Software Decommission

Reclaim a specific M365 license seat from a user with full audit trail — distinct from full offboarding. Snapshots the seat pool before/after, optionally surfaces the user's Intune-enrolled devices that have the matching app for follow-up cleanup visibility.

Integrates with

Microsoft 365Microsoft Intune

The problem

Software seat sprawl is one of the most predictable cost leaks in mid-market IT. License pools accumulate inactive seats — role transitions, app sunsets, dormant single-app assignments — that nobody reclaims because the operation is manual and tedious. By the time IT reconciles seat usage during contract renewal, six months of waste is already booked.

What AscendCore does

An IT admin initiates a per-user, per-license decommission. AscendCore confirms the license is currently assigned to the target user, snapshots the seat pool before revoke (so the audit row shows the exact freed-seat delta), discovers any of the user's Intune-enrolled devices that have the corresponding app, and on approval revokes the M365 license. The audit chain captures the affected device list for follow-up cleanup visibility.

Workflow

Trigger — /software-decommission <user-email> <license-name> from Slack or software-decommission <user-email> <license-name> from Teams
Resolve — confirm the license (by friendly name OR raw skuPartNumber) is currently assigned to the user
Snapshot — capture current seat pool size for the post-revoke delta
Discover — list user's Intune-enrolled devices that have the matching mobile app
Propose — admin approval card with license details + seat-pool snapshot + affected-device count
Approve — IT admin approval (always required for cost-visibility)
Revoke — M365 license removed via Microsoft Graph
Audit — software_decommission.executed row written to the tamper-evident chain with full payload (revoked SKU, freed seats, affected devices)

Integrations

Microsoft 365 — License revocation and pool snapshot
Microsoft Intune — Mobile-app discovery + user device enumeration (audit visibility only — no auto-uninstall in Phase 2)
Slack + Microsoft Teams — Request trigger and confirmation

Configuration

SOFTWARE_DECOMMISSION_DISCOVER_INTUNE  (default: "true")  # Skip Intune lookup on customers without Intune Graph permissions
SOFTWARE_DECOMMISSION_SNAPSHOT_POOL    (default: "true")  # Pool snapshot adds one Graph call; set "false" for tight rate-limit budgets

Roadmap

Phase 3: Optional auto-issue of Intune uninstall commands per affected device (per-customer config — risk-controlled).
Phase 3: Jamf Pro app uninstall for macOS fleets.
Phase 3: Per-customer license → policy-group mapping for automatic Entra group cleanup alongside license revoke.

Status

Live in production — admin-initiated approval flow on Slack + Teams with full audit-chain coverage. Phase 2 ships M365 license reclaim + Intune device discovery; Jamf and per-device uninstall are Phase 3.

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do — chat is just the interface that triggers it.

name: software-decommission trigger: channels: [slack, teams] intents: [license_revoke] steps: - resolve_license_on_user # exact match by friendly name OR skuPartNumber - snapshot_seat_pool # optional (SOFTWARE_DECOMMISSION_SNAPSHOT_POOL=true) - discover_intune_devices # optional (SOFTWARE_DECOMMISSION_DISCOVER_INTUNE=true) - revoke_license_from_user approval: required: true approvers: [it-admins]

Software Decommission

The problem

What AscendCore does

Workflow

Integrations

Configuration

Roadmap

Status

Versioned, deterministic, auditable

Run software decommission from Teams or Slack today

Employee Offboarding

M365 License Assignment

New Hire Provisioning