This article is written for Google Workspace administrators, we will explore how to automate offboarding workflows in Google Workspace. When it comes to managing employee departures, offboarding workflows play a crucial role in ensuring a smooth transition and maintaining data security. However, manually handling the offboarding process can be time-consuming, error-prone, and cumbersome. This is where automation comes into play. By automating your Google Workspace offboarding workflow, you can streamline the process, reduce human error, and improve overall efficiency.

Benefits of how to automate offboarding workflows in Google Workspace 

  • Firstly, it saves valuable time and resources by eliminating the need for manual intervention at every step. With automation, tasks such as revoking access to applications, transferring files, and updating user information can be performed automatically, reducing the burden on IT teams. This allows them to focus on more strategic initiatives rather than getting caught up in mundane administrative tasks.
  • Secondly, automation ensures consistency and accuracy in the offboarding process. Human error can lead to overlooked steps or incomplete actions, potentially compromising data security. By automating the workflow, you can ensure that every offboarding task is carried out consistently and accurately, minimizing the risk of security breaches or data leaks.

Common Challenges in Offboarding Workflows

Before diving into the steps to automate your Google Workspace offboarding workflow, it's important to understand the common challenges organizations face in this process. One of the key challenges is the manual nature of the offboarding process, which can be time-consuming and prone to errors. Manually revoking access to various applications and updating user information across multiple systems can be a tedious and error-prone task

Another challenge is the lack of a standardized offboarding process. Different departments or teams may have their way of handling offboarding, leading to inconsistencies and confusion. This lack of standardization can result in missed steps or incomplete offboarding, leaving potential security gaps.

Additionally, the offboarding process often involves multiple stakeholders, such as HR, IT, and managers. Coordinating and communicating between these different teams can be challenging, causing delays and miscommunication. Automation can help address these challenges by providing a centralized and standardized offboarding workflow that can be easily managed and tracked by all stakeholders.

Key Steps to Automate Your Google Workspace Offboarding Workflow

To automate your Google Workspace offboarding workflow effectively, follow these key steps:

  • Assess and map your current offboarding process: Start by understanding your existing offboarding process and identifying areas that can be automated. Document the current workflow, including all the tasks and stakeholders involved.
  • Identify the tasks suitable for automation: Analyze each task in the offboarding process and determine which tasks can be automated. Tasks such as disabling user accounts, transferring files, and revoking access to applications are good candidates for automation..
  • Design and implement the automated workflow: Once you have selected the automation tools, design the automated offboarding workflow. Define the sequence of tasks, the triggering events, and the conditions for each task to be executed.
  • Test and refine the automated workflow: Before fully implementing the automated workflow, thoroughly test it to ensure it functions as intended. Identify any issues or bottlenecks and refine the workflow accordingly.
  • Train and educate stakeholders: Provide training and education to all stakeholders involved in the offboarding process. Ensure they understand the new automated workflow, their roles and responsibilities, and how to use the automation tools effectively.
  • Monitor and evaluate the automated workflow: Regularly monitor and evaluate the automated offboarding workflow to identify any areas for improvement. Collect feedback from stakeholders and make necessary adjustments to optimize the workflow.

By following these steps, you can effectively automate your Google Workspace offboarding workflow and reap the benefits of improved efficiency and data security.

Tools and Software for Automating Offboarding Processes

We are excited to share with you a groundbreaking solution that will revolutionize the offboarding process for companies.

Introducing the Foresight tool for Automating Offboarding Processes, a game-changing technology designed to streamline and automate the entire offboarding journey.

With the Foresight tool, companies can automate and optimize their offboarding procedures, saving valuable time and resources. By leveraging advanced technologies this tool can analyze a wide range of data points and intelligently guide the offboarding process.

Best Practices for Successful Automation of Offboarding Workflows

To ensure the successful automation of your Google Workspace offboarding workflow, consider the following best practices:

  • Standardize your offboarding process: Establish a standardized offboarding process that is followed consistently across the organization. This will help streamline the automation process and ensure that all necessary steps are covered.
  • Collaborate with all stakeholders: Involve all stakeholders, including HR, IT, and managers, in the design and implementation of the automated workflow. Collaboration and communication between different teams are essential for a successful offboarding automation initiative.
  • Regularly update and maintain user information: Keep user information up to date to ensure accurate automation. Regularly review and update user profiles, roles, and access privileges to reflect any changes in the organization.
  • Test and validate the automated workflow: Thoroughly test the automated workflow before deploying it to ensure it functions as intended. Validate the workflow with different scenarios and make necessary adjustments to optimize its performance.

