Introduction

This article is written for Google Workspace administrators, we will explore how to automate offboarding workflows in Google Workspace. When it comes to managing employee departures, offboarding workflows play a crucial role in ensuring a smooth transition and maintaining data security. However, manually handling the offboarding process can be time-consuming, error-prone, and cumbersome. This is where automation comes into play. By automating your Google Workspace offboarding workflow, you can streamline the process, reduce human error, and improve overall efficiency.

Common Challenges in Offboarding Workflows

Before diving into the steps to automate your Google Workspace offboarding workflow, it's important to understand the common challenges organizations face in this process:

  • One of the key challenges is the manual nature of the offboarding process, which can be time-consuming and prone to errors. Manually revoking access to various applications and updating user information across multiple systems can be a tedious and error-prone task
  • Another challenge is the lack of a standardized offboarding process. Different departments or teams may have their way of handling offboarding, leading to inconsistencies and confusion. This lack of standardization can result in missed steps or incomplete offboarding, leaving potential security gaps.
  • Additionally, the offboarding process often involves multiple stakeholders, such as HR, IT, and managers. Coordinating and communicating between these different teams can be challenging, causing delays and miscommunication. Automation can help address these challenges by providing a centralized and standardized offboarding workflow that can be easily managed and tracked by all stakeholders.

Tools and Software for Automating Offboarding Processes

We are excited to share with you a groundbreaking solution that will revolutionize the offboarding process for companies.

Introducing the Foresight tool for Automating Offboarding Processes, a game-changing technology designed to streamline and automate the entire offboarding journey. With the Foresight tool, companies can automate and optimize their offboarding procedures, saving valuable time and resources. By leveraging advanced technologies this tool can analyze a wide range of data points and intelligently guide the offboarding process.

This article will guide you to automate your employee off-board process using Foresight, a workflow automation building tool designed for Google Workspace.

Demo: Google Workspace Offboarding with Foresight Automation

This following video is an oversimplified offboarding workflow on Foresight. When the employee Ed Lobo is moved to organizational unit /Deprovision, Foresight automatically deletes his recovery phone, deletes the recovery email, resets the password, deletes all email aliases, and suspends him.

Instructions

In Foresight, an automation rule consists of one trigger and one or more actions. In plain English, when something happens, then do this, this and this. An off-boarding process can be described as, When the leaving employee is added to the organizational unit Deprovision, then delete the user's recovery phone, then delete the user's recovery email, then ..., then revoke all accesses of third party apps, and it's done!

Foresight is a flexible automation building tool with many pieces ready for you to construct your own workflow. The following is one workflow setup for you reference.

  1. Create an organizational unit called Deprovision in Admin Console. This organizational unit will be referenced in the trigger.
  2. Log in to your Foresight account with your Google Admin account. 
  3. Go to the Rules page and click the New Rulenew rule buttonbutton.
  4. In the Select a trigger screen, select User's organizational unit changed trigger.In the Select a trigger page, select User's organizational unit changed trigger.
  5. In the Edit trigger page, configure the fields as described in the article section User's organizational unit changed, click NextSelect and Edit organizational unit changed trigger
  6. In the Select an action page, select Update recovery phone action.Select Update recovery phone Action with Foresight Automation tool
  7. In the Edit actions > Update recovery phone page, configure the fields as described in the article section Delete recovery phone.In the Edit actions screen Update recovery phone fields
  8. Click ADD NEXT ACTION. This adds a subsequent action into the chain.
  9. Repeat steps 8-10 for other off-boarding actions listed below.
  10. Once all the actions are added, click REVIEW.
  11. Give the automation rule a name, e.g. User offboard workflow.
  12. Click CREATE.
  13. Your automation workflow may look like
    User offboarding workflow

The trigger to off-board a user

To trigger the user deprovisioning workflow, choose one of the following recommended triggers. You can find more triggers in Foresight Trigger List.

User's organizational unit changed

An off-board process can also be initiated by moving the employee account to a specific organizational unit (OU). For example, if a user is moved to the OU named Your domain > Deprovision, the user will be automatically off-boarded.

