Skip to main content
Skip table of contents

Workflow: License reclamation



Large enterprises can easily lose track of the number of software licenses delivered to their employees. Over time, unused and forgotten licenses silently accumulate unnecessary costs for the business. In addition, once detected, removing a user's license can take time and is often done on a case-by-case basis.

The License reclamation workflow can be triggered on any group of devices identified as not using, or underusing, a specific application. This triggers an API call to Entra ID to remove a user (based on their user ID) from an application group, which automatically uninstalls and, if the configurations are set in Entra, reclaims the license. 

This workflow can potentially create significant cost savings through license reclamation at scale and saving IT support time.

  • Fully automated process to remove a user from Entra ID group using Nexthink Flow. 

  • Option to ask user permission or enforce application removal. 

  • API call to Entra ID to check user's group membership and remove the user from it. 


V1.0.0.0 - Initial Release


To utilize this workflow, you need to install the necessary content into your Nexthink Infinity tenant.

Engage campaign

  • License reclamation request - Workflow invoke



Please note: The following campaign needs to be set up as it is utilized in the workflow. For more information about setting up campaigns, please refer to the section. For details on how campaigns function within workflows, please consult the,Campaigns,-The%20Campaign%20Thinklet section.

License reclamation request - Workflow invoke

Entra ID integration

The workflow utilizes the Universal Principal Name (UPN) from Entra ID integration. This is necessary to populate the UPN into the Nexthink data model, where it is mapped to the field. For more information on setting up the Nexthink connector to Entra ID, refer to the Connector for Microsoft Azure Active Directory on . The result of this integration should be that the user UPN is populated in the Nexthink user table. This user UPN is then utilized in the workflow when making graph API calls. The following screenshots provide an example of an Entra ID connector setup and demonstrate that, when correctly set up, the users table populates with user names.

Credentials setup example

Field mappings example

User names are populated in users table

Graph API connector credentials

The configuration of connector credentials is essential for enabling API calls. See detailed information at . Each Service/API thinklet has a dropdown field for credentials that needs to be filled out. When the workflow is installed or copied from the Library, this field will be blank as it is a local setup of each environment and is not included in the Library. It’s crucial to add API read/write permissions in the Entra ID application registration setup.

Example of credentials configuration

Thinklet with credentials field maintained

Application ID in Entra application is maintained as Client ID in credential setup.

Tenant ID is used as part of the Access token URL.

Client ID and Client secret needs to be copied from App registrations, Certificates & secrets.

Entra ID security group

The workflow can be duplicated, and each copy can be used for a specific security group. For each Entra ID security group, the global parameter must be updated.

Security group ID which needs to be maintained as workflow parameter value.

Workflow parameter for Entra ID group ID.

Trigger configuration for the workflow

This workflow is primarily designed to run automatically using a scheduled trigger. However, it can also be manually triggered for ad hoc usage. The first step of the workflow is to check if a user belongs to a security group associated with a specific software license. This allows the workflow to be run on all users who are not using the software. For instance, in the case of a Miro license, the application can be defined in Applications ( ), and the following query can be used as a workflow schedule or investigation. This process selects all devices where no Miro usage was detected. The workflow then checks each user using those devices for group membership. If any of these users belong to the group, which implies they have the license, they will be asked if the license can be reclaimed.


devices during past 30d
| where login.last_login_user_name != null
| include during past 30d
| where == "Miro"
| compute app_usage_ = event.duration.sum()
| where app_usage_ == null
| where count == 0

Workflow Structure

This section describes the key steps in this workflow:

  • Verify the group membership of the device user. If the user is not a part of the specified group in the workflow parameter, terminate the process. If they are a part of the group, initiate an Engage campaign to request software uninstallation.

  • If the user agrees, or if the workflow parameter “Ask for user permission” is set to “No”, the workflow performs a technical step to retrieve the user’s UUID. This is necessary for the subsequent step of removing the user from the group.



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.