Introduction
In this blog, you will learn how to automate offboarding workflows in Google Workspace. Manually managing the offboarding process can be time-consuming and prone to errors. By automating tasks like disabling accounts, revoking access, removing recovery phone numbers and emails, deleting user tokens, and resetting user passwords, organizations can significantly reduce human error and improve overall efficiency. This guide will walk you through the steps to set up automated offboarding workflows efficiently, ensuring a smoother, more secure transition.
Illustration of how xFanatical Foresight automates the user offboarding process in Google Workspace.
Now, we are going to show you how xFanatical Foresight can automate offboarding workflows in Google Workspace, saving you time and ensuring security.
Introducing xFanatical Foresight Automation
xFanatical Foresight is a powerful automation platform designed specifically for Google Workspace. It enables administrators to effortlessly automate offboarding workflows, ensuring efficient account management and compliance. With its simple interface and customizable workflows, xFanatical Foresight simplifies tasks like disabling accounts, removing recovery phone numbers and emails, deleting user tokens, and resetting passwords, ultimately optimizing license usage and enhancing security.
Automation Setup Instructions
In this section, we guide you through the automation setup in xFanatical Foresight. There are two ways to set up automation rules: Set up automation from a template and Set up automation from scratch. After completing the automation rule, verify that the automation meets your requirements.
Set Up Automation From a Template
Supported plans: xFanatical Foresight Elite plan.
Prerequisites:
- Create a new organizational unit for deprovisioning in Google Admin Console, e.g., /Deprovision.
- Ensure the departing user is active in the organization.
- Sign into xFanatical Foresight with your Google Admin account.
- Go to the Templates page.
- Click the Automate offboarding workflows in Google Workspace template.
- In the Templates > Automate offboarding workflows in Google Workspace page, click Copy rule.
- The first time you use the template rule, an Action needed dialog will display, requesting the permissions required to copy the rule. Click Connect with Google and authorize the permissions.
- Upon authorization, a dialog titled Copy of Automate offboarding workflows in Google Workspace will display.
- Click Next. The rule is pre-configured, hence no further configuration is required.
- Click Review.
- In the Review screen,
- In Rule name, customize the automation rule name.
- Click Create.
- The rule is created in the Rules page.
xFanatical Foresight workflow for automatically suspending Google Workspace users.
Set Up Automation From Scratch
Supported plans: xFanatical Foresight Elite and Professional (Legacy).
- Sign into xFanatical Foresight with your Google Admin account.
- Go to the Rules page.
- Click the New Rule button at the bottom right to create a new rule.
- In the Select a trigger screen, select User’s organizational unit changed trigger.
- In the Edit trigger > User’s organizational unit changed screen,
- In the New organizational unit field, select /Deprovision organizational unit from the dropdown list.
- Click Next.
- In the Select an action screen, select the Update recovery phone action.
- In the Edit actions > Update recovery phone screen,
- In the User primary email field, select the User primary email variable from User’s organizational unit changed trigger.
- Leave the Phone number field blank to remove the recovery phone associated with the account.
- For demonstration purposes, we've included only one action here. To add more offboarding actions from the list below, click Add next action.
- Once all the actions are added, click Review.
- In the Review screen,
- In Rule name, give your rule a name for easy identification.
- Click Create.
- The automation rule appears on the Rules page and is active by default upon creation.
xFanatical Foresight rule graph for automating user offboarding process.
List of Actions for Efficient User Off-boarding in Google Workspace
The following actions are designed to support a smooth and efficient user off-boarding process in Google Workspace. These actions can be executed in any order based on your specific administrative needs.
Important: We recommend performing the Suspend User and Delete User actions at the end of the off-boarding workflow. Many other actions require an active user account, and executing these prematurely may cause certain steps to fail or disrupt the workflow.
Update recovery phone
A recovery phone number allows former employees to regain access to their old account, even after you’ve reset their password. To prevent unauthorized access through the password recovery feature, it’s recommended to remove the recovery phone number.
You can do this in the Google Admin Console by navigating to:
Users > [user’s name] > Security > Recovery information > Phone.
Setup instructions:
- In the Select an action screen, select the Update recovery phone action.
- In the Edit actions > Update recovery phone screen,
- In the User primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- Leave the Phone number field blank to remove the recovery phone associated with the account.
Update recovery email
Similar to a recovery phone number, a recovery email allows users to regain access to their accounts if they forget their password or get locked out.
To prevent former employees from regaining unauthorized access after leaving your organization, it’s important to remove their recovery email from your Google Workspace domain.
You can do this in the Google Admin Console by going to:
Users > [user’s name] > Security > Recovery information > Email.
Setup instructions:
- In the Select an action screen, select the Update recovery email action.
- In the Edit actions > Update recovery email screen,
Revoke third-party application accesses
Employees may use their Google Workspace accounts to sign in to third-party applications (e.g., Google Workspace Marketplace apps). Once authorized, these apps retain access to your organization’s data until explicitly revoked—either by the user or an administrator.
To review and revoke access, go to the Google Admin Console:
Users > [user’s name] > Security > Connected applications.
Learn more about viewing and removing access to third-party applications.
Note: Removing an app’s access does not prevent a former employee from reauthorizing it if they can still sign in to their Google account.
Setup instructions:
- In the Select an action screen, select the Delete user tokens action.
- In the Edit actions > Delete user tokens screen,
- In the User primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- Check the Delete all checkbox. This will automate revoking all accesses to all connected applications for the given user.
Reset user password
Resetting the password of a departing employee is a critical step in minimizing the risk of unauthorized access to their account. This action not only secures the account but also automatically revokes access to third-party applications previously authorized by the user.
As such, password reset is an essential part of the off-boarding process. Learn more about resetting a user’s password.
To reset a user’s password, go to the Google Admin Console:
Users > [hover over the user] > Reset password.
Note: Use the Generate password action to generate a secure, random password automatically, and use its output variable in the next action.
Setup instructions:
- In the Select an action screen, select the Reset user password action.
- In the Edit actions > Reset user password screen,
- In the User primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- In the New password field, select the Generated password variable from the Generate password action.
- In the Require a password change at the next sign-in field, select true.
Revoke 2-Step Verification (2SV) backup codes
2-Step Verification (2SV) adds an extra layer of protection against unauthorized access—even if a user’s username and password are compromised. One common 2SV method is the use of backup codes.
If a departing employee still possesses their password and backup codes, they may still be able to access their old account. To prevent this, it’s important to revoke any existing backup codes as part of the off-boarding process. Learn more about using backup codes for account recovery.
You can manage this in the Google Admin Console under:
Users > [user’s name] > Security > 2-step verification.
Setup instructions:
- In the Select an action screen, select the Invalidate backup codes action.
- In the Edit actions > Invalidate backup codes screen,
- In the User primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
Revoke App Passwords
An App Password is a 16-digit passcode used by less secure apps to access your Google account when Sign in with Google is not supported. While this is an uncommon setting for most modern apps, it’s important to check and manage it during the off-boarding process.
To revoke or manage App Passwords, go to the Google Admin Console:
Users > [user’s name] > Security > Application-specific password.
Learn more about signing in with App Passwords.
Setup instructions:
- In the Select an action screen, select the Delete app passwords action.
- In the Edit actions > Delete app passwords screen,
- In the User primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- Check the Delete all checkbox. This will automate revoking all app passwords for the given user.
Delete all user email aliases
Email aliases allow users to receive messages sent to multiple email addresses within a single Gmail inbox. When an employee leaves the organization, it’s important to remove or reassign their email aliases to ensure no important communication is lost.
You can manage aliases in the Google Admin Console by navigating to:
Users > [user’s name] > User information > Email aliases.
Learn more about Google Workspace email aliases.
Setup instructions:
- In the Select an action screen, select the Delete user email aliases action.
- In the Edit actions > Delete user email aliases screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- Check the Delete all checkbox. This will automate deleting all user email aliases.
Revoke Super Admin role
If a departing employee holds Super Admin privileges, it’s essential to revoke their access to protect your organization’s data and maintain administrative security.
The Update Super Admin Status action allows you to either assign or revoke Super Admin privileges for a user. In the context of off-boarding, this action should be used to remove the user’s super admin role as part of the security protocol.
Setup instructions:
- In the Select an action screen, select the Update super admin status action.
- In the Edit actions > Update super admin status screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- In the Assign super admin field, select false.
Hide user in the directory
When an employee leaves the organization, it’s best practice to hide their contact information from the organizational directory to signal the personnel change to others.
Once hidden, the user’s profile will no longer appear in email auto-complete, Google Contacts, or Cloud Search results, helping prevent confusion and maintain a clean directory.
Learn more about how to hide a user from the directory.
Setup instructions:
- In the Select an action screen, select the Update user directory sharing action.
- In the Edit actions > Update user directory sharing screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
- In the Share user in the directory field, select false.
Remove user from all groups
It’s important to remove a departing employee from all Google Groups to prevent unauthorized access to group-shared resources such as shared drives, files and calendars.
This can be done manually in the Google Admin Console by viewing and editing the user’s group memberships.
Learn how to view a user’s group memberships.
Setup instructions:
- In the Select an action screen, select the Remove user from all groups action.
- In the Edit actions > Remove user from all groups screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
Create data transfer request
When an employee leaves, they often have GBs of important work stored in their Google Drive. Since this data belongs to the company, it’s a smart move to transfer ownership to their manager before deleting the account.
You can do this using the Create data transfer request action, which moves their Drive files, Calendar events, Brand Accounts, and Looker Studio reports to another active user, like their direct manager. This works just like the Transfer user’s data option you see when deleting a user in the Google Admin Console.
Setup instructions:
- In the Select an action screen, select the Create data transfer request action.
- In the Edit actions > Create data transfer request screen,
- In the From user field, select the User Primary Email variable from the User’s organizational unit changed trigger.
- In the To user field, select the Manager email variable from the Get user info action.
- In the Select data to transfer field, check the application data to be transferred.
Archive user
Once you’ve revoked all access to a departing employee’s Google account, the next step is to archive the user account. Unlike deleting a user, which permanently erases their data, archiving retains all user data while removing access.
Learn more about archiving users in the Google Admin Console.
Setup instructions:
- In the Select an action screen, select the Archive user action.
- In the Edit actions > Archive user screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
Suspend user
After revoking a departing employee’s access and backing up their data, the next step is to suspend their account. Suspending a user is a temporary measure and can be reversed, allowing the account to be reactivated later if necessary. During suspension, all data remains intact, ensuring no loss of important information.
Learn more about temporarily suspending a user.
Setup instructions:
- In the Select an action screen, select the Suspend user action.
- In the Edit actions > Suspend user screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
Delete user
Deleting a user account is usually the final step in the offboarding process. Once a user is deleted, Google begins permanently removing their data, so it’s important to use the Delete User action.
Make sure all necessary data transfers and security steps are completed before taking this step. In the Google Admin Console, you can delete a user by going to Users > [hover over a user] > Delete user.
Learn more about deleting a user in the Google Admin Console.
Setup instructions:
- In the Select an action screen, select the Delete user action.
- In the Edit actions > Delete user screen,
- In the Primary email field, select the User primary email variable from the User’s organizational unit changed trigger.
Notify stakeholders
It’s also crucial to keep yourself and other key stakeholders (such as the employee’s manager) informed throughout the offboarding process. For instance, you can set up an initial notification to alert yourself when the offboarding process begins, and a final notification to confirm the employee has been successfully offboarded, notifying both you and the employee’s manager. These notifications are sent via email.
Note: Use the Get user info action to retrieve the user’s details, including their manager’s email to streamline the notification process.
Setup instructions:
- In the Select an action screen, select the Email action.
- In the Edit actions > Email screen,
- In the To field, select the Manager email variable from the Get user info action.
- In the Subject field, enter a custom subject line that clearly indicates the purpose of the email.
- In the Email body field, compose a personalized message that includes relevant details about the offboarded employee.
Verify Automation
To ensure that your rule setup automates as expected, it’s essential to conduct a simple test. The following instructions demonstrate how xFanatical Foresight automates offboarding workflows in Google Workspace.
- For demonstration purposes, the following is a test user with active status in Google Admin Console.
- Now move the test user to the /Deprovision organizational unit to start the offboarding workflow automation.
- Sign into xFanatical Foresight with the same Google Admin account.
- Wait momentarily until you receive a notification in the top right of xFanatical Foresight. In the notification message, click View log.
- In the Logs > Log details page, the Rule history section explains the automation history and task xFanatical Foresight has automated on behalf of your Google account.
- Sign into your Google Admin Console and verify that the user has been suspended by the automation rule.
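The check above only confirms suspension. As an added example (not xFanatical Foresight code), the following audit covers the other offboarding actions in this guide by inspecting a user record whose field names follow the Admin SDK Directory API user resource. The sample records and the separately fetched token, app-password, backup-code and group lists are constructed assumptions.

```python
# Added example: post-offboarding audit over a Directory API style user record.
# Sample data below is constructed; fetching the real record is out of scope.

def audit_offboarded_user(user, tokens=(), asps=(), backup_codes=(), groups=(),
                          deprovision_ou="/Deprovision"):
    """Return a list of findings; an empty list means nothing was left behind."""
    findings = []
    if user.get("orgUnitPath") != deprovision_ou:
        findings.append(f"not in {deprovision_ou}")
    if user.get("recoveryPhone"):
        findings.append("recovery phone still set")
    if user.get("recoveryEmail"):
        findings.append("recovery email still set")
    if user.get("isAdmin"):
        findings.append("still a super admin")
    # Treat a missing flag as visible so that the audit fails closed.
    if user.get("includeInGlobalAddressList", True):
        findings.append("still visible in the directory")
    if user.get("aliases"):
        findings.append(f"{len(user['aliases'])} email alias(es) remain")
    if not (user.get("suspended") or user.get("archived")):
        findings.append("account is neither suspended nor archived")
    # Per-user resources that an administrator lists separately.
    for label, items in (("OAuth token", tokens), ("app password", asps),
                         ("backup code", backup_codes), ("group membership", groups)):
        if items:
            findings.append(f"{len(items)} {label}(s) remain")
    return findings


# Constructed sample: user moved to /Deprovision but the rule has not finished.
SAMPLE_BEFORE = {
    "primaryEmail": "leaver@example.com",
    "orgUnitPath": "/Deprovision",
    "recoveryPhone": "+15555550100",
    "recoveryEmail": "",
    "isAdmin": False,
    "includeInGlobalAddressList": True,
    "aliases": ["l.eaver@example.com"],
    "suspended": False,
    "archived": False,
}
# Constructed sample: the same user after every action has run.
SAMPLE_AFTER = {**SAMPLE_BEFORE, "recoveryPhone": "", "aliases": [],
                "includeInGlobalAddressList": False, "suspended": True}

if __name__ == "__main__":
    for finding in audit_offboarded_user(SAMPLE_BEFORE, tokens=[{"clientId": "constructed"}]):
        print("FINDING:", finding)
```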
Notes
- Once the automation rule is established, xFanatical Foresight will auto-pilot the offboarding of the users. No manual intervention is required. xFanatical Foresight frees you up from hours of repetitive tasks of offboarding.
- The automation allows for bulk management of Google Workspace users, making large-scale offboarding quick and efficient.
- Each time a rule is executed, you will receive a notification in the app telling you what happened and whether the rule ran successfully.
- Google administrators can customize offboarding workflows to align with their organization's policies and requirements.
- If the user is suspended, some actions will fail with unmet conditions. Ensure the user is active before the automation starts. If necessary, add a Reactivate user action as the first action to un-suspend the user before automating the rest of the offboarding workflow.
- xFanatical Foresight may continue to offer new user offboarding actions, which are not documented in this tutorial.
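The ordering constraints stated in this guide (Suspend user and Delete user last, Reactivate user first for an already suspended account, and actions that consume another action's output variable) can be checked before a rule is created. The following is an added example, not part of xFanatical Foresight; the function name and the plan format (a list of action names as they appear in this guide) are assumptions.

```python
# Added example: lint the order of offboarding actions before building the rule.

# Actions the guide recommends placing at the end of the workflow.
TERMINAL = {"Suspend user", "Delete user"}
# Action -> earlier action whose output variable it uses in this guide.
REQUIRES = {
    "Reset user password": "Generate password",
    "Create data transfer request": "Get user info",
}
# Notifications are expected after the account is locked, so they are exempt.
ALLOWED_AFTER_TERMINAL = {"Email"}


def check_action_order(actions, user_is_suspended=False):
    """Return a list of ordering problems for a planned list of action names."""
    problems = []
    if user_is_suspended and (not actions or actions[0] != "Reactivate user"):
        problems.append("user is suspended: put 'Reactivate user' first")
    seen = set()
    terminal_seen = None
    for step, action in enumerate(actions, 1):
        needed = REQUIRES.get(action)
        if needed and needed not in seen:
            problems.append(f"step {step} '{action}' needs '{needed}' earlier")
        if (terminal_seen and action not in TERMINAL
                and action not in ALLOWED_AFTER_TERMINAL):
            problems.append(
                f"step {step} '{action}' runs after '{terminal_seen}' and may fail")
        if action in TERMINAL and terminal_seen is None:
            terminal_seen = action
        seen.add(action)
    return problems


# Constructed plans using action names from this guide.
GOOD_PLAN = ["Get user info", "Update recovery phone", "Update recovery email",
             "Delete user tokens", "Generate password", "Reset user password",
             "Invalidate backup codes", "Delete app passwords",
             "Remove user from all groups", "Create data transfer request",
             "Suspend user", "Email"]
BAD_PLAN = ["Suspend user", "Reset user password", "Update recovery phone"]

if __name__ == "__main__":
    for problem in check_action_order(BAD_PLAN):
        print("PROBLEM:", problem)
```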
Conclusion
Automating offboarding workflows in Google Workspace ensures a seamless and efficient user deprovisioning process, reducing manual effort and minimizing security risks. With xFanatical Foresight, IT administrators can schedule user suspensions, reassign data, and enforce compliance policies automatically. By streamlining offboarding, organizations can maintain better control over user access, improve security, and enhance operational efficiency.
Try a 14-day free trial with xFanatical Foresight and manage your tasks.