Nudge Security gives you three ways to find and clean up these accounts, ranging from one-off cleanup on a single app to bulk audits across your entire SaaS landscape.
Prerequisites: Complete the Start Here setup guides first, especially Define your SaaS landscape (so your approval statuses and technical contacts are in place). Having the browser extension deployed, SSO providers connected, and connected apps configured also gives you richer account activity data.
How Nudge Security identifies abandoned accounts
Before you start cleaning up, it helps to understand how accounts get flagged as abandoned or inactive in the first place. There are three ways:
User self-reports via nudge. When you nudge an account holder to ask if they're still using an app, they can respond "No, I'm not using this." That response automatically sets the account status to Abandoned.
SSO inactivity detection. For apps provisioned through SSO, Nudge Security automatically marks accounts as Inactive after 90 days with no SSO activity. This happens without any nudging - the system detects it based on your identity provider data.
Manual status update. You can always set an account's status manually from the app's overview page or the user's profile.
Method 1: Nudge account holders for a single app
Use this when you want to check usage on one specific app - for example, before a renewal, or when you notice an app has a lot of accounts but suspect many are unused.
Go to Apps and open the app's record
On the app's overview page, you'll see an account status breakdown showing how many accounts are active, abandoned, inactive, etc.
Send a Request app update nudge to either all account holders or specific account holders - this asks each user whether they're still using the app
Users respond directly from the nudge: "I'm still using it," "No, I'm not using this," or "Account has been deleted"
Their responses automatically update the account status in Nudge Security
This is the simplest approach - good for targeted cleanup on a single app. But if you need to audit multiple apps at once, the playbook (Method 2) is more efficient.
Method 2: Use the Abandoned Accounts playbook for bulk cleanup
Use this when you want to audit usage across multiple apps at the same time - for example, a quarterly cleanup, a pre-renewal sweep across your paid apps, or an effort to reduce your overall SaaS attack surface.
Go to Playbooks > Abandoned Accounts to get started.
Step 1: Select apps to audit
Choose which apps you want to include in this round of cleanup. You can filter by category, approval status, number of accounts, compliance scope, or sign-on mode to focus on what matters most. Common starting points:
Paid apps with the most accounts - the biggest license cost savings
Apps approaching renewal - clean up before you negotiate
Apps in sensitive categories (file sharing, developer tools) - orphaned data and access risk
SSO-provisioned apps with inactive accounts - these already have accounts flagged as Inactive, so you're starting with data
Step 2: Nudge account holders
The playbook sends a Request app update nudge to every account holder across all the apps you selected. Each user gets a single multi-app nudge asking whether they're still using the list of apps you selected in step 1.
Users respond directly from the nudge, and their responses automatically update account statuses - just like the individual approach.
Step 3: Wait for responses
Track responses as they come in from within the playbook. The playbook shows you response rates per app so you can see which apps have enough data to act on and which need more time. A good threshold to aim for before moving on is around 50% response rate, but you can proceed whenever you're comfortable.
Step 4: Nudge technical contacts to remove abandoned accounts
Once you have enough responses and know which accounts are abandoned, the playbook lets you send a Request removal of abandoned accounts nudge to each app's technical contact. The technical contact receives a list of the abandoned accounts along with instructions to delete or suspend them and reclaim any available licenses.
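To sanity-check the statuses and response rates against your own records before sending removal nudges, the rules described above (the three status signals and the Step 3 response-rate guideline) can be modeled in a few lines. This is an added example, not Nudge Security's code or export format: the record fields, the precedence order, the mapping of the two other replies to Active and Deleted, and the sample data are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=90)  # SSO inactivity window stated on the page
RESPONSE_TARGET = 0.5                # "around 50%" guideline from Step 3
REPLY_STATUS = {                     # nudge replies quoted on the page
    "I'm still using it": "Active",         # assumed mapping
    "No, I'm not using this": "Abandoned",  # stated on the page
    "Account has been deleted": "Deleted",  # assumed mapping
}

def account_status(acct, today):
    """Assumed precedence: manual status, then nudge reply, then SSO inactivity."""
    if acct.get("manual"):
        return acct["manual"]
    if acct.get("reply") in REPLY_STATUS:
        return REPLY_STATUS[acct["reply"]]
    last = acct.get("last_sso")  # None for accounts not provisioned through SSO
    if last is not None and today - last >= INACTIVE_AFTER:
        return "Inactive"
    return "Active"

def audit(accounts, today):
    """Per app: status counts, response rate, readiness, and removal candidates."""
    by_app = defaultdict(list)
    for acct in accounts:
        by_app[acct["app"]].append(acct)
    report = {}
    for app, accts in by_app.items():
        statuses = {a["user"]: account_status(a, today) for a in accts}
        rate = sum(1 for a in accts if a.get("reply")) / len(accts)
        report[app] = {
            "counts": Counter(statuses.values()),
            "response_rate": rate,
            "ready": rate >= RESPONSE_TARGET,
            "remove": sorted(u for u, s in statuses.items() if s in ("Abandoned", "Inactive")),
        }
    return report

TODAY = date(2025, 6, 30)  # constructed reference date
ACCOUNTS = [  # constructed sample data
    {"app": "filesharer", "user": "ana@example.com", "reply": "No, I'm not using this"},
    {"app": "filesharer", "user": "bo@example.com", "reply": "I'm still using it"},
    {"app": "filesharer", "user": "cy@example.com", "last_sso": date(2025, 3, 1)},
    {"app": "devtool", "user": "di@example.com", "last_sso": date(2025, 6, 20)},
    {"app": "devtool", "user": "ed@example.com", "manual": "Abandoned"},
    {"app": "devtool", "user": "fi@example.com"},
]

if __name__ == "__main__":
    for app, row in audit(ACCOUNTS, TODAY).items():
        print(app, dict(row["counts"]), f"{row['response_rate']:.0%}", row["ready"], row["remove"])
```

In the sample, the app with a zero response rate still surfaces one removal candidate from a manual status, which shows that the response-rate gate and the removal list are independent checks.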
Method 3: Nudge technical contacts directly
Use this when accounts have already been identified as abandoned or inactive - through Methods 1 or 2, through SSO inactivity detection, or through a previous audit - and you need the technical contact to actually remove them.
This is the action step. Methods 1 and 2 identify which accounts are unused. Method 3 gets them deleted.
From an app's overview page, you can see which accounts are marked as Abandoned or Inactive
Send a Request removal of abandoned accounts nudge to the app's technical contact
The technical contact receives a list of the accounts to clean up, along with instructions to delete or suspend them
As the technical contact confirms actions taken, account statuses update automatically
How the three methods fit together
| Method | Best for | Who gets nudged | What it does |
| --- | --- | --- | --- |
| Individual app nudge | One-off cleanup on a single app | Account holders | Asks users if they're still using the app. Responses update account statuses. |
| Abandoned Accounts playbook | Bulk audit across multiple apps | Account holders, then technical contacts | Asks users across many apps at once, then hands off abandoned accounts to technical contacts for removal. |
| Technical contact nudge | Removing accounts already flagged as abandoned/inactive | Technical contacts | Sends a list of abandoned accounts to the app admin for deletion and license reclamation. |
In practice, most organizations use Method 2 (the playbook) for periodic bulk cleanup - quarterly or ahead of major renewals - and Method 1 for one-off situations. Method 3 is the follow-through step in both cases: once you know which accounts are unused, the technical contact handles the actual removal.
Considerations
Start with your most expensive apps. License cost savings are the most visible outcome. Cleaning up 20 abandoned accounts on a $50/seat app saves $1,000/month - that's an easy win to demonstrate value.
Technical contacts must be accurate. The removal nudge goes to the technical contact. If that person has left or changed roles, the nudge won't reach someone who can act. Review your technical contacts before running the playbook - see Define your SaaS landscape.
Non-responders are still a signal. If a user doesn't respond to the nudge after a reasonable time, that silence is useful data - it may indicate they've forgotten the app exists, which makes the account a strong candidate for cleanup. Follow up directly or treat persistent non-responses as abandoned.
This reduces both spend and risk. Abandoned accounts aren't just wasted money. They're orphaned data sitting in tools nobody monitors, and they're unnecessary entry points in your attack surface. Frame the cleanup as both a cost and security initiative when building support internally.
Tips
Run the playbook on a quarterly cadence - or tie it to your renewal calendar so cleanup happens before you negotiate license counts
Pair this with the Nudge billing contacts of app renewal rule for a comprehensive renewal preparation workflow - the rule handles the renewal alert, while this playbook handles the deeper account-level audit
After a bulk cleanup, share the results with finance and procurement - the license savings data helps justify the effort and builds support for ongoing SaaS governance
Use the account status breakdown on each app's overview page to track cleanup progress over time - the ratio of active to abandoned/inactive accounts is a useful health metric
Key features
| Feature | Where to find it | What it does |
| --- | --- | --- |
| Abandoned Accounts playbook | Automations > Playbooks > Remove abandoned accounts | Bulk audit across multiple apps: nudge account holders, collect responses, then hand off to technical contacts for removal. |
| Request app update nudge | Individual app records | Asks account holders if they're still using an app. Responses automatically update account statuses. |
| Request removal of abandoned accounts nudge | Individual app records | Sends technical contacts a list of abandoned accounts to delete/suspend, with a CSV of affected accounts. |
| Account status tracking | Apps > individual app records | Visual breakdown of account statuses (Active, Abandoned, Inactive, Deleted, Access Revoked) on each app's overview page. |
| SSO inactivity detection | Automatic | Marks SSO-provisioned accounts as Inactive after 90 days of no activity - no nudging required. |
| Technical contacts | Individual app records | The person responsible for administrative actions on each app, including account removal. |