Steps in Foresight

  1. In the Select a trigger step, select User’s organizational unit changed trigger.
  2. In the Edit trigger step,
    edit user's organizational unit changed trigger
  3. In the New organizational unit field, select the new OU you use for deprovisioned users. The OU is displayed in the form of Organizational Unit Path.
Group member added

An off-board process can be initiated by adding the employee account into a specific group. For example, if a user is added to the Group named Deprovision, the user will be automatically off-boarded.

Steps in Foresight

  1. In the Select a trigger step, select Group member added trigger.
  2. In the Edit trigger step,
    Group member added configuration for off-board
  3. In the Group field, select the group you use for deprovisioned users.

Additional notes

If you also integrate the Remove user from all groups action after this trigger in the offboarding workflow, the user will be removed again from the group you just added the user as member of.

Action list to offboard a user

The actions below follow no strict order. Pick actions that matter to your Google Workspace administrations. Having that said, the Suspend user and Delete user actions are recommended to put in the end of the offboard workflow, because some actions assume an active user and would fail and break the workflow if the user has already been suspended.

Delete recovery phone
  • Delete recovery phone

A recovery phone number enables your ex-employee to recover their old account, even you have reset their password. Remove the recovery phone so they can’t use the password recovery feature. In Admin Console, this setting is in Users > [user’s name] > Security > Recovery information > Phone.

Steps in Foresight

  1. In the Select an action step, select Update recovery phone action.Select Update recovery phone action with Foresight Automation tool
  2. In the Edit actions > Update recovery phone page.In the Edit actions screen Update recovery phone fields
  3. In the User primary email field, select the User Primary Email variable from the drop down list.
  4. Leave the Phone number field empty.
Delete recovery email
  • Delete recovery email

Like the recovery phone number, a recovery email serves the same purpose of recovering a user account when the user forgets the password or was locked out.

To prevent your ex-employees from unauthorized access after they leave your organization, you need to remove their recovery email from your Google Workspace domain. In Admin Console, this setting is in Users > [user’s name] > Security > Recovery information > Email.

Steps in Foresight

  1. In the Select an action step, select Update recovery email action.Select an action Update recovery email action
  2. In the Edit actions > Update recovery email step.FIll the details in the Update recovery email actions edit screen
  3. In the User primary email field, select the User Primary Email variable in the drop down list.
  4. Leave the Recovery email field empty.


Revoke third-party application accesses
  • Revoke third-party application accesses

Your employees may have used their Google Workspace accounts for logging in third-party applications (for example, Google Workspace Marketplace apps). If so, these applications continue to hold the access key to your organizational data unless your user or you explicitly revokes the access. In Admin Console, this setting is in Users > [user’s name] > Security > Connected applications. Learn more about View and remove access to third-party applications.

Removing the access to an app doesn’t prevent your ex-employee to reauthorize it if they still can log into their Google account.

Steps in Foresight

  1. In the Select an action step, select the Delete user tokens action.Select an action Delete user tokens action
  2. In the Edit actions > Delete user tokens step.Edit the detail in the Delete user tokens action screen
  3. In the User primary email field, select the User Primary Email variable in the drop down list.
  4. Check the Delete all checkbox. This will automate revoking all accesses to all connected applications for the given user.
Reset user password
  • Reset user password

Resetting your leaving employee’s password can greatly reduce the risk of malicious access to their old account. Changing a user’s password also revokes the accesses for third-party applications. Thus, this is an important task in the user off-boarding process. In Admin Console, resetting a user’s password is done by Users > [Hover on a user] > Reset password. Learn more about Reset a user’s password.

Steps in Foresight

  1. In the Select an action step, select Reset user password action.Select Reset user password action with Foresight
  2. In the Edit actions > Reset user password stepIn Reset user password action edit scree fill the required details
  3. In the User primary email field, select the User Primary Email variable in the drop down list.
  4. In the New password field, input a new password for your leaving employee’s account. Note: The password is hashed with a strong algorithm before sending to Google. Once you save the automation rule, this password is never returned to you, so keep the password in secret.
  5. For the Require a password change at the next sign-in selected true, it’s up to you.
Reset user sign-in cookies
  • Reset user sign-in cookies

A reset of user sign-in cookies forces users to be logged out from all devices and browsers. This mitigates the risks of unauthorized accesses from devices of leaving employees. That said, this is not a security solution for your ex-employees because they can still gain access to their user account by logging again using the old password.

