Optimization Candidate Scoring

This page explains how the system scores overlicensing candidates before selecting an action.

Activity class calculation

Each assigned user/SKU seat is classified into one activity bucket:

• active_30d: recent activity inside stale threshold (default 30 days).
• stale_30_89d: no recent 30-day activity, but still active before inactive threshold (default 90 days).
• inactive_90d: report identity exists, but activity is outside threshold.
• unknown: no mapped report identity.

Weighted overlicensing formula

For each SKU:

weightedOverlicensedSeats = inactiveSeats90d + (staleWeight * staleSeats30to89d)

Default staleWeight is 0.5.

Why this exists:

• inactive_90d seats are treated as strong reclaim candidates.
• stale_30_89d seats are treated as weaker signals and discounted.

Candidate priority score

Priority score is used to rank candidates for operator attention:

score = (reviewPressureSeats / assignedSeats) * 100
      + waitingMembersCount * 10
      + assignmentErrorCount * 8
      + (nearDepleted ? 12 : 0)
      + assignedByRank * 2
      + activityBonus
      + activationPenaltyBonus
      - rankWithinSku * 0.01

Where:

• activityBonus: +30 for inactive_90d, +16 for stale_30_89d.
• activationPenaltyBonus: +6 when identity is mapped but no activation evidence exists.
• assignedByRank: direct=3, inherited=2, group=1.

Why this exists:

• Seat pressure (queues/errors/depletion) increases urgency.
• Inactivity and no activation evidence increase reclaim confidence.
• Direct assignments are prioritized because they are usually easiest to reclaim quickly.

Confidence calculation

Confidence is computed from report availability and mapping completeness:

• No report snapshot: low.
• Reports available but stale/partial: medium.
• Reports fresh and mapping complete (>=95% mapped seats): summary can be high.
• A candidate is high only when summary is high and that specific user maps to report identity.

When report identities are concealed, Graph usage reports contain obfuscated identifiers instead of real user principal names. This prevents user-level identity mapping, which reduces mapped-seat coverage and limits confidence. Add-on removal automation is also blocked until identities are visible.

Why this exists:

• It prevents aggressive actions when telemetry quality is weak.
• It supports safer defaults (review_only) when evidence is incomplete.