By following these best practices, you can maximize the benefits of automating your Google Workspace offboarding workflow and ensure a smooth and efficient offboarding process.

This article will guide you to automate your employee off-board process using Foresight, a workflow automation building tool designed for Google Workspace.

Demo: Google Workspace Offboarding with Foresight Automation

This following video is an oversimplified offboarding workflow on Foresight. When the employee Ed Lobo is moved to organizational unit /Deprovision, Foresight automatically deletes his recovery phone, deletes the recovery email, resets the password, deletes all email aliases, and suspends him.

Instructions

In Foresight, an automation rule consists of one trigger and one or more actions. In plain English, when something happens, then do this, this and this. An off-boarding process can be described as, When the leaving employee is added to the organizational unit Deprovision, then delete the user's recovery phone, then delete the user's recovery email, then ..., then revoke all accesses of third party apps, and it's done!

Foresight is a flexible automation building tool with many pieces ready for you to construct your own workflow. The following is one workflow setup for you reference.

  1. Create an organizational unit called Deprovision in Admin Console. This organizational unit will be referenced in the trigger.
  2. Log into Foresight.
  3. Go to Rules.
  4. Click the new rule button button to create an automation rule.
  5. In the Select a trigger page, select User's organizational unit changed trigger.
  6. In the Edit trigger page, configure the fields as described in the article section User's organizational unit changed.
  7. Click NEXT.
  8. In the Select an action page, select Update recovery phone.
  9. In the Edit actions > Update recovery phone page, configure the fields as described in the article section Delete recovery phone.
  10. Click ADD NEXT ACTION. This adds a subsequent action into the chain.
  11. Repeat steps 8-10 for other off-boarding actions listed below.
  12. Once all the actions are added, click REVIEW.
  13. Give the automation rule a name, e.g. User offboard workflow.
  14. Click CREATE.
  15. Your automation workflow may look like
    User offboarding workflow

The trigger to off-board a user

To trigger the user deprovisioning workflow, choose one of the following recommended triggers. You can find more triggers in Foresight Trigger List.

User's organizational unit changed

An off-board process can also be initiated by moving the employee account to a specific organizational unit (OU). For example, if a user is moved to the OU named Your domain > Deprovision, the user will be automatically off-boarded.

Steps in Foresight

  1. In the Select a trigger step, select User’s organizational unit changed trigger.
  2. In the Edit trigger step,
    edit user's organizational unit changed trigger
    • Sign in with Google
    • In the New organizational unit field, select the new OU you use for deprovisioned users. The OU is displayed in the form of Organizational Unit Path.
Group member added

An off-board process can be initiated by adding the employee account into a specific group. For example, if a user is added to the Group named Deprovision, the user will be automatically off-boarded.

Steps in Foresight

  1. In the Select a trigger step, select Group member added trigger.
  2. In the Edit trigger step,
    Group member added configuration for off-board
    • Sign in with Google
    • In the Group field, select the group you use for deprovisioned users.

Additional notes

If you also integrate the Remove user from all groups action after this trigger in the offboarding workflow, the user will be removed again from the group you just added the user as member of.

Action list to offboard a user

The actions below follow no strict order. Pick actions that matter to your Google Workspace administrations. Having that said, the Suspend user and Delete user actions are recommended to put in the end of the offboard workflow, because some actions assume an active user and would fail and break the workflow if the user has already been suspended.

  • Delete recovery phone

A recovery phone number enables your ex-employee to recover their old account, even you have reset their password. Remove the recovery phone so they can't use the password recovery feature. In Admin Console, this setting is in Users > [user's name] > Security > Recovery information > Phone.

Steps in Foresight

  1. In the Select an action step, select Update recovery phone action.
  2. In the Edit actions > Update recovery phone page,
    Edit Update recovery phone action
  3. Sign in with Google
  4. In the User primary email field, select the User Primary Email variable from the drop down list.
  5. Leave the Phone number field empty.
  • Delete recovery email

Like the recovery phone number, a recovery email serves the same purpose of recovering a user account when the user forgets the password or was locked out.

To prevent your ex-employees from unauthorized access after they leave your organization, you need to remove their recovery email from your Google Workspace domain. In Admin Console, this setting is in Users > [user's name] > Security > Recovery information > Email.

