How five municipalities built one shared view of their identities and freed up $20,000 a month

Jun 18, 2026

The results in brief

  • Nearly 2,800 disabled accounts with no known reason, cleared out

  • Inactive identities removed. 41% of accounts were not signing in as expected

  • Sign-in locations reviewed for high-privilege service accounts with no known owner

  • Around $20,000 a month in realized savings

  • Setup: one day

It started with one municipality

Over 20 years, the IT partnership IT-Centrum grew from one municipality to five in Region Uppsala, north of Stockholm. Every new municipality that joined brought its own routines, its own culture and its own way of dividing up responsibility. The cloud brought four Entra tenants that had to tie together with five local AD environments, and as the municipalities started working more closely, they invited each other into Teams and SharePoint across the board.

Samuel Carlid has been there for the whole journey. He has worked with Active Directory since it arrived in 2000, and knew these environments better than most. IT-Centrum had also done what most do: installed an IAM system connected to the HR and school systems, so user accounts were created and removed automatically as people joined and left. The edge cases they handled with a bit of PowerShell and a bit of Excel.

Puzzle solved, we thought. Not quite.

Because user accounts are only part of the picture. Every machine has an account. Every guest in a team has an account. Every system that talks to other servers has a service account. And when a system is retired, who makes sure the service accounts actually disappear? Somewhere along the way they realised that decent control in each individual municipality no longer added up to control over the whole.

They expected a bit of tidying up. The numbers said otherwise.

IT-Centrum brought in Bsure to see the whole organisation in one view, across every tenant. Expectations were modest: a few old councillor and temp accounts the automation had missed, some test accounts from IT and a couple of service accounts from retired systems.

The data showed something else. 41% of accounts were not signing in as expected. Nearly 2,800 disabled accounts were sitting there with no one knowing why. 20 service accounts held high privileges with no known owner, and could in practice sign in from anywhere in the world. 2,000 guest accounts had not signed in for 90 days: external identities that still had a way into shared Teams and SharePoint spaces.

The licences told the same story: 32% sat on accounts that never signed in, 12,000 kr a month went to licences on disabled accounts, and 379 accounts held both an E3 and an F3 licence at the same time.

One collection point, delegated ownership

The setup itself was done in a day: all four tenants connected to one central point.

The real key was IT-Centrum's own way of working. Instead of letting one central group clean up everything, they chose to push visibility out across the organisation. Each person sees their own part of the environment, so whoever works in health and social care sees the accounts in health and social care, and can answer directly whether they should exist and whether they have the right licence. That spread the work across the people who actually know the accounts, instead of landing it all on one central team.

The work started in late January, and the clean-up lists have been coming in from the municipalities ever since. Four months on, the money was saved, not just calculated.

It's actually more fun to remove things than to build them, sometimes.

Shared insight, better collaboration

The thinking behind the delegation was simple. The findings were not a technical problem. The technology can identify the problems, but the solution sits with the people who own the identities: the manager who hires, HR, IT, or whoever works with the accounts day to day. Samuel has seen what happens when that link is missing:

I've seen a lot of systems over the years that get bought in to solve every problem. Then they get stuck with the IT department or with a manager, and never reach the people who could actually use them.

So the insight had to get out of the IT department and out to everyone in the municipalities who works with accounts and coordination, along with clear responsibility to act on it.

And the work had an effect no one had planned for: collaboration between the five IT environments got noticeably better. The clean-up forced conversations across municipal lines about who owns what and who is responsible for which identities, and information got shared back and forth. As Samuel put it, that collaboration is going to help them in plenty of other areas going forward.

Smaller attack surface, lower costs

On the security side, the inactive identities are effectively gone. Accounts that could sign in but never did have been removed, and for high-privilege service accounts, where they actually sign in from has been reviewed. A service account that only runs in Sweden does not need to be able to sign in from another continent.

On the cost side, the clean-up freed up around 200,000 kr a month in licences no one was using. The usage analysis also found users on an E3 licence who, based on actual usage, would do just as well on F3: a further potential of 42,000 kr a month.

And the rollout met no internal resistance.

This is one of the few things no one objects to. Everyone can see the point of it.

No new password rules and no new day-to-day friction, just a clean-up everyone understands the value of.

The road ahead

IT-Centrum keeps delegating ownership so the right people in each municipality own their own identities, and the clean-up continues based on the data coming in. Samuel's advice to others is simple:

You can never manage or secure something you don't know exists. That's why it matters so much to find out what you actually have.

Four questions to ask yourself

And for anyone who wants to test themselves, Samuel has a short checklist. It applies not just to user accounts, but to every identity: machines, guests, resources and service accounts included.

  1. Do you know how many identities you have?

  2. Do you know how they are used?

  3. Do you know who is responsible for each one?

  4. And what do the poor souls outside the IT department know?


These experiences were shared in a webinar Bsure ran together with Microsoft in June 2026. Want to know what's lurking beneath the surface in your own Entra environment? Get in touch and we'll show you.
