Automate Google Workspace Offboarding Workflow

This article is written for Google Workspace administrators.

Are you still manually off-board an employee in Admin Console when they leave the company? That process perhaps is a bit clunky. You need to pull various security plugs in the Admin Console, as Google does not provide an off-board standard and feature beyond some best practices.

Streamlining an off-board process is critical for your organization. IT professionals have the responsibility to ensure the data security for the organization, preventing data from illegitimately accessed by ex-employees after they leave.

This article will guide you to automate your employee off-board process using Foresight, a workflow automation building tool designed for Google Workspace.

Demo: Google Workspace Offboarding with Foresight Automation

This following video is an oversimplified offboarding workflow on Foresight. When the employee Ed Lobo is moved to organizational unit /Deprovision, Foresight automatically deletes his recovery phone, deletes the recovery email, resets the password, deletes all email aliases, and suspends him.

Instructions

In Foresight, an automation rule consists of one trigger and one or more actions. In plain English, when something happens, then do this, this and this. An off-boarding process can be described as, When the leaving employee is added to the organizational unit Deprovision, then delete the user's recovery phone, then delete the user's recovery email, then ..., then revoke all accesses of third party apps, and it's done!

Foresight is a flexible automation building tool with many pieces ready for you to construct your own workflow. The following is one workflow setup for you reference.

Create an organizational unit called Deprovision in Admin Console. This organizational unit will be referenced in the trigger.
Log into Foresight.
Go to Rules.
Click the button to create an automation rule.
In the Select a trigger page, select User's organizational unit changed trigger.
In the Edit trigger page, configure the fields as described in the article section User's organizational unit changed.
Click NEXT.
In the Select an action page, select Update recovery phone.
In the Edit actions > Update recovery phone page, configure the fields as described in the article section Delete recovery phone.
Click ADD NEXT ACTION. This adds a subsequent action into the chain.
Repeat steps 8-10 for other off-boarding actions listed below.
Once all the actions are added, click REVIEW.
Give the automation rule a name, e.g. User offboard workflow.
Click CREATE.
Your automation workflow may look like

The trigger to off-board a user

To trigger the user deprovisioning workflow, choose one of the following recommended triggers. You can find more triggers in Foresight Trigger List.

User's organizational unit changed

An off-board process can also be initiated by moving the employee account to a specific organizational unit (OU). For example, if a user is moved to the OU named Your domain > Deprovision, the user will be automatically off-boarded.

Steps in Foresight

In the Select a trigger step, select User’s organizational unit changed trigger.
In the Edit trigger step,
- Sign in with Google
- In the New organizational unit field, select the new OU you use for deprovisioned users. The OU is displayed in the form of Organizational Unit Path.

Group member added

An off-board process can be initiated by adding the employee account into a specific group. For example, if a user is added to the Group named Deprovision, the user will be automatically off-boarded.

Steps in Foresight

In the Select a trigger step, select Group member added trigger.
In the Edit trigger step,
- Sign in with Google
- In the Group field, select the group you use for deprovisioned users.

Additional notes

If you also integrate the Remove user from all groups action after this trigger in the offboarding workflow, the user will be removed again from the group you just added the user as member of.

Action list to offboard a user

The actions below follow no strict order. Pick actions that matter to your Google Workspace administrations. Having that said, the Suspend user and Delete user actions are recommended to put in the end of the offboard workflow, because some actions assume an active user and would fail and break the workflow if the user has already been suspended.

Delete recovery phone

A recovery phone number enables your ex-employee to recover their old account, even you have reset their password. Remove the recovery phone so they can’t use the password recovery feature. In Admin Console, this setting is in Users > [user’s name] > Security > Recovery information > Phone.

Steps in Foresight

In the Select an action step, select Update recovery phone action.
In the Edit actions > Update recovery phone page,
- Sign in with Google
- In the User primary email field, select the User Primary Email variable from the drop down list.
- Leave the Phone number field empty.

