Google Workspace Offboarding: How to Deprovision a Departing User Securely
By Patronum
July 07, 2026
Read Time: 6 mins

By Patronum
July 07, 2026
Read Time: 6 mins

Someone resigns at 4:00 p.m. IT “disables” the account by 5:00, everyone goes home, and the box gets ticked. At 7:12 p.m. a mailbox forwarding rule is still quietly copying email to a personal inbox, a phone is still syncing shared files, and an app the person connected months ago is still pulling data. The account looked closed. The access wasn’t.
To offboard a Google Workspace user securely, arrange mail and data handover first where you need it, then suspend the account to block access. Reset the password, revoke OAuth access, app passwords and security keys, and terminate any third-party SSO session. Transfer Drive ownership and review the file’s sharing afterwards, remove group and shared-drive roles, and wipe managed devices. Choose an end state, archive or delete, based on your retention schedule. Order matters more than speed.
The right first move depends on how the person is leaving.
| Situation | Priority |
|---|---|
| Planned departure | Arrange mail and data handover, then suspend and clean up access in order. |
| Immediate or high-risk exit | Suspend, terminate IdP sessions, reset credentials, revoke tokens, and contain devices first. Sort out handover after access is closed. |
The trap in both cases is treating identity as the same thing as access. Suspending or disabling a user does not by itself end every desktop session or connected app. Those can survive the goodbye email, so the sequence below closes each path deliberately.
Work in this order. Each step maps to an action in the Google Admin console.
1. Set up mail handover before suspension, where needed. New mail and calendar invitations are blocked for a suspended user, and messages to a suspended account are not delivered, so decide how incoming mail should be handled before you suspend. If it needs to reach a manager or shared inbox, use an approved admin-level approach, such as an address map, alias, or account reassignment, then test that it works. Preserve the historical mailbox separately through your retention process rather than relying on the live account (Google Admin Help, “Route or reroute incoming messages”; preserve former employee data).
2. Suspend the account. In Admin console, go to Directory, then Users, and suspend the user. Suspending blocks Google Workspace access and resets browser and mobile sign-in cookies. It does not necessarily sign the user out of Gmail or Drive for desktop, so also reset their password, revoke OAuth access and app passwords, and remove or wipe managed devices as appropriate. Do not delete yet (Google Admin Help).
[SCREENSHOT: Admin console > Directory > Users > “Suspend user” action – SOURCE: Google Admin UI (we capture)]
3. Reset credentials and revoke sessions and connected apps. Reset the password to a random value, sign the user out of all sessions, delete their app-specific passwords, remove security keys and other MFA factors, and revoke access for connected third-party apps. If you use third-party SSO, terminate the user’s IdP session too. Resetting Google sign-in cookies alone may not end that session (Google Admin Help).
[SCREENSHOT: User security panel showing reset password, “sign out of all sessions,” and app-specific passwords – SOURCE: Google Admin UI (we capture)]
4. Transfer Drive files, then review their sharing. Move the leaver’s Drive file ownership to their manager or a shared drive before the account is deleted. A super admin can transfer some data during deletion, but the safe habit is to transfer first. After transferring Drive content, review its sharing settings. Transfer changes ownership, not who already has access (Google Admin Help).
[SCREENSHOT: Admin console transfer-data flow (Drive files to a new owner) – SOURCE: Google Admin UI (we capture)]
5. Remove role assignments. Remove group memberships, shared-drive roles, mailbox delegation, and other role assignments so privileges are not restored if the account is reactivated or reused. This is role hygiene: it keeps a future reinstatement or a recycled address from quietly inheriting old access.
6. Wipe managed devices. Remove or wipe the corporate account from any phones and tablets the user linked, so cached mail and synced files don’t leave on a personal device.
7. Choose an end state. Base this on your retention schedule, not a fixed clock: archive the account where you need to preserve data, or delete it once transfers, legal holds, and retention obligations are satisfied. Google treats suspension, archive licenses, data transfer, export, Vault, and deletion as separate options for preserving a former employee’s data, so pick the combination your policy requires (Google Admin Help; options to preserve former employee data).
The distinction that separates a clean exit from a messy one is verify, not just revoke. A user marked “suspended” is a task done. A user whose sessions, tokens, IdP session, managed devices, role assignments, and file sharing have all been checked and closed is a risk actually removed.
Why the urgency? One vendor survey is enough to make the point: in a 2022 Beyond Identity study, 83% of former employees said they still had access to accounts from a previous employer (Beyond Identity). Treat that as a prompt to close every path above, not as a precise measure. The authority for each step is Google’s own documentation, cited inline.
Offboarding rarely fails in the policy document. It fails in the gaps between teams, when one person assumes another handled the forwarding rule or the mobile wipe. That is why the whole sequence is worth automating.
For Google Workspace, Patronum can run an offboarding policy that carries out the routine steps consistently: resetting the password, updating the recovery email, deleting app-specific passwords, revoking data access, wiping mobile devices, setting an auto-responder, applying an archive-user license, and scheduling the eventual deletion. The point is not speed for its own sake. It is that a defined policy runs the same way every time, so the step that usually gets forgotten doesn’t. For the detail on holding versus removing the mailbox, see our guide on whether to archive or delete a leaver’s Google Workspace mailbox, and for the full security-first version, the forensic offboarding checklist.
Should I suspend or delete a Google Workspace user when they leave?
Suspend first. Suspension blocks sign-in immediately while preserving data. Delete only after data is transferred and your retention window has passed (Google Admin Help).
How do I keep a former employee’s emails and Drive files?
Transfer their Drive file ownership to a manager or shared drive before deleting the account, then review the transferred files’ sharing, because ownership transfer does not change who already has access. For mail, set up admin-level routing to a manager or shared inbox before suspension, and preserve the historical mailbox through your retention process (Google Admin Help: transfer Drive files; route incoming messages).
How do I deprovision a user’s access and active sessions?
Reset the password to a random value, sign the user out of all sessions, delete app-specific passwords, remove security keys and MFA factors, and revoke connected third-party app access. If you use third-party SSO, terminate the user’s IdP session as well, since resetting Google sign-in cookies alone may not end it. Then wipe managed devices.
Should I archive or delete a former employee’s account?
It is a retention decision, not a fixed timeline. Archive the account where you need to preserve data, or delete it once transfers, legal holds, and retention obligations are satisfied. Google treats suspension, archive licenses, transfer, export, Vault, and deletion as separate options, so choose the combination your policy and laws like GDPR or CCPA require (Google Admin Help).
Can I automate Google Workspace offboarding?
Yes. A Patronum offboarding policy can run the routine chain automatically: password reset, recovery-email update, app-password deletion, data-access revocation, mobile wipe, auto-reply, archive license, and scheduled deletion.
What is the biggest offboarding mistake?
Confusing deactivation with containment: disabling the user while leaving sessions, forwarding rules, connected apps, group access, or mobile sync alive.
Offboarding fails in the gaps between steps. Patronum runs the whole sequence as one consistent policy, so nothing gets left open. See how Patronum automates Google Workspace onboarding and offboarding, or start a free trial and build your first offboarding policy.