Tool Rationalization Automation: Build Scripts to Detect Underused SaaS and Reclaim Licenses

Hook: Stop paying for seats no one uses — automate the cleanup

Uncontrolled SaaS sprawl and unused licenses are silently draining engineering budgets and slowing platform teams. If you’re a developer or platform engineer being asked to recover cost without blocking product teams, this guide gives you a practical, developer-centric playbook: sample scripts, API calls, detection logic, notification templates, and a safe reclamation runbook you can implement in 2026.

Executive summary — what you'll get (inverted pyramid)

Bottom line: Automate detection, notification, and safe reclamation of underused SaaS licenses to recover cost and reduce operational complexity. Use programmatic access via SaaS APIs, SCIM, SSO and billing exports to create a repeatable pipeline that integrates with your CMDB, cost center tags and ticketing system.

This article gives you:

• Architectural blueprint for license-detection automation
• Concrete detection rules and thresholds tuned for engineering orgs
• Sample scripts and API calls (Python, cURL, Node) you can adapt
• Communication and escalation templates for minimal disruption
• Metrics, KPIs and a runbook to measure recovered spend

Why automation and tool rationalization matter in 2026

By early 2026, platform teams are under greater pressure to show measurable FinOps outcomes while enabling developer velocity. The last 18 months (late 2024–2025) saw major SaaS vendors expand admin APIs, improve SCIM and SSO integrations, and provide richer exportable telemetry — making automation more feasible. At the same time, the frequency of point tools and AI-first trials increased, amplifying license churn and shadow subscriptions.

Key trend: FinOps + Platform Engineering convergence. Rather than one-off audits, modern cost recovery is automated, continuous, and integrated into developer tooling.

High-level architecture for license reclamation automation

Design the automation as modular components so teams can adopt pieces independently:

1. Discovery & Inventory: Source of truth (CMDB / internal tool inventory) + supplier billing exports + SaaS admin APIs.
2. Telemetry & Usage Signals: Last login, API calls, file edits, project membership, storage consumption, SSO events.
3. Detection Engine: Rules and thresholds (stateless scripts or serverless functions) that flag underused seats.
4. Notification & Escalation: Automated emails, Slack notifications, and ticket creation for owners.
5. Reclamation Workflow: Soft reclaim (suspend / reduce license tier) → grace period → hard reclaim (deprovision).
6. Audit & Finance Integration: Logs, CSV exports, cost allocation updates to FinOps tools.

Data sources you'll rely on

• SaaS admin APIs (REST/GraphQL) and SCIM endpoints
• SSO provider logs (Okta, Azure AD, Google Workspace)
• Billing exports from vendors and procurement systems
• HRIS and identity lifecycle events (joiners/leavers)
• Internal CMDB and cost-center tagging

Detection logic — practical rules you can start with

Below are conservative, developer-friendly detection rules that minimize false positives. Tweak thresholds to your company culture.

• Last activity > 90 days: No user activity recorded by the vendor (last message, API request, file edit).
• Never activated a seat: Provisioned but never logged in (30–60 days after license assignment).
• Low API or compute usage: For engineering tools, < 5 API calls or CI minutes in 60 days.
• Duplicate tools: Users with equivalent capabilities in another approved tool (mapped via CMDB taxonomy).
• Suspicious or orphaned seats: Email domains not matching corporate, or accounts not mapped to an active employee in HRIS.

Developer-centric sample scripts and API calls

Below are sample snippets to detect and act on underused seats. These are intentionally generic and use environment variables for secrets. Adapt them to vendor-specific APIs.