Delete recovery email

Like the recovery phone number, a recovery email serves the same purpose of recovering a user account when the user forgets the password or was locked out.

To prevent your ex-employees from unauthorized access after they leave your organization, you need to remove their recovery email from your Google Workspace domain. In Admin Console, this setting is in Users > [user’s name] > Security > Recovery information > Email.

Steps in Foresight

In the Select an action step, select Update recovery email action.
In the Edit actions > Update recovery email step,
- Sign in with Google
- In the User primary email field, select the User Primary Email variable in the drop down list.
- Leave the Recovery email field empty.

Revoke third-party application accesses

Your employees may have used their Google Workspace accounts for logging in third-party applications (for example, Google Workspace Marketplace apps). If so, these applications continue to hold the access key to your organizational data unless your user or you explicitly revokes the access. In Admin Console, this setting is in Users > [user’s name] > Security > Connected applications. Learn more about View and remove access to third-party applications.

Removing the access to an app doesn’t prevent your ex-employee to reauthorize it if they still can log into their Google account.

Steps in Foresight

In the Select an action step, select Delete user tokens action.
In the Edit actions > Delete user tokens step,
- Sign in with Google
- In the User primary email field, select the User Primary Email variable in the drop down list.
- Check the Delete all checkbox. This will automate revoking all accesses to all connected applications for the given user.

Reset user password

Resetting your leaving employee’s password can greatly reduce the risk of malicious access to their old account. Changing a user’s password also revokes the accesses for third-party applications. Thus, this is an important task in the user off-boarding process. In Admin Console, resetting a user’s password is done by Users > [Hover on a user] > Reset password. Learn more about Reset a user’s password.

Steps in Foresight

In the Select an action step, select Reset user password action.
In the Edit actions > Reset user password step
- Sign in with Google
- In the User primary email field, select the User Primary Email variable in the drop down list.
- In the New password field, input a new password for your leaving employee’s account. Notes: The password is hashed with a strong algorithm before sending to Google. Once you save the automation rule, this password is never returned to you, so keep the password in secret.
- For the Require a password change at the next sign-in checkbox, it’s up to you.

Reset user sign-in cookies

A reset of user sign-in cookies forces users to be logged out from all devices and browsers. This mitigates the risks of unauthorized accesses from devices of leaving employees. That said, this is not a security solution for your ex-employees because they can still gain access to their user account by logging again using the old password.

To have the action complete successfully, the target user must be active.

Steps in Foresight

In the Select an action step, select Reset user sign-in cookies action.
In the Edit actions > Reset user sign-in cookies step,
- Sign in with Google
- In the Primary email field, select the User Primary Email variable in the drop down list.

Revoke 2-Step Verification (2SV) backup codes

2SV puts an extra protection against unauthorized access when the username and password were stolen. Backup codes are one of 2SV methods. If a leaving employee still hold their password and the backup codes, it’s possible for them to sneak in their old account. The old backup codes need to be revoked when they leave the organization. In Admin Console, the closest setting is in Users > [user’s name] > Security > 2-step verification. Learn more about Use backup codes for account recovery.

Steps in Foresight

In the Select an action step, select Invalidate backup codes action.
In the Edit actions > Invalidate backup codes page,
- Sign in with Google
- In the User primary email field, select the User Primary Email variable in the drop-down list.

Revoke App Passwords

An App Password is a 16-digit passcode used for less secure apps to access your Google account when the Sign in with Google is not an option in those apps. This is an uncommon security setting in modern apps. If so, in Admin Console, the setting is in Users > [user’s name] > Security > Application-specific password. Learn more about Sign in with App Passwords.

Steps in Foresight

In the Select an action step, select Delete app passwords action.
In the Edit actions > Delete app passwords page,
- Sign in with Google
- In the User primary email field, select the User Primary Email variable in the drop down list.
- Check the Delete all checkbox. This will automate revoking all app passwords for the given user.

Delete all user email aliases

Email aliases are a helpful way to receive emails sent to multiple email addresses in one Gmail account. If an employee leaves, these email aliases shall go away and/or be transferred to other employees. In Admin Console, this setting is in Users > [user’s name] > User information > Email aliases. Learn more about Google Workspace email aliases.