Steps in Foresight

  1. In the Select an action step, select Update recovery email action.
  2. In the Edit actions > Update recovery email step,
    Edit Update recovery email action
  3. Sign in with Google
  4. In the User primary email field, select the User Primary Email variable in the drop down list.
  5. Leave the Recovery email field empty.
  • Revoke third-party application accesses

Your employees may have used their Google Workspace accounts for logging in third-party applications (for example, Google Workspace Marketplace apps). If so, these applications continue to hold the access key to your organizational data unless your user or you explicitly revokes the access. In Admin Console, this setting is in Users > [user's name] > Security > Connected applications. Learn more about View and remove access to third-party applications.

Removing the access to an app doesn't prevent your ex-employee to reauthorize it if they still can log into their Google account.

Steps in Foresight

  1. In the Select an action step, select Delete user tokens action.
  2. In the Edit actions > Delete user tokens step,
    Edit Delete user tokens action
  3. Sign in with Google
  4. In the User primary email field, select the User Primary Email variable in the drop down list.
  5. Check the Delete all checkbox. This will automate revoking all accesses to all connected applications for the given user.
  • Reset user password

Resetting your leaving employee's password can greatly reduce the risk of malicious access to their old account. Changing a user's password also revokes the accesses for third-party applications. Thus, this is an important task in the user off-boarding process. In Admin Console, resetting a user's password is done by Users > [Hover on a user] > Reset password. Learn more about Reset a user's password.

Steps in Foresight

  1. In the Select an action step, select Reset user password action.
  2. In the Edit actions > Reset user password step
    Edit Reset user password action
  3. Sign in with Google
  4. In the User primary email field, select the User Primary Email variable in the drop down list.
  5. In the New password field, input a new password for your leaving employee's account. Notes: The password is hashed with a strong algorithm before sending to Google. Once you save the automation rule, this password is never returned to you, so keep the password in secret.
  6. For the Require a password change at the next sign-in checkbox, it's up to you.
  • Reset user sign-in cookies

A reset of user sign-in cookies forces users to be logged out from all devices and browsers. This mitigates the risks of unauthorized accesses from devices of leaving employees. That said, this is not a security solution for your ex-employees because they can still gain access to their user account by logging again using the old password.

To have the action complete successfully, the target user must be active.

Steps in Foresight

  1. In the Select an action step, select Reset user sign-in cookies action.
  2. In the Edit actions > Reset user sign-in cookies step,
    Reset user sign-in cookies action configuration
  3. Sign in with Google
  4. In the Primary email field, select the User Primary Email variable in the drop down list.
  • Revoke 2-Step Verification (2SV) backup codes

2SV puts an extra protection against unauthorized access when the username and password were stolen. Backup codes are one of 2SV methods. If a leaving employee still hold their password and the backup codes, it's possible for them to sneak in their old account. The old backup codes need to be revoked when they leave the organization. In Admin Console, the closest setting is in Users > [user's name] > Security > 2-step verification. Learn more about Use backup codes for account recovery.

Steps in Foresight

  1. In the Select an action step, select Invalidate backup codes action.
  2. In the Edit actions > Invalidate backup codes page,
    Edit Invalidate backup codes action
  3. Sign in with Google
  4. In the User primary email field, select the User Primary Email variable in the drop-down list.
  • Revoke App Passwords

An App Password is a 16-digit passcode used for less secure apps to access your Google account when the Sign in with Google is not an option in those apps. This is an uncommon security setting in modern apps. If so, in Admin Console, the setting is in Users > [user's name] > Security > Application-specific password. Learn more about Sign in with App Passwords.

Steps in Foresight

  1. In the Select an action step, select Delete app passwords action.
  2. In the Edit actions > Delete app passwords page,
    Edit Delete app passwords action
  3. Sign in with Google
  4. In the User primary email field, select the User Primary Email variable in the drop down list.
  5. Check the Delete all checkbox. This will automate revoking all app passwords for the given user.
  • Delete all user email aliases

Email aliases are a helpful way to receive emails sent to multiple email addresses in one Gmail account. If an employee leaves, these email aliases shall go away and/or be transferred to other employees. In Admin Console, this setting is in Users > [user's name] > User information > Email aliases. Learn more about Google Workspace email aliases.

Steps in Foresight

  1. In the Select an action step, select Delete user email alias action.
  2. In the Edit actions > Delete user email alias page,
    Edit Delete user email alias action
  3. Sign in with Google
  4. In the Primary email field, select the User Primary Email variable in the drop down list.
  5. Check the Delete all checkbox. This will automate deleting all user email aliases.
  • Revoke Super Admin role

If your leaving employee is also a Super Admin, you should withdraw their super admin privileges for data security.

