License costs don’t usually spike because your organization suddenly doubled in size.
They creep up quietly: dormant accounts accumulate, groups multiply, contractors come and go, and “temporary access” becomes permanent by accident. Then one day Finance asks the question that forces every admin to stop and investigate:
“Do we know how many inactive licenses we’re paying for?”
In our webinar, The Ultimate User Management Guide for Data Center & Cloud, we walked through a practical framework to answer that question with evidence, and to turn user management into a repeatable operating system rather than a quarterly panic clean-up.
Below is a recap of what the session covered, including the migration playbook for Data Center customers, the continuous governance model for Cloud, and the Cloud demo workflows we used to show how this works end-to-end.
The core idea: optimize before you migrate, and keep optimizing after
We framed the session around two journeys:
The Data Center → Cloud migration journey
The continuous Cloud governance journey
The key message for Data Center customers was simple:
Don’t migrate your mess.
If your Data Center environment contains inactive accounts, redundant access, and messy group structures, your Cloud tier estimate will be inflated, and you’ll carry permission sprawl forward into Cloud, where it becomes harder to unwind.
And if you’re already on Cloud, the problem isn’t that provisioning is difficult, it’s that it’s easy, which is exactly why sprawl returns.
The “waterline” concept: where license waste hides
One of the most useful mental models we shared was the waterline:
the glass represents the user tier you pay for
the water level represents active, consistent usage
the gap represents wasted or avoidable license consumption
What often pushes companies into higher tiers isn’t always their “everyday users.”
It’s the “sometimes users”, people who log into Confluence only for annual policy training, or need Jira for one project once in a while. Those users can push you into the next tier even if their usage doesn’t justify full-time licensed access.
Optimization lowers the waterline, helping you avoid tier upgrades, keep costs predictable, and justify renewals with evidence rather than estimates.
For Data Center customers: a practical pre-migration checklist
We dedicated an early section to what Data Center teams should do before migration — even though the live demo was Cloud-only.
Here’s the playbook we shared:
1) Baseline your users
Get a clean view of:
licensed vs. active users
major user segments (employees, contractors, leavers, service accounts)
the groups driving access
2) Define “inactive” in a way your org can defend
Pick a starting threshold (a common first pass is 14 days) and align internally on what inactivity means.
3) Clean up access before estimating your Cloud tier
Start with low-risk segments first (contractors and leavers are typically the fastest wins). Reclaim licenses by removing product access or deactivating access safely, without deleting identity.
4) Tune your threshold to find the sweet spot
Compare outcomes at 14 days vs. 30 days and evaluate the impact. The goal is a policy that matches how your teams actually work.
5) Use your cleaned baseline to set your Cloud tier
This is where Finance gets the clarity they need: a tier estimate backed by evidence.
6) Start Cloud clean, then keep it clean
The most important point: optimization is not a one-time migration task. It needs to become continuous.
The migration story: “Sandbox Institute”
To make the migration journey real, we used a story example of a fictional organization, Sandbox Institute, running Jira, Confluence, and Bitbucket on Data Center.
We introduced two personas:
Donna (Atlassian Admin): owns access control, the migration outcome, and admin workload
Aaron (Finance): needs cost predictability and proof of ROI
Over time, Sandbox Institute accumulated inactive accounts and messy access patterns. When they began planning their Cloud move, Finance saw the projected subscription costs and challenged the numbers.
The turning point was Donna reframing the project:
“We don’t migrate first, we optimize first.”
From there, we laid out a simple blueprint:
implement a cleanup approach on Data Center
identify inactive users
remove access safely
tune thresholds
estimate Cloud tier from the cleaned baseline
migrate into Cloud on the right tier
implement continuous optimization rules so sprawl doesn’t return
The Cloud demo: visibility → rules → automation → proof
The live demo section showed how the “continuous optimization loop” works in practice.
1) Visibility into access
We started with the foundation: fast answers without spreadsheets.
The mindset: you can’t govern what you can’t see, so step one is always visibility across product access, groups, last activity, and (where relevant) site scope.
2) Identify inactivity (14-day example)
We applied an inactivity threshold and then added the safety rails we recommend for real environments:
exclude service accounts and automation users
exclude protected groups (admins, executives, critical teams)
start with a low-risk segment first
3) Choose safe actions: remove access vs. “hard” actions
We emphasized governance-first actions:
start by removing product access / deactivating license consumption
reclaim cost without deleting identity
build a policy you can defend in audits
4) Build the automation rule
Then we turned the filter logic into a repeatable rule:
trigger based on inactivity threshold
scope by product(s) and/or groups
exclusions for protected groups/service accounts
action to reclaim licenses safely
This is the part that stops sprawl from returning.
5) Reactivation without friction
Because governance can’t block productivity, we covered how reactivation should work in a user-friendly way, especially in SCIM/SSO environments where provisioning logic matters.
6) Reporting for Finance + audit trail for compliance
Finally, we showed how reporting provides:
reclaimed licenses and trends over time
actions taken (what changed, when)
auditability: who was changed, why, and by which rule
This is what turns user management from “best effort” into something measurable and provable.
How UMLO fits into the picture
We also covered practical context around the solution used in the demo:
the app is built on Atlassian Forge
it can be installed on one Jira instance and used to manage users across Atlassian products via Organization access
Org admins set it up and then grant access to other admins
Marketplace pricing is structured to be budget-friendly, particularly if installed on the largest instance (so you can manage the broadest user base)
The takeaway: turn user management into an operating system
If there was one theme across the whole webinar, it was this:
User management shouldn’t be a quarterly cleanup project.
It should be a continuous loop that runs in the background, with guardrails, automation, and proof.
Whether you’re preparing for Cloud migration or stabilizing governance after moving, the goal is the same:
control license growth
reduce admin effort
stay audit-ready
and make decisions based on evidence, not assumptions
If you’d like to share your setup (multi-site, SCIM, contractor patterns, group sprawl), we can propose a rule structure you can copy and tailor to your environment.
