Use Case: Deprovisioning an Okta User



Deprovisioning an Okta User

Okta is our source of truth for provisioning and deprovisioning users in our company. We need to automatically clear the user's sessions, reset their factors, and block the user’s access to all providers when they have been deactivated in Okta so that they no longer have the ability to log in or access company data.

To prevent a deprovisioned Okta user from logging into your Okta instance or accessing company data, use the Workflow below to automatically clear all sessions for the user, reset their factors, and proceed with the Deprovisioning actions once the “User is Deactivated” Alert has exceeded its threshold.

In this use case, we use a number of actions per provider as examples of what is available when using Okta as your source of truth for Deprovisioning. Many other Offboarding actions are available in our Actions Library, filtered by ‘Offboarding’.


1. Okta User is Deactivated Alert

The desired threshold of the ‘User is Deactivated’ Okta system Alert must be configured in the Alerts Manager section of the platform before you create your Workflow. In our example below, we have the alert enabled with a threshold set to 0.

  • Please note: Deactivating a user in Okta puts them in a Deprovisioned state, and they will be unassigned from all applications, which may destroy their data, such as email or files. This action cannot be undone.


2. Clear All Sessions

Use the “Clear All Sessions” action in your Workflow to log this user out of any active sessions. This will ensure that deactivated users are logged out of Okta right away. Since they are deactivated, the user will not be able to log back into Okta after their session is cleared.


3. Reset Factors

Select the “Reset Factors” action to target the deactivated Okta user, reset their factors, and unenroll them from all MFA factor enrollments. Note that this action applies to all factors configured for an end user and they will have to set up their factors again. You cannot select specific factors to reset.


4. Move Owned Box Items

To proceed with Deprovisioning, use the “Move Owned Items” action in your Workflow to target the user and move their owned items into a folder in another user’s account. For our example, we are moving the user’s Box items to the account of the company admin, Ron Swandon.


5. Suspend Dropbox Member

The “Suspend Dropbox Member” action will target the user and suspend them from the team in Dropbox. For our use case, we selected the option to delete content from their devices the next time they attempt to go online.


6. Transfer Google Primary Calendar Events

Next, add the “Transfer Primary Calendar Events” action to the Workflow to transfer ownership of all primary calendar events for the targeted user to another user in your organization. In our use case, we are transferring the calendar events to the user’s manager and releasing their Calendar Resources.

  • Releasing Calendar Resources releases the resources booked by the targeted user and makes them available for use by other users in your organization.


7. Transfer All Google Drive Files

The “Transfer All Drive Files” action will target the user and transfer the ownership of all Drive files to another user in your company. For our use case, we are transferring the files to the user’s manager. There is also an option to transfer only their Private or Shared Drive files.


8. Suspend Google User

Add the “Suspend User” action to your Workflow to suspend the targeted user and block the user’s access to your organization's Google services. When you suspend an account, the user's email, documents, calendars, and other data are not deleted; however, the user will no longer have access.


9. Remove O365 User License

Add the “Remove User License” action to remove the selected license from your targeted user’s O365 account. When a user's license is removed, data that is associated with that user account is held for 30 days. After the 30-day grace period, the data is deleted and cannot be recovered.


10. Disable O365 User

Add the “Disable User” action to your Workflow to disable the targeted user’s account and block Microsoft sign-in access.


11. Deactivate Salesforce User

Select the “Deactivate User” Salesforce action in your Workflow to prevent the targeted user from logging into your Salesforce organization. You cannot delete users in Salesforce, but you can deactivate their account.


12. Disable Slack User

Next, select the “Disable User” Slack action in your Workflow to disable the targeted user’s Slack account. Slack users cannot be deleted, but they can be disabled in your Workspace.

  • The “Disable User” action is only available on Slack Plus and Enterprise Grid plans.


13. Suspend Zendesk User

And, lastly, select the “Suspend User” Zendesk action in your Workflow to suspend the targeted user’s Zendesk account. This means the user will no longer be able to sign in and any new support requests you receive from the user are sent to the suspended tickets queue.
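
A way to check that the Workflow met its goal, as an added example (not BetterCloud or Okta code): it replays events shaped like Okta System Log entries in time order and reports any successful sign-in by a user who was deactivated at that moment. The sample events and addresses are constructed, and the choice of `user.session.start` and `user.authentication.sso` as the sign-in events to watch is an assumption of this example.

```python
from datetime import datetime

# Assumption: these two event types are the sign-in signals worth auditing.
SIGN_IN_EVENTS = {"user.session.start", "user.authentication.sso"}

def _event(kind, ts, actor, target=None, result="SUCCESS"):
    """Build a constructed event in the shape of an Okta System Log entry."""
    return {"eventType": kind, "published": ts, "outcome": {"result": result},
            "actor": {"alternateId": actor},
            "target": [{"type": "User", "alternateId": target}] if target else []}

# Constructed sample data (not real logs); all addresses are placeholders.
SAMPLE_EVENTS = [
    _event("user.lifecycle.deactivate", "2024-05-01T10:00:00.000Z", "admin@example.com", "leaver@example.com"),
    _event("user.authentication.sso", "2024-05-01T10:05:00.000Z", "leaver@example.com"),
    _event("user.session.start", "2024-05-01T10:06:00.000Z", "leaver@example.com", result="FAILURE"),
    _event("user.lifecycle.deactivate", "2024-05-01T09:00:00.000Z", "admin@example.com", "rehire@example.com"),
    _event("user.lifecycle.activate", "2024-05-01T11:00:00.000Z", "admin@example.com", "rehire@example.com"),
    _event("user.session.start", "2024-05-01T11:30:00.000Z", "rehire@example.com"),
]

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def post_deactivation_sign_ins(events):
    """Return successful sign-ins made while the acting user was deactivated."""
    deactivated = {}  # user -> timestamp of the deactivation still in effect
    findings = []
    for e in sorted(events, key=_ts):
        if e["outcome"]["result"] != "SUCCESS":
            continue  # failed sign-ins are the expected result after deactivation
        kind = e["eventType"]
        if kind in ("user.lifecycle.deactivate", "user.lifecycle.activate"):
            for t in e["target"]:
                if t.get("type") != "User":
                    continue
                user = t["alternateId"].lower()
                if kind == "user.lifecycle.deactivate":
                    deactivated[user] = e["published"]
                else:
                    deactivated.pop(user, None)  # re-activated: sign-ins are legitimate again
        elif kind in SIGN_IN_EVENTS:
            user = e["actor"]["alternateId"].lower()
            if user in deactivated:
                findings.append({"user": user, "event": kind, "at": e["published"],
                                 "deactivated_at": deactivated[user]})
    return findings

if __name__ == "__main__":
    for finding in post_deactivation_sign_ins(SAMPLE_EVENTS):
        print(finding)
```

An empty result is the expected outcome once sessions have been cleared; any finding points to a session or sign-in path that outlived the deactivation.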