Steps in Foresight

In the Select an action step, select Delete user email alias action.
In the Edit actions > Delete user email alias page,
- Sign in with Google
- In the Primary email field, select the User Primary Email variable in the drop down list.
- Check the Delete all checkbox. This will automate deleting all user email aliases.

Revoke Super Admin role

If your leaving employee is also a Super Admin, you should withdraw their super admin privileges for data security.

The Update super admin status action either assigns a Super Admin role to a user or revoke the user’s Super Admin role. For offboarding workflows, we will use it to revoke the admin role.

Steps in Foresight

In the Select an action step, select Update super admin status action.
In the Edit actions > Update super admin status tab,
- Sign in with Google
- In the Primary email field, select the User Primary Email variable in the drop-down list.
- Switch off to Revoke Super Admin.

Hide user in the directory

When a user leaves the organization, their contact information shall be hidden in the organizational directory, so that other users will notice the personnel change. Once a user is hidden in Directory, their profile information no longer appears in email auto-completion, contacts manager or cloud search results. Learn more about Hide a user from the Directory.

Steps in Foresight

In the Select an action step, select Update user directory sharing action.
In the Edit actions > Update user directory sharing tab,
- Sign in with Google
- In the Primary email field, select the User Primary Email variable in the drop down list.
- Switch off to Hide user in the directory.

Remove user from all groups

It’s necessary to withdraw the ex-employee’s memberships from all Google Groups so that the group shared resources can shield from illegitimate access by the user, e.g. shared drives and files.

It’s manually doable to remove the user from all groups in Admin Console. See View a user’s group memberships. Alternatively, it can be fully automated with Foresight as part of the offboarding workflow.

Steps in Foresight

In the Select an action step, select Remove user from all groups action.
In the Edit actions > Remove user from all groups tab,
- Sign in with Google
- In the Primary email field, select the User Primary Email variable in the drop down list.

Additional notes

The Remove user from all groups action will revoke the user’s memberships regardless of user’s role in a group. Therefore, it’s possible the group will lost the owner if the user was the only owner. You may need to review the groups after the automation.

If you chose the Group member added trigger as the entry point of offboarding workflow, the user will be removed again from the group you just added the user as member of.

Create data transfer request

An employee had stored GBs of work data in their Drive, with some key information privately owned. They are all properties of the company. It’s wise to transfer the Drive data ownership to the manager before the account is deleted.

Use the Create data transfer request action to initiate a long-run process to transfer Drive data, Calendar, Brand Accounts and Data Studio data to another active user, e.g. the direct manager of a leaving employee. The action is close to the Transfer user’s data option page in Google Workspace Admin Console when you delete a user.

Steps in Foresight

In the Select an action step, select Create data transfer request action.
In the Edit actions > Create data transfer request tab,
- Sign in with Google
- In the From user field, select the User Primary Email variable in the drop down list.
- In the To user field, input the new owner’s email address. To set the direct manager, add a Get user info action before this Create data transfer request action and select the Manager Email variable in the drop down list.
- In the Select data to transfer field, check the application data to be transferred.

Additional notes

The Create data transfer request action only kicks off a long run process to transfer data from the old owner to a new owner. The time to complete the process depends on the size of the to-be-transferred data.

Archive user

After you revoke a leaving employee’s all accesses to their Google account, it’s time to archive user account. Unlike deleting a user, archiving a user does not clear the user data. However, archiving users require Archived User (AU) licenses. The license fee is cheaper than active user accounts. Learn more about archiving users in Google Admin.

Steps in Foresight

In the Select an action step, select Archive user action.
In the Edit actions > Archive user page,
- Sign in with Google
- In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.

Suspend user

After you revoke a leaving employee’s all accesses to their Google account as well as back up their data, it’s time to suspend the account officially. Suspending a user is temporary and reversible to active state, so it’s possible the user account is reactivated at some point. Data remains for a suspended user. Learn more about Suspend a user temporarily.

