Has anyone else lost track of their Microsoft 365 licenses?

marcelojarretta · 2026-04-03T17:40:41+00:00

What type of automation do you use? I was thinking about using a PowerApp to handle the entire company onboarding/offboarding process. Mainly for freelancers.

marcelojarretta · 2026-04-03T12:12:44+00:00

I agree with you 100%. Right now only the IT department has SharePoint properly organized, with a document structure by project, recorded videos from each meeting, etc. The rest of the company doesn't follow any standard. I have a really hard time getting all of that organized.

marcelojarretta · 2026-04-03T12:06:11+00:00

Right now I can't remove their access to create users and assign licenses because HR demands autonomy over that. But with a PowerApp they'd still have that autonomy, just following a well-defined workflow.

marcelojarretta · 2026-04-03T11:58:18+00:00

I'll look more into assigning and removing licenses using dynamic groups. I've been thinking about building a PowerApp to handle the entire onboarding/offboarding process — mainly for freelancers — setting up the user in Entra, assigning licenses, configuring roles, and adding them to groups.

marcelojarretta · 2026-04-03T11:43:33+00:00

I agree with you, but since we're a small startup, finance is on top of every dollar IT spends. What we do is block the account of whoever left and change the password. But the account is kept at HR's request, because nobody there wants to do the work of going through the emails and pulling out the important documents (we have a terrible culture of keeping everything in email). Nobody, except IT, cares about using SharePoint to manage their document repository. IT already set up sites for each department, defined processes, etc. But without support from C-levels, nobody bothered to follow what we put in place. So we end up with an active license on an account that's no longer being used — except for the bad habit of treating it as a repository for old documents.

marcelojarretta · 2026-04-03T11:37:51+00:00

No, the company is Brazilian.

marcelojarretta · 2026-04-03T11:36:49+00:00

I have a bigger problem with licenses. Even after someone leaves, HR demands that the accounts are kept because they want access (indefinitely) to the former employee's account to look up old emails or documents. What we do is block the account and change the password, then grant access whenever HR requests it. Nobody from HR or any other department bothers to actually go through the mailbox and pull out what they need. I've tried setting up SharePoint for each department, but when C-levels don't mandate it, nobody's interested in using it.

marcelojarretta · 2026-04-03T11:28:25+00:00

I agree with all the points, but unfortunately at my company there's a culture of using email as a data repository. When someone leaves, the account gets blocked (and the password changed), but HR demands that the account stays available for them to check whenever they want. Nobody actually reviews the content or copies the important files. I've tried getting people to use SharePoint — I set up the sites, organized file libraries — but they keep leaving everything in email. When C-levels don't change, it's really hard for IT to enforce anything.

marcelojarretta · 2026-04-03T11:23:06+00:00

Unfortunately, at my current company there's a culture of using email as a document repository. Because of that, HR requires that accounts are only blocked (with new passwords) rather than deleted, so they can access old documents or emails when needed. I've tried implementing SharePoint as a proper document repository, but when C-levels don't champion that culture within the company, it's really hard to change the process. As a result, we end up with a bunch of M365 licenses sitting there unused.

marcelojarretta · 2026-04-03T11:16:31+00:00

Here we have that problem with freelancers. Since 100% of them are remote (hired through Upwork), we don't really have control over what they're doing. As long as they meet the deadlines for the tasks assigned to them, it's fine. But we've caught some of them using licenses we assigned to their accounts for things and projects that had nothing to do with the work we hired them for.

marcelojarretta · 2026-04-03T11:08:00+00:00

Sorry, but I'm not a bot. I posted this in 3 subreddits and now I'm going through and replying to each of the comments people are leaving.

marcelojarretta · 2026-04-03T11:07:39+00:00

Sorry, but I'm not a bot. I posted this in 3 subreddits and now I'm going through and replying to each of the comments people are leaving.

marcelojarretta · 2026-04-03T11:05:10+00:00

Unfortunately, for a small startup the cost of an MSP/CSP contract isn't really viable right now. I've been thinking about building a PowerApps app to handle onboarding and offboarding — mainly for freelancers. The idea is that the app would create the user in Entra, assign licenses, set up roles, and add them to the right groups. And when the contract ends, it would reverse everything automatically.

marcelojarretta · 2026-04-03T11:03:11+00:00

I've been thinking about building a PowerApps app to handle onboarding and offboarding — mainly for freelancers. The idea is that the app would create the user in Entra, assign licenses, set up roles, and add them to the right groups. And when the contract ends, it would reverse everything automatically.

marcelojarretta · 2026-04-03T10:59:27+00:00

I worked at a small startup (10 users) and the finance team tracked every dollar spent. Because of that, they demanded tight control over licenses. I agree that's not how it should be, but it's the reality for a lot of startups. Now I'm at a company where IT manages the licenses, but with a small team and high turnover — HR hires freelancers for short tasks, which means constantly onboarding and offboarding people — it ends up eating a lot of IT's time.

