Automation Recipes: How to Detect Underused Apps and Auto-Cancel Licenses

Hook: Stop paying for tools your teams don't use — automatically

Tool bloat is one of the quietest drains on engineering and IT budgets in 2026. Teams subscribe to niche SaaS, forget to offboard trial users, and carry overlapping licenses for years. If your organization struggles with fragmented inventories, unpredictable SaaS spend, and manual deprovisioning, this article gives you concrete automation recipes to detect underused apps and either notify owners or automatically reclaim/cancel licenses — safely and auditable by design.

Why automating license reclamation matters in 2026

Two trends that accelerated in late 2024–2025 set the stage for automated reclaim strategies in 2026: first, enterprises consolidated identity and sign-on through centralized IdPs (Azure AD, Google Cloud Identity, Okta), and second, SaaS vendors expanded APIs for admin and billing operations to support programmatic governance. That makes it both feasible and responsible to build automations that reduce cost and comply with audit trails. Automation removes human friction, enforces least-privilege, and scales across hundreds of apps.

Principles for safe, effective license reclamation

• Centralize signals: Use IdP sign-ins, vendor activity logs, and in-product events to calculate real activity.
• Graceful owner notification: Notify the app owner/team before any destructive action.
• Approval windows and escalation: Implement approver flows with timeouts before automatic reclaim.
• Dry-run and audit trail: Always provide a simulation mode and persist every decision to a secure audit store.
• Least privilege: Deprovision user licenses first, then team-level subscriptions when confirmed unused.
• Compliance hooks: Add checks for regulatory exceptions (e.g., legal holds, HIPAA, SOC2) before cancelling.

What to measure (KPIs and thresholds)

• License utilization rate: active users / allocated licenses. Flag under 10–20%.
• Active user churn: monthly active users (MAU) change over 90 days.
• Cost per active user: monthly spend divided by MAU.
• Time-to-reclaim: average time from inactivity detection to license reclamation.

Recipe 1 — Identity Provider driven reclaim (Azure AD / Microsoft Graph)

Use Azure AD sign-in logs and license assignments via Microsoft Graph to detect per-app inactivity and remove licenses. This is high-confidence because sign-ins are authoritative and centrally logged.

Overview

1. Weekly job queries Microsoft Graph for lastSignInDateTime per user and per app.
2. Aggregate by app to compute utilization percentage.
3. If utilization < 15% for 90 days, notify app owner via Teams/Slack.
4. If owner doesn't respond in 7 days, run the remove-license API call in dry-run first, then commit.

Sample Python detection script (outline)

#!/usr/bin/env python3
import requests
from msal import ConfidentialClientApplication

TENANT_ID = ""
CLIENT_ID = ""
CLIENT_SECRET = ""
SCOPE = ["https://graph.microsoft.com/.default"]

app = ConfidentialClientApplication(CLIENT_ID, authority=f"https://login.microsoftonline.com/{TENANT_ID}", client_credential=CLIENT_SECRET)
token = app.acquire_token_for_client(SCOPE)["access_token"]
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

# 1) Get list of managed apps (servicePrincipal or appRoleAssignments depending on your model)
apps = requests.get("https://graph.microsoft.com/v1.0/servicePrincipals", headers=headers).json()

# 2) For each app, query signIn logs for last 90 days
# Example Graph query: /auditLogs/signIns?$filter=appId eq '{appId}' and createdDateTime ge 2025-10-01

# 3) Compute active user count vs assigned licenses (pull license info via /users//licenseDetails)
# 4) If under threshold, post to Teams via webhook or record in audit table

print("Run detection job completed — build on top of this skeleton")

Removing a Microsoft license (example)

To remove a Microsoft 365 license from a user, call assignLicense with removeLicenses set to the SKU ID. Always run in dry-run: collect affected users, send notifications, then proceed.

curl -X POST "https://graph.microsoft.com/v1.0/users/{user-id}/assignLicense" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{"addLicenses": [], "removeLicenses": ["{sku-id}"]}'

Recipe 2 — Google Workspace + Zapier: owner notification and staged reclaim

If your organization uses Google Workspace for identity, you can combine the Admin Reports API with Zapier (or Make) to build a low-code reclaim flow that non-engineers can run and approve.

