Out-of-Band License Assignments: The Silent Budget Leak in Your Microsoft 365 Tenant
There's a category of problem in IT management that's worse than the problems you know about. It's not the outage that wakes you up at 3am. It's not the failed backup you discover during a restore. It's the thing that's been happening quietly, every week, for months — and you only find out about it when someone asks an awkward question in a budget meeting.
Out-of-band license assignments are that problem for Microsoft 365.
They don't announce themselves. They don't generate alerts. They don't appear in your monthly report unless someone specifically looks for them. And in every multinational tenant I've seen or spoken to, they're happening — consistently, regularly, and at a cost that compounds every billing cycle.
This article explains exactly what they are, why they happen, how much they cost, and what a governance layer that actually catches them looks like.
What Is an Out-of-Band Assignment?
The term sounds technical. The concept is simple.
Your organization has a process for assigning Microsoft 365 licenses. Maybe it's a ticketing system. Maybe it's an approval workflow. Maybe it's a monthly batch cycle where regional admins submit requests and Global IT reviews and approves them. Whatever the process, it exists — and it's how licenses are supposed to move from the global pool to individual users.
An out-of-band assignment happens when someone bypasses that process entirely and goes directly to the Microsoft 365 Admin Center to assign a license.
No ticket. No approval. No reservation. No record in your internal system. Just a license consumed from the global pool, silently, by someone with admin permissions who was under time pressure or simply didn't know — or didn't care — that there was a process to follow.
The assignment is perfectly valid from Microsoft's perspective. The license is assigned, the user gets access, everything works. The problem is entirely on your governance side: you now have a license assignment that doesn't exist in your records, doesn't follow your approval chain, and may or may not be justified by actual business need.
Why It Happens — And Why It Will Keep Happening
Before getting into the cost, it's worth understanding why out-of-band assignments happen. Because the answer isn't "bad actors" — it's "rational people under pressure."
Scenario 1: The urgent onboarding
A new hire starts Monday. IT in the local office is swamped. The request went through the normal channel but hasn't been approved yet. The local admin has Global Admin rights — or License Admin rights, which is enough — and just goes ahead and assigns the license. The new hire can work on Monday. The ticket gets closed. Nobody mentions the out-of-band assignment because from the local admin's perspective, the problem is solved.
Scenario 2: The forgotten offboarding
An employee leaves. HR notifies IT via email. The email gets actioned — partially. The account is disabled, the laptop is recovered. The license is not removed because that's "a different team" or "a different system" or simply because nobody followed through. Months later, you're paying for a license assigned to a disabled account.
Scenario 3: The workaround
Your approval process takes three to five business days. A department head needs someone to access a system immediately — a customer visit, a contract deadline, an audit. The local IT coordinator has the permissions. They make the exception. The exception becomes a pattern.
Scenario 4: The test assignment
An IT admin assigns an E5 license to a test account to verify a configuration. The test ends. The license is forgotten. It sits there, assigned to an account nobody logs into, for months or years.
None of these scenarios involve bad faith. All of them result in license assignments that exist outside your governance framework — invisible to your process, unaccounted for in your budget, and impossible to catch without specifically looking for them.
The Scale of the Problem
Industry data on M365 license management is consistent: approximately 27% of assigned Microsoft 365 licenses belong to users who haven't been active in 30 days or more. About 12% belong to disabled or departed accounts.
Out-of-band assignments are a significant contributor to both numbers. When a license is assigned outside your process, it's also outside your review cycle. There's no mechanism to revisit it — no approval that expires, no ticket that reminds someone to check. The assignment persists until someone actively looks for it and removes it.
In a 500-user tenant with a €22 average license cost, assume conservatively that 5% of licenses — 25 assignments — were made out-of-band in the past year and haven't been reviewed. That's €6,600 per year in unreviewed assignments. Some of those will be legitimate. Some will be redundant. Some will be assigned to accounts that shouldn't have licenses at all.
The problem isn't that every out-of-band assignment is wrong. The problem is that you don't know which ones are wrong — and without visibility, you can't make that determination.