The Update super admin status action either assigns a Super Admin role to a user or revoke the user's Super Admin role. For offboarding workflows, we will use it to revoke the admin role.

Steps in Foresight

  1. In the Select an action step, select Update super admin status action.
  2. In the Edit actions > Update super admin status tab,
    Update super admin status action
  3. Sign in with Google
  4. In the Primary email field, select the User Primary Email variable in the drop-down list.
  5. Switch off to Revoke Super Admin.
  • Hide user in the directory

When a user leaves the organization, their contact information shall be hidden in the organizational directory, so that other users will notice the personnel change. Once a user is hidden in Directory, their profile information no longer appears in email auto-completion, contacts manager or cloud search results. Learn more about Hide a user from the Directory.

Steps in Foresight

  1. In the Select an action step, select Update user directory sharing action.
  2. In the Edit actions > Update user directory sharing tab,
    Update user directory sharing action in Foresight
  3. Sign in with Google
  4. In the Primary email field, select the User Primary Email variable in the drop down list.
  5. Switch off to Hide user in the directory.
  • Remove user from all groups

It's necessary to withdraw the ex-employee's memberships from all Google Groups so that the group shared resources can shield from illegitimate access by the user, e.g. shared drives and files.

It's manually doable to remove the user from all groups in Admin Console. See View a user's group memberships. Alternatively, it can be fully automated with Foresight as part of the offboarding workflow.

Steps in Foresight

  1. In the Select an action step, select Remove user from all groups action.
  2. In the Edit actions > Remove user from all groups tab,
    Remve user from all groups action in Foresight
  3. Sign in with Google
  4. In the Primary email field, select the User Primary Email variable in the drop down list.

Additional notes

The Remove user from all groups action will revoke the user's memberships regardless of user's role in a group. Therefore, it's possible the group will lost the owner if the user was the only owner. You may need to review the groups after the automation.

If you chose the Group member added trigger as the entry point of offboarding workflow, the user will be removed again from the group you just added the user as member of.

  • Create data transfer request

An employee had stored GBs of work data in their Drive, with some key information privately owned. They are all properties of the company. It's wise to transfer the Drive data ownership to the manager before the account is deleted.

Use the Create data transfer request action to initiate a long-run process to transfer Drive data, Calendar, Brand Accounts and Data Studio data to another active user, e.g. the direct manager of a leaving employee. The action is close to the Transfer user's data option page in Google Workspace Admin Console when you delete a user.

Steps in Foresight

  1. In the Select an action step, select Create data transfer request action.
  2. In the Edit actions > Create data transfer request tab,
    Create data transfer request action in Foresight
  3. Sign in with Google
  4. In the From user field, select the User Primary Email variable in the drop down list.
  5. In the To user field, input the new owner's email address. To set the direct manager, add a Get user info action before this Create data transfer request action and select the Manager Email variable in the drop down list.
  6. In the Select data to transfer field, check the application data to be transferred.

Additional notes

The Create data transfer request action only kicks off a long run process to transfer data from the old owner to a new owner. The time to complete the process depends on the size of the to-be-transferred data.

  • Archive user

After you revoke a leaving employee's all accesses to their Google account, it's time to archive user account. Unlike deleting a user, archiving a user does not clear the user data. However, archiving users require Archived User (AU) licenses. The license fee is cheaper than active user accounts. Learn more about archiving users in Google Admin.

Steps in Foresight

  • In the Select an action step, select Archive user action.
  • In the Edit actions > Archive user page,
    Foresight archive user action
  • Sign in with Google
  • In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.
  • Suspend user

After you revoke a leaving employee's all accesses to their Google account as well as back up their data, it's time to suspend the account officially. Suspending a user is temporary and reversible to active state, so it's possible the user account is reactivated at some point. Data remains for a suspended user. Learn more about Suspend a user temporarily.

Steps in Foresight

  1. In the Select an action step, select Suspend user action.
  2. In the Edit actions > Suspend user page,
    Edit Suspend user action
  3. Sign in with Google
  4. In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.
  • Delete user

Deleting the user account is often the last stop of the offboarding workflow. Once you delete a user, Google will initiate the user data removal process. So use this Deletion user action in Foresight with caution. In Admin Console, this setting is in Users > [hover on a user] > Delete user. Learn more about Delete a user from your organization.

