Suitebriar Blog

Google Workspace Admin Guide: Building your offboarding process

Written by Steve Newman | Mar 21, 2023 3:44:30 PM

Offboarding users from your organization can be a strenuous and tedious process. Establishing a process, whether a checklist or a full-blown application that automates the workflow, is recommended to ensure the security of your data and domain. 

Here at Suitebriar, we leverage Asana, our work management solution, to manage the many steps associated with offboarding a user. When a member leaves the organization, we kick off an Asana project with all the tasks assigned to different departments and team members. This project has a specific section dedicated to Google Workspace deprovisioning. 

There are many different factors when building your offboarding process. We will be focusing on Google Workspace with Google as the identity provider. Your organization may have applications outside of Workspace that need separate offboarding procedures. If Google is not the identity provider, you must take additional steps with the provider.

In the guide below, we provide our recommendations for how to build or update your organization's tailored process. The core question when offboarding a user is what needs to happen to the data associated with the account. This is contingent upon your organization's regulatory requirements & data policy.

Also, remember every user is different. You will create your approach for the average user, and typically, there is a level at an organization where you start to treat people outside the norm. If you automate any part of the process, make sure to factor in steps to take when an executive, or whatever your classification is, leaves the company.

Section One: Securing an Account & Considerations for Mail Flow

Answering the three questions below will help you determine how to move forward.

  1. Will you suspend, archive, or just delete accounts?
  2. Do you need to enable auto-reply or forward messages?
  3. Is delegation to the mailbox required?

Securing an Account

There are two ways to secure an account. The first option is to suspend a user, and the second is to change the user name & password. Below we map out why you may choose one option over the other and how to restrict access securely.

Suspending a user

The first step is restricting access to Workspace. Regardless of the reason for the employee’s exit, the typical first step is to suspend the user. Users can be suspended individually or in bulk. When suspending a user, there are a few things to consider. For example, mailbox delegates cannot access the mailbox of a suspended user, and messages sent to a suspended user will bounce.

You also cannot apply content compliance rules to suspended accounts. Instead, you need to create an address mapping. You can map the email address to a group or user. Internally at Suitebriar, we set up a temporary auto-reply message notifying the sender of who to contact instead of the suspended user. After a month, we remove the mapping.  

Some organizations may not want an auto-reply message, instead opting to have the message delivered to a different address, either a user or a group.  If you want to enable auto-reply, it is available for groups and users.  However, if mapping to a user, you must create an email template and use a filter to only auto-reply to messages sent to the former employee’s email.

Suspending a user may not be the best choice if the account is the owner of a non-core Google service such as AdWords, and the organization needs to maintain access while new ownership is established. Mailbox delegation is another requirement that prevents you from suspending the user.

Updating the user name & password

If suspending a user isn’t an option based on your requirements, you do have another way to restrict access. Simply changing the user's password is not suggested. We recommend changing the username as well and immediately resetting the sign-in cookies. If you only change the password and the user name, the user could still have access until their current session expires and they must re-authenticate. We also suggest enabling 2-step verification tied to an administrator and generating a new set of backup codes to prevent access.

Securing Devices

After the account is secure, the next step is to secure devices. Your company's device policy impacts how you do this. If your organization utilizes a BYOD policy, you will not wipe the phone; instead, you will remove the profile from the phone. For Windows devices, we recommend managing devices with enhanced Windows security, which gives you advanced capabilities like device wiping. Securing devices is simple if you use ChromeOS: with one click, a device can be disabled via the admin panel. According to your device strategy, you can easily remove, disable, delete, or wipe devices.

Section Two: Directory Hygiene 

Answering the three questions below will help you determine how to move forward.

  1. Is the user the only manager on a Google Group?
  2. Have you created an Organizational Unit specific to “former employees”?
  3. Are multiple Organizational Units required? 

Removing a user from the Directory

Once access is secured, there are some housekeeping items with the account that should be resolved. We’ve already discussed mail flow, so we’ll jump to the next step, removing the user from the Directory, where your organization stores the contacts & profiles that are shared across its team. Removal from the Directory also removes the account/user from auto-complete. When other users send an email or share a file, the former employee will no longer appear as an option.

Removing the user from Directory sharing will not automatically remove the user from Google Groups. You will also need to remove the user from all the Groups they are members of. Regardless of your mail routing decision, removing the former employee from groups can stop potential mail delivery issues. If they are the only manager of a Group, you will need to assign a new manager to the group or have an admin manage it.

Setting up Organizational Units (OUs)

If you don’t have OUs (organizational units) created, we suggest adding one for former employees. A dedicated OU for former employees lets you apply settings specific to those accounts or simply segment them from active users. You may also choose to have separate OUs for suspended accounts and for accounts that were kept active. Multiple OUs could also be created to enable separate settings; for example, delegation could be turned on for one OU and disabled for another.
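The Section One and Section Two steps above (suspend or rename-and-rotate, reset sign-in cookies, move to the former-employees OU, remove from every group, and flag groups left without a manager) as an added example that is not part of the original post. It follows the Admin SDK Directory API call shape; the `directory` object is assumed to come from `build("admin", "directory_v1", credentials=...)`, `/Former Employees` is an assumed OU name, and `FakeDirectory` is a constructed offline stand-in that records the calls.

```python
# Admin SDK Directory API call shape: users.update, users.signOut, groups.list,
# members.list, members.delete. FakeDirectory is a constructed stand-in so the
# block runs offline; swap in the real resource from build("admin", "directory_v1").
FORMER_OU = "/Former Employees"  # assumed OU; create it in the Admin console first

def secure_account(directory, email, suspend=True, new_email=None, new_password=None):
    """Step 1: suspend, or (when suspension is not possible) rename and rotate
    the password; either way reset sign-in cookies so live sessions end now."""
    body = {"orgUnitPath": FORMER_OU}
    if suspend:
        body["suspended"] = True
    else:
        body["primaryEmail"] = new_email      # old address becomes an alias
        body["password"] = new_password       # caller supplies a random value
    directory.users().update(userKey=email, body=body).execute()
    directory.users().signOut(userKey=new_email or email).execute()

def remove_from_groups(directory, email):
    """Step 2: drop the user from every group; return groups that now have no
    manager so an admin can assign one (groups.list is unpaginated here)."""
    orphaned = []
    for group in directory.groups().list(userKey=email).execute().get("groups", []):
        managers = directory.members().list(groupKey=group["email"], roles="OWNER,MANAGER").execute()
        if [m["email"] for m in managers.get("members", [])] == [email]:
            orphaned.append(group["email"])
        directory.members().delete(groupKey=group["email"], memberKey=email).execute()
    return orphaned

class _Req:
    def __init__(self, fn): self.execute = fn

class FakeDirectory:
    """Constructed stand-in: memberships = {group_email: {member_email: role}}."""
    def __init__(self, memberships):
        self.data, self.calls = memberships, []
    def users(self): return self
    def groups(self): return self
    def members(self): return self
    def update(self, userKey, body):
        return _Req(lambda: self.calls.append(("update", userKey, body)))
    def signOut(self, userKey):
        return _Req(lambda: self.calls.append(("signOut", userKey)))
    def list(self, userKey=None, groupKey=None, roles=None):
        if userKey:
            return _Req(lambda: {"groups": [{"email": g} for g, m in self.data.items() if userKey in m]})
        wanted = roles.split(",") if roles else None
        return _Req(lambda: {"members": [{"email": e, "role": r} for e, r in self.data[groupKey].items()
                                         if wanted is None or r in wanted]})
    def delete(self, groupKey, memberKey):
        return _Req(lambda: self.data[groupKey].pop(memberKey))
```

Against the real API, run `remove_from_groups` only after `secure_account`, and page through `groups.list` with `pageToken` for users in many groups.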

Okay, now we’re in a great spot! We’ve restricted access to the account and cleaned up the devices. We’ve configured our address mapping and auto-replies. Now we’re in a holding pattern. We should wait 30 days before moving forward with the offboarding process in case circumstances change. After the end of the holding period, we will archive or delete the user, depending on your organization's data retention policy.

Section Three: Managing User Data

Answering the three questions below will help you determine how to move forward.

  1. Are there any regulatory or contractual data requirements?
  2. Do other users need access to the data?
  3. Have you developed an internal retention policy?

If your organization has specific regulations that require you to hold on to data after the user has left the organization, you can assign the user an Archived User (AU) license. Once you have met your regulatory obligations, you can decide whether to maintain the account and associated data longer or delete the data.  At some point, you will end up deleting the account.  

Deleting or Storing Account Data 

Before you delete the account, you must decide what to do with the data. If you are archiving the user, you likely don’t need to migrate the data until the archival period has ended. When archived, the user’s data from core and non-core services (e.g., Drive & Calendar) is still available to other users. When the archive period is over, if you don’t need the data, delete it.

Some organizations want to hold onto the data just in case. For example, you can export and store the data in Google Drive or Cloud Storage. If your organization is on Google Workspace Enterprise, you can leverage your unlimited storage and store the data in Drive. This way, if required, you can retrieve it. If you want to export data from all Google services (Gmail, Calendar, Drive, Blogger, YouTube, etc.), we suggest using the Google Takeout tool.

Transferring Drive Data to Another User

Transferring data to another user is possible, and each service has different options. Google Drive is the service where data is most commonly migrated to/from. Drive makes it easy to transfer ownership of all files to another user. For example, there is a transfer ownership option in the Drive settings of the control panel.

To transfer ownership, simply enter the email address of the former employee and the user to whom you want to transfer the files, then select transfer files. Typically, files are transferred to their manager, moved to a shared drive, or exported.

Occasionally, only a subset of files needs to have the ownership transferred. In this instance, you could use the investigation tool or the APIs. Transferring ownership may be optional, depending on how your organization utilizes Shared Drives. Accessing the user’s My Drive files is not critical if collaborative files are in Shared Drives.

Next, we’ll discuss transferring mail & calendar data as they may have valuable data worth keeping. 

Transferring Mail Data

Exporting email data is more common than migrating it to another user. Migration is an option; however, it is more complex than Drive transfers, and you need to leverage APIs. Instead of migrating email data, our process at Suitebriar is to suspend the user for 30 days and then archive the user for two years. After that time, there is no need to migrate the messages. You might develop a similar strategy yet choose to export the data once the archival is over. This scenario would eliminate the need for an Archive License, and the data would be maintained.

Transferring Calendar Data

Migrating calendar data is a rare practice. The user's calendar events will stay in place while the account is suspended or archived. However, there are a few scenarios where communicating with the user’s manager will help you understand the impact of removing calendar data.

For example, your organization may have a user on the marketing team who organizes many events with external users invited to calendar events. Deleting that user would remove their events from the calendar. Removed events appear as canceled events for all of the invitees. We suggest changing the event organizer to avoid this issue. You can make another user or a secondary calendar the organizer of the events, and you can do this in bulk using the APIs.
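The bulk organizer change described above as an added example, not code from the original post. It uses the Calendar API `events.list` / `events.move` call shape (`events.move` changes an event's organizer to the destination calendar), skips events the former employee was merely invited to, cancelled events, and non-default event types that cannot be moved, and pages through results. The `calendar` object is assumed to be a Calendar API resource authorized to act on the former employee's calendar (domain-wide delegation); `FakeCalendar` is a constructed offline stand-in.

```python
# Calendar API call shape: events.list (paginated) and events.move. FakeCalendar
# is a constructed stand-in so the block runs offline; a real client comes from
# build("calendar", "v3", credentials=...) impersonating the former employee.

def reassign_organized_events(calendar, former_email, new_owner_email):
    """Move every event the former employee organizes onto the new owner's
    calendar so invitees do not see cancellations when the account is deleted.
    Returns the ids of the events moved."""
    moved, page_token = [], None
    while True:
        resp = calendar.events().list(calendarId=former_email, pageToken=page_token,
                                      singleEvents=False).execute()
        for ev in resp.get("items", []):
            if ev.get("status") == "cancelled":
                continue                                   # nothing to preserve
            if not ev.get("organizer", {}).get("self"):
                continue                                   # invited only; real organizer keeps it
            if ev.get("eventType", "default") != "default":
                continue                                   # outOfOffice etc. cannot be moved
            calendar.events().move(calendarId=former_email, eventId=ev["id"],
                                   destination=new_owner_email).execute()
            moved.append(ev["id"])
        page_token = resp.get("nextPageToken")
        if not page_token:
            return moved

class _Req:
    def __init__(self, fn): self.execute = fn

class FakeCalendar:
    """Constructed stand-in: calendars = {email: [event dicts]}, two events per page."""
    def __init__(self, calendars): self.cals = calendars
    def events(self): return self
    def list(self, calendarId, pageToken=None, **_):
        start = int(pageToken or 0)
        page = {"items": self.cals[calendarId][start:start + 2]}
        if start + 2 < len(self.cals[calendarId]):
            page["nextPageToken"] = str(start + 2)
        return _Req(lambda: page)
    def move(self, calendarId, eventId, destination):
        def do():
            ev = next(e for e in self.cals[calendarId] if e["id"] == eventId)
            ev["organizer"] = {"email": destination}       # organizer changes hands
            self.cals.setdefault(destination, []).append(ev)
            return ev
        return _Req(do)
```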

Managing Nontypical Users

If you are managing the access & data for a nontypical user, it is essential to be in communication with the user’s manager to verify if there are any unique circumstances. For example, the nontypical user may be utilizing a non-core Google service with data the organization will still need access to after the user leaves.

Phew, we’ve done a lot so far! We archived the user, let the archival period end, and exported data. So now it’s time to delete the user. 

Section Four: Deleting Users & Adjusting Google Workspace Licensing 

Answering the three questions below will help you determine how to move forward.

  1. Will you need to reuse the user's Workspace license?
  2. When is your renewal date if you are on an annual or multi-year subscription?
  3. Have you cleaned up your licenses for renewal?

If your answer to 1) is yes and you need to reuse the Google Workspace license, you need to consider if & how you need to access the former employee’s data. If you need to access the data and you don’t plan to export or transfer it to another user, we recommend purchasing an Archive License (AU). An AU license is a discounted Workspace license allowing organizations to retain former employee/user data.

Again, you only need to buy an Archive License if you are out of Workspace licenses and need to reuse one. If you are on an annual or multi-year subscription plan with multiple licenses available, suspending the user has nearly the same effects as archiving but requires a full Workspace license.

Deleting One User 

If you're on an annual or multi-year subscription, managing one license is easy. Upon deletion, the license becomes available for reuse. License counts automatically adjust if you're on a Flex plan. 

Deleting Users in Bulk

Deleting a large group of users can be complicated as each user may have unique requirements related to their data. In this scenario, you may archive all users and ignore other options and settings, simplifying the process. Alternatively, you may need to address the unique requirements of each user or group of users. In this case, it’s not as simple as checking a box or uploading a CSV.

There will likely be API work, custom scripting, or even third-party tools required. There are a lot of different moving parts. Thankfully, Suitebriar is here to help you navigate the Google Workspace offboarding process from start to finish. We can help you get up and running with Asana, create custom scripts for data export and transfer, and navigate licensing with Google and third-party tools.

Google Workspace Licensing

If the number of users leaving the organization is significant, you might not be reusing your licenses. When a bulk amount of users leave the organization, typically it’s a decision that involves decreasing the organization's size longer term, i.e. reducing license counts. If you are on an annual plan, this will leave a surplus of licenses. We suggest immediately discussing options with your Suitebriar Customer Success Manager. When you are in the middle of a contract, there likely is not much you can do until renewal. However, it’s worth checking. As renewal approaches, it’s crucial to clean up your licensing environment so that your active user count is equal to or less than your new contract amount.

As a Google Cloud Partner, our seasoned team can help you create or update your offboarding process in line with your organizational needs. Contact us today for assistance.