How to Build a Monthly Microsoft 365 License Governance Cycle
Most Microsoft 365 license problems aren't technology problems. They're process problems. The licenses are there. The data is accessible — through the Admin Center, through the Graph API, through PowerShell. The tools exist to see what's happening. What's missing is a structured, repeatable process that happens consistently, involves the right people, and produces decisions rather than reports.
A monthly governance cycle is that process. It's not a new concept — finance teams have been running monthly close cycles for decades. Project management offices run sprint reviews. HR runs quarterly performance cycles. The principle is the same: regular cadence, defined participants, specific outputs, clear accountability.
Applied to Microsoft 365 license governance, a monthly cycle transforms license management from a reactive firefighting exercise into a predictable, auditable process that catches problems before they compound and keeps license spend aligned with actual need.
This article describes how to build that cycle, what it should include, who should participate, and how to run it whether you have dedicated tooling or you're doing it entirely manually. By the end, you'll have a practical framework you can implement this month — with or without any additional software.
Why Monthly? The Case for Cadence
Before getting into the mechanics, it's worth addressing why monthly is the right cadence for most organizations.
Shorter than monthly — weekly or bi-weekly — is too frequent for the scale of change that happens in most organizations. License needs don't change fast enough to justify weekly reviews, and the overhead of running the process every week quickly becomes unsustainable.
Longer than monthly — quarterly or annually — is too infrequent. In a 500-user organization with normal turnover and growth, 30 to 60 days is enough time for meaningful drift to accumulate: people who have left but whose licenses are still active, new hires who need licenses that weren't planned for, out-of-band assignments that happened in response to urgent needs.
Monthly aligns with the billing cycle, which matters for financial reconciliation. It creates a predictable rhythm that regional admins can plan around — they know requests need to be in by a specific date each month, rather than dealing with ad-hoc requests whenever someone needs something. And it's frequent enough to catch most issues before they become expensive.
The Four Components of a Monthly Governance Cycle
A complete monthly governance cycle has four phases: preparation, request, review, and reconciliation. Each phase has specific inputs, outputs, and participants.
Phase 1: Preparation (Days 1–3 of each month)
Preparation is the Global IT team's work. Before the cycle opens for requests, you need a clear picture of where you stand.
What happens in preparation:
Pull the current license inventory from Microsoft. At minimum: total licenses purchased by SKU, total assigned, total available. Ideally broken down by region if you have the tooling or the data to do it manually.
Compare current assigned count against your records from the previous month. The difference — assignments that appeared or disappeared since last month — is your starting point for identifying what happened outside the formal process.
Review the previous month's approved requests and confirm they were executed correctly. If you approved 10 E1 licenses for Germany and Germany's count went up by 12, the two extra assignments need explanation.
Flag any accounts that have been inactive for 30 days or more and still have licenses. These are your reclamation candidates — licenses that could be freed up before the request window opens.
Flag any SKU inconsistencies you're aware of — users with both E5 and Power BI Pro assigned separately, for example. These can potentially be released without impacting any user's access.
The output of the preparation phase is a pre-cycle status report: current inventory by region and SKU, available licenses after accounting for reclamation and inconsistency candidates, and any anomalies from the previous month that need follow-up.
Time required: Two to four hours for a 500-user tenant done manually. Significantly less with tooling that maintains this data continuously.
Phase 2: Request Window (Days 4–15 of each month)
The request window is when regional admins and department heads submit their license needs for the coming month. The key design principle of this phase is standardisation — every request should contain the same information, submitted through the same channel, at the same point in the cycle.
What a license request should contain:
- Region/country/subsidiary
- License type (SKU)
- Quantity requested
- Business justification (who needs it, for what role)
- Urgency level (standard vs. genuine emergency)
- Requested effective date
Where requests come from:
In a mature governance environment, requests come from regional IT coordinators who aggregate needs from their region before submitting. In organisations without dedicated regional IT, requests may come directly from department heads or managers — with the regional IT coordinator as the approver at the local level before the request reaches Global IT.
