Why Manual Harvesting Fails
Most organisations approach licence harvesting as a project: run a usage report, identify inactive accounts, reclaim licences, brief IT and HR, close the project. This is better than nothing. It is not good enough.
The problem is entropy. The moment your manual harvesting project closes, licence waste starts accumulating again. Joiners receive licences automatically. Movers change roles but keep all their previous-role licences. Leavers are disabled in Active Directory but their M365 licences remain assigned for weeks or months. Contractors finish engagements but their accounts linger in a "disabled but not deprovisioned" state. Project team licences assigned for a specific initiative remain assigned long after the project ends.
Within 18 months of a manual harvesting exercise, the average enterprise is back to 70–80% of its pre-harvest waste level. The only sustainable solution is automation — continuous detection, continuous reclaim, continuous reporting.
The commercial imperative: Automated harvesting is not just an IT efficiency project. It is a direct input to your EA renewal negotiation. The licence count you present at renewal should reflect your actual active user population, not a bloated count inflated by ghost accounts and inactive assignments. For a 5,000-user organisation with a 20% inactive licence rate, that difference is 1,000 licences — approximately £360,000–£540,000 per year at E3/E5 pricing.
The Four Sources of Licence Waste
An automated harvesting programme needs to address all four sources, not just the most visible one:
| Waste Source | Detection Method | Typical % of Total Waste | Automation Difficulty |
|---|---|---|---|
| Ghost accounts — leavers whose accounts remain licensed after offboarding | Account disabled + licence still assigned; HRIS comparison | 35–45% | Low — clear policy trigger (account disable = reclaim) |
| Inactive accounts — active accounts with no M365 activity for 30+ days | M365 Usage Analytics / Graph API last activity signals | 25–35% | Medium — requires inactivity threshold governance and exception handling |
| Over-assigned SKUs — E5 assigned where E3 is sufficient; add-ons not used | Feature utilisation reports (Secure Score, usage analytics per service) | 20–30% | Medium-High — requires per-service utilisation analysis and manager approval workflow |
| Duplicate/orphaned assignments — test accounts, shared mailboxes over-licensed, service accounts | Account type classification; shared mailbox audit; non-human account audit | 5–15% | Medium — requires account classification taxonomy |
Data Sources for Inactivity Detection
The Microsoft Graph API and M365 Admin Centre provide the primary data inputs for automated harvesting. Key signals:
Microsoft 365 Usage Reports (Graph API)
The Graph API reports endpoint provides per-user last activity data across all M365 workloads. The most useful endpoints for harvesting automation:
- getEmailActivityUserDetail — last email send/receive date per user
- getTeamsUserActivityUserDetail — last Teams chat/meeting activity date
- getSharePointActivityUserDetail — last file view/edit date in SharePoint/OneDrive
- getOneDriveActivityUserDetail — last OneDrive sync/access activity
- getOffice365ActiveUserDetail — last active date across all M365 workloads combined
- getM365AppUserDetail — last Microsoft 365 Apps (Office) activation and usage date
The composite signal — a user who shows no activity across Exchange, Teams, SharePoint, OneDrive, and M365 Apps for 30+ consecutive days — is the strongest inactivity indicator. Single-workload inactivity is unreliable (a user who only uses Teams will appear inactive in Exchange reports).
API data latency: Microsoft's usage reports have a 48–72 hour data latency. Reports queried today reflect activity up to 2–3 days ago. Build this lag into your inactivity detection logic — a 30-day inactivity threshold should be measured as "no activity in the last 32–33 days" to account for reporting lag. Failure to account for this creates false positives that erode trust in the harvesting programme.
Entra ID (Azure AD) Account Status
Cross-referencing M365 activity data with Entra ID account status provides the second validation layer:
- Disabled accounts with active licences: immediate reclaim candidates (no policy exception needed)
- Accounts not signed in for 90+ days (Entra ID sign-in logs): strong corroboration for M365 inactivity signals
- Accounts approaching Entra ID guest expiry: reclaim licences before account expiry to avoid compliance complications
HRIS Integration
The most reliable early warning for licence waste is HRIS data. When an employee's departure date is confirmed in your HR system, the automated harvesting programme should trigger the licence reclaim process — ideally within 24 hours of offboarding, not weeks later when someone manually checks. The typical gap between HRIS offboarding and M365 licence reclaim in organisations without automation is 47 days. At E3 pricing, that is £47/user wasted per offboarding — £47,000/year for an organisation with 1,000 annual leavers.
The Automation Architecture
Tier 1: Immediate Reclaim (No Approval Required)
These triggers should automatically reclaim licences without human approval:
- Entra ID account disabled AND licence assigned: reclaim within 24 hours
- HRIS offboarding event received AND account confirmed disabled: reclaim within 24 hours
- Account deleted or converted to shared mailbox: reclaim all productivity licences immediately
- Guest accounts expired or removed: reclaim any licences assigned to guest accounts
Tier 2: Managed Reclaim (Manager Notification + 14-Day Window)
These triggers require manager notification before reclaim to prevent false positives:
- 30+ days combined M365 inactivity (Exchange + Teams + SharePoint + M365 Apps)
- 90+ days of Entra ID inactivity (no sign-in)
- Contractor accounts with confirmed contract end date passed
The 14-day notification window allows managers to confirm legitimate inactivity (e.g., extended leave, secondment) and prevents reclaim from employees on protected leave who retain a legitimate licence entitlement under employment law.
Tier 3: SKU Right-Sizing (Quarterly Review Cycle)
These require more analysis and a formal approval workflow:
- E5 users with zero utilisation of any E5-exclusive features for 90+ days (Purview, advanced security features, advanced compliance)
- Visio Plan 2 / Project Plan 3 users with no document creation activity for 60+ days
- Copilot licences with zero chat interactions for 30+ days (high-cost, highly visible)
- Power Platform add-ons (Power Apps per-user, Power Automate) with no app access or flow execution for 60+ days
PowerShell and Graph API Implementation
The core harvesting automation can be built on native Microsoft tooling. Here is the logical structure (not production code — implement with your security and compliance review):
Implementation note: Use the Microsoft.Graph PowerShell SDK (not the legacy MSOL or AzureAD modules, which are deprecated). Ensure your service principal has the User.ReadWrite.All and Reports.Read.All Graph API permissions. Store all harvesting decisions in an audit log — you will need this evidence for EA renewal negotiations and true-up reconciliation.
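The composite-inactivity and reporting-lag rule from the data sources section, and the Tier 1 and Tier 2 triggers, written out as decision logic. This is an added example, not the original page's code: the record shape and the names Get-HarvestDecision and New-SampleUser are hypothetical, and the sample accounts are constructed.

```powershell
# Added example: Tier 1 / Tier 2 decision logic only. The record shape is hypothetical;
# in a tenant these fields would be populated from Entra ID, the usage reports and HRIS.
$ReportLagDays  = 3    # usage reports trail real activity by 48-72 hours
$InactivityDays = 30   # Tier 2: composite M365 inactivity
$SignInDays     = 90   # Tier 2: Entra ID sign-in inactivity
$NoticeDays     = 14   # manager notification window before reclaim

function Get-HarvestDecision {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $tier = 'None'; $reason = 'active'; $reclaimAfter = $null
        # Composite signal: newest activity date across all workloads ($null = never used).
        $last = $User.LastActivity.Values | Where-Object { $null -ne $_ } |
            Sort-Object | Select-Object -Last 1
        $activityCutoff = $Now.AddDays(-($InactivityDays + $ReportLagDays))
        if (-not $User.AccountEnabled) {
            $tier = 'Tier1'; $reason = 'disabled account still licensed'
            $reclaimAfter = $Now.AddHours(24)
        } elseif ($User.ProtectedLeave) {
            $reason = 'protected leave exemption'
        } elseif ($null -eq $last -or $last -lt $activityCutoff) {
            $tier = 'Tier2'; $reason = 'composite inactivity (threshold + report lag)'
            $reclaimAfter = $Now.AddDays($NoticeDays)
        } elseif ($null -eq $User.LastSignIn -or $User.LastSignIn -lt $Now.AddDays(-$SignInDays)) {
            $tier = 'Tier2'; $reason = 'no Entra ID sign-in within threshold'
            $reclaimAfter = $Now.AddDays($NoticeDays)
        }
        # One audit record per decision, including "no action" outcomes.
        [pscustomobject]@{ Upn = $User.Upn; Tier = $tier; Reason = $reason
                           ReclaimAfter = $reclaimAfter; DecidedAt = $Now }
    }
}

# Constructed sample records (not real accounts); each is assumed to hold a licence.
function New-SampleUser($Upn, $Enabled, $Leave, $SignIn, $Exchange, $Teams) {
    [pscustomobject]@{ Upn = $Upn; AccountEnabled = $Enabled; ProtectedLeave = $Leave
        LastSignIn = $SignIn; LastActivity = @{ Exchange = $Exchange; Teams = $Teams } }
}
$asOf = [datetime]'2025-03-01'
@(
    New-SampleUser 'leaver@example.test'     $false $false ([datetime]'2025-01-10') ([datetime]'2025-01-10') $null
    New-SampleUser 'teams.only@example.test' $true  $false ([datetime]'2025-02-27') $null ([datetime]'2025-02-26')
    New-SampleUser 'lag.edge@example.test'   $true  $false ([datetime]'2025-01-29') ([datetime]'2025-01-29') $null
    New-SampleUser 'dormant@example.test'    $true  $false ([datetime]'2025-01-20') ([datetime]'2024-12-15') ([datetime]'2024-12-20')
    New-SampleUser 'on.leave@example.test'   $true  $true  ([datetime]'2024-11-01') ([datetime]'2024-11-01') $null
) | Get-HarvestDecision -Now $asOf | Format-Table Upn, Tier, Reason, ReclaimAfter
```

The sample rows cover a disabled leaver, a Teams-only user with no Exchange activity, an account inside the reporting-lag margin, a dormant account and an account on protected leave. With the Microsoft.Graph SDK the reclaim step for a Tier 1 or expired Tier 2 record is a `Set-MgUserLicense` call per user, logged alongside the decision record.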
Power Automate as the Orchestration Layer
For organisations that prefer a low-code approach or want manager notification workflows without custom development, Power Automate provides a viable orchestration layer:
- Scheduled flow runs nightly Graph API queries and writes results to a SharePoint list
- Approval flow sends manager notifications for Tier 2 candidates with a 14-day approval window
- Reclaim flow executes licence removal via Graph API action on approval or timer expiry
- Reporting flow generates monthly harvesting summary sent to IT and finance
Power Automate is not ideal for very high-volume environments (10,000+ users) due to throttling and run duration limits. For larger deployments, Azure Logic Apps or a custom Azure Function app provides better performance and reliability.
The Inactivity Policy Framework
Automation without policy is just scripts running unsupervised. The policy framework defines the rules that the automation enforces, the exceptions that override automatic reclaim, and the governance process that keeps the programme commercially credible.
| Policy Element | Recommended Standard | Notes |
|---|---|---|
| Inactivity threshold (standard) | 30 days composite inactivity | Composite = no activity across Email + Teams + SharePoint + M365 Apps |
| Inactivity threshold (senior/executive) | 60 days | Higher threshold for C-suite; consider manual approval for VP+ roles |
| Notification window | 14 days from notification to reclaim | Manager receives notification with one-click extend or confirm action |
| Protected leave exemption | Suspend harvesting flag on HRIS integration for mat/pat/sick/protected leave | Employment law requirement — failure creates legal exposure |
| Contractor end-of-term | Automatic reclaim on HRIS contract end date + 48 hours | No manager approval required; document in service level agreement |
| Reclaim audit log | Retain 36 months minimum | Required for EA true-up reconciliation and audit defence |
| Re-assignment SLA | Reclaimed licences available for re-assignment within 4 hours | Prevents operational disruption from harvesting programmes |
Connecting Harvesting to EA Renewal
This is where automated harvesting becomes a commercial programme rather than an IT efficiency exercise. Your EA renewal negotiation depends on presenting a credible, evidence-based licence count to Microsoft. An automated harvesting programme that has run for 12–18 months before your renewal date provides:
1. A Defended Licence Count
Instead of Microsoft proposing a renewal based on your current peak count (which includes all waste), you can present a count based on active, productive users with documented methodology. The automation provides the audit trail that validates the count. Microsoft will attempt to anchor on your previous year's count — your harvesting data is the counter-anchor.
2. True-Up Liability Reduction
Licences reclaimed during the year reduce your true-up liability at anniversary. An automated programme that continuously reclaims inactive licences ensures your count never inflates unchecked between true-up periods. For a 5,000-user organisation at E3 pricing, reducing the true-up addition from 400 to 100 licences saves £108,000 in a single true-up cycle. See our true-up preparation guide for the full true-up methodology.
3. Right-Sizing Evidence
Automated harvesting of over-assigned SKUs (E5 where E3 suffices, Project Plan 3 where Planner Premium is sufficient) produces the utilisation data needed to propose a right-sized renewal. Without this data, Microsoft's renewal proposal defaults to whatever SKU mix you currently hold.
Building Your Harvesting Programme Before Renewal?
The optimal time to start automated harvesting is 18–24 months before your EA renewal date. At 12 months, you will have enough data to defend a reduced licence count. At 6 months or less, the data is too thin to credibly challenge Microsoft's renewal proposal. Start now.
Tooling Options
| Approach | Cost | Best For | Limitations |
|---|---|---|---|
| Native PowerShell + Graph API | £0 (development time only) | Technical teams with PowerShell expertise; organisations wanting full control | Requires development, testing, ongoing maintenance; no built-in UI |
| Power Automate + SharePoint | Included in M365 E3 (standard connectors) | Low-code environments; small to mid-size orgs | Throttling at scale; limited error handling; Power Automate premium connectors may be needed |
| Microsoft 365 Admin Centre (built-in) | Included in M365 | Basic inactivity reporting; starting point for analysis | No automation — reporting only; no HRIS integration; no workflow |
| SAM Platform (Flexera, Snow, Lansweeper) | £20,000–£80,000+/year depending on size | Large enterprises with complex hybrid estates; organisations needing broader SAM programme | Significant cost; may include capabilities you do not need; vendor independence risk |
| Microsoft 365 Advanced ITAM (Intune add-on) | Intune Plan 2 / Suite required | Organisations already standardised on Intune for device management | Primarily device-focused; M365 SaaS licence harvesting limited |
Measuring the Programme
An automated harvesting programme needs clear KPIs to demonstrate ROI and maintain organisational support:
- Active licence ratio: Target >88% of assigned licences showing 30-day activity. Below 80% indicates systemic process failures upstream of harvesting.
- Leavers-to-reclaim latency: Time between HRIS offboarding event and M365 licence reclaim. Target <24 hours; measure monthly.
- Monthly licence reclaim count: Number of licences reclaimed each month, by harvest tier. Trend analysis shows whether upstream provisioning discipline is improving.
- Avoided true-up cost: Compare projected true-up liability with and without harvesting programme. Quantifies programme financial ROI.
- Renewal count reduction: At EA renewal, compare the renewal licence count to the count 24 months prior. The delta is partially attributable to harvesting — document it.