We get a global group from the Active Directory with all users who can possibly login to our applications.
But by configuring this group for potential access to the application, the licences are based on the number of users in that group, even if the many of those users never logged in to the application.
Only users who connected to the application at least once should take a licence and not all the users configured in the access groups.
We have about 3600 people in this potential user group. We don't want to have the burden of adding every person in a group each time they want to access the application. That's the reason we want to keep this group configured. But at this time, only 2000 of these users are connecting and using the application.
The rest will eventually connect when the documentation and agility grows in the company. And we would even configure the 22000 users eventually if we can only pay for the connecting users we have in all of those.