The request channel should be one channel. Not email for some regions, Teams chat for others, a ticketing system for others. One channel, every time. This is the single most important structural decision in the governance cycle — without it, you'll spend half the review phase just finding all the requests.
Practical options: a shared mailbox with a structured request template, a form in Microsoft Forms, a dedicated channel in Teams with a structured thread format, or a purpose-built governance portal. The technology matters less than the discipline of using it consistently.
What happens during the request window:
Regional admins know the window opens on the 4th and closes on the 15th. Requests submitted outside that window go into the next cycle unless flagged as genuine emergencies. This predictability reduces the volume of ad-hoc requests that would otherwise disrupt the Global IT team's week.
During the window, Global IT monitors for requests that need clarification and follows up quickly — slow responses during the request window create pressure to bypass the process entirely.
Handling emergencies:
Every governance process needs an emergency path. If someone needs a license before the next review date, there should be a defined mechanism for emergency approval that's faster than the standard cycle but still involves some form of human sign-off.
The emergency path should require a specific justification — what's the business impact of waiting? — and should be available to a limited number of people to prevent it from becoming the default route. Every emergency approval should be logged and reviewed at the next month's preparation phase to understand whether the emergency was genuine or a symptom of process failure.
Phase 3: Review and Approval (Days 16–20 of each month)
The review phase is the core of the governance cycle. This is where requests are evaluated, approved, partially approved, or rejected, and where the approved allocations are locked for the coming month.
The review meeting:
In organisations with a dedicated Global IT function, the review happens in a scheduled meeting — typically 60 to 90 minutes — that covers all pending requests. The attendees should include whoever has authority to approve license expenditure, whoever understands the current inventory position, and ideally at least one person who can provide business context for the larger or more unusual requests.
In smaller organisations, the review may happen asynchronously through a shared document or a workflow tool rather than a live meeting. The important thing is that decisions are documented and communicated.
What the review covers:
For each request, the review answers three questions:
Is this request within the region's quota? If the region has 120 E5 licenses reserved and is using 115, a request for 5 more E5 is within quota and can be approved without increasing the overall allocation. If the request would exceed the regional quota, it requires a quota increase decision — which is a different and more significant approval.
Is the business justification sufficient? A request for 10 E1 licenses for new hires in the customer service team, starting on the 1st, is straightforward to approve. A request for 5 E5 licenses "for IT staff" without further detail requires clarification before approval.
Is this the right license tier for the stated need? This is the rightsizing question applied in real time. If a request comes in for E5 licenses for users whose role description suggests E3 would suffice, the review is the right moment to push back — not after six months of paying the difference.
The output of the review:
Each request is either approved, partially approved (different quantity than requested), approved with a tier change, or rejected with a reason. The decisions are documented. Approved quantities are locked — counted against the available pool so they can't be double-committed.
The total approved spend for the month is calculated. This is the number that goes to Finance as the planned license expenditure for the period.
Communication to regional admins:
Within 24 hours of the review, regional admins receive notification of the outcome for their requests. Approved requests include the approved quantity and effective date. Rejected or modified requests include the reason and any guidance for resubmission.
This communication step is often skipped or delayed — which creates uncertainty for regional admins and pressure to bypass the process the next time they're under time pressure. Fast, clear communication after the review is as important as the review itself.
Phase 4: Reconciliation (Days 21–28 of each month)
Reconciliation is the closing phase: comparing what was approved with what was actually executed, identifying discrepancies, and preparing the baseline for next month's preparation phase.
What reconciliation covers:
Approved assignments executed: For each approved request, verify that the license was actually assigned in Microsoft 365 and that the count matches the approval. Discrepancies here are either execution errors or evidence that someone modified the assignment after the fact.
Unapproved assignments detected: Any license assignment that appears in Microsoft 365 but wasn't part of an approved request this cycle is an out-of-band assignment. Document each one, identify the assigning admin, and flag for follow-up. Some will be legitimate emergency assignments that need to be retroactively documented. Some will be unauthorized.
