How to safely offboard Google Workspace users?
User offboarding is one of the most critical admin tasks because of the Google Workspace security implications it entails. Think of potential angry leavers and data protection obligations.
Also, for larger organisations, user offboarding can be a pain as it involves more admin time and effort that can be better put towards more urgent tasks.
That’s why many admins come to us asking how to safely offboard Google Workspace users.
If you’re an admin looking for a better way to safely offboard leaving users and save time on repetitive offboarding tasks, then tune in, this post is for YOU.
STEP 1: REVOKE ACCESS
When you offboard Google Workspace users you first need to revoke their access to critical company resources and data in Google Workspace.
- Force sign out.
- Change account password.
- Change or delete the recovery phone or email (Otherwise leavers may still be able to access the account even after you’ve reset its password)
- Reset their mailbox password.
- Do a quick log review of the account’s activity to check for sharing via link actions or personal accounts.
(This will show you if the user changed files into a public link or added their personal email account to files as a collaborator to still access them after leaving the company)
- Wipe the account from all mobile, ChromeOS devices, or any other devices the leaving user has been using.
(That of course depends on your company’s device policy.)
Two-Step Verification (2FA)
- If the user has two-step verification enabled make sure to delete all 2FA codes.
- Delete the leaving user from all Google Workspace groups.
- Review and disable third-party apps or services linked to their Google account.
STEP 2: DELEGATE & TRANSFER
Afterwards ensure proper file transferring and delegation of particular areas to avoid business interruptions, that includes:
Drive is one of the most important areas to pay attention to to ensure Drive DLP, information security and avoid file recovery issues.
If the department you’re offboarding users from uses Shared Drives, you don’t need to worry much about file ownership as files are owned by the Drive (team) rather than the person who created them.
HOWEVER, with important MyDrive files you’ll want to:
- Transfer file ownership wisely to designated managers or users.
- Migrate bulk emails from one user to another.
- Set up email forwarding to another account.
- Create an auto-reply message directing all inquiries to the employee’s manager/ or another team member.
- Delegate account access to the user’s manager via the Gmail Settings Panel.
PRO TIP: To flag and catch emails sent to an alias without leaving the account active:
- Add the leaving users’ email as an alias to their manager. That way emails sent to the deleted user will go to their manager’s inbox.
- Rename the account, then create a group with the old name and set it to accept messages from any (or trusted) domains.
Ex. John@enc.com becomes Johnfirstname.lastname@example.org (user is actually suspended), meanwhile, the new group is named ‘John’.
This may be particularly important for client-facing roles that normally have important calls or Calendar events in the future.
- Copy Calendar events to a new user/ manager.
- Delete their Calendar events.
- Copy or transfer the leaving user’s contacts to another user so no important contacts are lost.
STEP 3: DELETE OR SUSPEND ACCOUNT
Now it’s time to decide whether you want to delete or suspend your user.
If you decide to:
Delete the account
This permanently removes everything from that user’s account, Email, Calendar events, etc.
It also removes every MyDrive file they’ve created, so make sure you’ve transferred everything you need before deleting the account.
Suspend the account
This allows you to retain the user’s files, emails, etc. while blocking new emails & calendar invites and disabling login access.
After you’ve sorted out everything and made sure no data loss or operational interruptions would occur (usually takes a few months) you can then delete the account.
Remember, when suspending accounts you’ll still be charged for their license.
STEP 4: SAVE YOUR OFFBOARDING ACTION-SETS
Time for the BEST PART!
After you’ve identified the action sets you’d like to take when offboarding users, save them as customized offboarding workflows for future use — You can use a Google Workspace automation tool to achieve that.
Every department can then have its own workflow to use again and again when offboarding users.
STEP 5: AUTOMATE YOUR OFFBOARDING WORKFLOWS
Automate your offboarding workflows to be triggered by an event (such as when a new user is added to a Group or Organization Unit (OU), or to be recurrent or scheduled.
This will help you offboard Google Workspace users across your organisation with ease, and cover the most important areas with a few clicks.
BULK USER OFFBOARDING
You can also perform bulk offboarding actions for multiple users that way — saving plenty of admin time (offboarding a group of interns or when shutting down an entire department).
User Offboarding automation saves admin time, effort, and BOOSTS security.
Tell us more about YOU! — What are the most challenging areas you face when onboarding, offboarding or modifying your Google Workspace users?
Write to us at email@example.com, we’ll be happy to help.
Stay in the loop
Sign up to our newsletter to get notified whenever a freshly baked blog post is out of our content oven.