Software licenses represent a significant and growing expense. Unused licenses assigned to inactive users can lead to unnecessary costs. To optimize spending, you can configure rules to automatically manage licenses based on user activity.
This guide explains how to use last logon data from Active Directory to automatically revoke or downgrade licenses for inactive users in systems such as Microsoft 365 and Citrix.
How it works: Using last logon attributes
The system can retrieve the last logon timestamp for a user from both on-premises Active Directory (AD) and Azure Active Directory (Azure AD). This information is then stored as an attribute in the user's profile.
- LastLogonTimestamp: Stores the last logon time from on-premises Active Directory.
- AzureAdLastLogon: Stores the last logon time from Azure AD.
You can use these attributes in the rules engine to create automated workflows for license management.
Example 1: Automatically manage Microsoft 365 licenses
You can create a rule that automatically downgrades an expensive license (e.g., M365 E3) to a more affordable one (e.g., Exchange Online) if a user has been inactive for a specific period.
The rule in this example applies to active users with a specific system role. It checks whether the user has not logged into Azure AD in the last 60 days or has never logged in at all. If these conditions are met, the rule can trigger an action, such as changing the user's license group.
Rule logic breakdown:
- AND
  AzureAdLastLogon is Earlier than Now – 60 days
- OR
  AzureAdLastLogon Has no value
This logic identifies users who have been inactive for more than 60 days.
Example 2: Automatically manage Citrix licenses
You can apply the same logic to manage other licenses, such as access to Citrix. The goal is to revoke licenses from inactive users while allowing a grace period for new employees who may not have logged in yet.
The following workflow describes how to automate this process:
- The LastLogonTimestamp attribute is continuously updated from on-premises Active Directory.
- The system first checks whether the user has ever logged in (LastLogonTimestamp has a value).
  - If so, it then checks whether the last logon was more than 90 days ago.
    - If so, the Citrix license is revoked.
    - If not, the user retains access.
  - If not (the user has never logged in), the system checks whether the account was created less than 90 days ago.
    - If yes, the user retains access (this is the grace period).
    - If not, the Citrix license is removed.
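The workflow above can be dry-run outside the rules engine before any license is touched. The following is an added example, not the product's own code: it assumes each user is a dict holding the raw AD lastLogonTimestamp (a FILETIME integer) and whenCreated, and the function names, sample users and NOW value are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Helper for building sample data: datetime -> FILETIME ticks."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def filetime_to_datetime(value):
    """Return a UTC datetime, or None when the attribute is unset (missing or 0)."""
    if not value:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def citrix_decision(user, now, max_idle_days=90, grace_days=90):
    """Apply the workflow above to one user; returns (action, reason)."""
    last_logon = filetime_to_datetime(user.get("lastLogonTimestamp"))
    if last_logon is not None:
        # Has logged in at least once: revoke only if idle for MORE than the limit.
        if last_logon < now - timedelta(days=max_idle_days):
            return ("revoke", f"last logon {last_logon:%Y-%m-%d} is over {max_idle_days} days ago")
        return ("keep", "logged on within the window")
    # Never logged in: account age decides (grace period for new employees).
    if user["whenCreated"] > now - timedelta(days=grace_days):
        return ("keep", "never logged on, still inside the grace period")
    return ("revoke", "never logged on and grace period expired")

def evaluate(users, now):
    """Map each account name to the action the workflow would take."""
    return {name: citrix_decision(u, now)[0] for name, u in users.items()}

# Constructed sample data (assumption: fixed NOW so results are reproducible).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE_USERS = {
    "alice": {"lastLogonTimestamp": to_filetime(datetime(2024, 5, 20, tzinfo=UTC)),
              "whenCreated": datetime(2020, 3, 1, tzinfo=UTC)},
    "bob":   {"lastLogonTimestamp": to_filetime(datetime(2024, 1, 15, tzinfo=UTC)),
              "whenCreated": datetime(2019, 7, 9, tzinfo=UTC)},
    "carol": {"lastLogonTimestamp": None,   # new hire, never logged on
              "whenCreated": datetime(2024, 4, 15, tzinfo=UTC)},
    "dave":  {"lastLogonTimestamp": 0,      # stale account, never logged on
              "whenCreated": datetime(2023, 11, 1, tzinfo=UTC)},
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(name, *citrix_decision(user, NOW))
```

With default domain settings, Active Directory only rewrites lastLogonTimestamp when the stored value is roughly 9 to 14 days old, so the attribute can lag a user's real last logon by up to two weeks; keep inactivity thresholds well above that margin.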
Best practices and support
As a best practice, licenses should be assigned based on specific needs rather than by default. If a license is not being used, it should be revoked to control costs and enhance security.
Note: Contact support if you need assistance or guidance on configuring rules to optimize your organization's license usage.