Any user, with any single way to authenticate or more, takes 1 off the licence.
One user with: token, two tokens, three, a fixed passcode, on-demand, or any combination, takes 1 off the licence.
Passwords alone, do not. An authenticator, or more, does.
----
When a user is deleted from the internal database,
authenticators go back to unassigned, and the licence will free up one slot.
When you have an AD or LDAP user, and you remove them from AD,
the authenticators do not get unassigned, the userid and any authenticators remain assigned to <unknown> and the idea is, if the reason the user is missing is a simple network outage or other problem reaching LDAP, everything is normal once LDAP connectivity is restored. The system does not know if you deleted a users from LDAP intentionally, or there is an outage, so it keeps things assigned in the internal database, hoping to see the userid come back.
The identity source cleanup routine is what will go in the database and scrub all LDAP orphans and free up licence slots if you know you've made some changes and want tokens freed. The 'cleanup now' has a preview of objects it could clean, and you can review it and if you know why certain userids are on the list, then a cleanup can fix the licence count.
The scheduled cleanup can take care of this automatically, and also this cleanup job be set to not run if there are suddenly more objects to clean than expected (in case there is a network outage you may not want the cleanup to assume all ldap user info can be erased) so it has adjustable settings such as 'do not run if more than 50 objects' or 'do not run unless objects have been sitting for 7 days or more).
