Configuration guide: License reclamation
Pre-requisites
This library pack contains content from the following expansion products
Included content and dependencies
This library pack contains the following content and dependencies:
License reclamation
An API call to Entra ID removes a user (based on their user ID) from an application group, which automatically reclaims the license.
License reclamation (on-premises Active Directory)
Triggers a remote action to Active Directory to remove a user (based on their SAM account name) from an application group, which automatically reclaims the license.
License reclamation request - Workflow invoke
Asks users if they are still using an application.
Invoke remove user from AD group
The purpose of the Remote Action is to remove a specified user from an on-premises Active Directory group.
Configuring License reclamation
Follow these steps to install and configure content:
Before configuration - Install library pack content from Nexthink Library
Step 1 – Configure remote actions
From the main menu, go to Remote actions > Manage remote actions.
Locate Invoke remove user from AD group.
Review and edit its input parameters as needed for your AD environment.
Set up a manual or scheduled trigger depending on the license cleanup frequency.
Step 2 – Edit campaigns
From the main menu, navigate to Campaigns > Manage campaigns.
For each installed campaign:
Customize the sender name and image.
Review and adjust campaign questions.
Publish the campaign when ready.
Nexthink recommends these settings for the license campaign:
License Reclamation Request
Manual
Not urgent
Step 3 – Configure Entra ID integration
If Entra ID is not yet configured, ask your Azure administrator for assistance.
Two integration points are required:
Import the UPN into the user table.
Store API credentials in the Entra ID connector.
Refer to Entra ID integration for workflows for full setup instructions.
Check the permissions listed in the Entra ID connector thinklet documentation.
Step 4 – Configure workflow parameters
In the workflow editor, verify these parameters:
Ask for permission? – Choose whether to require user consent before revoking access.
Authorization group – Name of the AD group tied to license provisioning.
Application name – Name of the app being managed.
Example use case:
Use the parameters to target users of "Salesforce Lightning" who:
Used the app for < 5 minutes in the past 90 days.
Did not confirm they still need access in the campaign.
Example NQL (requires Application Experience + Software Metering):
users during past 30d
| where ad.email_address != null
| include software_metering.events during past 90d
| where application.name == "Salesforce Lightning"
| compute focus_time = web_focus_time.sum()
| include campaign.license_reclamation_request.responses during past 90d
| where parameters.application_name == "Salesforce Lightning"
| where state == answered
| where answers.question1.label == "yes"
| compute user_needs_application = user.count()
| where focus_time < 5min
| where user_needs_application == 0Step 5 – Maintain API thinklet credentials
Each Service/API thinklet needs a credential configuration.
Go to Administration > Connector credentials.
Add the required credentials for:
Microsoft Graph API
Active Directory integration
In the workflow, fill in the Credentials field of each relevant API thinklet.
Step 6 – Maintain workflow trigger
This workflow is designed to run on a scheduled basis.
Open the workflow from Workflows > Manage workflows.
Go to the General tab.
Enable the Schedule checkbox.
Define separate schedules per application or group if needed.
RELATED TOPICS
Last updated
Was this helpful?