Would it be possible to have some global setting in the Security Console where if the token “Last Used to Authenticate” date goes beyond a set period, the system would automatically unassign the token and put it back in the available pool.  So if for example, I set it to that if the tokens have not authenticated with 90 days, then from this post (27/01/2023), all tokens that had not authenticated since 29 October 2022 would be unassigned.  There would have to be some feature to exclude certain users (like users on long term leave) but if this could be an overnight maintenance task, it would help keep our licenced number of users in balance and add more tokens to the available pool.