Stop Paying for Microsoft 365 Seats Nobody Uses
A practice manager's guide to auditing Microsoft 365 licences: find inactive accounts, right-size tiers and offboard leavers to cut cost and close security gaps.
- Microsoft 365
- Cost
- Practice Management
Most practices we meet are paying for at least one Microsoft 365 account that nobody uses. The January temp who covered self-assessment and left in February. The partner who retired last year. An old shared mailbox sitting on a full paid licence for no reason. None of these stand out on the invoice, so they quietly roll over month after month.
There are two problems here, and they matter to a practice manager for different reasons. The first is money. Every one of those seats is a small monthly cost you are not getting anything back for. The second is security. Each account is still a live door into your systems, and a dormant one is exactly the kind of door a criminal likes to try.
The good news is that tidying this up is a job a practice manager can lead. You do not need to be technical, just methodical, in the same way you would reconcile a ledger.
Why ghost accounts cost more than you think
A single unused licence might be £15 to £20 a month. Easy to ignore. But they add up, and they hide.
Picture a twenty-person practice. Over a couple of years you take on seasonal help, lose a member of staff to maternity, see a partner retire and merge in a sole trader. If three or four of those accounts are never properly closed, you can be paying several hundred pounds a year for nothing. One online account from a firm of similar size found eight unused premium licences quietly costing around £240 a month, close to £2,880 a year.
The most common leak is subtle. When someone leaves and their mailbox is turned into a shared mailbox so colleagues can still see the email, the paid licence is often left attached. A shared mailbox under 50GB does not need one. So you keep paying for a seat that no longer belongs to a person.
Finding the accounts you are paying for
Start with a simple list of every licensed account and when each one last signed in.
In the Microsoft Entra admin centre (entra.microsoft.com) you can follow Identity, then Monitoring and health, then Usage and insights, then Licence utilisation. That gives you sign-in activity and which licences are assigned. If that path feels like a step too far, your IT support can pull the same list for you in a few minutes.
Then do the part only the practice knows how to do. Put that list next to your current staff roster and ask three questions of every account:
- Is this a real, current member of the team?
- When did they last actually sign in? Flag anything dormant for 30 days or more.
- Does this account still need a paid licence at all, or is it a mailbox that could be shared?
Anything that fails those questions goes on a shortlist to deal with. You will often spot names you had genuinely forgotten were still there.
Right-sizing the licence, not just removing it
Not every fix is a deletion. Sometimes the account is needed but is sitting on the wrong tier.
A reception or part-time admin account might be on a premium business plan when a lighter, cheaper plan would do everything that person needs. The reverse happens too, where someone handling sensitive client data has been left on a basic plan that lacks the security controls you actually want. Right-sizing means matching the licence to the role, so you are neither over-paying nor leaving a gap.
This is also a good moment to check that the security features you are paying for are switched on. There is no point holding licences with multi-factor authentication and email protection included if they were never turned on for the people who need them. Our guidance on cyber security and Cyber Essentials covers what good looks like for a practice.
An offboarding routine you can run every time
The reason ghost accounts build up is almost always the same. There is no fixed routine for when someone leaves, so each departure is handled slightly differently and something gets missed. A simple checklist fixes that. Run the same steps every time, in order.
- Block the person’s sign-in straight away on their last day. This is the security step, and it comes first.
- Reset the password and sign them out of all active sessions, so an old logged-in device cannot keep working.
- If you need to keep the mailbox, convert it to a shared mailbox so the address still works and colleagues can see the history.
- Remove the paid licence the same day you convert. This is the step most often forgotten, and it is where the recurring cost hides.
- Take the person out of Teams, SharePoint sites and any distribution lists or shared inboxes they had access to.
- Reassign the freed-up licence to a new starter if you have one, rather than buying another.
- Write down what you did and the date in a simple spreadsheet, so there is a record for next time and for your own peace of mind.
That last step matters more than it looks. For a practice with AML and data-protection duties, being able to show that access was removed promptly when someone left is part of doing things properly.
Do not forget the guest accounts
Licensed staff are not the only accounts on your tenant. Over time you accumulate guest accounts too. The bookkeeper at a client you no longer act for. A contractor who helped with a one-off project. A software supplier given temporary access during an install.
These often do not cost a licence, so they slip under the radar on a cost review. But they are still live accounts that can reach shared files, which makes them a security item worth the same housekeeping. Review the guest list alongside the staff list, and remove anyone who no longer has a reason to be there.
Why this is a security job, not just a finance one
It is tempting to file this under cost control and leave it there. That misses half the point.
A dormant account is the one least likely to have multi-factor authentication set up, least likely to be watched, and most likely to use an old password that has turned up in a breach somewhere. A criminal does not need the active, careful partner’s login if there is a forgotten temp account sitting wide open. As we explain in how one stolen Microsoft 365 login exposes client files, a single account can be the key to far more than email.
So every seat you close or disable does two jobs at once. It trims the bill, and it removes one more way into your client data. That is a rare thing in IT, a tidy-up that saves money and improves security in the same afternoon.
Where to start
If you have never done this, do not try to boil the ocean. Pull the licence list, sit it next to your staff roster, and deal with the obvious ghost accounts first. Then put a recurring reminder in the diary, once a quarter and after every leaver, so it never builds up again.
If you would rather have a second pair of eyes on it, a free Practice IT Health Check includes a look at exactly this. We can also fold an offboarding routine into ongoing managed IT support so it happens automatically every time, and our pricing is per user, which gives you a built-in reason to keep the count honest.
Frequently asked questions
How often should a small accountancy practice audit its Microsoft 365 licences?
A full review once a quarter works well for most practices, with a quick check after every staff change and around the January self-assessment peak when temporary help comes and goes. Quarterly catches the accounts that slip through, and tying a check to each leaver stops the costly seats building up in the first place.
Is it safe to delete a leaver's Microsoft 365 account straight away?
Usually no, not immediately. If the person handled client email or holds files you may need, block their sign-in first, then convert the mailbox to a shared mailbox so the address still works and the history is kept. Only delete once you are sure nothing is needed for client service, AML records or your retention duties. A shared mailbox under 50GB does not need a paid licence.
Does removing unused Microsoft 365 accounts actually improve security?
Yes. Every live account is a door a criminal can try, and dormant ones are the least likely to have multi-factor authentication set up or to be watched. A retired partner's mailbox or a forgotten temp account is a quiet target. Closing or disabling them shrinks the number of ways into your client data while also trimming the bill.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check