License reclamations executed: Confirm that the reclamation candidates identified in the preparation phase — inactive accounts, disabled accounts — actually had their licenses removed. Unexecuted reclamations carry over to next month's list.
Cost summary: Total license spend for the month, broken down by region and SKU. This is the number that goes to Finance as the actual license expenditure for the period. Compare against the planned expenditure from the review phase and explain any variance.
The reconciliation report:
The output of the reconciliation phase is a monthly governance report — a single document that captures: current inventory by region and SKU, changes from the previous month, approved requests and their execution status, out-of-band assignments detected and their resolution status, cost summary, and any items that need follow-up in the next cycle.
This report serves multiple purposes: it's the Finance reconciliation document, it's the audit trail for the period, and it's the input to next month's preparation phase. If your organisation is subject to external audits, this report is what you show auditors when they ask how license assignments are controlled.
The RACI for License Governance
Clarity about who does what is essential for a governance process to work across organisational boundaries. A simple RACI model for the monthly cycle:
| Activity | Global IT | Regional IT/Admin | Department Head | Finance |
|---|---|---|---|---|
| Monthly preparation | R/A | Informed | — | — |
| Submitting requests | — | R | Consulted | — |
| Review and approval | R/A | Informed | Consulted | Consulted |
| Executing approved assignments | R/A | — | — | — |
| Reconciliation | R/A | Informed | — | Informed |
| Out-of-band follow-up | R | A | Consulted | — |
R = Responsible, A = Accountable, C = Consulted, I = Informed
The key accountability decisions: Global IT is accountable for the process integrity and the final assignment decisions. Regional IT or admin is accountable for the accuracy of requests from their region — they own the business case for their requests. Department heads are consulted on business justification but are not in the approval chain for license decisions. Finance is informed of planned and actual spend, and consulted on quota increase decisions that have budget implications.
Doing This Without Dedicated Tooling
A monthly governance cycle can be run entirely with tools you already have. Here's the minimum viable version:
Microsoft Forms or a structured email template for request submission. Create a form with the required fields and share the link with regional admins. Responses go into a spreadsheet automatically.
A shared Excel workbook for tracking: one tab for current inventory (updated from Admin Center export at the start of each cycle), one tab for pending requests (populated from the form responses), one tab for approved requests (marked up during the review), one tab for out-of-band tracking.
A Teams channel or recurring calendar invite for the review meeting. Use the channel to communicate decisions to regional admins after the review.
Monthly PowerShell export to compare current assignments against last month's approved list. The difference — new assignments that don't correspond to approvals — is your out-of-band candidate list.
This approach works. It's time-consuming, it requires discipline to maintain, and the manual data reconciliation is error-prone at scale. But it's functional, it creates an audit trail, and it establishes the process discipline that tooling later automates.
The common failure mode of the manual approach isn't technical — it's the review meeting. When the review meeting is cancelled because people are busy, or runs long because the data isn't ready, or produces decisions that aren't communicated clearly, the process breaks down. Protecting the review meeting — treating it as non-negotiable, preparing for it properly, keeping it focused — is the single most important success factor for a manual governance cycle.
What Changes When You Add Tooling
Dedicated governance tooling doesn't replace the process — it automates the parts of the process that are most error-prone and time-consuming when done manually.
The preparation phase becomes continuous rather than monthly: the tool maintains current inventory data in real time, flags out-of-band assignments as they're detected rather than after month-end, and surfaces inconsistencies without a manual audit.
The request phase becomes structured: instead of a form that populates a spreadsheet, requests flow through a workflow that tracks status, enforces the quota check automatically, and presents the review panel with the information they need without manual data assembly.
The review phase becomes faster: instead of spending 30 minutes at the start of the meeting pulling data together and checking quota headroom, the review panel sees the current position immediately and can focus on the actual decisions.
The reconciliation phase becomes a verification task rather than a discovery task: the tool has already flagged everything that happened outside the approved process; reconciliation is reviewing those flags and marking them as resolved, not hunting for discrepancies in Excel.
