Can Okta Remove Group Inherited Licenses in O365 when Deprovisioning
Okta Classic Engine
Okta Identity Engine
Okta Integration Network
Overview

This article details which deprovisioning options allow group-inherited licenses to be removed in Microsoft Office 365.

Applies To
  • Deprovisioning
  • Office 365
  • Lifecycle Management Status
Cause

Okta cannot remove group-inherited licenses from O365 users during provisioning updates. However, if a user is deleted during deprovisioning, then all licenses are removed.

 

If a user has a group license managed in O365, the API request sent by Okta during a provisioning update errors out, as described in Microsoft Office 365 Provisioning Error "Insufficient privileges to complete the operation".

 

Solution

As stated in Deprovisioning options for Office 365, Okta supports multiple deprovisioning options for Microsoft Office 365.

 

The following table shows each deprovisioning option and whether the group license is removed in the process:

| Option | What it does | Are group licenses removed in the process? |
|---|---|---|
| Block sign-in | Blocks the Office 365 user from signing in, but retains license and user data on the user account. | No |
| Block sign-in and remove licenses | Blocks the Office 365 user from signing in and immediately removes any licenses assigned to them. This also triggers the deletion of stored data from the user's personal folders within other Office 365 apps. Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable. | No |
| Block sign-in and remove licenses after a grace period | Blocks the Office 365 user from signing in and waits for a specified number of days before removing the user licenses. The grace period allows admins time to temporarily retain the user data and licensing to back up information or to enable others to gain access and review the account. Once the grace period expires, data stored in personal folders within other Office 365 apps goes through the Microsoft deletion process. Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable. If the user is reassigned to Office 365 before the grace period expires, the licenses are not removed, and the user is restored to their original state. | No |
| Block sign-in, remove licenses, and delete the user | Blocks the Office 365 user from signing in, immediately removes any licenses assigned to them, and deletes their Office 365 account. This also triggers the deletion of stored data from the user's personal folders within other Office 365 apps (for example, OneDrive or SharePoint). Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable. | Yes |
| Block sign-in, remove licenses, and delete the user after a grace period | Blocks the Office 365 user from signing in and waits for a specified number of days before removing the user licenses and deleting their Office 365 account. The grace period allows admins to temporarily retain the user data, licensing, and account to back up information or allow others to gain access and review the account. Once the grace period expires, data stored in personal folders within other Office 365 apps goes through the Microsoft deletion process, and the user's Office 365 account is deleted. Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable. If the user is reassigned to Office 365 before the grace period expires, the licenses are not removed, and the user is restored to their original state. | Yes |

 

NOTE: Enabling one of the options that allows group licenses to be removed does not allow Okta to perform the same action during regular profile updates; this only applies to account deprovisioning. 
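
An added example, not part of the original article and not Okta's code: a Python check that lists blocked accounts still holding group-inherited licenses, the state left behind by the options marked "No" above. It assumes user records shaped like Microsoft Graph user objects with accountEnabled and licenseAssignmentStates (where assignedByGroup is null for a direct assignment); the sample users, SKU ids and group ids are constructed placeholders.

```python
import json

# Constructed sample, shaped like a Microsoft Graph response to
# GET /users?$select=userPrincipalName,accountEnabled,licenseAssignmentStates
# SKU and group ids are placeholders, not real GUIDs.
SAMPLE = json.loads("""
{"value": [
 {"userPrincipalName": "alice@example.com", "accountEnabled": false,
  "licenseAssignmentStates": [
   {"skuId": "SKU-E3", "assignedByGroup": "GROUP-STAFF", "state": "Active"},
   {"skuId": "SKU-VISIO", "assignedByGroup": null, "state": "Active"}]},
 {"userPrincipalName": "bob@example.com", "accountEnabled": false,
  "licenseAssignmentStates": []},
 {"userPrincipalName": "carol@example.com", "accountEnabled": true,
  "licenseAssignmentStates": [
   {"skuId": "SKU-E3", "assignedByGroup": "GROUP-STAFF", "state": "Active"}]},
 {"userPrincipalName": "dave@example.com", "accountEnabled": false,
  "licenseAssignmentStates": [
   {"skuId": "SKU-E5", "assignedByGroup": null, "state": "Active"},
   {"skuId": "SKU-E5", "assignedByGroup": "GROUP-EXEC", "state": "Active"}]}
]}
""")["value"]


def inherited_licenses(user):
    """Return sorted (skuId, groupId) pairs the user receives through a group.

    assignedByGroup is null for a direct assignment; a SKU can appear twice
    when it is assigned both directly and through a group.
    """
    states = user.get("licenseAssignmentStates") or []
    return sorted({(s["skuId"], s["assignedByGroup"])
                   for s in states if s.get("assignedByGroup")})


def residual_group_licenses(users):
    """Map each blocked account to the group licenses it still holds."""
    findings = {}
    for user in users:
        if user.get("accountEnabled") is not False:
            continue  # active (or unknown) account: not a deprovisioning leftover
        pairs = inherited_licenses(user)
        if pairs:
            findings[user["userPrincipalName"]] = pairs
    return findings


if __name__ == "__main__":
    for upn, pairs in residual_group_licenses(SAMPLE).items():
        for sku, group in pairs:
            print(f"{upn}: {sku} still inherited from group {group}")
```

Each finding names the group the license comes from; with group-based licensing, the license is released when the user leaves that group or the account is deleted.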

 

 