1) Generic OAuth2 token retrieval (bash + cURL)

#!/usr/bin/env bash
# Exchange client credentials for an access token
CLIENT_ID='$CLIENT_ID'
CLIENT_SECRET='$CLIENT_SECRET'
TOKEN_URL='https://api.vendor.com/oauth2/token'

response=$(curl -s -X POST "$TOKEN_URL" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET")

ACCESS_TOKEN=$(echo "$response" | jq -r '.access_token')
echo "$ACCESS_TOKEN"

2) Query users via SCIM (Python requests)

import os
import requests

TOKEN = os.environ['VENDOR_TOKEN']
SCIM_URL = 'https://api.vendor.com/scim/v2/Users'

headers = {
    'Authorization': f'Bearer {TOKEN}',
    'Accept': 'application/scim+json'
}

params = {'count': 200}
resp = requests.get(SCIM_URL, headers=headers, params=params)
resp.raise_for_status()
users = resp.json().get('Resources', [])

# Filter for inactive: lastLogin custom attribute or meta.lastModified
inactive = []
for u in users:
    last_login = u.get('urn:ietf:params:scim:schemas:extension:enterprise:2.0:User', {}).get('lastLogin')
    if not last_login or older_than_90_days(last_login):
        inactive.append(u)

print(f'Found {len(inactive)} potential inactive users')

Note: implement older_than_90_days() using datetime parsing. Many vendors include lastLogin in SCIM extension or provide audit APIs.

3) Deactivate user via SCIM PATCH (cURL)

# Soft-suspend (set active false)
curl -s -X PATCH "https://api.vendor.com/scim/v2/Users/{id}" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations":[{"op":"replace","value":{"active":false}}]}'

4) Create a Jira ticket for owner notification (Node.js example)

const fetch = require('node-fetch');
const JIRA_BASE = process.env.JIRA_BASE;
const JIRA_USER = process.env.JIRA_USER;
const JIRA_TOKEN = process.env.JIRA_TOKEN;

async function createTicket(username, tool, reason) {
  const body = {
    fields: {
      project: { key: 'ENGOPS' },
      summary: `License reclaim request: ${username} - ${tool}`,
      description: `Candidate: ${username}\nTool: ${tool}\nReason: ${reason}`,
      issuetype: { name: 'Task' }
    }
  };

  const resp = await fetch(`${JIRA_BASE}/rest/api/2/issue`, {
    method: 'POST',
    headers: {
      'Authorization': `Basic ${Buffer.from(`${JIRA_USER}:${JIRA_TOKEN}`).toString('base64')}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(body)
  });
  return await resp.json();
}

5) Slack notification template (cURL)

curl -X POST -H 'Content-type: application/json' \
  --data '{"channel":"@owner","text":":warning: We detected an underused seat for user@example.com in ExampleTool. We plan to suspend the seat on 2026-02-15 unless you respond."}' \
  https://slack.com/api/chat.postMessage -H "Authorization: Bearer $SLACK_BOT_TOKEN"

Notification and human-in-the-loop policy

Automated detection without human review destroys trust. Adopt a staged notification process:

1. Owner notification: Automated email + Slack DM with 14-day response window.
2. Team lead escalation: If no owner response, create ticket and notify sprint lead — 7-day window.
3. Soft reclaim: After windows, suspend the seat (read-only or limited access) for 14 days.
4. Hard reclaim and data export: After suspension window, deprovision and archive user data per policy.

Include a clear appeal path in every message and keep an audit trail of notifications and actions.

Safe reclamation runbook (step-by-step)

1. Export user data (files, workspace) and store in a secure bucket for retention days defined by policy.
2. Change license to lowest tier or set status to suspended; tag event with ticket and financial impact.
3. Update CMDB: mark seat as recyclable and record timestamp and actor.
4. Execute hard revoke after retention — remove license from vendor and update procurement records.
5. Notify finance for cost allocation and update monthly FinOps dashboard.

Audit, compliance, and data privacy considerations

Always align reclamation with data retention, legal holds and regulatory requirements. Before automating deletes:

• Check for legal holds or active incidents tied to the user.
• Preserve encrypted exports for required retention periods.
• Log every action to immutable storage (WORM or write-once object) if needed for audits.

Integration patterns with existing systems

Choose integration points where you already have trust and ownership:

• SSO / IDP: Use SSO logs for last auth time and HR-driven lifecycle events.
• CMDB / Service Catalog: Map tool to cost centers and owners.
• Ticketing: Automate record creation so owners cannot ignore notifications.
• FinOps dashboards: Push reclaimed license values for ROI tracking.