The governance report becomes an export rather than a manual compilation.
The time saved in the preparation and reconciliation phases — two to four hours monthly in a 500-user tenant — doesn't go away; it goes into higher-value IT work.
The Conversation With Regional Admins
No governance process works without the cooperation of the people it governs. Regional admins who experience the monthly cycle as bureaucratic overhead will find ways around it — and out-of-band assignment rates will tell you exactly how well the process is being accepted.
The conversation with regional admins should cover three things:
Why the process exists. Not "because Global IT said so" — that creates resentment. The real reason: if one region consumes more than its share of a limited global pool, another region can't get the licenses they need. The process protects everyone equally, including the person you're talking to.
What's in it for them. A regional admin who goes through the proper process gets predictability: their approved request is locked in, other regions can't consume it, and they know exactly what they have available before they need it. The alternative — competing with other regions for a shared pool with no reservations — is what creates the 3pm Teams conversations about licenses that have already been consumed.
How to handle genuine emergencies. Every process has edge cases. Making it clear that there is an emergency path — and that using it appropriately is acceptable — removes the pressure to bypass the normal process for situations that actually are urgent.
Regional admins who understand the reasoning behind the process and trust that the emergency path is available tend to follow the process. Regional admins who feel the process is arbitrary overhead imposed from above will bypass it whenever it's inconvenient.
Measuring the Health of Your Governance Cycle
Three metrics tell you whether your governance cycle is working:
Out-of-band assignment rate: The percentage of license assignments in a given month that happened outside the approved process. A healthy governance environment has an out-of-band rate below 5%. A rate of 10% or higher indicates that the process is being routinely bypassed and needs to be addressed at the process level, not just the detection level.
Request-to-approval cycle time: How long does it take from when a regional admin submits a request to when they receive a decision? If the answer is more than five business days, the process is slow enough to incentivize bypassing. Three business days or fewer is a reasonable target for standard requests.
Reclamation rate: The percentage of inactive or departed-user licenses that are reclaimed within 30 days of the user leaving or becoming inactive. A reclamation rate above 80% within 30 days indicates a healthy offboarding integration with the governance cycle. Below 60% indicates that license reclamation is a systemic gap.
Track these three metrics monthly. Changes in the out-of-band rate tell you whether process compliance is improving or deteriorating. Changes in the cycle time tell you whether the review process is working efficiently. Changes in the reclamation rate tell you whether your offboarding process is feeding into the governance cycle properly.
Starting This Month
If you don't have a monthly governance cycle today, here's how to start this month:
Set a date for the review meeting. Pick a day in the third week of the month, invite the relevant stakeholders, and protect it.
Send a request template to regional admins. Tell them requests for next month need to be submitted by the 15th. Keep the template simple — five fields is better than fifteen.
Pull the current inventory from the Admin Center. Calculate how many licenses you have available by SKU. This is your baseline.
Run the review, make decisions, communicate them within 24 hours.
At month end, compare what you approved with what's actually in Microsoft 365. The gap is your out-of-band baseline.
The first cycle will be imperfect. That's expected. The value of starting is establishing the rhythm — the second cycle is easier, the third easier still. By month six, the process should be running smoothly enough that the manual overhead is manageable and the audit trail is meaningful.
About Portalliz
Portalliz automates the monthly reservation cycle — the request, review, and approval workflow — and makes it the foundation of regional license governance rather than an additional administrative burden. Regional quotas, batch request submission, line-by-line review with cost calculations, and automatic out-of-band detection on every sync cycle.
The monthly governance cycle described in this article is exactly what Portalliz implements — built around the process design principles that make governance sustainable rather than theoretical.
Try it yourself: portalliz.com/download — the demo shows a complete monthly cycle with sample requests, approvals, and out-of-band flags, no Microsoft 365 credentials needed.
Request a pilot: portalliz.com/contact — 90 days free, no credit card, no commitment.
Microsoft 365 is a trademark of Microsoft Corporation. Portalliz is an independent product and is not affiliated with or endorsed by Microsoft.