logged in). The dormant and inactive bands are your immediate optimisation targets.
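The banding above, as an added example that is not part of the original guide: it classifies rows exported from the granular user query (run without the LastLoginDate filter so every active user is included) and counts them per license type. The dictionary keys, the sample rows and the choice to treat exactly 180 days as Dormant are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Upper edge in days for each band, as listed in the guide.
# Assumption: exactly 180 days counts as Dormant, anything older as Inactive.
BANDS = [(30, "Active"), (90, "Low activity"), (180, "Dormant")]


def parse_sf_datetime(value):
    """Parse an API timestamp such as 2025-06-20T09:00:00.000+0000; empty means null."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def login_band(last_login, as_of):
    """Return the frequency band for one user as of the audit date."""
    if last_login is None:  # never logged in: LastLoginDate is null
        return "Inactive"
    age_days = (as_of - last_login).days
    for upper_edge, label in BANDS:
        if age_days <= upper_edge:
            return label
    return "Inactive"


def bands_by_license(rows, as_of):
    """Count users per license type and band."""
    summary = defaultdict(Counter)
    for row in rows:
        band = login_band(parse_sf_datetime(row["LastLoginDate"]), as_of)
        summary[row["Profile.UserLicense.Name"]][band] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def optimisation_targets(summary):
    """Users per license type in the Dormant and Inactive bands."""
    return {
        name: counts.get("Dormant", 0) + counts.get("Inactive", 0)
        for name, counts in summary.items()
    }


# Constructed sample rows (not real data), one dict per active user.
AS_OF = datetime(2025, 6, 30, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Profile.UserLicense.Name": "Salesforce",
     "LastLoginDate": "2025-06-20T09:00:00.000+0000"},
    {"Profile.UserLicense.Name": "Salesforce",
     "LastLoginDate": "2025-04-15T14:30:00.000+0000"},
    {"Profile.UserLicense.Name": "Salesforce",
     "LastLoginDate": "2025-02-01T08:00:00.000+0000"},
    {"Profile.UserLicense.Name": "Salesforce Platform",
     "LastLoginDate": ""},  # exported null: never logged in
    {"Profile.UserLicense.Name": "Salesforce Platform",
     "LastLoginDate": "2024-11-01T10:00:00.000+0000"},
]

if __name__ == "__main__":
    summary = bands_by_license(SAMPLE_ROWS, AS_OF)
    targets = optimisation_targets(summary)
    for name, counts in summary.items():
        print(name, counts, "dormant+inactive:", targets[name])
```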
The Lightning Usage App, available under Setup → Lightning Usage, provides additional adoption metrics including daily active users, most-visited pages, and browser statistics. While not a licensing tool per se, it provides complementary data that helps determine whether users with active licenses are genuinely engaging with the platform or merely logging in periodically without meaningful usage.
Auditing Usage-Based Entitlements: Storage, APIs, and Consumption
User licenses get the most attention, but usage-based entitlements are where surprise costs originate. These require a different audit methodology because they are pooled at the org level rather than assigned per-user.
Data and File Storage Audit
Navigate to Setup → Data Management → Storage Usage to view your org’s storage breakdown. Salesforce splits storage into two pools: data storage (CRM records) and file storage (attachments, documents, Chatter files). The page itemises consumption by object, revealing which objects are the largest consumers.
Storage allocations vary by edition. Enterprise Edition provides a base of 10 GB of data storage plus 20 MB per user licence. Unlimited Edition provides 10 GB base plus 120 MB per user. For a 500-user Enterprise deployment, your total data storage entitlement is approximately 10 GB + (500 × 20 MB) = 20 GB. If you are consuming 18 GB, you are at 90% capacity and approaching the threshold where Salesforce will require you to purchase additional storage or face restrictions on new record creation.
Configure storage alert notifications at 80% and 90% thresholds (Setup → Data Management → Storage Usage) to receive early warnings before capacity constraints disrupt operations.
API Call Usage Audit
API limits are enforced on a rolling 24-hour window, and exceeding them causes Salesforce to reject all API requests until the window resets—potentially halting integrations, mobile app access, and third-party tools mid-workflow. Check your current position via Setup → Company Settings → Company Information, which displays “API Requests, Last 24 Hours” with your current usage and maximum.
For deeper analysis, the Salesforce REST Limits endpoint (/services/data/v60.0/limits) returns a JSON payload with current and maximum values for all metered resources—API calls, storage, email sends, and more. In Salesforce Classic, the API Usage Last 7 Days report (found under Administrative Reports) provides a historical view of which connected apps and integration users are consuming the most API calls. This is essential for identifying runaway integrations or inefficient third-party applications that could be optimised to reduce call volume.
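An added example (not from the original guide) that reads a Limits response and flags any resource at or above the 80% and 90% thresholds mentioned earlier. The payload is constructed; the code assumes each resource is reported as an object with Max and Remaining values, and it ignores nested per-application entries and zero-capacity resources.

```python
import json

WARN, CRITICAL = 0.80, 0.90  # alert thresholds recommended in the guide

# Constructed sample shaped like a Limits response (values are not real).
SAMPLE_LIMITS = json.loads("""
{
  "DailyApiRequests": {"Max": 100000, "Remaining": 8500,
                       "Example Connected App": {"Max": 0, "Remaining": 0}},
  "DataStorageMB": {"Max": 20000, "Remaining": 2000},
  "FileStorageMB": {"Max": 50000, "Remaining": 8000},
  "SingleEmail": {"Max": 5000, "Remaining": 5000},
  "ConstructedZeroCapLimit": {"Max": 0, "Remaining": 0}
}
""")


def utilisation(entry):
    """Return used/max as a fraction, or None when the entry cannot be rated."""
    max_value, remaining = entry.get("Max"), entry.get("Remaining")
    if not isinstance(max_value, (int, float)):
        return None
    if not isinstance(remaining, (int, float)):
        return None
    if max_value <= 0:  # resource not provisioned: avoid division by zero
        return None
    return (max_value - remaining) / max_value


def assess_limits(payload, warn=WARN, critical=CRITICAL):
    """Return (name, percent_used, level) for resources at or above `warn`."""
    findings = []
    for name, entry in payload.items():
        if not isinstance(entry, dict):
            continue
        used = utilisation(entry)
        if used is None or used < warn:
            continue
        level = "critical" if used >= critical else "warning"
        findings.append((name, round(used * 100, 1), level))
    # Highest utilisation first so the most urgent resource leads the report.
    return sorted(findings, key=lambda finding: finding[1], reverse=True)


if __name__ == "__main__":
    for name, percent, level in assess_limits(SAMPLE_LIMITS):
        print(f"{level.upper():8} {name}: {percent}% used")
```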
Experience Cloud and Community Login Audits
If your contract includes Experience Cloud (formerly Community Cloud) login-based licences, you need to track monthly unique logins against your contractual entitlement. Salesforce does not provide a simple dashboard for this—you must query the LoginHistory object filtered by user type and aggregate by calendar month to establish your actual consumption pattern. Exceeding your contracted login count triggers true-up charges at your next billing period.
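The aggregation described above, as an added example that is not part of the original guide. It works on rows exported from LoginHistory joined to a UserId-to-UserType map from User; the UserType values, the record ids, the sample rows and the rule of counting one login per user per UTC day are assumptions to check against your org and contract.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: UserType values that mark external Experience Cloud users in this org.
EXTERNAL_USER_TYPES = {"CspLitePortal", "PowerCustomerSuccess", "PowerPartner"}


def monthly_logins(login_rows, user_types, external_types=EXTERNAL_USER_TYPES):
    """Return {YYYY-MM: logins}, counting one login per external user per UTC day."""
    seen = defaultdict(set)
    for row in login_rows:
        if row["Status"] != "Success":
            continue  # failed attempts do not consume a login
        if user_types.get(row["UserId"]) not in external_types:
            continue  # internal users and unknown ids are out of scope
        stamp = datetime.strptime(row["LoginTime"], "%Y-%m-%dT%H:%M:%S.%f%z")
        stamp = stamp.astimezone(timezone.utc)
        seen[stamp.strftime("%Y-%m")].add((row["UserId"], stamp.date()))
    return {month: len(pairs) for month, pairs in sorted(seen.items())}


def months_over_entitlement(monthly, entitlement):
    """Return {month: overage} for months that exceed the contracted count."""
    return {
        month: count - entitlement
        for month, count in monthly.items()
        if count > entitlement
    }


# Constructed sample data (ids and timestamps are placeholders).
USER_TYPES = {"005A": "CspLitePortal", "005B": "PowerPartner", "005C": "Standard"}
LOGIN_ROWS = [
    {"UserId": "005A", "LoginTime": "2025-05-02T08:00:00.000+0000", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-05-02T17:30:00.000+0000", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-05-03T09:00:00.000+0000", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-05-02T10:00:00.000+0000", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-05-10T10:00:00.000+0000",
     "Status": "Invalid Password"},
    {"UserId": "005C", "LoginTime": "2025-05-02T11:00:00.000+0000", "Status": "Success"},
    {"UserId": "005A", "LoginTime": "2025-06-01T07:00:00.000+0000", "Status": "Success"},
]

if __name__ == "__main__":
    monthly = monthly_logins(LOGIN_ROWS, USER_TYPES)
    print(monthly)
    print(months_over_entitlement(monthly, entitlement=2))
```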
Building Your Entitlement vs. Assignment vs. Usage Matrix
The single most valuable output of a Salesforce license audit is a three-column matrix that compares what you bought, what you assigned, and what is actually being used. This document becomes your negotiation evidence, your optimisation roadmap, and your ongoing governance tool.
| License Type | Purchased (Contract) | Assigned (Setup) | Active Last 90 Days | Waste Rate |
|---|---|---|---|---|
| Salesforce (Enterprise) | 800 | 782 | 614 | 21.5% |
| Salesforce Platform | 200 | 143 | 98 | 51.0% |
| Service Cloud User (Feature) | 400 | 389 | 271 | 32.3% |
| CRM Analytics (PSL) | 150 | 148 | 47 | 68.7% |
| Total Waste Identified | — | — | — | $1.2M/yr |
The example above is representative of what we typically find in enterprise environments with 500–2,000 users. Note that the waste rate is calculated against purchased count, not assigned count—because you are paying for every purchased licence regardless of whether it is assigned. The difference between purchased and assigned represents shelfware that was never even deployed. The difference between assigned and active represents shelfware that was deployed but is not being used.
Identifying Downgrade Candidates: Full CRM vs. Platform Licenses
One of the highest-impact optimisation levers in any Salesforce estate is identifying users who hold full CRM licences (Salesforce Enterprise at $175/user/month) but whose actual usage patterns indicate they only need a Salesforce Platform licence. Platform Starter licenses provide access to custom apps, 10 custom objects, and standard automation tools at a fraction of the CRM price.
The Downgrade Qualification Criteria
A user is a strong candidate for downgrade from a full CRM licence to a Platform licence if they meet all three of the following criteria: first, they do not create or update Opportunity, Lead, or Campaign records (the core CRM objects excluded from Platform licences); second, their usage is primarily limited to viewing dashboards, working with custom objects, or running reports on non-CRM data; third, they do not use Forecasting, Territory Management, or Sales Console features.
To identify these users programmatically, query the audit trail or use the Event Monitoring dataset (available in Shield or with an Event Monitoring add-on) to determine which objects each user accesses. A simpler approach is to run a report showing users who have zero Opportunity, Lead, and Campaign record ownership and zero create/edit actions on those objects in the past 180 days.
✓ Platform Licence Downgrade Example
A professional services firm with 1,200 Salesforce Enterprise licences identified 280 users whose sole Salesforce activity was viewing project dashboards and updating custom time-tracking objects. Migrating these users to Platform Starter saved $588,000 annually with zero impact on productivity, as none of the affected users required access to Opportunities, Leads, or Campaigns.
Auditing Feature and Permission Set License Assignments
Feature Licenses and Permission Set Licenses are where “set it and forget it” provisioning creates the most insidious waste. These are typically assigned during initial user setup based on role templates, then never revisited even when users change roles or stop using the associated functionality.
Feature License Audit Methodology
Navigate to Setup → Company Information and note every Feature License where the Used count is close to the Total. Then cross-reference with actual usage. For Marketing User licences, query how many assigned users have created or modified Campaigns in the past 90 days. For Knowledge User licences, query how many have authored or edited Knowledge Articles. For CPQ User licences, query how many have generated quotes.
The pattern is consistent: typically 30–50% of Feature Licence assignments are not justified by actual usage. Revoking an unused Feature Licence does not reduce your contract count (you still pay for the total you purchased), but it does two important things: it creates documented evidence for reducing the count at renewal, and it improves your security posture by revoking unnecessary capabilities from users who do not need them.
Permission Set License Audit
Permission Set Licenses are audited through a two-step process. First, query the PermissionSetLicense object to identify all assigned PSLs and their utilisation rates. Second, for each high-value PSL (CRM Analytics, Sales Cloud Einstein, Marketing Cloud connectors), build a usage report specific to the feature it enables. The gap between assignment and active usage is typically the widest in this category—it is not uncommon to find Permission Set License utilisation rates below 35%.
Understanding True-Up and True-Forward Compliance Risks
Salesforce contracts—particularly SELAs (Salesforce Enterprise License Agreements) and larger enterprise agreements—often include True-Up or True-Forward provisions. These clauses mean that if your usage exceeds contracted quantities at any point during the term, Salesforce will adjust your subscription costs upward at the next billing period or renewal.
True-Up applies to user counts (adding more active users than you purchased), storage overages, API call exceedances, and usage-based product consumption. Unlike traditional software audits where a vendor sends in a third-party auditor, Salesforce compliance enforcement is largely automated through platform telemetry. The system knows exactly how many users are active, how much storage you are consuming, and how many API calls you are making.
⚠ The Renewal True-Up Trap
Salesforce account executives commonly use True-Up data as a negotiation lever during renewals. If your usage has at any point exceeded contracted levels—even temporarily during a migration or seasonal spike—expect Salesforce to cite this as justification for maintaining or increasing licence counts. Your defence is a comprehensive, current-state audit that demonstrates your normalised usage, not peak usage.
To protect against True-Up exposure, run your license audit quarterly and maintain a rolling 12-month record of your actual usage by license type. If your contract includes True-Forward provisions, negotiate a grace period or materiality threshold (typically 5–10%) below which no adjustment is triggered.
Establishing a Quarterly License Governance Cadence
A one-time audit delivers savings. A governance programme sustains them. Without ongoing discipline, license creep will restore waste to pre-audit levels within 12–18 months as departments add users, roles change, and employees leave without licence cleanup.
The Quarterly Audit Checklist
Every 90 days, your Salesforce administration or IT asset management team should execute the following sequence. First, re-run the 90-day inactivity SOQL query and compare results against the previous quarter. Second, review the Entitlement vs. Assignment vs. Usage matrix and update all three columns. Third, identify any new Permission Set Licenses or Feature Licenses that have been provisioned since the last audit. Fourth, check storage and API consumption trends against contracted entitlements. Fifth, produce a one-page summary for procurement and IT leadership documenting current utilisation rates, waste identified, and recommended actions.
Offboarding Integration
The single most effective governance control is integrating Salesforce licence deactivation into your HR offboarding workflow. When an employee leaves, their Salesforce user should be deactivated within 24 hours. Critically, deactivation alone does not free the licence for reuse—you must also check whether any Feature Licenses or Permission Set Licenses should be unassigned. Many organisations deactivate users but leave expensive add-on licences attached to inactive accounts, which still count as “Used” in your licence totals.
Tie licence provisioning to your identity provider. If you are using SSO via Okta, Azure AD, or similar, configure deprovisioning rules that automatically set Salesforce users to Inactive when their corporate identity is disabled. This eliminates the most common source of licence waste: the months-long gap between an employee’s departure and manual Salesforce cleanup.
Using Audit Results to Negotiate Your Next Renewal
The commercial value of a Salesforce license audit crystallises at renewal. Armed with documented utilisation data, you transform the renewal conversation from a Salesforce-controlled price increase discussion into a fact-based negotiation about right-sizing.
Building the Business Case
Present your Entitlement vs. Assignment vs. Usage matrix to your Salesforce account executive alongside a specific reduction proposal. If your audit shows 800 purchased Enterprise licences with only 614 active in the past 90 days, propose reducing to 650 (adding a modest buffer for growth). If 280 of those active users qualify for Platform licence downgrades, propose a split: 370 Enterprise plus 280 Platform. Calculate the dollar savings of each scenario and present them alongside your contract negotiation objectives.
Salesforce account executives will push back with arguments about growth projections and the risk of needing to add licences at list price. Counter this by negotiating downgrade rights (the ability to reduce licence counts by 10–15% annually without penalty) and swap rights (the ability to exchange one licence type for another of equal or lesser value). These contractual provisions, combined with your audit data, ensure you are never locked into paying for unused capacity.
Timing matters. Initiate your audit at least 4–6 months before your renewal date to allow time for data collection, analysis, internal approval of reduction proposals, and negotiation. Salesforce’s fiscal year ends on 31 January, and its sales teams are most receptive to deal flexibility in Q4 (November–January). Align your renewal accordingly if your contract dates allow. For detailed renewal preparation strategies, consult our Salesforce Renewal War Room Checklist.
Special Considerations for Multi-Org Environments
Organisations with multiple Salesforce orgs—whether through M&A activity, regional deployments, or deliberate architectural choices—face compounded audit complexity. Each org has its own licence allocation, its own storage entitlement, and its own API limits. There is no native cross-org visibility in Salesforce.
For multi-org audits, you must execute the same methodology described above in every org separately, then consolidate results into a single enterprise-wide view. This is where org consolidation analysis becomes relevant: if two orgs each have 500 licences but utilisation is 60% in both, consolidating into a single org of 600 licences could eliminate 400 seats—a substantial cost reduction that also simplifies administration and reduces your total Salesforce footprint.
Multi-org environments also create hidden duplication: users who hold licences in two or more orgs, AppExchange applications licensed separately in each org, and sandboxes consuming separate storage allocations. A comprehensive multi-org audit should identify all cross-org duplication and quantify the consolidation opportunity.