This article is written for G Suite Administrators.

In a massive corporate user list, it's not uncommon to find "zombie" user accounts once in a while. You may not remember who they belong to or why they aren't active. These inactive user accounts expose your IT administration to risk.

Definition of Inactive User
An Inactive User in this article is a user who hasn't signed in for a set amount of time, e.g. 30 days. It's a concept from this article, not from Google. It is not to be confused with the Admin Console's user status, which is one of 3 states: Active, Suspended and Archived.
Inactive Users in G Suite

Google automatically signs any G Suite user out of Google services after two weeks. This session length control more or less protects your organization's data. In the G Suite Business, Enterprise, Education and Cloud Identity Premium tiers, the session length is configurable from 1 hour to 30 days, or can be set to never expire; see Set session length for Google services.

Google session control in Admin Console > Security

That said, this article's main focus goes beyond session control.

On one hand, these inactive users are a security concern. Although their sessions expire, the accounts are still accessible to anyone with the correct login credentials. If a user left the company and the associated account was not terminated, corporate data is at risk.

On the other hand, taking care of these inactive user accounts is manual and time consuming. You have no time to track and clear these zombie accounts. Deleting hundreds or thousands of inactive accounts manually is not fun.

Foresight, an automation building tool for G Suite, has the capability to address this IT security issue.

Demo

In this demo, we create an automation rule that watches for inactive users whose last login time is exactly 30 days ago. For example, if today is 2020/09/01, then any user who most recently signed in on 2020/08/02 will be suspended. The rule also appends an Email action so you receive an email notification of the change.

Instructions

The automation rule is easy to build. Follow these steps:

  1. Sign into Foresight.
  2. Go to Rules.
  3. Click the new rule button at the bottom right to initiate a new automation rule.
  4. In the Select a trigger page, click the User turned inactive trigger.
    User turned inactive trigger in Foresight
  5. Click the REQUEST ACCOUNT ACCESS button to grant Foresight permission to connect with your Google service. You also need an admin role that has privileges to manage users.
  6. In the Inactivity timeout field, enter the number of days after which users are regarded as inactive. 30 days? 60 days? 6 months? It's up to you.
  7. Click NEXT.
  8. In the Select an action page, click the Suspend user action.
    Suspend user action in Foresight
  9. Click the REQUEST ACCOUNT ACCESS button to grant another permission for this action.
  10. In the Primary email field, type {{ to populate the variable menu. Select the User Primary Email variable. This variable is the primary email of the inactive user, passed from the User turned inactive trigger.
  11. (Optional) Add an Email action to notify yourself of such user status changes.
    1. Click ADD NEXT ACTION in the Suspend user action.
    2. Choose the Email action.
    3. Specify your own email or any parties who shall be informed.
    4. Fill in the email content.
  12. Click REVIEW.
  13. Input a name for this automation rule.
  14. Click CREATE.
  15. You are all set. The rule looks like this:
    Suspend inactive user rule in Foresight
  16. Foresight is actively watching your user directory and automatically suspends inactive users for you.

Important notes

  • You may not immediately see any notifications from Foresight, because there may be no one who last signed in exactly 30 days ago. But someone who last signed in 29 days ago will trigger the rule tomorrow if s/he still has not signed in by then.
  • Users who already passed the inactivity timeout before you set up the rule will never trigger the rule. In other words, if you set the timeout to 30 days, users who last signed in 31 days ago or 45 days ago will never trigger it.
  • Ensure the inactivity timeout is longer than the session length. If you set the session length to never expire, the fact that a user last signed in 1 month ago does not mean s/he has not been using Google services.
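
The notes above, worked through as an added example (not Foresight's code): a one-time triage over exported user records that separates accounts the rule will catch from the backlog it will never see, plus a check of the timeout against the session length. It assumes records shaped like Admin SDK Directory API user resources (`primaryEmail`, `lastLoginTime`, `suspended`), where a never-used account reports the 1970 epoch, and it goes slightly beyond the article by also bucketing those never-signed-in accounts. Counting idle time in whole UTC days is an assumption about how the trigger measures inactivity, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Value the Directory API reports for an account that has never signed in.
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2020-08-02T09:15:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def classify(users, today, timeout_days=30):
    """Bucket accounts by how a rule that fires at exactly timeout_days sees them.
    Assumption: idle time is counted in whole UTC calendar days."""
    buckets = {"fires_today": [], "backlog": [], "never_signed_in": [], "pending": []}
    for user in users:
        if user.get("suspended"):
            continue  # already suspended, nothing left to do
        last = parse_ts(user["lastLoginTime"])
        if last == NEVER:
            buckets["never_signed_in"].append(user["primaryEmail"])
            continue
        idle = (today.date() - last.date()).days
        if idle == timeout_days:
            key = "fires_today"
        elif idle > timeout_days:
            key = "backlog"  # passed the timeout before the rule could see them
        else:
            key = "pending"
        buckets[key].append(user["primaryEmail"])
    return buckets

def timeout_exceeds_session(timeout_days, session_days):
    """session_days=None models a session length of 'never expires'."""
    return session_days is not None and timeout_days > session_days

# Constructed sample records (not real accounts), evaluated as of 2020/09/01.
TODAY = datetime(2020, 9, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "lastLoginTime": "2020-08-02T09:15:00.000Z"},
    {"primaryEmail": "bob@example.com", "lastLoginTime": "2020-08-01T17:40:00.000Z"},
    {"primaryEmail": "carol@example.com", "lastLoginTime": "2020-07-18T08:05:00.000Z"},
    {"primaryEmail": "dave@example.com", "lastLoginTime": "2020-08-03T12:00:00.000Z"},
    {"primaryEmail": "erin@example.com", "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "frank@example.com", "lastLoginTime": "2020-01-10T10:00:00.000Z",
     "suspended": True},
]

if __name__ == "__main__":
    for bucket, emails in classify(SAMPLE_USERS, TODAY).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Accounts in the backlog and never_signed_in buckets need a manual review or a separate one-time cleanup, since the rule only reacts on the day an account reaches the timeout.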

Automatically delete inactive users

If you intend to delete inactive users instead, replace the Suspend user action with a Delete user action. The configuration remains the same.
Delete user action in Foresight

What's more?

This is one of many time-saving techniques Foresight helps you with. You may also like Suspend G Suite users by schedule, Delete G Suite users by schedule or Automated Welcome Email to G Suite New Users.