Steps in Foresight

  1. In the Select an action step, select Delete user action.
  2. In the Edit actions > Delete user page,
    Edit Delete user action in Foresight
  3. Sign in with Google
  4. In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.
  • Notify stakeholders

It's also important to notify yourself and/or stakeholders (e.g. the employee's manager) as a part of the employee offboarding process. For example, at the beginning of the offboarding process, alert yourself that an employee offboarding process started and at the end of the process, alert yourself and the employee's manager that the employee is successfully offboarded.

Notifications are sent by emails. In Foresight, use the Email action.
Email action in employee offboard process

  1. Sign in with Google
  2. In the To field, type {{ and select the Manager email variable, which can be obtained from a Get user info action. And it's up to you to type which emails to be notified.
  3. Fill your content in the Subject and Email body.

An offboarding workflow with email notifications can be visualized as follows.

Email notifications before and after the offboarding tasks
Email notifications before and after the offboarding tasks

Schedule offboarding user

From time to time, some employees or contractors are given a designated date to leave the organization. It's possible to schedule a future offboarding workflow in Foresight so that you don't have to remember it.

Create a separate automation rule aside from the offboarding rule. The following setup example is based on the offboarding trigger of User's organizational unit changed.

  1. Log into Foresight.
  2. Go to Rules.
  3. Click the new rule button button to create a new rule.
  4. In the Select a trigger page, select Time trigger.
  5. In the Edit trigger page, choose a future time in the Trigger time field. This is the time to trigger the offboarding process.
  6. Click NEXT.
  7. In the Select an action page, select Move user to organizational unit action.
  8. In the Edit actions > Move user to organizational unit page,
    1. Sign in with Google
    2. In the User primary email field, type the primary email of the user to leave in the future.
    3. In the New organizational unit field, select the OU that's used for triggering offboarding. In this article, we select /Deprovision.
  9. Click REVIEW.
  10. Name the rule (e.g. Offboard Frank Munoz at May 1).
  11. Click CREATE.
  12. The rule is visualized like this
    Schedule moving user to OU rule

Test both rules to see whether the bridge works.

Measuring the Effectiveness of Your Automated Offboarding Workflow

Once you have automated your Google Workspace offboarding workflow, it's important to measure its effectiveness to identify areas for improvement. Here are a some key metrics you can track:

  • Time saved: Measure the time saved by automating the offboarding process compared to the manual process. This metric will help quantify the efficiency gained through automation.
  • Accuracy and completeness: Evaluate the accuracy and completeness of the offboarding tasks performed by automation. Monitor for any errors or missed steps and make adjustments as necessary.
  • User satisfaction: Collect feedback from users involved in the offboarding process to gauge their satisfaction with the automated workflow. Identify any pain points or areas for improvement based on their feedback.
  • Data security: Monitor data security metrics such as access privileges, user permissions, and data breaches to ensure the automated workflow is effectively safeguarding sensitive information.

By regularly measuring these metrics, you can continuously improve your automated offboarding workflow and ensure it aligns with your organization's goals and requirements.

Future Trends

The future of offboarding automation looks promising, with several trends emerging that will shape the way businesses streamline their employee departure processes. Let's delve into some of these trends:

1. Enhanced Employee Experience: Offboarding automation is no longer just about completing paperwork and closing accounts. It is about providing a seamless and positive experience for departing employees.

2. Integration with HR Systems: Offboarding automation will become an integral part of HR systems, enabling organizations to centralize and manage the offboarding process efficiently. By integrating with HR systems, companies can automate tasks such as revoking access rights, transferring knowledge, and initiating exit interviews.

3. Automation of Compliance: Offboarding involves several compliance-related tasks, such as ensuring the return of company property, terminating access to sensitive data, and complying with legal requirements. Automation will streamline these processes, reducing the risk of errors and ensuring compliance with regulations.

4. Seamless Knowledge Transfer: Offboarding automation will focus on facilitating knowledge transfer from departing employees to their successors. With the help of automation tools, organizations can capture and transfer critical knowledge, ensuring a seamless transition for both the departing employee and their replacement.

Conclusion

The Foresight tool for Automating Offboarding Processes offers a transformative solution for companies seeking to optimize their offboarding procedures. By automating manual tasks, ensuring compliance, and providing valuable insights, this tool empowers organizations to achieve greater efficiency, security, and employee satisfaction.

Foresight will not stop here but keep evolving to support more user deprovisioning tasks, which may include but not limit to

  • Transfer out the ownership of groups
  • Wipe user's managed mobile devices

This article will be updated as new features are integrated in Foresight.

If you have ideas, please leave your comments in the Foresight community. You may also like