Scale this to a 2,000-user tenant operating across eight countries, where multiple regional admins have license assignment permissions, and the number of untracked assignments grows significantly. The cost isn't just financial — it's the audit exposure. If your organization is subject to a Microsoft license audit, untracked assignments are a liability. If you're subject to SOC 2, ISO 27001, or similar frameworks, an assignment trail that exists outside your documented process is a finding.
Why the Microsoft Admin Center Doesn't Solve This
The Microsoft 365 Admin Center shows you current license assignments. It does not show you which assignments were made through your process and which were made directly. There is no "source" field on a license assignment. There is no audit log that distinguishes between "assigned via IT governance portal" and "assigned directly by admin on a Tuesday afternoon."
The Graph API does have an audit log — the Microsoft 365 Unified Audit Log — which records license assignment events with timestamps and the user who performed the action. But accessing it requires navigating to the Microsoft Purview Compliance Portal, running a search with appropriate date ranges, filtering for license-related events, and then cross-referencing the results against your internal records. This is a manual process, it requires specific permissions, and it produces raw data that needs interpretation.
In practice, this audit log is used for forensic investigation — "let's find out what happened" — not for continuous governance. By the time you're running that query, the out-of-band assignment is weeks or months old, the cost has already accumulated, and the person who made the assignment may not remember why.
What you need is not forensic capability after the fact. You need detection at the point of occurrence — or as close to it as possible.
What Detection Actually Looks Like
Out-of-band detection works by comparing what Microsoft says is assigned against what your governance system says should be assigned.
On each sync cycle, the governance layer reads all current license assignments from Microsoft Graph. It then compares each assignment against its own records: reservation batches that were approved, manual assignments made through the portal, and historical records of legitimate assignments.
Any assignment that exists in Microsoft's records but doesn't have a corresponding entry in the governance system's records is flagged as out-of-band. The flag includes the user, the SKU, the country or region, and the date the discrepancy was first detected.
What happens next is critical — and this is where the governance philosophy matters.
The correct response to an out-of-band detection is not automatic reversal. Automatically removing a license assignment because it wasn't made through the portal would create exactly the kind of disruption that makes IT teams reluctant to adopt governance tools. If a regional admin made a legitimate emergency assignment and the system automatically reverted it, you have a user who loses access, an angry department head, and a governance tool that's now seen as an obstacle rather than an aid.
The correct response is visibility and human decision. Show the flagged assignment to the Global IT team. Give them three options: mark as reviewed (the assignment is legitimate, we're aware of it), regularize in the portal (create a proper record for this assignment so it's tracked going forward), or escalate (flag it to the regional admin for explanation). No automatic action. Human decision, informed by data.
The Audit Trail Gap
There's a second dimension to out-of-band assignments that goes beyond immediate cost: the audit trail.
When a license assignment goes through a governance process, there's a record of why it was made. Who requested it. What business justification was provided. Who approved it. When it was approved. This record exists in your system, not just in Microsoft's logs.
When a license assignment is made directly in the Admin Center, the only record is in Microsoft's audit log — which timestamps the action and identifies the admin who performed it, but captures no business context. No justification. No approval chain. No indication of whether this was a planned business need or an unreviewed workaround.
For organizations subject to external audits — SOC 2, ISO 27001, GDPR compliance audits, Microsoft's own license compliance reviews — the absence of business context in license assignment records is a finding. Auditors don't just want to know that licenses were assigned. They want to know that licenses were assigned through an authorized process with appropriate oversight.
Out-of-band assignments by definition lack that oversight documentation. The governance layer that catches them also creates the mechanism to retroactively document them — through the regularization workflow — so that your audit trail is complete even when the initial assignment was made outside the process.
The Operational Cost Nobody Measures
Beyond the financial and compliance dimensions, out-of-band assignments have an operational cost that's harder to quantify but immediately recognizable to anyone who's dealt with it.
Every month, someone on the Global IT team spends time reconciling license counts. They pull a report from the Admin Center. They compare it against their internal records. They find discrepancies. They try to figure out where the discrepancies came from. They contact regional admins. Some regional admins respond quickly. Some don't respond for a week. Some don't know what the discrepancy is either.
