Configuration guide: License reclamation


To get started with this library pack, please ensure all related content is installed and configured appropriately. This page provides guidance on which content is included and how to configure it.

Please keep in mind this is just a guide and represents suggested configurations. You are free to customize and edit content as you see fit based on your specific environment.

This page will guide you through the structure of the content.


This library pack contains content from the following expansion products

Some of these products offer default access to their respective content, and can still be used without the expansion products. To learn more about the default thresholds for expansion products, visit the extended documentation.

Content list and dependency


License reclamation

An API call to Entra ID removes a user (based on their user ID) from an application group, which automatically reclaims the license.

License reclamation (on-premises Active Directory)

Triggers a remote action to Active Directory to remove a user (based on their SAM account name) from an application group, which automatically reclaims the license.

License reclamation request - Workflow invoke

Asks users if they are still using an application.

Invoke remove user from AD group

The purpose of the Remote Action is to remove a specified user from an on-premises Active Directory group.

Configuration guide

To effectively use this library pack, the content must be installed and configured appropriately. Below are some suggested steps to install and configure the content properly before use.

Step 1) Install library pack content

Go to the Nexthink Library and install all required content.

Step 2) Edit campaigns

Navigate to the manage campaigns administration page to review and edit your campaigns.

For each installed campaign, please ensure to:

  • Customize the sender name and image.

  • Review and adjust questions.

  • Publish the campaign when you are ready to use it.

We recommend the following configurations for these campaigns:


Device assignment verification


Not urgent

Step 3) Configure remote action(s)

NameTriggerSchedule QueryParameters to edit

Invoke remove user from AD group

API trigger should be enabled so that it can be triggered from the Workflow

Invoke remove user from AD group - input parameters

NameDefault valueDescriptionAllow the user to enter a custom value



User account SAM name of the target user




Active Directory group SAM name on the target domain


Step 4) Configure Entra ID integration

The configuration of connector credentials is essential for enabling API calls. See detailed information at Connector credentials . Each Service/API thinklet has a dropdown field for credentials that needs to be filled out. When the workflow is installed or copied from the Library, this field will be blank as it is a local setup of each environment and is not included in the Library.

Step 5) Check workflow parameters

The parameters for the workflow are defined to capture 3 elements controlling the process of automatic license assignment group members.

  • Ask for permission?: This parameter determines whether user consent is necessary for reclaiming the license.

  • Authorization group: Authorization group display name.

  • Application name: Application whose licensing is managed by an authorization group.

Step 6) Maintain API thinklets locally defined credentials

Each Service/API thinklet requires locally maintained credentials. In this step review all relevant thinklets and maintain credentials.

Step 7) Maintain workflow trigger

This workflow recommended trigger is “Schedule” . To configure the trigger attribute, select the "Schedule" checkbox in the "General" configuration tab of the workflow.

Multiple schedules can be defined. Typically, each application will have a dedicated license group and a dedicated schedule.

The NQL query example below identifies all users who have used the "Salesforce Lightning" application for less than 5 minutes in the past 90 days. It omits users who were targeted in the previous campaign run and indicated they need the license, regardless of their usage time being under 5 minutes in the past 90 days. To utilize this query, the application must be set up in both Application Experience and Software Metering.

users during past 30d
| where ad.email_address != null
| include during past 90d
| where == "Salesforce Lightning"
| compute focus_time = web_focus_time.sum()
| include campaign.license_reclamation_request.responses during past 90d
| where parameters.application_name == "Salesforce Lightning"
| where state == answered
| where answers.question1.label == "yes"
| compute user_needs_application = user.count()
| where focus_time < 5min
| where user_needs_application == 0

Usage guide

Your content is now configured and ready to be used. For usage overview and recommendations, you can visit the usage guide:

Usage guide: License reclamation


Last updated