KPIs and how to measure cost recovery

Track these metrics weekly or monthly:

• Licenses reclaimed: count by vendor and cost center.
• Cost recovered (annualized): sum of per-seat annual costs reclaimed.
• False positive rate: Reclaims that were reverted due to owner objections.
• MTTR (time to reclaim): average days from detection to final reclaim.
• Developer satisfaction: measured via brief NPS or feedback after automation rollout.

Advanced strategies and future-proofing (2026+)

As vendor APIs mature, adopt these advanced approaches:

• Standardize on SCIM and SSO metadata: Ensure tools are provisioned with consistent identity attributes and cost tags.
• Use ML to reduce false positives: Model typical usage patterns per role and detect outliers instead of static thresholds.
• Programmatic license tiering: Automatically downgrade to cheaper tiers for low-activity users rather than full suspension.
• Self-service reclamation portal: Allow owners to release seats proactively and redeem them to developer teams.

Short case example — hypothetical but realistic

In Q3–Q4 2025, a 1,500-engineer company automated license detection for three core tools: an IDE SaaS, a CI service and a collaboration tool. After a 6-week pilot using the detection rules above, they reclaimed 120 seats across the three vendors — annualized savings of ~$72k. False positives were <3% due to owner notification windows and manual review for exceptions.

Implementation checklist (first 90 days)

1. Inventory: Catalog top 20 SaaS by spend and seat count. Identify owners and cost-centers.
2. Access: Obtain admin API credentials and enable SCIM where supported.
3. Build: Implement detection scripts (start with non-destructive reporting mode).
4. Notify: Run communications and get buy-in from engineering leads.
5. Pilot: Run a 4–6 week pilot on low-risk tools and measure KPIs.
6. Scale: Integrate with CMDB, ticketing, and FinOps dashboards and roll out broadly.

Common pitfalls and how to avoid them

• Pitfall: Automating hard deletes too soon — avoid by using a staged policy.
• Pitfall: Missing edge cases (contractual or legal holds) — integrate legal and compliance checks.
• Pitfall: No owner mapping — reduce noise by enriching inventory with cost-center metadata.
• Pitfall: Poor communication — provide clear appeal steps and track responses programmatically.

Developer tips: practical habits to reduce churn

• Tag projects and repos with cost-center and tool usage intent.
• Use ephemeral or shared licenses for contractors and experimenters.
• Automate onboarding so licenses are only provisioned on first access.
• Centralize procurement to reduce shadow subscriptions.

“Automating license reclamation is not about policing developers — it’s about returning budget to teams and reducing noise so engineers can focus on building.”

Actionable takeaways (implement this week)

1. Run a read-only scan of your top 10 SaaS vendor admin APIs and produce a CSV of users with last activity > 90 days.
2. Enrich that CSV with HRIS and CMDB data to map owners and cost-centers.
3. Send the first round of owner notifications with a 14-day response window (use your Slack bot).
4. Build a scheduled Lambda/Cloud Function to run your detection script weekly and write results to a central bucket.

Final thoughts and next steps

Tool rationalization automation is one of the highest-leverage ways platform engineering teams can deliver measurable FinOps outcomes in 2026. Start conservatively: run detection in reporting mode, get stakeholder buy-in, then gradually automate suspensions and reclaims. Use standardized protocols (SCIM, SSO) and integrate with your CMDB to minimize friction.

Call to action

If you want a jump start, download our starter repository with ready-to-run scripts, or contact our platform engineering team for a 4-week pilot to recover seats and integrate reclamation into your FinOps pipeline. Reclaim cost, reduce complexity, and keep developers focused on shipping.

Related Reading

• Adaptive Breakfast Shakes: How AI, Wearables, and Micro‑Popups Rewrote Morning Nutrition in 2026
• Playlist Strategies After Spotify Price Hikes: Promote Independent Artists Without Breaking Your Budget
• This Week’s Best Phone-Related CES Deals: Speakers, Lamps, Vacuums and More
• From Broadway to Karachi Stages: What the ‘Hell’s Kitchen’ Tour Means for Local Theater Fans
• Which Premier League Club Matches Your Zodiac—and How to Use Matches for Caregiver Bonding