To have the action complete successfully, the target user must be active.

Steps in Foresight

  1. In the Select an action step, select Reset user sign-in cookies action.Select an action Reset user sign-in cookies action
  2. In the Edit actions > Reset user sign-in cookies step.
  3. In the Primary email field, select the User Primary Email variable in the drop down list.Fill the Reset user sign-in action required fields
Revoke 2-Step Verification (2SV) backup codes
  • Revoke 2-Step Verification (2SV) backup codes

2SV puts an extra protection against unauthorized access when the username and password were stolen. Backup codes are one of 2SV methods. If a leaving employee still hold their password and the backup codes, it’s possible for them to sneak in their old account. When they leave the organization, revoke the old backup codes. In Admin Console, the closest setting is in Users > [user’s name] > Security > 2-step verification. Learn more about Use backup codes for account recovery.

Steps in Foresight

  1. In the Select an action step, select Invalidate backup codes action.Select an action Invalidate backup codes actio
  2. In the Edit actions > Invalidate backup codes screen.Fill the required field of Invalidate backup codes action edit screen
  3. In the User primary email field, select the User Primary Email variable in the drop-down list.
Revoke App Passwords
  • Revoke App Passwords

An App Password is a 16-digit passcode used for less secure apps to access your Google account when the Sign in with Google is not an option in those apps. This is an uncommon security setting in modern apps. If so, in Admin Console, the setting is in Users > [user’s name] > Security > Application-specific password. Learn more about Sign in with App Passwords.

Steps in Foresight

  1. In the Select an action step, select Delete app passwords action.Select an action Delete app Password with Foresight
  2. In the Edit actions > Delete app passwords screen.
  3. Sign in with Google.Fill the required fields in Delete app passwords actionedit screen
  4. In the User primary email field, select the User Primary Email variable in the drop down list.
  5. Check the Delete all checkbox. This will automate revoking all app passwords for the given user.
delete-all-user-email-aliases
  • Delete all user email aliases

Email aliases are a helpful way to receive emails sent to multiple email addresses in one Gmail account. If an employee leaves, remove or transfer these email aliases to other employees. In Admin Console, this setting is in Users > [user’s name] > User information > Email aliases. Learn more about Google Workspace email aliases.

Steps in Foresight

  1. In the Select an action step, select Delete user email alias action.Select Delete user email aliases action
  2. In the Edit actions > Delete user email alias screen.Fill the required fields in the Delete user email aliases screen
  3. In the Primary email field, select the User Primary Email variable in the drop down list.
  4. Check the Delete all checkbox. This will automate deleting all user email aliases.
Revoke Super Admin role
  • Revoke Super Admin role

If your leaving employee is also a Super Admin, you should withdraw their super admin privileges for data security.

The Update super admin status action either assigns a Super Admin role to a user or revoke the user’s Super Admin role. For offboarding workflows, we will use it to revoke the admin role.

Steps in Foresight

  1. In the Select an action step, select Update super admin status action.Select an action Update super admin status action with Foresight
  2. In the Edit actions > Update super admin status tab.Fill the required details in the edit action screen of Update super admin status action with Foresight
  3. In the Primary email field, select the User Primary Email variable in the drop-down list.
  4. Turn false to Assign Super Admin.
Hide user in the directory
  • Hide user in the directory

When a user leaves the organization, their contact information shall be hidden in the organizational directory, so that other users will notice the personnel change. Once a user is hidden in Directory, their profile information no longer appears in email auto-completion, contacts manager or cloud search results. Learn more about Hide a user from the Directory.

Steps in Foresight

  1. In the Select an action step, select Update user directory sharing action.Select an action Update user directory sharing action
  2. In the Edit actions > Update user directory sharing tab.Edit the Update user directiory sharing action screen as required
  3. In the Primary email field, select the User Primary Email variable in the drop down list.
  4. Turn false to Share user in the directory.
Remove user from all groups
  • Remove user from all groups

It’s necessary to withdraw the ex-employee’s memberships from all Google Groups so that the group shared resources can shield from illegitimate access by the user, e.g. shared drives and files. It’s manually doable to remove the user from all groups in Admin Console. See View a user’s group memberships. Alternatively, it can be fully automated with Foresight as part of the offboarding workflow.

