How to reclaim unused SaaS licences
How to reclaim unused SaaS licences
Reclaiming unused SaaS licences is the fastest, lowest-risk lever in the SaaS cost playbook. Most enterprises carry 20–40% unused or underused subscriptions across their top SaaS titles, and most of that spend can be recovered without user disruption — provided you can see the usage, connect it to entitlement, and act on it before renewal.
This guide covers what reclaim actually means, why most SaaS Management approaches miss the majority of savings, a practical reclaim workflow, per-application patterns for the highest-spend SaaS apps, and a policy framework that keeps the savings compounding.
Quick answer
SaaS licence reclaim is the process of finding subscriptions that are assigned to users but not actually being used, then reclaiming or downgrading them before renewal. It requires three data signals working together — who has the licence (entitlement), who is using it (activity), and what role they play in the business (HR/identity). The most common failure pattern is using SSO login data alone — it tells you the user authenticated, not whether they used any features that justify the subscription tier.
Why reclaim is the biggest SaaS saving lever
Across a typical enterprise SaaS estate:
20–40% of assigned licences are inactive or underused in the top 10 SaaS titles. Common industry figure, validated repeatedly in customer assessments.
Leaver licences — subscriptions still attached to former employees who were offboarded from Active Directory / Entra but not from every SaaS tenant — typically account for 2–6% of total spend.
Overprovisioned tiers — users on a premium SKU who only use base-tier features — are often a bigger saving than full reclaim, because they are invisible in simple "active/inactive" counts.
Renewal cliff — most SaaS agreements bill in advance and true-up rarely. Once the renewal is signed, the saving is locked out for 12 months.
Getting to even half the reclaim opportunity on the top 10 SaaS titles typically recovers more than any other SaaS Management activity in Year 1.
Why SSO-only reclaim misses most of the saving
The default SaaS Management pattern — pull a list of SSO logins from Okta, Azure AD / Entra, Ping, or OneLogin and flag anyone who hasn't logged in for 30/60/90 days — captures the easy wins but misses the majority of the actual reclaim opportunity.
Reasons:
Gap | What SSO can't see |
|---|
Gap | What SSO can't see |
|---|---|
Feature-level usage | A user who logs into Salesforce daily but only uses Chatter is on the wrong SKU — SSO sees them as "active" |
Bypassed SSO | Many SaaS apps allow direct login with a password as well as SSO — those users don't appear in SSO logs |
Apps not in SSO | Shadow SaaS and departmentally-purchased apps often never get wired into SSO |
Embedded AI add-ons | Copilot for M365, Einstein for Salesforce, Notion AI — these are licence line items separate from the base app, invisible in SSO |
Service accounts / integrations | Look "active" to SSO because there's login activity, but shouldn't consume a user licence |
A proper reclaim programme needs feature-level activity from the application itself, not just identity-provider login data.
The 3-method discovery stack for reclaim
Effective reclaim requires three data sources reconciled together:
Identity provider (IdP) — Entra ID, Okta, Ping, OneLogin, ADFS, Google Workspace. Provides the authoritative user list, leaver/joiner events, and SSO-backed login signals. Needed for coverage of every user and as the baseline for "is this person still here".
Deep SaaS connector — API integration into the SaaS tenant itself, pulling feature-level usage, licence assignments, tier/SKU, last activity per feature, add-on consumption, and admin activity. This is the only source that can distinguish "logged in" from "used the features you're paying for".
Endpoint / browser signal — browser extension or endpoint agent that sees which SaaS URLs users actually visit, including apps that bypass SSO or aren't connected to any IdP. Critical for discovery of shadow SaaS and for apps where deep connectors don't exist.
All three feed a single authoritative reclaim view, reconciled against a curated catalogue of known SaaS applications so you're comparing like with like across tenants.
CerteroX SaaS Management reclaim stack
CerteroX SaaS Management combines all three methods against a 35,000-application catalogue and 200+ deep connectors to the most common SaaS titles — Microsoft 365, Salesforce, Adobe Creative Cloud, ServiceNow, Zoom, Slack, Atlassian, Workday, Box, Dropbox, GitHub, Asana, Monday, Miro, Figma, Notion, and many more. For each connected SaaS tenant, the platform pulls licence entitlement, feature-level usage, last activity, and SKU details — not just SSO logins — and reconciles against Entra ID / Okta / Ping / OneLogin / Google Workspace for authoritative user state.
