Workflow: License reclamation
Overview
Description
Large enterprises can easily lose track of the number of software licenses delivered to their employees. Over time, unused and forgotten licenses silently accumulate unnecessary costs for the business. In addition, once detected, removing a user's license can take time and is often done on a case-by-case basis.
The License reclamation workflow can be triggered on any group of devices identified as not using, or underusing, a specific application. It makes an API call to Entra ID to remove the user (identified by their user ID) from the application's group, which automatically uninstalls the application and, if the Entra configuration is set up for it, reclaims the license.
This workflow can create significant cost savings by reclaiming licenses at scale and by saving IT support time.
Fully automated process to remove a user from Entra ID group using Nexthink Flow.
Option to ask user permission or enforce application removal.
API call to Entra ID to check user's group membership and remove the user from it.
Changelog
V1.0.0.0 - Initial Release
Dependencies
To utilize this workflow, you need to install the necessary content into your Nexthink Infinity tenant.
Engage campaign
License reclamation request - Workflow invoke
Configuration
Campaign
Please note: The following campaign needs to be set up as it is utilized in the workflow. For more information about setting up campaigns, please refer to the https://docs.nexthink.com/platform/latest/campaigns section. For details on how campaigns function within workflows, please consult the https://docs.nexthink.com/platform/latest/workflows-designer#:~:text=the%20remote%20action.-,Campaigns,-The%20Campaign%20Thinklet section.
License reclamation request - Workflow invoke
Entra ID integration
The workflow utilizes the User Principal Name (UPN) from the Entra ID integration. This is necessary to populate the UPN into the Nexthink data model, where it is mapped to the user.ad.name field. For more information on setting up the Nexthink connector to Entra ID, refer to the Connector for Microsoft Azure Active Directory on https://docs.nexthink.com/platform/latest/connector-for-azure-active-directory . The result of this integration should be that the user UPN is populated in the Nexthink user table. This user UPN is then utilized in the workflow when making Graph API calls. The following screenshots provide an example of an Entra ID connector setup and demonstrate that, when correctly set up, the users table populates with user names.
Graph API connector credentials
The configuration of connector credentials is essential for enabling API calls. See detailed information at https://docs.nexthink.com/platform/latest/webhooks-manage-credentials . Each Service/API thinklet has a dropdown field for credentials that needs to be filled out. When the workflow is installed or copied from the Library, this field will be blank as it is a local setup of each environment and is not included in the Library. It’s crucial to add API read/write permissions in the Entra ID application registration setup.
Application ID in Entra application is maintained as Client ID in credential setup.
Tenant ID is used as part of the Access token URL.
Client ID and Client secret need to be copied from App registrations, Certificates & secrets.
Entra ID security group
The workflow can be duplicated, and each copy can be used for a specific security group. For each Entra ID security group, the global parameter must be updated.
Trigger configuration for the workflow
This workflow is primarily designed to run automatically using a scheduled trigger. However, it can also be manually triggered for ad hoc usage. The first step of the workflow is to check if a user belongs to a security group associated with a specific software license. This allows the workflow to be run on all users who are not using the software. For instance, in the case of a Miro license, the application can be defined in Applications (https://docs.nexthink.com/platform/latest/applications ), and the following query can be used as a workflow schedule or investigation. This process selects all devices where no Miro usage was detected. The workflow then checks each user using those devices for group membership. If any of these users belong to the group, which implies they have the license, they will be asked if the license can be reclaimed.
NQL:
devices during past 30d
| where login.last_login_user_name != null
| include web.events during past 30d
| where application.name == "Miro"
| compute app_usage_ = event.duration.sum()
| where app_usage_ == null
| where count == 0
Workflow Structure
This section describes the key steps in this workflow:
Verify the group membership of the device user. If the user is not a part of the specified group in the workflow parameter, terminate the process. If they are a part of the group, initiate an Engage campaign to request software uninstallation.
If the user agrees, or if the workflow parameter “Ask for user permission” is set to “No”, the workflow performs a technical step to retrieve the user’s UUID. This is necessary for the subsequent step of removing the user from the group.
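The credential setup described under Graph API connector credentials and the two workflow steps above, mirrored as an added Python example that is not Nexthink's own code: it obtains a token with the client-credentials grant (Tenant ID in the token URL, Application/Client ID and secret in the form), resolves the UPN to the user's Entra object id, checks membership with checkMemberGroups and detaches the member. The Graph endpoints are real; the tenant, ids, UPNs and the fake_http stand-in are constructed assumptions so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request
GRAPH = "https://graph.microsoft.com/v1.0"

def live_http(method, url, headers, body=None):
    """Real transport: one HTTP request -> (status, decoded JSON or None)."""
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method=method, headers=headers)) as r:
        return r.status, (json.loads(raw) if (raw := r.read()) else None)

def get_token(http, tenant_id, client_id, client_secret):
    # Client-credentials grant: Tenant ID forms the token URL; Application (client) ID and secret go in the form.
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}).encode()
    status, data = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200 or not data or "access_token" not in data:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return data["access_token"]

def graph(http, token, method, path, body=None):
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return http(method, GRAPH + path, headers, json.dumps(body).encode() if body else None)

def reclaim(http, token, upn, group_id):
    """Same order as the workflow: resolve UPN, check membership, then remove. Returns the outcome."""
    status, data = graph(http, token, "GET", f"/users/{urllib.parse.quote(upn)}?$select=id")
    if status != 200:
        return "user-not-found"
    user_id = data["id"]  # the Entra object id (the workflow's "UUID"), resolved from user.ad.name
    # checkMemberGroups echoes back only those of the supplied ids the user actually belongs to.
    status, data = graph(http, token, "POST", f"/users/{user_id}/checkMemberGroups", {"groupIds": [group_id]})
    if status != 200 or group_id not in data.get("value", []):
        return "not-a-member"  # workflow terminates here: no license to reclaim
    status, _ = graph(http, token, "DELETE", f"/groups/{group_id}/members/{user_id}/$ref")
    return "removed" if status == 204 else "remove-failed"  # Graph answers 204 No Content on success

# Constructed stand-in for Graph so the flow runs offline; not a real tenant, ids and UPNs are made up.
FAKE_USERS, FAKE_MEMBERS = {"alice@example.com": "u-1111", "bob@example.com": "u-2222"}, {"g-miro": {"u-1111"}}
def fake_http(method, url, headers, body=None):
    path = url[len(GRAPH):]
    if method == "GET":
        upn = urllib.parse.unquote(path[len("/users/"):].split("?")[0])
        return (200, {"id": FAKE_USERS[upn]}) if upn in FAKE_USERS else (404, None)
    if method == "POST":
        uid, wanted = path.split("/")[2], json.loads(body)["groupIds"]
        return 200, {"value": [g for g in wanted if uid in FAKE_MEMBERS.get(g, set())]}
    _, _, gid, _, uid, _ = path.split("/")  # DELETE /groups/{gid}/members/{uid}/$ref
    FAKE_MEMBERS.get(gid, set()).discard(uid)
    return 204, None
```

Against a real tenant, call reclaim(live_http, get_token(live_http, tenant_id, client_id, client_secret), upn, group_id); the app registration behind those credentials should hold only the narrowest Graph application permission that allows group-membership writes, since the same secret is stored in the Nexthink credential setup.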