Suspending inactive users is an important step in maintaining the security, compliance, and cost-effectiveness of your Google Workspace environment. In a massive corporate user list, it's not uncommon to find "zombie" user accounts once in a while. You may not remember who they are or why they aren't active. These inactive user accounts expose your IT administration to risk.
Google automatically signs Google Workspace users out of Google services after two weeks. This setting, known as session length control, more or less protects your organization's data. In the Google Workspace Business, Enterprise, Education and Cloud Identity Premium tiers, the session length is configurable from 1 hr to 30 days, or can be set to never expire; see Set session length for Google services.
That said, this article's main focus goes beyond session control.
On one hand, these inactive users are a security concern. Although the sessions expire, the accounts can still be accessed with the correct login credentials. If a user has left the company and the associated account was not terminated, corporate data is at risk.
On the other hand, taking care of these inactive user accounts is manual and time-consuming. You have no time to track and clear these zombie accounts. Deleting hundreds or thousands of inactive accounts manually is not fun.
Foresight, an automation building tool for Google Workspace, has the capability to address this IT security issue.
Demo
In this demo, we create an automation rule that watches for inactive users whose last login time was exactly 30 days ago. For example, if today is 2020/09/01, then any user who most recently signed in on 2020/08/02 will be suspended. The rule also appends an Email action so you receive an email notification of the change.
Instructions
The automation rule is easy to build. Follow these steps:
- Sign into Foresight.
- Go to Rules.
- Click the button at the bottom right to initiate a new automation rule.
- In the Select a trigger page, click the User turned inactive trigger.
- Click the Sign in with Google button to grant Foresight permission to connect with your Google service. You also need an admin role that has privileges to manage users.
- In the Inactivity timeout field, enter the number of days after which users are regarded as inactive. 30 days? 60 days? 6 months? It's up to you.
- Click NEXT.
- In the Select an action page, click the Suspend user action.
- Click the Sign in with Google button to grant another permission for this action.
- In the Primary email field, type {{ to populate the variable menu. Select the User Primary Email variable. This variable is the primary email of the inactive user passed from the User turned inactive trigger.
- (Optional) Add an Email action to notify yourself of the user status change.
  - Click ADD NEXT ACTION in the Suspend user action.
  - Choose the Email action.
  - Specify your own email address or that of any party who should be informed.
  - Fill in the email content.
- Click REVIEW.
- Input a name for this automation rule.
- Click CREATE.
- You are all set. The rule looks like
- Foresight now actively watches your user directory and automatically suspends inactive users for you.
Notes
- You may not immediately see any notifications from Foresight, because no one may have signed in exactly 30 days ago. But someone who signed in 29 days ago will trigger the rule tomorrow if s/he still has not signed in by then.
- Users who had already passed the inactivity timeout before you set up the rule will never trigger it. In other words, if you set the timeout to 30 days, users who last signed in 31 days ago or 45 days ago will never trigger the rule.
- Ensure the inactivity timeout is longer than the session length. If you set the session length to never expire, the fact that a user last signed in 1 month ago does not mean s/he was not using Google services.
- Another use case: automatically delete inactive users. If you intend to delete inactive users instead, replace the Suspend user action with a Delete user action. The configuration remains the same.
- Suspend existing inactive users whose last sign-in was more than X days ago. Since Foresight version 4.1.0, we added an Also include existing inactive users (not recommended) option in User turned inactive to accommodate this. The downside is that those existing inactive users will be reported and trigger the rule every day if they are not suspended or deleted.
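The matching behaviour described in these notes can be checked offline against an exported user list. The following is an added Python example, not Foresight's own code: it assumes records that use the Admin SDK Directory API user field names (primaryEmail, lastLoginTime, suspended) and that inactivity is counted in whole UTC calendar days; the function names and sample accounts are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample records (not real accounts), Directory API field names.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "lastLoginTime": "2020-08-31T09:15:00.000Z", "suspended": False},
    {"primaryEmail": "bob@example.com", "lastLoginTime": "2020-08-02T17:40:00.000Z", "suspended": False},
    {"primaryEmail": "carol@example.com", "lastLoginTime": "2020-07-18T08:00:00.000Z", "suspended": False},
    {"primaryEmail": "dave@example.com", "lastLoginTime": "2020-08-03T23:59:00.000Z", "suspended": False},
    {"primaryEmail": "erin@example.com", "lastLoginTime": "2020-06-01T12:00:00.000Z", "suspended": True},
]


def days_inactive(user, today):
    """Whole calendar days between the last sign-in and `today` (assumed UTC)."""
    last = datetime.strptime(user["lastLoginTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return (today - last.date()).days


def select_inactive(users, today, timeout_days, include_existing=False,
                    session_days=None):
    """Primary emails the rule would act on when it runs on `today`.

    include_existing=False models the default exact-day match;
    True models the "Also include existing inactive users" option.
    Pass session_days=float("inf") for a session that never expires.
    """
    # The timeout must be longer than the session length, otherwise a user
    # with a still-valid session could be flagged as inactive.
    if session_days is not None and timeout_days <= session_days:
        raise ValueError("inactivity timeout must exceed session length")
    hits = []
    for user in users:
        if user.get("suspended"):
            continue  # assumption: suspended accounts no longer trigger
        age = days_inactive(user, today)
        if age == timeout_days or (include_existing and age > timeout_days):
            hits.append(user["primaryEmail"])
    return hits


if __name__ == "__main__":
    today = date(2020, 9, 1)
    print("exact match:  ", select_inactive(SAMPLE_USERS, today, 30))
    print("with existing:", select_inactive(SAMPLE_USERS, today, 30, True))
```

With the default exact match, the account that last signed in 45 days ago is never selected, which is the gap the Also include existing inactive users option closes.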
What's more?
This is one of many time-saving techniques Foresight helps you with. You may also like Suspend Google Workspace users by Schedule, Delete Google Workspace users by schedule or Automated Welcome Email to Google Workspace New Users.