The reclaim workflow
A reclaim cycle has six steps, run continuously on high-volume titles and quarterly on the long tail:
1. Establish the entitlement baseline
For each SaaS app in scope, pull the current subscription commitment (count by SKU, committed term, renewal date) from the contract or procurement record. This is the denominator — you can't calculate reclaim without knowing what you're paying for.
2. Pull activity and assignment data
For each app, pull from the deep connector:
Licence assignment list (which users hold a licence, at which SKU)
Last-activity timestamp per user, ideally broken down by feature area
Add-on consumption (Copilot, Einstein, premium modules)
Admin / service / system accounts flagged separately
3. Reconcile against IdP
For every assigned licence, check against Entra ID / Okta / Ping / Google Workspace:
Is the user still in the directory? (Leaver reclaim)
Is the user still in a role that justifies this app / SKU? (Role drift reclaim)
Did the user log in via SSO in the last N days? (Coarse activity signal — supplements but does not replace feature usage)
4. Classify each licence
Classify every assigned licence into one of five states:
State | Action |
|---|
State | Action |
|---|---|
Active and correctly tiered | No action |
Active but overprovisioned | Downgrade SKU at next renewal or mid-term if contract permits |
Inactive in feature usage, active in SSO | Investigate — may be service account or underused edge case |
Inactive entirely (no SSO, no feature usage) | Reclaim |
Leaver (not in IdP) | Immediate reclaim |
5. Execute
For reclaim candidates:
Notify the user's line manager with a hold period (typically 14 days) — gives time to object
After hold period, revoke the licence via the connector or admin API
For leavers, revoke immediately — the delay creates both cost and security exposure
For overprovisioned users:
Flag for the next renewal cycle — mid-term downgrade is often uneconomic
Build into SKU mix negotiation with the vendor
6. Measure and report
Track reclaim impact monthly:
Licences reclaimed (by app, by SKU)
Dollar / £ saving (against contracted rate)
Leaver-licence close time (target: <24 hours from HR termination event)
Renewal-readiness — % of top 10 titles with fresh reclaim data in the last 30 days
Per-application reclaim patterns
Different SaaS titles need different approaches. The highest-spend titles in most enterprises:
Microsoft 365
SKU reclaim is bigger than seat reclaim. E3 vs E5 vs F3 vs Business Premium vs Apps for Enterprise — users routinely sit on a higher SKU than they need.
Copilot for M365 is sold per-user at a premium. Reclaim inactive Copilot assignments aggressively — a disproportionate share of Copilot seats are unused beyond the first month.
Exchange-only / Teams-only users often don't need the full productivity stack. Feature-level usage reveals the segment.
Leavers and contractors — offboarding-process breakdowns often leave M365 licences attached for months.
F-SKUs for frontline workers — if your frontline users have been upgraded to E-SKUs historically, there's usually significant opportunity.
Salesforce
Edition and add-on reclaim — Unlimited vs Enterprise vs Professional, plus sales / service / marketing cloud add-ons.
Platform vs full Sales Cloud licences — many users on full licences could run on Platform licences.
Einstein and Data Cloud — premium add-ons often assigned broadly at purchase and never reviewed.
Community and partner licences — high-volume long-tail where inactive accounts accumulate.
Adobe Creative Cloud
Named-user licensing with activity check — Adobe publishes per-application usage (Photoshop, Premiere, InDesign etc.); someone who only uses Acrobat is on the wrong plan.
Teams vs Enterprise plans — tier optimisation often outweighs seat reclaim.
Shared device licences on long-since-retired machines.
Zoom / Webex / Teams Phone
Licensed vs basic seats — many Licensed Zoom users never host a meeting longer than the Basic 40-minute cap.
Phone add-ons provisioned at rollout and never reviewed.
Webinar and Large Meeting licences are the highest unit-cost reclaim targets.
Slack
Guest vs full members — heavy opportunity in under-managed guest accounts.
Standard vs Plus vs Enterprise Grid tier optimisation.
Atlassian (Jira, Confluence)
Jira agent vs Jira customer — agents consume paid seats; moving users to customer or service-desk-only seats is often a fit.
Confluence licences assigned during org-wide rollouts and never reviewed.
