How to Automate the Hardest Parts of Employee Offboarding

According to recent employee offboarding research, 70% of IT professionals say they’ve experienced the negative effects of incomplete IT offboarding, whether it’s a security incident tied to an account that wasn’t deprovisioned, a surprise bill for resources that are no longer being used, or a missed handover of a critical resource or account. This is despite an average of five hours spent per departing employee on activities like finding and deprovisioning SaaS accounts. As the SaaS footprint within most organizations continues to grow, it becomes exponentially more difficult (and time-consuming) to ensure that all access is deprovisioned or handed over when an employee leaves the organization.

How Nudge Security can help

Nudge Security is a SaaS management platform for modern IT governance and security. It discovers every cloud and SaaS account ever created by anyone in your organization, including generative AI apps, giving you a single source of truth for departing user accounts and OAuth grants that need to be deprovisioned, revoked, or transferred.

A built-in playbook guides you through a comprehensive IT offboarding checklist aligned with Google and Microsoft best practices. The playbook can help you save up to 90 percent of the time and effort associated with SaaS offboarding by automating time-consuming, easy-to-miss tasks, such as revoking OAuth grants and resetting passwords for accounts outside of single sign-on (SSO).

Let’s take a look at how Nudge Security helps you every step of the way, so you can ensure complete SaaS account offboarding.

1. Revoke access to Google Workspace or Microsoft 365.

Once you’ve selected the employee you want to remove, you’ll first need to verify the status of their Google or Microsoft account.

Initially, you’ll want to keep the employee’s Google or Microsoft account active while you perform other offboarding tasks. However, you’ll want to ensure that the user loses access to the account by resetting their password and disabling any recovery methods they may have set up. Nudge Security helps you verify the status of each of these steps so you can check if access has been revoked.

2. Transfer ownership of critical resources.

Before you begin deleting your departing employees’ accounts, you should identify and transfer critical resources such as AWS root user accounts, company domains, social media accounts, and more.

Nudge Security automatically identifies critical resources owned by your departing employee and guides you through the process of transferring ownership to other team members. For each resource, Nudge Security provides detailed instructions with helpful links and a summary of other app users who can take over responsibility for each resource. As you review the list, you can confirm that you have transferred ownership or record your decision to ignore a particular resource that does not need to be transferred.

3. Check and update app-to-app integrations.

OAuth grants are often used to enable app-to-app integrations and automation. If a departing employee’s OAuth grants are revoked without review, it can disrupt day-to-day operations.

Nudge Security shows you all app-to-app OAuth grants and scopes for the departing employee, so you can assess the potential business impact of each integration and determine whether it should be recreated with a different account. You also see who the other users of that application are, so you can involve them if necessary. This step of the offboarding process helps ensure that automated business processes continue to work as expected after the employee leaves the organization.

4. Revoke SSO-managed accounts.

This step is simple. With a single click (and without leaving the Nudge Security dashboard), you can revoke access to all accounts managed by your single sign-on (SSO) provider, such as Azure AD or Okta. Later, the playbook will walk you through cleaning up the contents of those accounts as well.

5. Revoke access to apps authenticated via OAuth.

OAuth grants make it easy for employees to create new accounts by simply choosing to authenticate with Google Workspace or Microsoft 365. Nudge Security makes it just as easy for security and IT teams to identify and revoke OAuth grants from departing users directly from Nudge Security. Now that you’ve already reviewed and recreated all scopes related to app-to-app integrations, you can revoke any remaining app access granted via OAuth.
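The review-before-revoke ordering from steps 3 and 5, as an added example (not Nudge Security's code or API): any grant carrying scopes beyond sign-in identity is treated as a possible app-to-app integration and held until it has been reviewed. The inventory, its field names and the scope heuristic are assumptions made for this illustration.

```python
# Scopes that only identify the user at sign-in (OpenID Connect standard
# scopes plus Google's userinfo aliases). Anything else grants API access.
SIGN_IN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample inventory for one departing user; the field names are
# assumptions for this example, not any product's export format.
GRANTS = [
    {"app": "Design Tool", "scopes": ["openid", "email", "profile"],
     "other_users": ["ana@example.com"]},
    {"app": "CRM Sync", "scopes": ["openid", "https://www.googleapis.com/auth/drive"],
     "other_users": ["raj@example.com"]},
    {"app": "Report Bot", "scopes": ["https://www.googleapis.com/auth/calendar"],
     "other_users": []},
]

def triage(grants):
    """Split grants into sign-in-only apps and integrations needing review."""
    sign_in_only, needs_review = [], []
    for g in grants:
        api_scopes = sorted(set(g["scopes"]) - SIGN_IN_SCOPES)
        if not api_scopes:
            sign_in_only.append(g["app"])
            continue
        needs_review.append({
            "app": g["app"],
            "api_scopes": api_scopes,
            # Other users of the app who could recreate the integration.
            "handover_candidates": g["other_users"],
            # Nobody else uses the app: revoking may silently end a process.
            "orphan_risk": not g["other_users"],
        })
    return sign_in_only, needs_review

def revocable(grants, reviewed_apps):
    """Return (apps safe to revoke now, integrations held until reviewed)."""
    sign_in_only, needs_review = triage(grants)
    cleared = [r["app"] for r in needs_review if r["app"] in reviewed_apps]
    held = [r["app"] for r in needs_review if r["app"] not in reviewed_apps]
    return sorted(sign_in_only + cleared), sorted(held)

if __name__ == "__main__":
    print(revocable(GRANTS, reviewed_apps={"CRM Sync"}))
```
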

6. Revoke access to unmanaged accounts.

OAuth grants and SSO-managed accounts only provide a partial view of your departing employee’s access. Continued SaaS sprawl can leave doors open for unauthorized access to sensitive resources and data after an employee leaves your organization. Fortunately, Nudge Security also identifies unmanaged accounts your employee may have created with their work email outside of standard IT or procurement processes.

Not only does Nudge Security show you the list of unmanaged apps, but you can also trigger automated password resets from within the platform to prevent further access by the departing employee. Without this automation, doing this manually could take hours, if you even know the accounts exist.

7. Clean up revoked accounts.

Once a user’s access has been revoked, it is important to clean up their accounts to avoid losing company data or continuing to pay for unused licenses.

With Nudge Security, you can send an automated “nudge” to the technical or business owner of any SaaS application with instructions to delete or move confidential data, reassign licenses, and reassign resource ownership to another user.

8. Document offboarding activities with a built-in report.

Nudge Security records all of the offboarding steps you’ve taken, so you can always go back and check what was completed for each employee. Once you’ve finished offboarding a departing employee’s SaaS and cloud accounts, you can generate a .pdf report of the activities you’ve completed and share it with internal users or auditors.

Let employees transition seamlessly with Nudge Security

Nudge Security enables you to efficiently and completely phase out departing users, protecting your assets and preventing business disruptions without wasting valuable time on tedious, repetitive tasks.

Start your 14-day free trial now.