Steps in Foresight

  1. In the Select an action step, select Remove user from all groups action.Select an action Remove user from all groups action in Foresight
  2. In the Edit actions > Remove user from all groups tab.Fill the required field in Remove user from all group action's edit screen
  3. In the Primary email field, select the User Primary Email variable in the drop down list.

Additional notes

The Remove user from all groups action will revoke the user’s memberships regardless of user’s role in a group. Therefore, it’s possible the group will lost the owner if the user was the only owner. You may need to review the groups after the automation.

If you chose the Group member added trigger as the entry point of offboarding workflow, the user will be removed again from the group you just added the user as member of.

Create data transfer request
Create data transfer request
  • Create data transfer request

An employee had stored GBs of work data in their Drive, with some key information privately owned. They are all properties of the company. It’s wise to transfer the Drive data ownership to the manager before the account is deleted.

Use the Create data transfer request action to initiate a long-run process to transfer Drive data, Calendar, Brand Accounts and Data Studio data to another active user, e.g. the direct manager of a leaving employee. The action is close to the Transfer user’s data option page in Google Workspace Admin Console when you delete a user.

Steps in Foresight

  1. In the Select an action step, select Create data transfer request action.Select an action Create data transfer request action in Foresight
  2. In the Edit actions > Create data transfer request tab.Edit the screen of the Create data transfer action in Foresight
  3. In the From user field, select the User Primary Email variable in the drop down list.
  4. In the To user field, input the new owner’s email address. To set the direct manager, add a Get user info action before this Create data transfer request action and select the Manager Email variable in the drop down list.
  5. In the Select data to transfer field, check the application data to be transferred.

Additional notes

The Create data transfer request action only kicks off a long run process to transfer data from the old owner to a new owner. The time to complete the process depends on the size of the to-be-transferred data.

Archive user
  • Archive user

After you revoke a leaving employee’s all accesses to their Google account, it’s time to archive user account. Unlike deleting a user, archiving a user does not clear the user data. However, archiving users require Archived User (AU) licenses. The license fee is cheaper than active user accounts. Learn more about archiving users in Google Admin.

Steps in Foresight

  1. In the Select an action step, carefully select the Archive user action.Select an action Archive User action in Foresight
  2. In the Edit actions > Archive user screen.Include the required field in Suspend Edit screen in Foresight
  3. In the Primary email field, select the User Primary Email variable in the drop down list.
Suspend user
  • Suspend user

After you revoke a leaving employee’s all accesses to their Google account as well as back up their data, it’s time to suspend the account officially. Suspending a user is temporary and reversible to active state, so it’s possible the user account is reactivated at some point. Data remains for a suspended user. Learn more about Suspend a user temporarily.

Steps in Foresight

  1. In the Select an action step, select the Suspend user action to effectively manage user data.Select an action Suspend user action in Foresight
  2. In the Edit actions > Suspend user screen.Add required detail in Suspend User action Edit screen in Foresight
  3. In the Primary email field, select the User Primary Email variable in the drop down list.
Delete user
  • Delete user

Deleting the user account is often the last stop of the offboarding workflow. Once you delete a user, Google will initiate the user data removal process. So use this Deletion user action in Foresight with caution. In Admin Console, this setting is in Users > [hover on a user] > Delete user. Learn more about Delete a user from your organization.

Steps in Foresight

  1. In the Select an action step, simply choose the Delete user action.Select Delete a user action in Foresight
  2. In the Edit actions > Delete user screen.Edit the Screen of Delete user fields in Foresight
  3. In the Primary email field, select the User Primary Email variable in the drop down list.
Notify stakeholders
  • Notify stakeholders

It’s also important to notify yourself and/or stakeholders (e.g. the employee’s manager) as a part of the employee offboarding process. For example, at the beginning of the offboarding process, alert yourself that an employee offboarding process started and at the end of the process, alert yourself and the employee’s manager that the employee is successfully offboarded.

Notifications are sent by emails. So in Foresight, select the Email action.Select Email Action in Foresight

  1. Select the Manager email variable, from a Get user info action which can be obtain in the To field. And it’s up to you to type which emails to be notified.
  2. Fill your content in the Subject and Email body. Fill the Email actions Edit screen with required information

An offboarding workflow with email notifications visualization as follows.

