
Best practices for controlling cost, reducing waste, and building a governance framework that scales

For most organisations, Microsoft 365 is the single largest line item in the IT budget. It underpins email, collaboration, security, device management, and increasingly AI through Copilot. Yet a consistent pattern emerges across enterprises of every size: a significant portion of what is paid for is not being used.
Gartner estimates that approximately 25% of all enterprise software licences go unused at any given time, and that organisations can reduce software spending by up to 30% by implementing structured licence optimisation practices. For a 1,000-seat organisation on Microsoft 365 E3, that represents somewhere between £60,000 and £100,000 in recoverable annual spend at current prices, before the July 2026 price increases take effect.
The financial case for active licence governance has never been stronger. But Microsoft 365 licence management is no longer purely a cost discipline. Gartner’s 2025 Magic Quadrant for SaaS Management Platforms warns that organisations that fail to centrally manage SaaS lifecycles will remain five times more susceptible to a cyber incident or data loss and will overspend on SaaS by at least 25% due to unused entitlements and overlapping tools. IBM’s 2025 Cost of a Data Breach Report puts the average cost of a breach at $4.44 million, with compromised credentials the single most common initial attack vector. The connection between poor identity and licence hygiene and security risk is direct.
This guide is written for IT leaders who want to move from reactive licence management to a proactive governance model. It covers the most common sources of waste, the technical and operational controls that address them, and a practical framework for building licence governance that holds up as the organisation grows and Microsoft’s pricing continues to evolve.
1. Why Licence Management Has Become a Strategic Priority
The cost base is growing, not stabilising
Microsoft’s July 2026 pricing update raises list prices across most M365 plans by between 9% and 33%. For organisations managing large estates, the financial impact is material. But this increase arrives on top of a structural shift that was already under way: the elimination of volume discounts under Enterprise Agreements. Organisations that previously benefited from tiered Level B, C, or D pricing are now moving to Level A list prices, which for some customers represents a compounding increase well above the published SKU changes alone.
The Copilot add-on adds further complexity to the equation. At $30 per user per month, enabling Copilot for even 10% to 20% of a 10,000-seat estate adds $3.6 million to $7.2 million in annual spend. That is not a conversation IT can have without precise visibility into current licence utilisation and a clear model for which user populations will generate measurable value from AI capability.
Unmanaged licences are a security exposure, not just a budget problem
IBM’s 2025 Cost of a Data Breach Report identified compromised or stolen credentials as the single most common initial attack vector, present in 16% of all breaches studied, and the vector that takes the longest to detect and contain at an average of 292 days. Accounts that remain active after an employee has left, licences assigned to shared accounts without proper controls, and over-privileged users with E5 security capabilities they do not use all represent risks that extend well beyond the balance sheet.
Gartner’s 2025 SaaS Management Platforms research makes the risk quantification explicit: organisations that fail to centrally manage SaaS lifecycles are five times more susceptible to a cyber incident or data loss due to incomplete visibility into SaaS usage and configuration. Microsoft 365 is not exempt from this dynamic. An unrevoked account is an open door, and licence governance is the operational process that closes it.
The July 2026 renewal window is a forcing function
Organisations approaching renewal in 2026 face a compressing timeline. The combination of higher list prices, reduced volume discounts, and Copilot pricing decisions means that going into renewal without a clear licence strategy is going to be significantly more expensive than going in with one. Microsoft itself acknowledged the intent to give customers ample time to plan. Use that time deliberately.
Microsoft 365 licence management is no longer a routine admin function. At current and projected price levels, it is a financial and risk governance discipline that belongs at the same table as procurement strategy and security posture.
2. The Five Most Common Sources of Licence Waste
Understanding where waste accumulates is the precondition for addressing it. In enterprise M365 environments, the same patterns appear consistently.
1. Orphaned licences from departed employees
When an employee leaves and their account is not promptly deprovisioned, the licence continues to be consumed and billed. In organisations without automated offboarding, this can persist for months. The financial impact compounds quickly: at M365 E3 pricing, 200 licences left active for six months after offboarding represents approximately $86,000 in spend that delivers zero value and creates active security exposure.
👉 Why this happens
HR systems and IT provisioning are often disconnected. Without an automated trigger from the HR system to Entra ID lifecycle workflows, licence deprovisioning depends on manual processes that are inconsistently followed, especially when departures are unplanned or during periods of high organisational change.
2. Over-licensing and uniform SKU assignment
The default approach in many organisations is to assign all users the same licence tier, typically E3 or E5, to avoid the complexity of managing a mixed estate. The result is paying for advanced security, compliance, and analytics capabilities that a significant proportion of the workforce does not need or use.
A task worker whose daily work is email, calendar, and Teams does not require the full Microsoft 365 E5 feature set. Assigning F3 or E1 to frontline and light users, and reserving E3 and E5 for knowledge workers and regulated roles, can meaningfully reduce the per-seat cost for a substantial portion of the estate without impacting productivity.
👉 The right mix
The most cost-effective licence strategy is rarely E5 for everyone. A common approach for mid-to-large enterprises is a base of E3 or Business Premium for most users, E5 (or targeted E5 add-on bundles) for high-risk cohorts in legal, IT security, and regulated functions, and F1 or F3 for frontline workers with primarily task-based needs.
3. Unassigned shelfware
Gartner estimates that approximately 25% of all enterprise software licences go unused. In the M365 context, this typically manifests as licences purchased in advance for projected growth, to secure volume pricing, or to cover anticipated hires, which then sit unassigned when growth is slower than planned or headcount changes. At scale, unassigned licences represent a straightforward and addressable form of waste.
4. Duplicate and overlapping capabilities
Organisations that have grown through acquisition, or that have procured third-party tools without cross-referencing their M365 entitlements, frequently pay for the same capability twice. Microsoft’s July 2026 pricing update explicitly bundles capabilities previously sold separately, including Defender for Office 365 Plan 1 into E3 and E5, and expanded Intune management features into the enterprise plans. Organisations that have not reviewed their third-party security and endpoint management spend against these new entitlements risk continuing to pay for both.
A structured audit of existing third-party spend against M365 entitlements is often the fastest route to net savings from a licence optimisation programme.
5. Licences assigned to non-human accounts
Service accounts, shared mailboxes, conference room accounts, test accounts, and former contractor accounts are common sources of licence consumption that go unnoticed in routine management. Many of these accounts hold full user licences when shared mailboxes (which require no licence unless accessed via an active client), resource accounts, or application licences would suffice. In large organisations, non-human account licence waste can represent a meaningful percentage of total M365 spend.
3. Building a Governance Framework: Eight Best Practices
Effective licence governance is not a one-time audit. It is an operational model that runs continuously and integrates with identity management, financial planning, and procurement. The following eight practices form the foundation of a mature M365 licence governance framework.
Best Practice 1: Establish a Single Source of Truth for Licence Inventory
The starting point for any governance programme is knowing exactly what you have. This means maintaining a consolidated inventory that maps every licence purchased, every licence assigned, and every licence actively consumed, across all SKUs, add-ons, and supplementary products.
Microsoft’s Admin Center provides basic licence reporting under Billing > Licences, and the M365 Admin Center Usage Reports give per-product activity data. For organisations with complex estates, these native tools are a starting point, not a complete picture. They spread data across multiple portals, do not surface financial impact directly, and do not flag overlap or misalignment automatically.
- Maintain a live licence register that maps SKU, quantity purchased, quantity assigned, and quantity actively used
- Include financial data: cost per SKU, total monthly spend, and projected annual cost at renewal pricing
- Assign clear ownership: a named individual accountable for the accuracy of the register
- Review the register at minimum monthly, and trigger an immediate review on any headcount event over 50 users
Best Practice 2: Use Group-Based Licensing via Entra ID
Direct licence assignment, where administrators manually assign licences to individual users, is the most common source of licence drift in enterprise M365 environments. It does not scale, it is prone to error, and it creates no automatic mechanism for removing licences when a user’s role or employment status changes.
Group-based licensing through Microsoft Entra ID is the recommended replacement. When licences are assigned to security groups rather than individual users, membership changes triggered by HR system updates, role changes, or offboarding events automatically provision or deprovision the corresponding licence.
- Create security groups aligned to licence personas (for example: KnowledgeWorker-E3, FrontlineWorker-F3, LegalCompliance-E5-Addon)
- Use dynamic group membership rules based on HR attributes such as department, job title, and location to automate group membership
- Avoid mixing group-based and direct assignment for the same SKU, as this creates audit conflicts
- Note: group-based licensing requires at minimum Microsoft Entra ID P1, which is included in M365 E3, Business Premium, and above
👉 Important change since September 2024
Microsoft Entra ID Admin Center and the Azure Portal no longer support licence assignment through their user interfaces. All group and user licence assignments must now be managed through the Microsoft 365 Admin Center. PowerShell and API access remain unaffected.
Best Practice 3: Automate Offboarding Lifecycle Workflows
Orphaned licences from departed employees are one of the highest-value and most addressable sources of waste, and one of the most significant identity security risks. The solution is automating the offboarding process so that licence removal is a guaranteed outcome of the departure event, not a manual follow-up task.
Microsoft Entra ID Governance provides Lifecycle Workflows with built-in templates for employee offboarding covering pre-offboarding group removal, account disablement on the last day, and post-offboarding licence removal and mailbox conversion. When connected to an HRIS via Entra ID provisioning connectors (Workday, SuccessFactors, and others are natively supported), the entire process can be fully automated.
IBM’s 2024 Cost of a Data Breach Report found that breaches involving compromised credentials took an average of 292 days to identify and contain and cost an average of $4.81 million. Automated offboarding directly reduces this exposure by ensuring accounts are deprovisioned at the moment of departure, not weeks or months later.
Best Practice 4: Define Licence Personas by Role
A persona-based licence model assigns licence tiers based on the actual needs of different user populations, rather than applying a single tier across all users. It is the most impactful structural change available to organisations that currently run a uniform licence strategy.
A practical starting framework for most enterprise organisations:
| Persona | Recommended Licence |
| --- | --- |
| Executive / Senior Management | M365 E5 (full security, compliance, voice) |
| Knowledge Worker (standard) | M365 E3 or Business Premium |
| Legal / Compliance / HR | M365 E3 + E5 Compliance add-on |
| IT Security / SOC | M365 E5 or E3 + E5 Security add-on |
| Task Worker / Light User | M365 F3 or Office 365 E1 |
| Frontline / Shared Device | M365 F1 or F3 |
| Shared Mailbox (no active user) | No licence required |
| Service / Automation Account | Application licence or unlicensed, as appropriate |
Persona definitions should be reviewed annually and whenever there is a significant change to organisational structure, regulatory environment, or Microsoft’s licensing terms.
Best Practice 5: Conduct Regular Licence Audits
Even with group-based licensing and automated offboarding in place, periodic audits are essential. User roles change, projects end, add-on licences accumulate, and Microsoft’s own licensing terms evolve. A quarterly audit cadence is appropriate for most organisations; monthly is recommended for those with high headcount velocity.
A complete licence audit covers five areas:
- Inactive users: accounts with no sign-in activity in 30 or more days that still hold full licences
- Unassigned licences: licences purchased but not assigned to any user
- Add-on utilisation: premium add-ons (Power BI Pro, Visio, Project, Copilot) with low or zero active usage
- Non-human accounts: service accounts, shared mailboxes, and resource accounts holding user licences unnecessarily
- Duplicate capabilities: M365 entitlements that overlap with third-party tools being paid for separately
Microsoft’s native reporting in the Admin Center (Reports > Usage) provides per-product activity data. The Microsoft 365 Licensing Report PowerShell script, maintained by Tony Redmond and widely referenced in the Microsoft technical community, provides a more detailed export including cost analysis by department and country.
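The inactive-user and unassigned-licence checks from the audit list, together with the orphaned-account and mixed direct/group assignment conditions raised earlier in this guide, as an added example that is not part of the original guide or any Microsoft tooling. It runs over constructed records shaped like Microsoft Graph `subscribedSkus` and `users` responses; the SKU IDs, account names and dates are invented, and counting a never-signed-in account as inactive is an assumption.

```python
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 30  # audit threshold used in this guide
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible

# Constructed sample data. Field names follow Microsoft Graph (subscribedSkus,
# users with signInActivity and licenseAssignmentStates); values are invented.
SKUS = [
    {"skuId": "sku-e3", "skuPartNumber": "SPE_E3", "prepaidUnits": {"enabled": 10}, "consumedUnits": 4},
    {"skuId": "sku-e5", "skuPartNumber": "SPE_E5", "prepaidUnits": {"enabled": 3}, "consumedUnits": 1},
]

def _state(sku_id, group=None):
    # assignedByGroup is None for a direct assignment, a group id otherwise
    return {"skuId": sku_id, "assignedByGroup": group, "state": "Active"}

def _user(upn, enabled, last_sign_in, states):
    activity = {"lastSignInDateTime": last_sign_in} if last_sign_in else None
    return {"userPrincipalName": upn, "accountEnabled": enabled,
            "signInActivity": activity, "licenseAssignmentStates": states}

USERS = [
    _user("alice@example.test", True, "2026-02-27T09:00:00Z", [_state("sku-e3", "grp-kw-e3")]),
    _user("bob@example.test", True, "2026-01-10T08:30:00Z", [_state("sku-e3", "grp-kw-e3")]),
    _user("carol@example.test", False, "2025-11-20T17:45:00Z", [_state("sku-e5")]),
    _user("dave@example.test", True, "2026-02-28T11:15:00Z",
          [_state("sku-e3"), _state("sku-e3", "grp-kw-e3")]),
    _user("svc-scanner@example.test", True, None, [_state("sku-e3")]),
    _user("erin@example.test", True, "2025-10-01T10:00:00Z", []),  # unlicensed, ignored
]

def parse_ts(value):
    """Graph timestamps are ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(skus, users, now):
    """Return licence findings: spare seats, orphaned, inactive and mixed assignments."""
    sku_names = {s["skuId"]: s["skuPartNumber"] for s in skus}
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    findings = {"unassigned": {}, "disabled_licensed": [],
                "inactive_licensed": [], "mixed_assignment": []}

    # Purchased but not assigned (shelfware), per SKU
    for s in skus:
        spare = s["prepaidUnits"]["enabled"] - s["consumedUnits"]
        if spare > 0:
            findings["unassigned"][s["skuPartNumber"]] = spare

    for u in users:
        states = u.get("licenseAssignmentStates") or []
        if not states:
            continue  # no licence held, nothing to reclaim
        upn = u["userPrincipalName"]
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if not u["accountEnabled"]:
            # Disabled account still consuming a licence: offboarding gap
            findings["disabled_licensed"].append(upn)
        elif last is None or parse_ts(last) < cutoff:
            findings["inactive_licensed"].append(upn)
        # Same SKU assigned both directly and through a group: audit conflict
        direct = {st["skuId"] for st in states if st.get("assignedByGroup") is None}
        grouped = {st["skuId"] for st in states if st.get("assignedByGroup")}
        for sku_id in sorted(direct & grouped):
            findings["mixed_assignment"].append((upn, sku_names.get(sku_id, sku_id)))
    return findings

if __name__ == "__main__":
    for category, items in audit(SKUS, USERS, NOW).items():
        print(category, items)
```

Disabled accounts are reported separately from inactive ones because they indicate a failed offboarding step and should be reclaimed first.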
Best Practice 6: Govern the Copilot Rollout Separately
Microsoft 365 Copilot at $30 per user per month is the highest per-seat cost in the M365 ecosystem. Microsoft’s own guidance on Copilot deployment consistently emphasises the importance of data governance prerequisites before broad enablement: sensitivity labels, DLP policies, and permissions hygiene in SharePoint and Teams. Copilot surfaces content according to the permissions of the user; ungoverned data becomes accessible data.
Best practice for Copilot licence governance:
- Define measurable success criteria before assigning licences. What productivity outcome are you measuring and over what time period?
- Start with cohorts where use cases are well-defined: legal drafting, financial analysis, code generation, sales proposal writing. Measure before expanding.
- Assign Copilot licences through a dedicated security group managed with the same group-based approach as base licences, so unused licences can be reclaimed programmatically
- Review Copilot usage data monthly via the Microsoft Copilot Dashboard in Viva Insights. Active use is defined as at least one Copilot interaction per month; this is a low bar. Measure substantive usage alongside self-reported time savings.
- Ensure data governance prerequisites are in place before enabling Copilot at scale.
Best Practice 7: Integrate Licence Data with Financial Management
Licence management that sits entirely within IT is less effective than licence management connected to financial planning and business unit accountability. Chargeback or showback models, where M365 licence costs are allocated to business units based on actual consumption, create the incentives for departments to manage their own licence footprint rather than treating M365 as a free shared resource.
- Work with Finance to establish a licence cost allocation model by department or cost centre
- Include M365 licence costs in the IT financial reporting that goes to senior management and budget holders
- Provide business unit heads with a quarterly view of their licence consumption and cost, including unused licences
- Use chargeback data to build the business case for licence governance investments
Organisations that implement chargeback models consistently report faster uptake of licence right-sizing recommendations, because the financial consequence of over-licensing is visible to the people who control headcount and budget.
Best Practice 8: Prepare a Renewal Negotiation Dossier
The commercial relationship with Microsoft is more negotiable than most IT leaders realise, but only when you have the data to support your position. Gartner consistently advises that organisations seeking to optimise software costs must arrive at renewal conversations with detailed consumption data, benchmarked pricing intelligence, and documented alternative scenarios. Without these, the default outcome is acceptance of vendor-proposed terms.
A renewal negotiation dossier should contain:
- Current licence inventory: every SKU, quantity, and current utilisation rate
- Projected licence mix at renewal: what you expect to need, based on headcount forecast and planned deployments
- Benchmark data: what comparable organisations in your sector and region pay for equivalent licences
- Optimisation history: licences recovered and costs avoided since the last renewal, demonstrating active estate management
- Scenarios: renewal at current mix, right-sized mix, and early renewal, with cost impact modelled at both current and July 2026 list prices
Microsoft’s channel partners are commercially incentivised to bring customers to early renewal conversations ahead of July 2026. Use that momentum to negotiate multi-year pricing, incentive funding, or expanded terms, but only if you arrive with a clear baseline and a documented alternative.
4. Implementation Roadmap
The Microsoft 365 governance framework described in this guide does not need to be implemented all at once. The following phased approach balances quick wins with sustainable structural change.
Phase 1: Visibility (Weeks 1 to 4)
Establish the baseline before taking any corrective action.
- Run a full licence inventory export from the M365 Admin Center
- Activate Usage Reports and identify inactive users with no activity in 30 or more days
- Identify unassigned licences across all SKUs
- Map current third-party tool spend against M365 entitlements to surface obvious duplications
- Produce an initial financial model: current spend, estimated waste, and potential savings
Phase 2: Quick Wins (Weeks 5 to 12)
Address the highest-value and lowest-risk optimisations first.
- Deprovision licences from confirmed inactive and departed user accounts
- Convert shared mailboxes holding full user licences to Exchange shared mailbox accounts
- Remove or reassign unassigned shelfware licences
- Disable unused add-on licences (Project, Visio, Power BI Pro) where active usage is confirmed zero
- Implement automated offboarding via Entra ID Lifecycle Workflows
Phase 3: Structural Governance (Months 3 to 6)
Put the frameworks in place that prevent waste from re-accumulating.
- Design and implement group-based licensing aligned to the persona model
- Migrate from direct licence assignment to group-based assignment across all SKUs
- Configure dynamic group membership rules based on HR attributes
- Establish the quarterly audit cadence and assign ownership
- Set up licence cost allocation model with Finance
Phase 4: Continuous Optimisation (Ongoing)
Embed licence governance as a permanent operational discipline.
- Quarterly licence audit and persona review
- Annual renewal preparation and benchmark update
- Monthly Copilot and premium add-on utilisation review
- Bi-annual third-party spend vs M365 entitlement reconciliation
- Licence data integrated into IT financial management reporting
5. Governance Checklist for IT Leaders
Use this checklist to assess current maturity and track progress against the framework.
Foundation
- Consolidated licence inventory maintained and owned by a named individual
- Financial model in place: current spend, waste estimate, and savings opportunity
- July 2026 price impact modelled for current and right-sized licence mix
Provisioning & Deprovisioning
- Group-based licensing implemented via Entra ID (no direct assignment)
- Dynamic group membership rules configured based on HR attributes
- Automated offboarding via Entra ID Lifecycle Workflows in place
- Onboarding workflow assigns correct persona licence automatically
Optimisation
- Persona model defined and documented by role and department
- Quarterly licence audit cadence in place
- Inactive user report reviewed monthly
- Premium add-on utilisation tracked monthly (Copilot, Power BI, Project, Visio)
- M365 entitlements mapped against third-party tool spend (bi-annual)
Financial & Commercial
- Licence costs allocated to business units (chargeback or showback)
- Renewal negotiation dossier prepared 6 months before contract anniversary
- Benchmark data sourced from partner or procurement network
Final Thoughts
Microsoft 365 is not going to get cheaper. The July 2026 increases are confirmed, the Copilot add-on continues to expand, and the elimination of volume discounts under EA is removing a mechanism that many organisations have relied on for years to offset list price growth. The financial case for active licence governance is compelling today. After July 2026, it will be more so.
The organisations that manage this most effectively share a common characteristic: they treat licence management as a continuous operational discipline. They have clear ownership, automated controls, regular audit cycles, and a financial model that makes the cost and value of M365 visible to the people who control budgets.
The framework in this guide is designed to be implemented progressively. Starting with visibility, moving to automation, and building toward integrated financial governance gives most organisations a realistic path to a mature model within six months.
Gartner estimates that organisations can cut software spending by up to 30% through structured licence optimisation. That potential does not disappear at renewal. It compounds if left unaddressed.
Key Sources
Research and data referenced in this guide:
- Gartner, Magic Quadrant for SaaS Management Platforms, 2025 (five times more susceptible to cyber incident; 25% overspend on SaaS; 70% centralization prediction)
- Gartner, Cut Software Spending Safely With SAM (30% cost reduction from licence optimisation best practices)
- Gartner, Predicts 2022: SaaS Dominates Software Contracting by 2026 (software ownership costs increase up to 35% with subscription model shift)
- Gartner, Forecast Analysis: Software Asset Management, 2024 (25% of enterprise software licences go unused)
- IBM Security, Cost of a Data Breach Report 2025 (global average breach cost $4.44 million; compromised credentials top attack vector at 16%; 292 days average detection and containment time)
- Microsoft, Advancing Microsoft 365: New Capabilities and Pricing Update, December 2025 (July 2026 pricing changes)
- Microsoft Learn, Group-based licensing in Microsoft Entra ID, 2025
- Microsoft Learn, Automate employee offboarding tasks with Lifecycle Workflows, 2025
- Microsoft Learn, Microsoft 365 Admin Center Usage Reports, 2025
- TeamsFox, Microsoft 365 Price Increases 2026: Why Cost Governance Matters More Than Ever, December 2025