This article is written for Google Workspace administrators.

Do you still off-board employees by hand in the Admin Console when they leave the company? That process is clunky: you have to pull a series of separate security plugs one at a time, because Google offers best-practice guidance rather than a single off-boarding feature.

Streamlining the off-boarding process is critical for your organization. IT staff are responsible for the organization's data security, which includes making sure ex-employees cannot access company data after they leave.

This article walks you through automating employee off-boarding with Foresight, a workflow automation tool built for Google Workspace.

Demo: Google Workspace Offboarding with Foresight Automation

The following video shows a deliberately simplified offboarding workflow in Foresight. When the employee Ed Lobo is moved to the organizational unit /Deprovision, Foresight automatically deletes his recovery phone and recovery email, resets his password, deletes all his email aliases, and suspends the account.

Instructions

In Foresight, an automation rule consists of one trigger and one or more actions: when something happens, do this, this and this. An off-boarding process reads as: when the leaving employee is added to the organizational unit Deprovision, delete the user's recovery phone, then delete the user's recovery email, then ..., then revoke all third-party app access, and it's done.

Foresight is a flexible automation builder with many ready-made pieces from which to construct your own workflow. The following is one workflow setup for your reference.

  1. Create an organizational unit called Deprovision in Admin Console. This organizational unit will be referenced in the trigger.
  2. Log into Foresight.
  3. Go to Rules.
  4. Click the new rule button to create an automation rule.
  5. In the Select a trigger page, select User's organizational unit changed trigger.
  6. In the Edit trigger page, configure the fields as described in the article section User's organizational unit changed.
  7. Click NEXT.
  8. In the Select an action page, select Update recovery phone.
  9. In the Edit actions > Update recovery phone page, configure the fields as described in the article section Delete recovery phone.
  10. Click ADD NEXT ACTION. This adds a subsequent action into the chain.
  11. Repeat steps 8-10 for other off-boarding actions listed below.
  12. Once all the actions are added, click REVIEW.
  13. Give the automation rule a name, e.g. User offboard workflow.
  14. Click CREATE.
  15. Your automation workflow may then look like this:
    User offboarding workflow

The trigger to off-board a user

To trigger the user deprovisioning workflow, choose one of the following recommended triggers. You can find more triggers in Foresight Trigger List.

User's organizational unit changed

An off-boarding process can be initiated by moving the employee's account to a specific organizational unit (OU). For example, if a user is moved to the OU Your domain > Deprovision, the user is automatically off-boarded.

Steps in Foresight

  1. In the Select a trigger step, select User’s organizational unit changed trigger.
  2. In the Edit trigger step,
    edit user's organizational unit changed trigger
    • Sign in with Google
    • In the New organizational unit field, select the OU you use for deprovisioned users. OUs are displayed as organizational unit paths, e.g. /Deprovision.

Group member added

An off-boarding process can also be initiated by adding the employee's account to a specific group. For example, if a user is added to the group named Deprovision, the user is automatically off-boarded.

Steps in Foresight

  1. In the Select a trigger step, select Group member added trigger.
  2. In the Edit trigger step,
    Group member added configuration for off-board
    • Sign in with Google
    • In the Group field, select the group you use for deprovisioned users.

Additional notes

If the workflow also includes the Remove user from all groups action, that action will remove the user from the Deprovision group as well, i.e. from the very group you added the user to in order to start the workflow.

Action list to offboard a user

The actions below follow no strict order; pick the ones that matter to your Google Workspace administration. That said, put the Suspend user and Delete user actions at the end of the workflow: some actions assume an active user and would fail, and break the chain, if the user has already been suspended.

Delete recovery phone

A recovery phone number lets your ex-employee recover their old account even after you have reset their password. Remove the recovery phone so they cannot use the password recovery flow. In Admin Console, this setting is in Users > [user’s name] > Security > Recovery information > Phone.

Steps in Foresight

  1. In the Select an action step, select Update recovery phone action.
  2. In the Edit actions > Update recovery phone page,
    Edit Update recovery phone action
    • Sign in with Google
    • In the User primary email field, select the User Primary Email variable from the drop-down list.
    • Leave the Phone number field empty.

Delete recovery email

Like the recovery phone number, a recovery email lets a user regain access to the account when they forget the password or are locked out.

To prevent ex-employees from regaining access after they leave your organization, remove the recovery email from their account. In Admin Console, this setting is in Users > [user’s name] > Security > Recovery information > Email.

Steps in Foresight

  1. In the Select an action step, select Update recovery email action.
  2. In the Edit actions > Update recovery email step,
    Edit Update recovery email action
    • Sign in with Google
    • In the User primary email field, select the User Primary Email variable in the drop down list.
    • Leave the Recovery email field empty.

Revoke third-party application access

Your employees may have used their Google Workspace accounts to sign in to third-party applications (for example, Google Workspace Marketplace apps). If so, those applications keep holding OAuth tokens that grant access to your organization's data until the user or you explicitly revoke them. In Admin Console, this setting is in Users > [user’s name] > Security > Connected applications. Learn more about View and remove access to third-party applications.

Revoking an app's access does not prevent your ex-employee from re-authorizing it as long as they can still sign in to their Google account, which is why this action belongs alongside the password reset and suspension below.

Steps in Foresight

  1. In the Select an action step, select Delete user tokens action.
  2. In the Edit actions > Delete user tokens step,
    Edit Delete user tokens action
    • Sign in with Google
    • In the User primary email field, select the User Primary Email variable in the drop down list.
    • Check the Delete all checkbox. This revokes access for every application connected to the given user.

Reset user password

Resetting the leaving employee’s password greatly reduces the risk of someone signing in to the old account. Note that a password change invalidates only some third-party tokens (Google documents this for tokens that carry Gmail scopes), so keep the Delete user tokens action in the workflow as well. In Admin Console, you reset a user’s password via Users > [Hover on a user] > Reset password. Learn more about Reset a user’s password.

Steps in Foresight

  1. In the Select an action step, select Reset user password action.
  2. In the Edit actions > Reset user password step
    Edit Reset user password action
    • Sign in with Google
    • In the User primary email field, select the User Primary Email variable in the drop down list.
    • In the New password field, enter a new password for the leaving employee’s account. Because the rule applies this same password to every account it off-boards, keep it secret and use a long random value; nobody should need to sign in with it. Note: Foresight hashes the password before sending it to Google, and once you save the automation rule the password is never shown to you again.
    • The Require a password change at the next sign-in checkbox is optional.

Reset user sign-in cookies

Resetting a user's sign-in cookies signs the user out of all devices and browsers. This mitigates the risk of access from devices the leaving employee still holds. On its own it is not a security measure against the ex-employee, though: unless the password has been reset, they can simply sign in again with the old one.

For the action to complete successfully, the target user must be active (not suspended).

Steps in Foresight

  1. In the Select an action step, select Reset user sign-in cookies action.
  2. In the Edit actions > Reset user sign-in cookies step,
    Reset user sign-in cookies action configuration
    • Sign in with Google
    • In the Primary email field, select the User Primary Email variable in the drop-down list.

Revoke 2-Step Verification (2SV) backup codes

2SV adds a layer of protection against unauthorized access when the username and password have been stolen. Backup codes are one of the 2SV methods. If a leaving employee still holds their password and backup codes, they could sneak back into their old account, so the old backup codes must be invalidated when they leave. In Admin Console, the closest setting is in Users > [user’s name] > Security > 2-step verification. Learn more about Use backup codes for account recovery.

Steps in Foresight

  1. In the Select an action step, select Invalidate backup codes action.
  2. In the Edit actions > Invalidate backup codes page,
    Edit Invalidate backup codes action
    • Sign in with Google
    • In the User primary email field, select the User Primary Email variable in the drop-down list.

Revoke App Passwords

An App Password is a 16-digit passcode that lets less secure apps access a Google account when Sign in with Google is not available in them. Few modern apps need one, but if any were issued they must be revoked. In Admin Console, the setting is in Users > [user’s name] > Security > Application-specific password. Learn more about Sign in with App Passwords.

Steps in Foresight

  1. In the Select an action step, select Delete app passwords action.
  2. In the Edit actions > Delete app passwords page,
    Edit Delete app passwords action
    • Sign in with Google
    • In the User primary email field, select the User Primary Email variable in the drop down list.
    • Check the Delete all checkbox. This revokes all app passwords for the given user.

Delete all user email aliases

Email aliases let one Gmail account receive mail sent to several addresses. When an employee leaves, these aliases should be removed or reassigned to other employees. In Admin Console, this setting is in Users > [user’s name] > User information > Email aliases. Learn more about Google Workspace email aliases.

Steps in Foresight

  1. In the Select an action step, select Delete user email alias action.
  2. In the Edit actions > Delete user email alias page,
    Edit Delete user email alias action
    • Sign in with Google
    • In the Primary email field, select the User Primary Email variable in the drop down list.
    • Check the Delete all checkbox. This deletes all of the user's email aliases.

Revoke Super Admin role

If the leaving employee is also a Super Admin, revoke their Super Admin privileges.

The Update super admin status action either grants a user the Super Admin role or revokes it. In an offboarding workflow it is used to revoke the role.

Steps in Foresight

  1. In the Select an action step, select Update super admin status action.
  2. In the Edit actions > Update super admin status tab,
    Update super admin status action
    • Sign in with Google
    • In the Primary email field, select the User Primary Email variable in the drop-down list.
    • Switch the toggle off to revoke Super Admin.

Hide user in the directory

When a user leaves the organization, their contact information should be hidden from the directory so that colleagues are not misled into contacting them. Once a user is hidden in the Directory, their profile information no longer appears in email auto-completion, the contacts manager or Cloud Search results. Learn more about Hide a user from the Directory.

Steps in Foresight

  1. In the Select an action step, select Update user directory sharing action.
  2. In the Edit actions > Update user directory sharing tab,
    Update user directory sharing action in Foresight
    • Sign in with Google
    • In the Primary email field, select the User Primary Email variable in the drop down list.
    • Switch the toggle off to hide the user in the directory.

Remove user from all groups

Withdraw the ex-employee’s membership in all Google Groups so that resources shared with those groups, e.g. shared drives and files, are no longer reachable from the account.

You can remove the user from all groups by hand in Admin Console; see View a user’s group memberships. Alternatively, Foresight can do it for you as part of the offboarding workflow.

Steps in Foresight

  1. In the Select an action step, select Remove user from all groups action.
  2. In the Edit actions > Remove user from all groups tab,
    Remove user from all groups action in Foresight
    • Sign in with Google
    • In the Primary email field, select the User Primary Email variable in the drop down list.

Additional notes

The Remove user from all groups action revokes the user’s memberships regardless of their role in each group, so a group may be left without an owner if the user was its only owner. Review the affected groups after the automation runs.

If you chose the Group member added trigger as the entry point of the offboarding workflow, this action also removes the user from the very group you added them to in order to start it.

Create data transfer request

Employees accumulate gigabytes of work data in Drive, some of it owned and shared by nobody else. All of it belongs to the company, so transfer ownership of the Drive data to the manager before the account is deleted.

Use the Create data transfer request action to start a long-running process that transfers Drive, Calendar, Brand Accounts and Data Studio data to another active user, e.g. the direct manager of the leaving employee. The action corresponds to the Transfer user’s data option that the Google Workspace Admin Console offers when you delete a user.

Steps in Foresight

  1. In the Select an action step, select Create data transfer request action.
  2. In the Edit actions > Create data transfer request tab,
    Create data transfer request action in Foresight
    • Sign in with Google
    • In the From user field, select the User Primary Email variable in the drop down list.
    • In the To user field, input the new owner’s email address. To set the direct manager, add a Get user info action before this Create data transfer request action and select the Manager Email variable in the drop down list.
    • In the Select data to transfer field, check the application data to be transferred.

Additional notes

The Create data transfer request action only starts a long-running transfer from the old owner to the new one. How long it takes depends on the amount of data to be transferred, so check that the transfer has completed before deleting the account.

Archive user

After you have revoked all of the leaving employee’s access to their Google account, you can archive the account. Unlike deleting a user, archiving keeps the user's data, but it requires an Archived User (AU) license, which costs less than an active user license. Learn more about archiving users in Google Admin.

Steps in Foresight

  1. In the Select an action step, select Archive user action.
  2. In the Edit actions > Archive user page,
    Foresight archive user action
    • Sign in with Google
    • In the Primary email field, type {{ and select the User Primary Email variable in the drop-down list.

Suspend user

After you have revoked all of the leaving employee’s access to their Google account and secured their data, it is time to suspend the account. Suspension is temporary and reversible, so the account can be reactivated later; a suspended user's data is retained. Learn more about Suspend a user temporarily.

Steps in Foresight

  1. In the Select an action step, select Suspend user action.
  2. In the Edit actions > Suspend user page,
    Edit Suspend user action
    • Sign in with Google
    • In the Primary email field, type {{ and select the User Primary Email variable in the drop-down list.

Delete user

Deleting the user account is usually the last step of the offboarding workflow. Once you delete a user, Google starts removing the user's data (a deleted account can be restored only for a limited period, which Google documents as 20 days), so use the Delete user action with caution and only after any data transfer has completed. In Admin Console, this is done via Users > [hover on a user] > Delete user. Learn more about Delete a user from your organization.

Steps in Foresight

  1. In the Select an action step, select Delete user action.
  2. In the Edit actions > Delete user page,
    Edit Delete user action in Foresight
    • Sign in with Google
    • In the Primary email field, type {{ and select the User Primary Email variable in the drop down list.
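
The whole chain above, expressed as code. This is an added example, not Foresight's or Google's code: the actions run against an in-memory FakeDirectory class (an assumption; it only mimics the Directory API field names and the one ordering rule the article relies on, that signing a user out needs an active account) and a constructed sample user, so it runs offline. The trailing comments name the Admin SDK Directory API method each Foresight action maps to. The chain is validated before the first action touches the account, the password is generated rather than typed, and the Remove user from all groups step takes a keep set for the Group member added caveat noted earlier.

```python
"""Added example (not Foresight's code): the offboarding chain above, run against
an in-memory stand-in for the Admin SDK Directory API so that it works offline."""
import secrets
from dataclasses import dataclass, field

DEPROVISION_OU = "/Deprovision"            # OU referenced by the trigger


@dataclass
class User:                                # constructed sample account state
    email: str
    org_unit: str = "/Sales"
    password: str = "old-password"
    recovery_phone: str = "+15550100100"
    recovery_email: str = "personal@example.net"
    aliases: list = field(default_factory=lambda: ["ed@example.com"])
    tokens: list = field(default_factory=lambda: ["oauth-client-a"])   # connected apps
    asps: list = field(default_factory=lambda: ["asp-1"])              # app passwords
    groups: list = field(default_factory=lambda: ["sales@example.com", "all@example.com"])
    backup_codes_valid: bool = True
    is_admin: bool = True
    in_gal: bool = True                    # includeInGlobalAddressList
    sessions: int = 3                      # signed-in browsers and devices
    suspended: bool = False


class FakeDirectory:
    """Assumed stand-in for directory_v1; it mimics field names and the one
    ordering rule the article relies on (signOut needs an active user)."""
    def __init__(self, *users):
        self.users = {u.email: u for u in users}

    def update(self, email, **fields):     # users.update
        for name, value in fields.items():
            setattr(self.users[email], name, value)

    def sign_out(self, email):             # users.signOut
        if self.users[email].suspended:    # the real call fails on a suspended user
            raise RuntimeError(f"{email} is suspended; signOut needs an active user")
        self.users[email].sessions = 0


# One function per Foresight action, each taking (directory, primary_email);
# the trailing comment names the Directory API call the action corresponds to.
def delete_recovery_info(d, e):            # users.update: recoveryPhone/recoveryEmail = ""
    d.update(e, recovery_phone="", recovery_email="")
def delete_user_tokens(d, e):              # tokens.delete for every connected app
    d.users[e].tokens.clear()
def reset_password(d, e):                  # users.update: password
    # Generate it rather than type it: nobody needs to sign in with it.
    d.update(e, password=secrets.token_urlsafe(24))
def sign_out(d, e):                        # users.signOut (Reset user sign-in cookies)
    d.sign_out(e)
sign_out.needs_active = True               # per the article: target user must be active
def invalidate_backup_codes(d, e):         # verificationCodes.invalidate
    d.update(e, backup_codes_valid=False)
def delete_app_passwords(d, e):            # asps.delete for every app password
    d.users[e].asps.clear()
def delete_aliases(d, e):                  # users.aliases.delete for every alias
    d.users[e].aliases.clear()
def revoke_super_admin(d, e):              # users.makeAdmin with status=False
    d.update(e, is_admin=False)
def hide_in_directory(d, e):               # users.update: includeInGlobalAddressList=False
    d.update(e, in_gal=False)
def remove_from_all_groups(d, e, keep=()): # members.delete for every group
    # With a "Group member added" trigger, pass that group in `keep`; otherwise
    # this action removes the user from the very group that started the rule.
    d.users[e].groups = [g for g in d.users[e].groups if g in keep]
def suspend_user(d, e):                    # users.update: suspended=True
    d.update(e, suspended=True)

TERMINAL = {suspend_user}                  # a delete_user action would belong here too
OFFBOARD_CHAIN = [delete_recovery_info, delete_user_tokens, reset_password, sign_out,
                  invalidate_backup_codes, delete_app_passwords, delete_aliases,
                  revoke_super_admin, hide_in_directory, remove_from_all_groups,
                  suspend_user]


def validate_chain(chain):
    """Reject a chain that runs an active-user-only action after suspension."""
    suspended = False
    for action in chain:
        if suspended and getattr(action, "needs_active", False):
            raise ValueError(f"{action.__name__} must come before suspend/delete")
        suspended = suspended or action in TERMINAL


def on_org_unit_changed(d, email, new_ou, chain=OFFBOARD_CHAIN):
    """Trigger: run the chain only when the user lands in the deprovision OU."""
    if new_ou != DEPROVISION_OU:
        return []
    validate_chain(chain)                  # fail before touching the account
    d.update(email, org_unit=new_ou)
    for action in chain:
        action(d, email)
    return [action.__name__ for action in chain]
```

Call on_org_unit_changed(directory, email, "/Deprovision") to run the rule: moving the user to any other OU returns an empty list and changes nothing, and a chain that places suspend_user ahead of sign_out is rejected with ValueError before any action runs, which is the ordering rule from the start of this action list.
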
Notify stakeholders

It is also important to notify yourself and other stakeholders (e.g. the employee’s manager) as part of the offboarding process. For example, at the start of the process, alert yourself that an employee offboarding has begun, and at the end, alert yourself and the employee’s manager that the employee has been successfully offboarded.

Notifications are sent by email. In Foresight, use the Email action.
Email action in employee offboard process

  1. Sign in with Google
  2. In the To field, type {{ and select the Manager email variable, which is available after a Get user info action. Add any other addresses that should be notified.
  3. Fill your content in the Subject and Email body.

An offboarding workflow with email notifications can be visualized as follows.

Email notifications before and after the offboarding tasks

Schedule offboarding user

From time to time an employee or contractor is given a fixed leaving date. You can schedule the offboarding workflow for a future time in Foresight so that you don't have to remember it.

Create a separate automation rule aside from the offboarding rule. The following setup example is based on the offboarding trigger of User's organizational unit changed.

  1. Log into Foresight.
  2. Go to Rules.
  3. Click the new rule button to create a new rule.
  4. In the Select a trigger page, select Time trigger.
  5. In the Edit trigger page, choose a future time in the Trigger time field. This is the time to trigger the offboarding process.
  6. Click NEXT.
  7. In the Select an action page, select Move user to organizational unit action.
  8. In the Edit actions > Move user to organizational unit page,
    1. Sign in with Google
    2. In the User primary email field, type the primary email of the user to leave in the future.
    3. In the New organizational unit field, select the OU that's used for triggering offboarding. In this article, we select /Deprovision.
  9. Click REVIEW.
  10. Name the rule (e.g. Offboard Frank Munoz on May 1).
  11. Click CREATE.
  12. The rule is visualized like this
    Schedule moving user to OU rule

Test both rules together to confirm that the scheduled move actually fires the offboarding rule.

Future work

Foresight will keep evolving to support more user deprovisioning tasks, which may include, but are not limited to:

  • Transfer out the ownership of groups
  • Wipe user's managed mobile devices

This article will be updated as new features are integrated in Foresight.

If you have ideas, please leave your comments in the Foresight community.