Your SSO dashboard tells you one story. Your finance team's credit card statement tells another. The gap between them is where your SaaS license waste lives - and for most growing companies, it's substantial.
According to Zylo's 2025 SaaS Management Index, organizations waste an average of $21 million annually on unused SaaS licenses - a 14.2% increase year-over-year. Even at smaller scale, small companies lose an average of $2 million on unused licenses annually. And the kicker: most teams only audit the apps their SSO actually knows about. That's typically 30-40% of everything running in the company.
The other 60-70% - tools bought on department credit cards, apps without SCIM support, ex-employee accounts quietly billing every month - never show up in your SSO reports. They don't get reviewed. They just keep billing.
This guide walks you through exactly how to fix that: a practical, step-by-step process to discover every app in your stack, identify every orphaned and inactive seat, calculate your recoverable spend, and automate ongoing reclamation so the waste doesn't rebuild itself.
Most license audits miss the majority of your stack. If your audit only covers SSO-connected apps, you're reviewing maybe 30-40% of the tools your team actually uses. The other 60-70% - the apps bought by individual teams, the tools without SCIM, the forgotten contractor accounts - stay invisible. That's where most of the waste is hiding.
The Audit Most Companies Are Already Running (And Why It's Not Enough)
Most IT teams run some version of a license review. They pull a report from Okta or Entra, look at provisioned users per app, flag anything obviously wrong, and call it done.
That review beats doing nothing. But it has a structural blind spot: it only sees apps connected to your SSO. Anything provisioned manually, bought outside IT's approval process, or running on a plan without SCIM support simply doesn't appear.
Shadow IT is more widespread than most IT leaders expect. In 2024, 42% of SaaS apps companies use are shadow IT - operating outside IT's control, with 65% of apps remaining unapproved. More than one-third of a company's applications are shadow IT, and 67% of IT leaders cited rogue software purchases among their top SaaS challenges.
The result: you run an audit, feel confident, miss two-thirds of your exposure, and wonder why the SaaS bill keeps climbing at renewal time.
A complete audit starts from the assumption that IT doesn't already know everything. Here's how to run one that actually does.
The 7-Step SaaS License Audit and Reclamation Process
- Step 1 (Discover every app in your stack): Pull data from your SSO provider, HRIS, expense reports, and credit card statements. You're looking for every tool being paid for or used - not just what IT approved.
- Step 2 (Map every account to a real person): Cross-reference app accounts against your current employee list. Any account that doesn't map to an active employee is a candidate for reclamation.
- Step 3 (Analyze usage patterns): For each app, pull last-login data and usage frequency. A seat with no login in 60+ days is likely waste. Set your own threshold based on app criticality.
- Step 4 (Calculate recoverable spend): Multiply inactive/orphaned seats by the per-seat cost. Sum across all apps. This is your reclamation opportunity - your recoverable spend baseline.
- Step 5 (Prioritize by impact): Sort by annual waste per tool. Focus reclamation effort where it moves the biggest number. High-cost per-seat tools with low usage are your quick wins.
- Step 6 (Execute reclamation): Remove inactive accounts, downgrade seats to lower tiers where usage doesn't justify premium plans, and flag upcoming renewals for right-sizing.
- Step 7 (Automate ongoing reclamation): Wire lifecycle triggers (offboarding, role changes, inactivity thresholds) to automatic deprovisioning across every app - including those without SCIM or APIs.
Step 1: Discover Every App in Your Stack (Including Shadow IT)
Before you can audit licenses, you need to know what you're auditing. That sounds obvious - it's also where most teams stop too early.
Pull from every source you can access:
- SSO provider (Okta, Microsoft Entra, Google Workspace): Export connected apps and their provisioned users. This is your starting point, not your complete picture.
- HRIS (Workday, BambooHR, Rippling): What tools are referenced in onboarding checklists? What's included in role-based access packages?
- Expense reports and credit card statements: Filter for recurring SaaS charges - monthly and annual subscriptions, unfamiliar vendor names, department-level software spend.
- Accounts payable: Annual contracts and invoices with software vendors often live here, especially for multi-year deals.
- Employee survey or department interviews: Ask team leads what tools their people actually use day-to-day. You'll surface tools IT has never heard of.
The goal is a complete application inventory - every tool being paid for, not just the ones IT manages. Expect surprises.
Step 2: Map Every Account to a Real Person - or Flag It as Orphaned
Once you have your app list, pull the user account list for each tool. Then cross-reference against your current employee roster from HRIS.
For each account, ask:
- Does this person still work here? If not, this is an orphaned account - a zombie license actively billing for an ex-employee.
- Is this a contractor, consultant, or external collaborator? These often fall outside standard offboarding workflows and are easy to miss.
- Is this a service account, bot, or AI agent? Non-human identities need governance too. An unused API integration or decommissioned bot can sit in a licensed tier indefinitely.
Any account that doesn't map to an active employee or a documented, justified non-human identity is a reclamation candidate. Flag everything. You'll triage in Step 5.
This is also where the SSO-only audit breaks down most painfully. 31% of companies have experienced former employees accessing assets stored in SaaS applications after departure - because removing someone from SSO doesn't automatically remove their direct login to apps they set up independently, or apps that don't enforce SSO.
Step 3: Analyze Usage Patterns - Last Login, Frequency, and Activity
An account assigned to an active employee isn't automatically an active account. People change roles, projects end, tools fall out of favor.
For each app, pull:
- Last login date per user
- Login frequency over the past 60-90 days
- Feature usage where the app's API provides it (e.g., GitHub commits, Figma file edits, Notion page activity)
General thresholds to apply:
- Daily-use tools (Slack, Jira, GitHub, Linear): No login in 30 days -> flag as inactive
- Collaborative tools (Figma, Miro, Notion): No login in 60 days -> flag as inactive
- Periodic-use tools (reporting, analytics, HR tools): No login in 90 days -> flag as inactive
Inactive seats held by current employees are reclamation candidates too - you can reach out to confirm whether access is genuinely needed, downgrade to a lower tier, or deprovision and re-provision on request.
Step 4: Calculate Your Recoverable Spend Per App
Now the number that matters: how much can you actually get back?
For each app, the calculation is straightforward:
Recoverable Spend = Orphaned/Inactive Seats × Per-Seat Annual Cost
Run this for every app in your inventory. The table below shows what this looks like for a 200-person company across a typical SaaS stack:
| App | Seats Paid | Seats Active | Orphaned / Inactive | Cost/Seat/Year | Recoverable Spend/Year |
|---|---|---|---|---|---|
| Figma (Business) | 80 | 51 | 29 | $180 | $5,220 |
| Notion (Plus) | 200 | 130 | 70 | $96 | $6,720 |
| GitHub (Team) | 60 | 38 | 22 | $48 | $1,056 |
| Slack (Pro) | 200 | 160 | 40 | $87.75 | $3,510 |
| Miro (Business) | 50 | 22 | 28 | $144 | $4,032 |
| Linear (Business) | 40 | 25 | 15 | $96 | $1,440 |
| Jira (Standard) | 120 | 88 | 32 | $84 | $2,688 |
| **TOTAL** | **750** | **514** | **236** | - | **$24,666** |
A few things to add on top of the per-seat calculation:
- Enterprise plan premiums paid for SCIM access: If you're on an enterprise plan primarily to unlock automated provisioning - not for the actual enterprise features - that's the SCIM tax. Calculate the delta between your current plan and the tier you'd actually need without the SCIM requirement. That delta becomes recoverable spend once you have universal connector-based governance.
- Duplicate tools: The average company has 15 duplicative online training apps, 11 project management tools, and 10 team collaboration apps. Consolidating redundant tools is often the highest-ROI reclamation action.
- Auto-renewed shelfware: Most SaaS contracts include auto-renewal clauses with price uplifts - if you're not actively monitoring utilization, you renew empty seats and pay more for them every year.
Step 5: Prioritize by Highest-Cost, Lowest-Usage Apps First
You now have a list of reclamation candidates across your full stack. Don't try to action everything at once - prioritize ruthlessly.
Sort by: Annual waste per tool (highest to lowest)
Your quick wins are tools where:
- Per-seat cost is high (design tools, dev platforms, business intelligence)
- The number of inactive/orphaned seats is large
- The tool isn't deeply embedded in daily workflows (lower disruption risk)
Your secondary targets are:
- Tools on enterprise plans primarily for SCIM/SSO, where a universal connector alternative would let you drop to a lower tier
- Duplicate tools doing the same job as another app you're already paying for
What to skip in this pass:
- Low-cost tools with minor waste (< $500/year) unless they pose a security risk
- Tools mid-contract with no early exit clause (flag for renewal-time action instead)
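Steps 2 through 5 above, carried out in code. This is an added example, not a tool from the article or from Iden: it takes a vendor's seat export, the HRIS roster and a list of documented non-human identities, applies the 30/60/90-day thresholds from Step 3, and returns per-app recoverable spend sorted highest waste first. The app names, prices, e-mail addresses and login dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Step 3 thresholds from the article: days without a login before a seat is inactive
INACTIVITY_DAYS = {"daily": 30, "collab": 60, "periodic": 90}

@dataclass
class App:
    name: str
    category: str               # "daily", "collab" or "periodic"
    cost_per_seat_year: float   # annual per-seat price

@dataclass
class Seat:
    app: str
    owner: str                  # account e-mail as the vendor's seat export reports it
    last_login: Optional[date]  # None means the account has never logged in

def classify_seat(seat, app, active_people, justified_nonhuman, today):
    """Step 2/3: orphaned if the owner is neither an active employee nor a documented non-human identity; inactive if past the threshold."""
    if seat.owner in justified_nonhuman:
        return "active"          # documented bot/service account: exempt from the login check
    if seat.owner not in active_people:
        return "orphaned"        # ex-employee or unknown owner: immediate reclamation candidate
    limit = INACTIVITY_DAYS[app.category]
    if seat.last_login is None or (today - seat.last_login).days > limit:
        return "inactive"
    return "active"

def audit(apps, seats, active_people, justified_nonhuman, today):
    """Step 4/5: per-app seat counts and recoverable spend, sorted highest waste first."""
    by_name = {a.name: a for a in apps}
    rows = {}
    for s in seats:
        app = by_name[s.app]
        row = rows.setdefault(app.name, {"app": app.name, "paid": 0,
                                         "active": 0, "inactive": 0, "orphaned": 0})
        row["paid"] += 1
        row[classify_seat(s, app, active_people, justified_nonhuman, today)] += 1
    for row in rows.values():
        wasted = row["inactive"] + row["orphaned"]
        row["recoverable"] = wasted * by_name[row["app"]].cost_per_seat_year
    return sorted(rows.values(), key=lambda r: r["recoverable"], reverse=True)

def run_sample():
    """Constructed sample: three apps, an HRIS roster of three people, one departed user."""
    today = date(2025, 6, 30)
    apps = [App("Figma", "collab", 180.0), App("Slack", "daily", 87.75), App("Jira", "daily", 84.0)]
    active_people = {"alice@example.com", "bob@example.com", "carol@example.com"}
    justified_nonhuman = {"ci-bot@example.com"}    # documented service account (constructed)
    seats = [
        Seat("Figma", "alice@example.com", date(2025, 6, 28)),
        Seat("Figma", "bob@example.com", date(2025, 4, 1)),    # 90 days idle -> inactive
        Seat("Figma", "dave@example.com", date(2025, 6, 20)),  # dave is not on the roster -> orphaned
        Seat("Slack", "alice@example.com", date(2025, 6, 29)),
        Seat("Slack", "bob@example.com", date(2025, 6, 10)),   # 20 days idle -> still active
        Seat("Slack", "carol@example.com", None),              # never logged in -> inactive
        Seat("Slack", "dave@example.com", date(2025, 3, 1)),   # orphaned
        Seat("Jira", "alice@example.com", date(2025, 5, 20)),  # 41 days idle -> inactive
        Seat("Jira", "carol@example.com", date(2025, 6, 25)),
        Seat("Jira", "ci-bot@example.com", None),              # exempt: documented bot
    ]
    report = audit(apps, seats, active_people, justified_nonhuman, today)
    return report, sum(r["recoverable"] for r in report)
```

In practice the seat lists come from each vendor's admin export or API and the roster from HRIS; the output rows map directly onto the columns of the Step 4 table.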
Step 6: Execute Reclamation - Deprovision, Downgrade, or Cancel
With your priority list in hand, act. For each flagged account or tool:
Orphaned accounts (ex-employees):
- Deprovision immediately. No approval required - these are security risks, not just cost items.
- Confirm the account is fully removed, not just suspended, where the vendor bills on active accounts.
Inactive seats (current employees):
- Send a lightweight confirmation: "We're running a license review. Are you actively using [Tool]? If we don't hear back in 5 days, we'll deprovision and you can re-request if needed."
- This catches edge cases (extended leave, seasonal use) without leaving waste unaddressed.
Tool consolidation:
- Migrate users from the lower-adoption tool to the primary platform.
- Cancel or downgrade the redundant subscription before the next renewal date.
Plan downgrades (SCIM tax recovery):
- If a tool is on enterprise tier solely for SCIM, evaluate whether your identity governance platform can connect on a standard plan instead. If yes, downgrade after confirming connector coverage.
Step 7: Automate Ongoing Reclamation So the Problem Doesn't Rebuild
This is the step most teams skip - and exactly why license waste keeps coming back. A one-time audit is a point-in-time snapshot. The next hire, the next departure, the next team buying a new tool: waste starts accumulating again immediately.
Sustainable license hygiene requires automated, trigger-based reclamation:
- Offboarding trigger: When an employee is marked as departed in HRIS, automatically deprovision their accounts across every app in the stack - not just SSO-connected apps.
- Role change trigger: When someone moves teams, automatically apply the access profile for the new role and revoke what's no longer needed.
- Inactivity threshold: Run continuous access checks against your defined thresholds (30/60/90 days). Flag inactive seats for automatic review or deprovisioning.
- New app detection: Alert when expense reports or SSO logs show a new tool appearing - catch shadow IT at the point of entry, not months later.
The critical detail: this automation only works if your governance platform reaches every app in your stack - not just the ones with SCIM support.
| Audit Approach | SSO-Only Audit | Full-Stack Audit (with Iden) |
|---|---|---|
| Apps covered | 20-40% (SCIM-connected only) | 100% of your stack |
| Shadow IT discovered | ❌ Not visible | ✅ Discovered via universal connectors |
| Orphaned accounts detected | ⚠️ Partial (SSO-managed apps only) | ✅ Every app, every account |
| Non-SCIM apps audited | ❌ Manual or skipped | ✅ Automated connector coverage |
| Contractor/bot accounts included | ⚠️ Rarely | ✅ Human and non-human identities |
| Ongoing automation | ❌ Manual re-audit required | ✅ Continuous, trigger-based reclamation |
| Time to complete | Weeks of manual work | Hours to days with automation |
| Risk of missing zombie accounts | High | Minimal |
Tools that only automate SCIM-connected apps leave the long tail - and most of your waste - completely untouched. Analysis of popular SaaS apps shows 57% lack SCIM support at any price tier, and just 9 offer it below enterprise pricing. If your lifecycle automation relies on SCIM, the majority of your stack stays manual by default, and your license waste rebuilds itself between audits.
This is the structural reason the 30% coverage trap persists: automation covers the easy 20-40%, and the rest of the stack remains a manual, waste-generating blind spot.
Why Your Audit Is Only as Good as Your App Coverage
Running a full-stack audit manually is exhausting. But automating it with an SSO-only tool doesn't solve the problem - it just automates the part that was already easier to solve.
The comparison that matters is the one in the table above: how much of your stack each approach can actually see.
Iden's universal connectors close this gap. Instead of requiring SCIM support on a vendor's enterprise plan, Iden connects to apps via their native APIs - and to apps with no API at all - delivering the same discovery, provisioning, and deprovisioning coverage across your entire stack. That means:
- Shadow IT apps get pulled into governance the moment they're detected
- Non-SCIM tools (the majority of your stack) get the same automated lifecycle treatment as Okta-connected apps
- Orphaned accounts across every tool are caught and removed automatically on offboarding - not just the ones IT remembers to check
- License reclamation runs continuously, not just when someone thinks to run an audit
You also stop paying the SCIM tax. If your current identity governance setup forces enterprise plan upgrades on tools like Notion, Figma, or Asana just to get automated provisioning, Iden's standard-plan connectors eliminate that cost. Full automation without the enterprise tier surcharge.
The result across a typical mid-market stack: up to 30% reduction in SaaS waste through automated license reclamation - plus the security benefit of eliminating orphaned accounts and zombie licenses that create attack surface.
Making It Stick: The Reclamation Lifecycle
A one-time audit plus a single wave of deprovisioning is a good start. But you need a process that runs itself. Here's what that looks like in practice:
- Monthly: Review inactivity reports. Deprovision or confirm seats flagged by your 30/60/90-day thresholds.
- Every offboarding: Automated full-stack deprovisioning triggered by HRIS. No checklist, no manual ticket. Confirm completion.
- Every renewal: Pull utilization data 60-90 days before each renewal date. Negotiate based on actual active seats, not provisioned seats.
- Quarterly: Review shadow IT alerts for new unmanaged tools. Pull them into governance or block them.
- Annually: Full recalculation of recoverable spend. Compare against prior year. Track reclamation ROI for finance stakeholders.
If you've read our guide to calculating the true ROI of identity automation, you'll recognize how license reclamation feeds directly into the SaaS spend pillar of your business case. The math compounds fast - especially when auto-renewals and price uplifts are in play.
FAQ
How is a SaaS license audit different from a SaaS management audit?
A SaaS management audit focuses on what tools you have and what they cost. A license audit goes one level deeper: it asks whether each individual seat is actively used, who it's assigned to, and whether that person still works at your company. License audits are the operational layer that turns SaaS management data into actual spend recovery.
What counts as an 'unused' or 'inactive' license?
Industry practice typically flags a seat as inactive if the user hasn't logged in for 30-90 days, depending on the tool's usage pattern. For daily-driver tools like Slack or Jira, 30 days is a reasonable threshold. For tools used quarterly (e.g., reporting or design tools), 90 days is more appropriate. Orphaned accounts - tied to ex-employees - are always inactive by definition.
Can I audit apps that don't have SSO or SCIM?
Yes - but not with an SSO-only approach. Tools that aren't connected to your SSO (like directly-purchased SaaS, shadow IT tools, or apps on non-enterprise plans without SCIM) require connectors that talk to the app's own API, or agentic automation that works without an API at all. That's the gap Iden's universal connectors close: coverage extends to every app in your stack, not just the ones IT approved and integrated.
How often should we run a license reclamation process?
A one-time audit quickly becomes stale. Best practice is to run continuous, trigger-based reclamation: every offboarding, every role change, and every 30/60/90-day inactivity check should automatically trigger a deprovisioning or review workflow. This prevents waste from rebuilding between annual audits and keeps your license roster clean year-round.
What's the SCIM tax and how does it affect our license costs?
The SCIM tax is the premium vendors charge to unlock automated provisioning (via the SCIM protocol) on their platform. Tools like Notion, Figma, or Asana often only offer SCIM on expensive enterprise plans - plans that can cost 5-10x more per user. If you're paying those upgrade fees just to enable automation (not for extra features), that's the SCIM tax. Universal connector-based governance tools like Iden eliminate this cost by connecting to apps on any plan, including standard tiers, without requiring SCIM.
Takeaways
SaaS license waste isn't a knowledge problem - most IT teams already know it exists. It's a coverage and automation problem. The apps generating the most waste are the ones your current tools can't reach: shadow IT, non-SCIM apps, long-tail SaaS bought outside IT's view.
The playbook is straightforward:
- Discover everything - go beyond SSO to expense reports, AP, and employee input
- Map every account - cross-reference against HRIS; orphaned = immediate reclamation
- Analyze usage - last login and activity data by tool type
- Calculate recoverable spend - per seat × per app, including SCIM tax premiums
- Prioritize by impact - highest cost, lowest usage first
- Execute reclamation - deprovision, downgrade, cancel, or consolidate
- Automate the lifecycle - so waste doesn't rebuild itself between audits
The last step separates a one-time exercise from a structural fix. And it only works if your governance platform covers 100% of your stack - not just the 30-40% your SSO already sees.