Email notifications before and after the offboarding tasks
Email notifications before and after the offboarding tasks

Schedule offboarding user

Occasionally, the organization assigns a specific departure date to certain employees or contractors. It's possible to schedule a future offboarding workflow in Foresight so that you don't have to remember it.

Create a separate automation rule aside from the offboarding rule. The following setup example is based on the offboarding trigger of User's organizational unit changed.

  1. Log into Foresight.
  2. Go to Rules.
  3. Click the new rule button button to create a new rule.
  4. In the Select a trigger screen, select the Time trigger to schedule offboarding user .Select a Time trigger in Foresight
  5. In the Edit trigger page, choose a future time in the Trigger time field. This is the time to trigger the offboarding process. In the Edit trigger page, choose a future time in the Trigger time field
  6. Click NEXT.
  7. In the Select an action page, select Move user to organizational unit action.Select an action Move user to organizational unit in Foresight
  8. In the Edit actions > Move user to organizational unit page,
  9. In the User primary email field, type the primary email of the user to leave in the future.Edit the screen for Move user to organizational unit action
  10. Click REVIEW.
  11. Name the rule (e.g. Offboard Frank Munoz at February 22).
  12. Click CREATE. Create a rule for offboarding employee
  13. Rule visualization
    Schedule moving user to OU rule
  14. Select the OU used for triggering offboarding in the New organizational unit field. In this article, we select /Deprovision.

Test both rules to see whether the bridge works.

Measuring the Effectiveness of Your Automated Offboarding Workflow

Once you have automated your Google Workspace offboarding workflow, it's important to measure its effectiveness to identify areas for improvement. Here are a some key metrics you can track:

  • Time saved: Measure the time saved by automating the offboarding process compared to the manual process. This metric will help quantify the efficiency gained through automation.
  • Accuracy and completeness: Evaluate the accuracy and completeness of the offboarding tasks performed by automation. Monitor for any errors or missed steps and make adjustments as necessary.
  • User satisfaction: Collect feedback from users involved in the offboarding process to gauge their satisfaction with the automated workflow. Identify any pain points or areas for improvement based on their feedback.
  • Data security: Monitor data security metrics such as access privileges, user permissions, and data breaches to ensure the automated workflow is effectively safeguarding sensitive information.

By regularly measuring these metrics, you can continuously improve your automated offboarding workflow and ensure it aligns with your organization's goals and requirements.

Future Trends

The future of offboarding automation looks promising, with several trends emerging that will shape the way businesses streamline their employee departure processes. Let's delve into some of these trends:

1. Enhanced Employee Experience: Offboarding automation is no longer just about completing paperwork and closing accounts. It is about providing a seamless and positive experience for departing employees.

2. Integration with HR Systems: Offboarding automation will become an integral part of HR systems, enabling organizations to centralize and manage the offboarding process efficiently. By integrating with HR systems, companies can automate tasks such as revoking access rights, transferring knowledge, and initiating exit interviews.

3. Automation of Compliance: Offboarding involves several compliance-related tasks, such as ensuring the return of company property, terminating access to sensitive data, and complying with legal requirements. Automation will streamline these processes, reducing the risk of errors and ensuring compliance with regulations.

4. Seamless Knowledge Transfer: Offboarding automation will focus on facilitating knowledge transfer from departing employees to their successors. With the help of automation tools, organizations can capture and transfer critical knowledge, ensuring a seamless transition for both the departing employee and their replacement.

Conclusion

The Foresight tool for Automating Offboarding Processes offers a transformative solution for companies seeking to optimize their offboarding procedures. By automating manual tasks, ensuring compliance, and providing valuable insights, this tool empowers organizations to achieve greater efficiency, security, and employee satisfaction.

Foresight will not stop here but keep evolving to support more user deprovisioning tasks, which may include but not limit to

  • Transfer out the ownership of groups
  • Wipe user's managed mobile devices

This article will be updated as new features are integrated in Foresight.

Try a 14-day free trial with Foresight and manage your tasks. 

If you have ideas, please leave your comments in the Foresight community. You may also like