Flow outline (Zapier)

1. Schedule trigger: weekly.
2. Action: Webhooks - GET Google Reports API: /admin/reports/v1/activity/users/all/applications/login to fetch sign-ins by app.
3. Action: Code by Zapier — summarize sign-ins per app; compute utilization % against spreadsheet of licenses (Google Sheets).
4. Filter: utilization < 15% and app has monthly cost > $X.
5. Action: Send Slack message to app owner with two interactive buttons: "Keep" or "Reclaim" (button triggers a webhook endpoint).
6. If no response in 7 days: call supplier API to revoke license(s) or set subscription to paused state; then create a ticket in Jira and log action to a secure audit Google Sheet.

Zapier implementation tips

• Use a canonical Google Sheet that maps app names to owner emails, subscription IDs, and API endpoints.
• Keep a "pending reclamation" column with timestamp and state to avoid duplicate runs.
• Use the Zapier Storage or Airtable to maintain state if you need transactional guarantees.

Recipe 3 — Vendor API direct reclaim (Atlassian, Zendesk, etc.)

Some SaaS vendors provide admin APIs to manage seats and subscriptions. This recipe demonstrates a responsible pattern to directly reclaim seats at the vendor level after owner approval or escalation timeout.

Pattern

1. Pull active user list and last activity timestamp via the vendor's admin API.
2. Compare against license assignments to find idle seats.
3. Initiate owner notification with a 7–14 day response requirement. Include a one-click approval or appeal link that calls your webhook to keep the license.
4. After timeout, call the vendor API to unassign the license or cancel the seat. Log the change event to your audit store and finance system.

Generic cancellation cURL (example)

curl -X POST "https://api.vendor.com/v1/subscriptions/{subscription_id}/cancel" \
  -H "Authorization: Bearer $VENDOR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"reason": "auto_reclaim_inactivity", "requested_by": "sre-automation@company.com"}'

If the vendor does not support cancellation via API, automate a support request creation (e.g., create a support ticket or prefill an email to vendor billing with a template and keep it in a ticketing queue for manual follow-up).

Recipe 4 — Make (Integromat) full automation scenario with Slack approval

Make gives more advanced branching and error handling than Zapier for multi-step scenarios. This example shows a production-ready flow:

Scenario steps

1. Scheduler module runs weekly.
2. HTTP modules call multiple APIs (IdP sign-ins, vendor activity, billing API) and write responses to a central Google Sheet or Airtable table.
3. Iterator computes utilization and filters underused apps.
4. Send message to Slack channel or directly to app owner with an interactive message containing "Keep" and "Reclaim" buttons.
5. On "Keep" click: update Airtable and mark not to auto-reclaim for 90 days.
6. On "Reclaim" or no response after timeout: HTTP module calls the vendor's seat removal endpoint; update audit; create Jira ticket for finance reconciliation.

Make implementation tips

• Use scenario variables for thresholds and dry-run mode toggles.
• Leverage error handlers to retry vendor API calls and to raise alerts on partial failures.
• Persist raw API responses for future audits (encrypted at rest).

Auditability, security and compliance checklist

• Role-based credentials: Use service principals or dedicated API tokens with minimum scopes.
• Immutable logs: Write each action (detect, notify, reclaim) to an append-only audit table (SIEM or cloud storage) with actor, timestamp, and proof (API response).
• Approval trails: Use signed webhook acknowledgements or digital signatures to prove owner intent or lack thereof.
• Legal/finance hold detection: Integrate legal/finance blacklists to exempt contracts or active procurement negotiations from auto-cancellation.
• Dry-run and staged rollouts: Start with sandbox tenants and progressively enable production with monitoring.