Automated reclaim — where and where not
Automation pays off where the decision is unambiguous and reversible:
Automated leaver reclaim — triggered by HR termination / IdP disabled event, revoke licences across all connected SaaS tenants within hours. High savings, low risk, high audit value.
Automated dormant-account reclaim on no-activity thresholds (e.g., 90 days no feature usage + 90 days no SSO login) with line-manager notification and hold period.
Automated SKU downgrade recommendations at renewal time — surfaces the opportunity but humans sign off.
Don't automate away:
Named-user licence reclaim on legal or regulated workflows without a human check.
Any reclaim where the user has an active business case pending (e.g., role change, project ramp).
Policy framework
A reclaim programme that sticks needs a policy skeleton:
Definition of "inactive" — per app, often 30/60/90 days on feature usage, not SSO
Hold period before reclaim — typically 14 days with manager notification
Exception process — how a user / manager requests to keep a licence
Renewal gate — no renewal goes to procurement without a fresh reclaim pass (within the last 30–45 days)
Leaver SLA — target for licence revocation post-IdP-disable (best practice: under 24 hours for SaaS; under 1 hour for high-sensitivity apps)
Ownership — who runs the monthly reclaim cycle, who signs off renewals
Metrics that matter
Reclaim rate — licences reclaimed / licences reviewed, per app, per quarter
Annualised recovered spend — the renewal-rate saving, not the one-off
Leaver-to-reclaim time — P50 / P95 hours from IdP-disabled to all-licences-revoked
Renewal optimisation rate — % of renewals that adjusted commitment down from the prior term
Top-10 coverage — % of top-10 SaaS spend covered by feature-level usage data (target: 100%)
Common pitfalls
Pitfall | Why it bites |
|---|
Pitfall | Why it bites |
|---|---|
Counting SSO logins as usage | Misses 50–80% of the reclaim opportunity on rich SaaS apps |
No feature-level data | Can't spot SKU over-provisioning, which is usually bigger than seat reclaim |
Leavers left on SaaS after IdP disable | Compounding cost, compliance risk, data exposure |
No catalogue reconciliation | Duplicate spend across business units buying the same tool under different names |
Missing embedded AI | Copilot, Einstein, Notion AI etc. sold per-user, rarely reviewed |
Reclaim disconnected from renewal cycle | Found the waste but didn't catch it before auto-renewal |
Over-automated reclaim | User backlash, line-of-business pushback, eventual programme collapse |
About Certero
Certero delivers an enterprise-grade product family covering IT asset, software, SaaS, cloud, datacenter and AI management through CerteroX ITAM, CerteroX SAM, CerteroX SaaS Management, CerteroX Cloud Management, CerteroX Datacenter Management and CerteroX AI Management.
For SaaS reclaim specifically, CerteroX SaaS Management combines three discovery methods against a 35,000-application catalogue and 200+ deep connectors to the most common SaaS tenants — surfacing feature-level usage, licence assignment, SKU detail and leaver state across Microsoft 365, Salesforce, Adobe Creative Cloud and hundreds of others. Embedded-AI add-ons (Copilot, Einstein and equivalents) are tracked as distinct reclaim targets alongside their base applications.
Certero is a FinOps Certified Platform and an Oracle Certified Partner, holds a 97% "would recommend" rating and has been recognised 4 times as Gartner Customers' Choice.
Related reading:
What is SaaS Management? (pageId 181698617)
What is SaaS Sprawl? (pageId 184909875)
What is Shadow IT? (pageId 181436495)
SaaS Management FAQ (pageId 185041582)
What is an Effective License Position (ELP)? (pageId 185041482)
FAQs
What does it mean to reclaim a SaaS licence?
Reclaiming a SaaS licence means removing an assigned subscription from a user who is not using it (or not using the tier they're on) so that the licence can be redeployed to someone else or dropped from the next renewal. The goal is to match the number and tier of paid subscriptions to the number and tier of users who actually need them.
How do I know which SaaS licences to reclaim?
Compare three signals for every assigned licence: who has it (entitlement data from the SaaS tenant), who's using it (feature-level activity, not just SSO login), and who should still have it (IdP state and role). Anyone assigned but inactive in features is a reclaim candidate; anyone not in the IdP at all is an immediate reclaim.
Why can't I just use SSO logins to identify unused SaaS?