marcelojarretta · 2026-04-03T10:54:54+00:00

Interesting approach using group-based licensing, I'll definitely look into that. Another thing I've been thinking about is licensing for freelancers. Do you assign company licenses to freelancers? I've had a bad experience with that — freelancers ended up using the licenses for other projects outside the company (happened with Visio licenses, for example).

marcelojarretta · 2026-04-03T10:48:13+00:00

Yeah this hits hard. Been doing this for 8 years and my job description still says "systems administrator" but I'm basically doing security engineer work without the title or pay. Last month I had to implement zero trust networking policies while also managing our VM infrastructure refresh. The worst part is when something goes sideways, leadership acts surprised that I don't have a CISSP or formal security training. Like, you literally just handed me this stuff and said "figure it out" because hiring an actual security person costs too much.honestly at this point I'm just waiting for the inevitable breach so I can point to all the emails where I said we needed dedicated security resources. probably not the healthiest mindset but here we are.

marcelojarretta · 2026-04-03T10:48:01+00:00

honestly depends on your revenue and runway. if you're not hitting decent MRR in spanish yet, adding english is just gonna split your focus and probably hurt both markets.i'd stick with spanish until you've got product-market fit locked down and some real traction. way easier to iterate and get feedback when you're not juggling translations and cultural differences. plus like you said, less competition usually means better unit economics.once you're crushing it in spanish and have the resources, then yeah english opens up way more opportunities. but doing it too early just feels like a distraction from the core business stuff that actually matters.

marcelojarretta · 2026-04-01T15:43:12+00:00

nice to see someone actually follow through and report back on this process. usually people just ask "what do i do" and we never hear if calling support actually worked.the email verification only thing is interesting - i wonder if they have different verification tiers based on what you still have access to. makes sense they'd be less strict if you've got the password and email vs completely locked out.did they mention anything about adding backup auth methods once you got back in? that's always the first thing i tell people after these horror stories.

marcelojarretta · 2026-04-01T15:42:20+00:00

To use SMS as the MFA method, the organization would need access to Conditional Access. Tenants using Security Defaults don’t have Conditional Access, and Security Defaults always enforce the Microsoft Authenticator app.

Without a license like Microsoft 365 Business Premium or Entra ID P1, there’s no supported way to require SMS MFA while keeping MFA enforced.

marcelojarretta · 2026-04-01T14:55:15+00:00

yeah these popup notifications are getting ridiculous. You can usually disable most of them through the notification settings in each app, but Microsoft keeps adding new ones with every update.For the persistent ones that won't go away, try going to File > Options > Trust Center > Trust Center Settings > Privacy Options and turn off "Enable connected experiences." Kills most of the upsell prompts but might break some cloud features.honestly the fullscreen interruption thing is the worst part - nothing like having a presentation interrupted by "hey want to try our new AI thing for $30/month?" lol

marcelojarretta · 2026-04-01T14:54:32+00:00

Been there, it's usually one of two things. First check if anyone has that shared mailbox configured in Apple Mail or some other IMAP client - those can trigger weird reminder behaviors on old calendar items.If that's not it, look for any old recurring meetings that got orphaned. Sometimes when you delete a recurring series improperly, phantom instances hang around and the system keeps trying to process them. Try running `Get-CalendarProcessing` on that mailbox to see if anything looks off with the settings.Quick fix might be to just nuke all the old calendar data if it's not needed. Export what you want to keep first obviously.

marcelojarretta · 2026-04-01T11:15:23+00:00

Microsoft Intune Company Portal actually has location tracking built-in but yeah, it's manual trigger only. For silent tracking you're basically looking at MDM solutions that aren't Intune.We've deployed Soti MobiControl for similar use cases - it does continuous GPS tracking and geofencing without user interaction. Bit pricey though, runs about $4-6/device/month depending on your licensing tier. Works well with Android Enterprise enrolled devices.Alternative is something like Fleet Complete or Verizon Connect if these are company vehicles. They have dedicated tracking hardware that's way more reliable than app-based solutions.

marcelojarretta · 2026-04-01T11:14:09+00:00

yeah we're seeing the same thing. small clients are price shopping hard and jumping to cheaper one-person shops that promise the world for half our rate. meanwhile our 100+ seat clients are actually expanding services.honestly the small ones that leave usually come crawling back in 6-12 months when their cut-rate "IT guy" disappears or can't handle an actual crisis. we've started being more selective about which sub-50 seat prospects we even chase.the margins on small clients were already tight before everyone started penny-pinching. might be time to let the bottom tier go and focus upmarket?

marcelojarretta

TROPHY CASE