Steps in Foresight

In the Select an action step, select Suspend user action.
In the Edit actions > Suspend user page,
- Sign in with Google
- In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.

Delete user

Deleting the user account is often the last stop of the offboarding workflow. Once you delete a user, Google will initiate the user data removal process. So use this Deletion user action in Foresight with caution. In Admin Console, this setting is in Users > [hover on a user] > Delete user. Learn more about Delete a user from your organization.

Steps in Foresight

In the Select an action step, select Delete user action.
In the Edit actions > Delete user page,
- Sign in with Google
- In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.

Notify stakeholders

It’s also important to notify yourself and/or stakeholders (e.g. the employee’s manager) as a part of the employee offboarding process. For example, at the beginning of the offboarding process, alert yourself that an employee offboarding process started and at the end of the process, alert yourself and the employee’s manager that the employee is successfully offboarded.

Notifications are sent by emails. In Foresight, use the Email action.

Sign in with Google
In the To field, type {{ and select the Manager email variable, which can be obtained from a Get user info action. And it’s up to you to type which emails to be notified.
Fill your content in the Subject and Email body.

An offboarding workflow with email notifications can be visualized as follows.

Email notifications before and after the offboarding tasks

Schedule offboarding user

From time to time, some employees or contractors are given a designated date to leave the organization. It's possible to schedule a future offboarding workflow in Foresight so that you don't have to remember it.

Create a separate automation rule aside from the offboarding rule. The following setup example is based on the offboarding trigger of User's organizational unit changed.

Log into Foresight.
Go to Rules.
Click the button to create a new rule.
In the Select a trigger page, select Time trigger.
In the Edit trigger page, choose a future time in the Trigger time field. This is the time to trigger the offboarding process.
Click NEXT.
In the Select an action page, select Move user to organizational unit action.
In the Edit actions > Move user to organizational unit page,
1. Sign in with Google
2. In the User primary email field, type the primary email of the user to leave in the future.
3. In the New organizational unit field, select the OU that's used for triggering offboarding. In this article, we select /Deprovision.
Click REVIEW.
Name the rule (e.g. Offboard Frank Munoz at May 1).
Click CREATE.
The rule is visualized like this

Test both rules to see whether the bridge works.

Future work

Foresight will not stop here but keep evolving to support more user deprovisioning tasks, which may include but not limit to

Transfer out the ownership of groups
Wipe user's managed mobile devices

This article will be updated as new features are integrated in Foresight.

If you have ideas, please leave your comments in the Foresight community. You may also like

Automatically Suspend Inactive Users in Google Workspace

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. This cookie is installed the first time a visitor enters the website through a browser. When the visitor comes back to the website through the same browser, the cookie will consider them to be the same visitor. Only in the event that the visitor changes browser, will they be deemed to be a different visitor.
_gat_gtag-###	1 minute	This cookie is installed by Google Analytics. It is used to analyze visitor browsing habits, flow, source and other information.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
__Secure-1PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising
__Secure-1PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
_gcl_au	3 months	This cookie is set by Google Analytics to take information in advert clicks and store it in a 1st party cookie so that conversions can be attributed outside of the landing page.
1P_JAR	1 month	This cookie is installed by Google Ads. This cookie is used to collect site statistics and track conversion rates.
APISID	2 years	This cookie is used by Google to store user preferences and information while viewing Youtube videos on this site.
HSID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
LOGIN_INFO	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
PREF	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
SID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
SIDCC	1 year	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
SSID	2 years	This cookie is used to save the user's preferences and other information.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	This cookie is used by YouTube to remember user input and associate a user’s actions. This cookie lasts for as long as the user keeps their browser open.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Automate Google Workspace Offboarding Workflow

Demo: Google Workspace Offboarding with Foresight Automation

Instructions

The trigger to off-board a user

Action list to offboard a user

Schedule offboarding user

Future work

Products & Services

Company

Contact

Follow us