
Workflow: Microsoft 365 E5 license optimization



Microsoft 365 is a crucial productivity suite - but it is also an expensive one. One way to curb Microsoft 365 licensing costs is by assigning the right license to the right users. However, that is easier said than done, as it can be very complex to gain visibility into who has which license and assess if they genuinely need it. This lack of clarity in license utilization leads to significant hidden and unnecessary costs to the organization.

In addition, the actual process of detecting different licensing models, verifying the need for an E5 license, asking employees' consent for license reclaim, and subsequently changing the license can be a very manual, time-consuming, and frustrating process for IT teams.

Orchestrate the E5 to E3 license optimization process to cut the time spent on manual license reclaim and reduce costs from unnecessarily assigned licenses. This is possible through a fully automated workflow that detects users with an E5 license, asks for license reclaim permission, and changes the licensing model to E3 within Entra ID.

A good indicator of which employees to target is their Power BI Pro consumption, as it is based on real user activity. The Power BI application in this library pack allows you to detect users with no Power BI usage, and the results can then be filtered by groups of devices for more granular targeting. This application can also be configured through software metering to get a longer usage trend to rely on. You can then set more accurate triggers and schedules for your workflow.

  • Fully orchestrated process to simplify and accelerate the Microsoft 365 license management process.

  • Remove the unnecessary Microsoft 365 licensing cost at scale.

  • Use of software metering information as a detection mechanism to look at 90 days' worth of Power BI usage data.

  • Option to keep users involved for transparency and awareness, and to ensure approval.

  • API call to Entra ID to modify a user's group assignment.


To utilize this workflow, you need to install the necessary content into your Nexthink Infinity tenant. The Microsoft 365 E5 license optimization dashboard depends on the workflow, and the workflow depends on the Campaign and the Application.

Engage campaign

  • M365 E5 to E3 license - workflow invoke


  • Microsoft 365: Power BI


Workflow parameters

Here are the parameters for the Microsoft 365 E5 license optimization workflow:

  • Ask for permission?: This parameter controls whether the license is optimized with or without user consent. It has two possible values: "Yes", which means that a campaign should be triggered to obtain user consent, or "No", which means that the licensed group assignment will be changed without user consent.

  • MS365 E5 authorization group: This parameter contains the ID of the Entra ID licensed group, which controls Microsoft 365 E5 license assignments. The parameter needs to be maintained with a locally assigned ID.

  • MS365 E3 authorization group: Similar to the MS365 E5 parameter, this parameter contains the E3 licensed group.

Licensed group ID

Maintain workflow parameters


Please note: The following campaign needs to be set up as it is utilized in the workflow. For more information about setting up campaigns, please refer to the Campaigns section. For details on how campaigns function within workflows, please consult the Workflows Designer page.

  • M365 E5 to E3 license - workflow invoke

Entra ID integration

To integrate the Microsoft Graph API with the Nexthink platform, you need two integration points. One is required to bring the UPN into the user table of the data model. The other is required to handle the API credentials. Please visit Entra ID integration for workflows for full details.

Trigger configuration for the workflow

This workflow is primarily designed to run automatically using a scheduled trigger. However, it can also be manually triggered for ad hoc usage. The first step of the workflow is to check if a user belongs to a security group associated with a specific software license. This allows the workflow to be run on all users who are not using the software. For instance, in the case of Microsoft 365: Power BI license, the application can be defined in Applications, and the following query can be used as a workflow schedule or investigation. This process selects all devices where no Power BI usage was detected. The workflow then checks each user using those devices for group membership. If any of these users belong to the group, which implies they have the license, they will be asked if the license can be reclaimed.

NQL using Application Experience data:

devices during past 30d
| where login.last_login_user_name != null
| include during past 30d
| where == "Microsoft 365: Power BI"
| compute app_usage_ = event.duration.sum()
| include during past 30d
| where == "Microsoft 365: Power BI"
| compute desktop_app_usage_ = execution_duration.sum()
| where app_usage_ == null and desktop_app_usage_ == null

An alternative way to select devices for the workflow is to use Software Metering. In this case, 90 days of data is available. For more information on how to configure an application in Software Metering, visit the Managing Software Metering page.

NQL using Software Metering data:

| include during past 90d
| where meter_configuration.nql_id == "microsoft_365_power_bi"
| compute desktop_app_usage = desktop_execution_duration.sum(),
          web_app_usage = web_focus_time.sum()
| where desktop_app_usage == null and web_app_usage == null

Workflow Structure

This section describes the key steps in this workflow:

  • Verify the group membership of the device user. If the user is not part of the group specified in the workflow parameter, terminate the process. If they are part of the group, initiate a campaign to ask whether the user will need the Microsoft Power BI application in the near future.

  • If the user agrees, or if the workflow parameter “Ask for user permission” is set to “No”, the workflow performs a technical step to retrieve the user’s UUID. This is necessary for the subsequent add-to-group and remove-from-group operations.
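
The decision logic of the steps above, as an added Python example (not Nexthink's workflow code): it returns the ordered Microsoft Graph v1.0 group-membership requests for one user without sending them. The function name, the sample IDs, the GUID validation and the add-before-remove ordering are assumptions of this example.

```python
import re

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def plan_license_swap(user_id, member_of, e5_group, e3_group,
                      ask_permission, user_agreed=None):
    """Return the ordered Graph requests for one user, or [] to terminate.

    member_of: set of group IDs the user belongs to (constructed input here;
    in the workflow it comes from the group membership check).
    """
    # IDs end up in URL paths, so reject anything that is not a GUID.
    for name, value in (("user", user_id), ("E5 group", e5_group),
                        ("E3 group", e3_group)):
        if not GUID.fullmatch(value):
            raise ValueError(f"{name} ID is not a GUID: {value!r}")
    if e5_group == e3_group:
        raise ValueError("E5 and E3 groups must differ")

    # Step 1: users outside the E5 group have no E5 license to reclaim.
    if e5_group not in member_of:
        return []
    # Step 2: when permission is required, only an explicit yes proceeds;
    # a missing or negative campaign answer terminates.
    if ask_permission and user_agreed is not True:
        return []

    requests = []
    # Add to E3 first (ordering chosen for this example) so the user is not
    # left without a license between the two calls.
    if e3_group not in member_of:
        requests.append(("POST", f"{GRAPH}/groups/{e3_group}/members/$ref",
                         {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}))
    requests.append(("DELETE",
                     f"{GRAPH}/groups/{e5_group}/members/{user_id}/$ref", None))
    return requests

# Constructed sample IDs, not real tenant values.
USER = "11111111-1111-1111-1111-111111111111"
E5 = "55555555-5555-5555-5555-555555555555"
E3 = "33333333-3333-3333-3333-333333333333"

if __name__ == "__main__":
    for method, url, body in plan_license_swap(USER, {E5}, E5, E3, True, True):
        print(method, url, body)
```

Both calls modify group membership, so the credentials configured for the integration need write access to exactly these two groups and nothing broader.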


