Your Guide to Offboard Users from Your SaaS Apps

December 5, 2023

Former employees retaining SaaS app access happens far more often than businesses care to admit. Nearly a third of all employees retain some degree of access to the SaaS stack. 

When employees move on, voluntarily or otherwise, it’s in the organization’s best interests to remove all access to corporate assets. Much of this process is done through automated workflows, where employees are removed from the identity provider (IdP), which triggers their removal from other systems.

However, users must be manually deprovisioned from applications that weren’t integrated into the IdP. Failure to do so could lead to data theft, breaches, or other incidents conducted by either the former employee or someone who steals their credentials. 

A newly released guide, “Offboarding Employees from Your SaaS Stack in 7 Steps”, explains why deprovisioning users isn’t always as straightforward as it seems, and gives step-by-step instructions to fully deprovision users, as well as automate the process. The process is summarized as follows. (For the full details, download the guide here.)

Challenges in Deprovisioning Users from SaaS Apps

Organizations must overcome many challenges to permanently remove a user from their SaaS applications:

  • Applications that are not integrated with the IdP aren’t aware that the employee is no longer part of the company. Applications that are not integrated with their IdPs or that do not enforce SSO can often be accessed using local credentials.
  • Teams share passwords to simplify administration or reduce license fees.
  • Individuals may have received passwords from coworkers over the course of their employment and can use them to access applications.

Manually Deprovisioning Employees

Removing access for former employees requires that they be fully deprovisioned. If you are using a manual process, follow these steps. (For further explanation on all these steps, download the full guide here.)

  • Step 1 – Begin by revoking access to their email by resetting their password and disabling account recovery methods.
  • Step 2 – Transfer admin rights of SaaS applications from the deprovisioned employee to another user to prevent the app from becoming inaccessible.
  • Step 3 – Disable SSO access for the user.
  • Step 4 – Manage publicly available resources that were shared with external users.
  • Step 5 – Review third-party applications that were connected to the core stack.
  • Step 6 – Reset passwords for user accounts not managed by an SSO.
  • Step 7 – Remove access to accounts and deactivate or delete their email account.

Following this process will remove ex-employee access while ensuring that other users will still have access to the app.

Strong Governance Policy Reduces the Risk

Beyond manual deprovisioning, introducing and enforcing strong governance policies for SaaS applications can go a long way toward reducing the risk. For example, if company policy required all SaaS users to log in through an SSO or using MFA, user access would be curtailed the moment their login tools were deprovisioned.

Some users, particularly those with high privileges, are required by the application to have local access. Unfortunately, these users will retain their access even when they are removed from the SSO or MFA. In those circumstances, maintaining a list of users with local access is instrumental to identifying users that must be manually deprovisioned.
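One way to put that list to work, as an added example that is not from the guide or its author: reconcile the offboarding roster against each app's user export, and flag accounts an IdP removal will not reach, plus apps that would be left without an admin (Step 2 above). The `AppAccount` fields, the `sso`/`local` labels and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppAccount:
    app: str        # SaaS application name (hypothetical export field)
    email: str      # account identifier as exported by the app
    auth: str       # assumed labels: "sso" or "local"
    is_admin: bool


def manual_deprovision_list(offboarded, accounts):
    """Return (app, email, action) for accounts that IdP removal alone won't fix."""
    gone = {e.strip().lower() for e in offboarded}
    # Apps that still have at least one admin who remains employed.
    apps_with_admin = {a.app for a in accounts
                       if a.is_admin and a.email.strip().lower() not in gone}
    findings = []
    for a in accounts:
        email = a.email.strip().lower()   # exports often differ in letter case
        if email not in gone:
            continue
        steps = []
        if a.is_admin and a.app not in apps_with_admin:
            steps.append("transfer admin rights")   # avoid an orphaned app
        if a.auth == "local":
            steps.append("remove local account")    # survives SSO removal
        if steps:
            findings.append((a.app, email, ", then ".join(steps)))
    return sorted(findings)


# Constructed sample data, for illustration only.
OFFBOARDED = ["Dana@Example.com", "lee@example.com"]
ACCOUNTS = [
    AppAccount("crm", "dana@example.com", "local", True),
    AppAccount("crm", "sam@example.com", "sso", True),
    AppAccount("wiki", "lee@example.com", "local", True),
    AppAccount("wiki", "sam@example.com", "sso", False),
    AppAccount("chat", "lee@example.com", "sso", False),
    AppAccount("billing", "dana@example.com", "sso", True),
]

if __name__ == "__main__":
    for app, email, action in manual_deprovision_list(OFFBOARDED, ACCOUNTS):
        print(f"{app:8} {email:20} {action}")
```

SSO-only, non-admin accounts are left out of the result because disabling SSO access already cuts them off.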

Shared passwords are another way users can get around deprovisioning, as they may maintain access through a shared team account. Enforcing an anti-password sharing policy and training users about the dangers of password sharing can go a long way toward reducing risk.  

Automate User Deprovisioning

The easiest way to deprovision users from SaaS applications is through a SaaS Security Posture Management (SSPM) platform that is integrated with a SOAR. Using automated workflows, these processes quickly identify and fully deprovision offboarded employees who maintained access to SaaS applications.

By using an SSPM, enterprises can confidently move forward, knowing that access to their applications is under their full control. 

Have users you need to deprovision? Download our latest ebook, Offboarding Employees from Your SaaS Stack in 7 Steps!

About the writer

Arye Zacks
Sr. Technical Content Specialist
Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.