Estimating savings and reporting

Build a simple dashboard (Looker/Grafana/Sheets) that shows current SaaS spend, estimated reclaimable cost, and realized savings. Example metrics:

• Projected annual savings = sum(reclaimable_monthly_cost) * 12
• Recovered seats = count(seats_reclaimed_month_to_date)
• Percent reduction in tool sprawl = unique_apps_removed / baseline_apps

Run a quarterly review to validate business impact and adjust thresholds — many teams find an initial 15% utilization threshold captures the low-hanging fruit, then refine per-business unit.

Real-world example (composite case study)

A mid-sized engineering org (approx 600 employees) layered an Azure AD-driven reclaim job over their existing asset inventory in late 2025. Within the first 90 days it identified 24 underused SaaS tools with an average utilization of 8%. After owner notifications and a 7-day approval window, the automation reclaimed 420 licenses and removed three duplicate subscriptions. The org realized predictable annual savings and reduced integration points, helping speed CI/CD pipeline debugging. Key to success: strong IdP signals, conservative thresholds, and an enforced audit trail for every action.

Common pitfalls and how to avoid them

• False positives from infrequent users: Consider function and role — some tools are used monthly; tune thresholds per app class.
• Missing ownership data: Maintain a canonical app register with owners and SLAs to ensure notifications reach the right person.
• Vendor cancellation limits: Some vendors restrict cancellations or require minimum terms — add vendor policy metadata to your asset catalog.
• Insufficient API permissions: Ensure automation tokens have the exact admin scopes needed and rotate credentials regularly.

Advanced strategies and future-proofing (2026+)

Advanced teams in 2026 combine AI summarization with reclaim automations: run LLM-based analysis on product usage notes, tickets, and commit history to surface latent usage patterns. SaaS Management Platforms (SMPs) have matured to offer programmatic reclaim flows — consider integrating SMP APIs for enterprise-scale governance. Finally, include policy-as-code so reclaim rules are versioned and auditable alongside your infrastructure IaC.

Actionable checklist to get started (first 30 days)

1. Inventory all SaaS (start with IdP app catalogue + finance subscriptions).
2. Implement a weekly data pull from your IdP for lastSignIn events.
3. Create a canonical owner mapping (Google Sheet / Airtable).
4. Build a notification template and approval webhook (Slack/Teams).
5. Run a dry-run reclaim job and review results with app owners and finance.
6. Enable staged auto-reclaim with a conservative threshold and full audit logging.

Checklist: Example configuration values

• Initial inactivity threshold: 90 days
• Utilization threshold: 15%
• Owner response window: 7 days
• Dry-run period: 30 days
• Audit retention: 5 years (or per compliance)

Wrap-up and final warnings

Automated license reclamation is a low-friction way to reduce SaaS spend and complexity, but it must be implemented with strong governance. Start small, validate results, add compliance checks, and keep owners in the loop. In 2026, centralized identity, richer vendor APIs, and smarter SMPs make these automations practical and safe for production use — when built with auditability and human-in-the-loop safeguards.

Best practice: Always run a dry-run for at least one complete business cycle and keep a human-approver path until confidence is established.

Next steps: automation templates and starter repo

Ready-to-run recipes and templates are available to speed your implementation: a Microsoft Graph starter script, Zapier blueprint for Google Workspace, and a Make scenario with Slack approval. Use them as a scaffold — adapt thresholds and owner workflows to your org's needs.

Call to action

Want the starter repo and prebuilt Zapier/Make scenarios? Download the automation templates and a one-page audit checklist from filesdrive.cloud (no-sales preview). If you'd like a technical review, schedule a 30-minute consultation — we'll help map your IdP, vendor APIs, and finance systems into a safe reclaim workflow that saves money and reduces tool sprawl.

Related Reading

• Designing Quantum-Recruitment Billboards and Puzzles That Scale
• Legal and Licensing Checklist for Riding High-Speed E-Scooters in the US and Europe
• How Regional Brand Pullouts Change Cleanser Formulas: The K-Beauty Example
• Bose vs Amazon: Best Bluetooth Micro Speakers Compared at New Record Lows
• Training Tutors in Conflict-Avoidant Feedback: Two Calm Phrases That Improve Learning Outcomes