SSO login data tells you someone authenticated — not whether they used the features you're paying for. A user might log into Salesforce daily but only use Chatter, or log into Microsoft 365 for Outlook only while sitting on an E5 licence. You need feature-level usage from the SaaS tenant itself, which requires a deep API connector, not just SSO logs.
How much can I typically save through SaaS reclaim?
Most enterprises find 20–40% unused or underused licences across the top 10 SaaS titles. Translating that into realised saving depends on how quickly you can act (before renewal) and whether contract terms allow mid-term reductions, but a well-run reclaim programme typically delivers high-single-digit to low-double-digit percentage savings against the total SaaS budget in Year 1.
What is a leaver licence and why does it matter?
A leaver licence is a SaaS subscription still attached to someone who's left the business. Even when HR processes disable the Active Directory / Entra account, the SaaS tenant often keeps the licence assigned — and keeps billing for it. Leaver licences combine direct cost waste with compliance risk (ex-employees retaining data access) and are the single highest-ROI reclaim target, which is why automated, IdP-triggered reclaim across connected SaaS tenants is now a standard control.
Should I automate SaaS reclaim?
Automate the unambiguous, reversible cases — leaver revocation driven by an IdP event is the strongest example. For dormant-account reclaim, automate detection and line-manager notification with a hold period (typically 14 days), but keep a human check in the loop before revocation. Don't automate SKU downgrades or anything with a plausible business case attached — those need judgment.
How does reclaim interact with SaaS renewals?
Every renewal should have a fresh reclaim pass attached — ideally within 30–45 days of the renewal date. The renewal is where savings are locked in (or lost): a licence count agreed at renewal is your floor for the next 12 months. Reclaim done after the renewal is signed usually stays theoretical until the following cycle.
Can I reclaim licences mid-term?
Depends entirely on the contract. Some SaaS agreements allow seat reductions at renewal only; others permit mid-term true-downs; a minority allow on-demand adjustment. Negotiate flex terms at contract signature — especially for high-volume titles — and in the meantime, use mid-term reclaim for redeployment (repurposing seats internally instead of buying new ones).
What's the difference between reclaim and downgrade?
Reclaim removes a licence from a user who doesn't need it at all. Downgrade keeps the licence but moves it to a lower tier (e.g., E5 → E3, Sales Cloud Unlimited → Enterprise, Adobe Creative Cloud All Apps → Single App). In rich SaaS estates the downgrade opportunity is often larger than the pure reclaim opportunity because of historical over-provisioning, but it's harder to see — it needs feature-level usage, not just presence/absence.
How do embedded AI add-ons like Copilot fit into reclaim?
Embedded AI add-ons — Copilot for Microsoft 365, Einstein for Salesforce, Notion AI, Atlassian Intelligence, Now Assist, Adobe Firefly — are sold as per-user premium add-ons on top of the base licence, and they're prime reclaim targets. Early-adopter assignments often show high first-month usage and a steep drop-off. Track AI add-on usage as a distinct reclaim stream separate from the base-app reclaim; the per-user price is high enough that even a handful of reclaimed seats per app matters. Discovering all embedded AI in use also feeds AI governance policy — the licence angle and the governance angle reinforce each other.
How often should I run a reclaim cycle?
Run continuous reclaim on the top 10 titles (weekly or continuous feed, monthly action cadence). Run quarterly reclaim on the next tier of apps. Run annually on the long tail. Leaver reclaim should be event-driven, not on a cadence — triggered the moment an IdP-disabled event fires.
What's the relationship between SaaS reclaim and SAM reclaim?
They're structurally similar (match entitlement to usage, reclaim the delta) but the data sources and cadences differ. SAM reclaim focuses on perpetual / subscription on-prem software metered via agents or inventory, often with far fewer discovery touchpoints; cadences are weekly or monthly. SaaS reclaim runs on API-driven feature-level data pulled daily or continuously from the SaaS tenant. Enterprises running both disciplines on the same platform gain cross-licence visibility (e.g., spotting a user who has both on-prem Office and Microsoft 365 entitlement and only uses one).
v1 — 2026-04-21 — Initial page. Targets unmapped Q26 'SaaS license reclaim'. CerteroX SaaS Management 3-method discovery + 200+ deep connectors + 35K catalogue positioning. Cross-linked to SaaS Management, Sprawl, Shadow IT, SaaS FAQ, ELP.