This reconciliation process is where IT management time goes to die. It's manual, it's slow, it produces results that are already out of date by the time they're complete, and it doesn't prevent the same discrepancies from appearing next month.
The governance layer that detects out-of-band assignments doesn't eliminate this reconciliation — it transforms it. Instead of a month-end hunt for discrepancies, you have a continuous list of flagged items that can be reviewed and actioned at any point. The reconciliation meeting becomes a ten-minute review of this week's flags, not a two-hour audit of the past month's activity.
What to Look For in Your Tenant Today
If you want to get a rough sense of your current out-of-band exposure before deploying any tooling, here's a manual approach that gives you a directional answer:
Export your current license assignments from the Microsoft 365 Admin Center (Users → Active users → Export). Export your internal records of approved license assignments — from your ticketing system, your spreadsheet, your governance tool, wherever they live.
Compare the two lists. Any user who appears in the Microsoft export but doesn't have a corresponding approved assignment record in your internal system is a candidate for out-of-band investigation.
This comparison is painful to do manually at scale — which is exactly why it doesn't get done regularly. But doing it once gives you a baseline. If you find that 5% to 10% of your assignments have no corresponding internal record, you have a meaningful out-of-band problem. If you find 15% or more, the problem is significant.
Use that number to make the business case for continuous detection. At €22/user/month, 10% untracked assignments in a 500-user tenant is €13,200/year in licenses that may or may not be justified and are definitely outside your oversight.
The Connection to Regional Governance
Out-of-band assignments don't happen uniformly across a multinational tenant. They cluster where the governance process has the most friction.
If the approval process takes five business days and a regional admin needs a license in two hours, they'll bypass the process. If the approval process requires submitting a ticket in a system the regional admin doesn't have easy access to, they'll bypass the process. If the regional admin in a smaller office has never had a clear explanation of why the process matters, they'll bypass the process.
This is why out-of-band detection alone isn't enough. Detection tells you what happened. A regional governance structure — with clear quotas, a monthly request cycle, and an approval workflow that's fast enough to be usable — reduces the pressure that leads to bypassing in the first place.
The best governance environments have low out-of-band rates not because they've deployed aggressive detection, but because the process is easy enough that bypassing it isn't worth the effort. Detection catches the exceptions. Process design prevents the systematic bypassing.
Practical Steps
Whether you're deploying a governance tool or improving your current manual process, three steps reduce out-of-band assignment rates significantly:
Communicate the process clearly to all regional admins. Not as a policy document — as a practical explanation of why it matters. Regional admins who understand that their direct assignments affect other regions' availability, quota calculations, and budget accuracy are much more likely to follow the process than those who see it as bureaucratic overhead.
Make the approval process fast enough to compete with the workaround. If your governance process takes five days and bypassing it takes five minutes, you've designed a system that incentivizes bypassing. A monthly reservation cycle with pre-approved batches removes most of the urgency that leads to out-of-band assignments in the first place. For genuine emergencies, a fast-track approval path that takes hours rather than days removes the remaining pressure.
Review the flags, not just the counts. When out-of-band assignments are detected, don't just count them — categorize them. Which assignments are legitimate emergencies? Which are systematic bypassing by a specific region? Which are the same person making the same type of assignment repeatedly? The pattern tells you where to focus process improvement, not just where to apply detection.
About Portalliz
Portalliz detects out-of-band assignments automatically on every Microsoft Graph sync cycle. Every assignment made directly in the Microsoft 365 Admin Center that doesn't correspond to a Portalliz reservation is flagged with the user, SKU, country, and detection date. Your team reviews and decides: mark as reviewed, regularize in the portal, or escalate. Nothing is auto-reversed.
The out-of-band detection is one of six core capabilities in Portalliz — alongside regional license quotas, monthly reservation cycles, SKU inconsistency detection, Graph sync, and analytics.
Try it yourself: portalliz.com/download — fully functional demo with sample out-of-band assignments pre-loaded, no Microsoft 365 credentials needed.
Request a pilot: portalliz.com/contact — 90 days free, no credit card, no commitment.
Microsoft 365 and Microsoft Graph are trademarks of Microsoft Corporation. Portalliz is an independent product and is not affiliated with or endorsed by Microsoft.