
How to Delete Offboarding Employee Accounts


The most overlooked step in offboarding is deleting internal system and SaaS accounts. Even when formal offboarding is complete, accounts often remain active — leading to repeated incidents of data exfiltration and unauthorized access by former employees.

Recent research shows that as the number of SaaS tools companies use continues to grow, former employee accounts are frequently left undeleted for extended periods. This "account persistence" creates a compounded risk of data breaches, compliance violations, and unnecessary license costs.

This article is aimed at IT administrators and covers everything you need to know: why deleting ex-employee accounts matters, the risks of leaving them active, what types of accounts to delete, step-by-step procedures, tools to streamline the process, common failure patterns, a glossary of key terms, and FAQs. It can also serve as an offboarding checklist.

What Is Ex-Employee Account Deletion?

Ex-employee account deletion refers to the comprehensive process of reliably disabling and removing all system, SaaS, and device accounts and access rights used by a departing employee, aligned with their last day of employment. It is a critical step in the IT department's onboarding/offboarding workflow, and an indispensable process from three perspectives: security, compliance, and cost management.

In recent years, the number of SaaS tools per company has grown rapidly, making the scope and variety of accounts to delete increasingly complex. The average company uses more than 100 SaaS applications, meaning it's not unusual for dozens of accounts per departing employee to require deletion.

Purpose of Account Deletion

The goals of ex-employee account deletion come down to three points.

  • Preventing unauthorized access and data breaches: Cutting off the risk that former employees use credentials from their employment to continue accessing confidential information from outside the organization
  • Compliance and audit readiness: Meeting the "removal of unnecessary access rights" requirements under laws and standards such as the Act on the Protection of Personal Information, GDPR, and ISO 27001
  • License cost optimization: Stopping monthly charges for unused accounts and reducing waste in the IT budget

The Difference Between Deletion and Deactivation

In practice, accounts are handled in three states: "deactivated" (sign-in only suspended), "archived" (data retained), and "fully deleted." The standard approach is a three-step process: deactivate for a period, then archive, then fully delete. Since immediate deletion can result in loss of operational data, a coordinated procedure with the departing employee's department is required.

Risks of Leaving Ex-Employee Accounts Active

Failing to delete ex-employee accounts exposes companies to several serious risks. Here are four categories that information security publications repeatedly flag.

Data Breaches and Exfiltration

The greatest risk is unauthorized access and data theft by former employees. Cases have been reported where emotional disputes at the time of departure led to former employees using credentials from their employment to extract customer data and confidential documents. IPA's "Top 10 Information Security Threats" has consistently ranked "insider information leaks" near the top, with ex-employee incidents being particularly prominent.

Entry Points for Third-Party Attackers

Ex-employee accounts are easy targets for cybercriminals. Accounts that haven't been used for a long time tend to receive less monitoring, and if exposed credentials or weak passwords remain, attackers frequently exploit them as entry points. Multiple major incidents have involved "dormant accounts" as the initial intrusion vector.

Compliance Violations

Regulations and standards including GDPR, Japan's revised Personal Information Protection Act, SOC 2, and ISO 27001 all require proper management and deletion of unnecessary access rights. Leaving ex-employee accounts active constitutes a violation, and can lead to audit findings, regulatory penalties, and contract termination. This is especially critical in financial services, healthcare, and the public sector.

Wasted License Costs

Major SaaS products operate on monthly subscription models, meaning undeleted accounts continue to be billed. Even at a few hundred dollars per license per month, 100 lingering ex-employee accounts can mean thousands of dollars in annual losses. Research on SaaS cost management shows that a significant portion of enterprise SaaS spend goes to "unused licenses," with ex-employee accounts being one of the main causes.

Types of Accounts to Delete at Offboarding

"Just email and the laptop" is not enough in the SaaS era. Accounts requiring deletion span a wide range — organizing them by category is essential to prevent gaps.

Core System Accounts

Accounts for systems that form the company's core infrastructure. These include the following.

  • Active Directory / Entra ID: The foundation of internal authentication
  • Email accounts: Microsoft 365, Google Workspace
  • File sharing: OneDrive, Google Drive, SharePoint, Box
  • VPN / remote access: Credentials enabling access from outside the office

These must be deleted first. In particular, accounts that serve as the root of an IDaaS or SSO system should be deactivated on the departure date itself.

Individual Business SaaS Accounts

SaaS usage varies by department and role, making this the area most prone to gaps.

  • Sales / CRM: Salesforce, HubSpot, Pipedrive
  • Development: GitHub, GitLab, Jira, Confluence
  • Communications: Slack, Microsoft Teams, Zoom
  • Work management: Asana, Notion, Trello
  • HR / payroll: SmartHR, freee, MoneyForward

Because these vary by department, the IT team can't track them alone — coordination with department managers is essential.

Device and Physical Access Accounts

Physical devices are also in scope.

  • Work PCs and smartphones: Factory reset, account unlink
  • Shared printers: Credentials, print history
  • IC cards / access cards: Physical access rights

Work PCs are often wiped and reissued, so disk encryption and wipe procedures should be in place to ensure no former employee data remains.

External Systems and Third-Party Access

These are easy to forget.

  • Cloud vendor management consoles: AWS, Azure, GCP
  • Developer tool APIs: Personally issued tokens and API keys
  • Vendor / partner systems: Accounts at outsourced providers or agencies

API keys and admin tokens are especially high-impact if leaked, so rotation and revocation must be performed without fail.


How to Execute Ex-Employee Account Deletion

Account deletion should be designed as an end-to-end process, from the moment of resignation through a defined period after the departure date. Ad hoc handling leads to gaps — a five-step operational approach is most effective.

Step 1: Account Inventory at Time of Resignation

Once resignation is confirmed, create a list of all accounts belonging to the departing employee. Accounts under AD, IDaaS, and SSO are relatively easy to identify, but shadow IT and standalone SaaS tools require input from the department. Having the employee self-report the services and login IDs they've used improves coverage.

Step 2: Data Handoff and Backup Before the Departure Date

Starting one week before the departure date, begin transferring operational data. Archive emails, files, and chat history that constitute company assets and move them to a location accessible to the successor. Ask the departing employee to document any knowledge that only they possess.

Step 3: Access Deactivation on the Departure Date

At the end of business on the departure date, simultaneously revoke all access rights. Specific actions include the following.

  • Deactivate the account in IdP / AD (immediate cutoff)
  • SCIM deprovisioning or manual deactivation per SaaS application (note: cutting SSO alone may leave local login active in some apps — confirm deactivation at the app level too)
  • Revoke VPN / remote access rights
  • Invalidate API keys and personal tokens
  • Confirm return of physical devices, PC, and smartphone

The ideal is an automated workflow that executes all of these simultaneously at end of business on the departure date.

Step 4: Data Archiving and Deletion

After deactivation, retain data as an archive for a defined period (typically 30–90 days). Records subject to legal retention requirements (HR, finance) must be kept accordingly; after the retention period, proceed to full deletion. Microsoft 365 and Google Workspace both offer automatic archiving via retention policies.

Step 5: Record Keeping of Completed Deletions

For audit purposes, retain logs, checklists, and approval records of deletion activities. Document who deleted which account, when, and by what procedure — and keep those records accessible for at least several years. Retaining communication logs with the departing employee also helps if issues arise later.
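The departure-day flow of Steps 3 to 5, as an added Python example that is not from the original article or from any product it names: the IdP cutoff uses the Microsoft Graph request shapes (PATCH users/{id} with accountEnabled=false, then revokeSignInSessions), each SaaS app is deprovisioned with a SCIM 2.0 PatchOp and then re-read so the app-level state is confirmed (the caveat in Step 3), the Step 4 archive expiry is computed, and the result is the Step 5 audit record. The `send` transport, `fake_transport`, the hostnames and the user IDs are constructed assumptions; a real run would swap in an HTTP client carrying the admin tokens for each service.

```python
from datetime import date, datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def disable_idp_user(send, user_id):
    # Step 3 IdP cutoff (Graph shape): accountEnabled=false blocks new sign-ins,
    # revokeSignInSessions invalidates refresh tokens that were already issued.
    st, _ = send("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})
    rv, _ = send("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None)
    return st == 204 and rv == 200

def deprovision_scim(send, base, scim_id):
    # Step 3 per-app cutoff: SCIM 2.0 PatchOp on `active`, then re-read the
    # resource, because an app may keep a local login alive after SSO is cut.
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    send("PATCH", f"{base}/Users/{scim_id}", body)
    st, user = send("GET", f"{base}/Users/{scim_id}", None)
    if st == 404:                    # service deletes instead of deactivating
        return True
    return st == 200 and user.get("active") is False

def offboard(send, employee, apps, operator, departure, retain_days=90):
    # Runs every cutoff, computes the Step 4 archive expiry and returns the
    # Step 5 audit record; anything not verified is listed under `gaps`.
    results = {"idp": disable_idp_user(send, employee["idp_id"])}
    for app in apps:
        results[app["name"]] = deprovision_scim(send, app["scim_base"], app["scim_id"])
    return {"employee": employee["upn"], "operator": operator,
            "executed_at": datetime.now(timezone.utc).isoformat(),
            "archive_until": (departure + timedelta(days=retain_days)).isoformat(),
            "results": results,
            "gaps": sorted(k for k, ok in results.items() if not ok)}

def fake_transport(behaviour):
    # Constructed HTTP stand-in so the block runs offline. behaviour[host] is
    # 'honours' (PATCH deactivates), 'ignores' (local login survives) or 'deletes'.
    active = {h: True for h in behaviour}
    def send(method, url, body):
        host = url.split("/")[2]
        if host == "graph.microsoft.com":
            return (204, None) if method == "PATCH" else (200, {"value": True})
        if method == "PATCH" and behaviour[host] != "ignores":
            active[host] = False
        if method == "GET" and behaviour[host] == "deletes" and not active[host]:
            return 404, None
        return 200, {"active": active[host]}
    return send

# Constructed sample data: one departing employee and three SaaS apps.
EMPLOYEE = {"upn": "j.doe@example.com", "idp_id": "00000000-0000-0000-0000-000000000001"}
APPS = [{"name": "crm", "scim_base": "https://crm.example/scim/v2", "scim_id": "u-1"},
        {"name": "wiki", "scim_base": "https://wiki.example/scim/v2", "scim_id": "u-2"},
        {"name": "chat", "scim_base": "https://chat.example/scim/v2", "scim_id": "u-3"}]
BEHAVIOUR = {"crm.example": "honours", "wiki.example": "ignores", "chat.example": "deletes"}

def demo():
    return offboard(fake_transport(BEHAVIOUR), EMPLOYEE, APPS, "it-admin", date(2025, 3, 31))
```

The `wiki` app shows the failure the Step 3 note warns about: the PATCH is accepted but the account stays active, so it lands in `gaps` instead of being silently recorded as done.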

Tools to Streamline Ex-Employee Account Deletion

Manual offboarding processes are prone to errors, gaps, and delays. For modern companies using many SaaS tools, specialized tooling is the practical solution. Here are six key categories and products.

Active Directory / Microsoft Entra ID (formerly Azure AD)

In Microsoft environments, AD or Entra ID is the starting point for account deletion. Entra ID supports bulk deactivation and automation via PowerShell scripts or the Graph API. Integration with Microsoft 365 enables simultaneous control of access to email, OneDrive, and Teams.

Okta

Okta integrates with more than 8,000 SaaS applications as an IDaaS, automating bulk deactivation of ex-employee accounts. By integrating with HR systems (Workday, SmartHR, etc.), it can automatically disable all SaaS accounts the moment a departure is triggered in the HR system.

Microsoft Entra ID Governance

Entra ID Governance provides access review capabilities within Microsoft Entra ID, enabling periodic access audits and automated permission revocation. It's particularly effective for discovering and deleting residual accounts after a departure has occurred.

Google Workspace Admin Console

In Google Workspace environments, the Admin Console lets you deactivate ex-employee accounts, transfer data, and schedule final deletion in sequence. Combined with Vault, it also supports long-term retention of emails and files for litigation purposes.

SailPoint IdentityIQ

SailPoint is a leading enterprise IGA (Identity Governance and Administration) platform. It manages the full access rights lifecycle across the organization — including offboarding — and is widely adopted by large enterprises with strict compliance requirements such as SOX and GDPR.

Josys

Josys is a modern AI-native identity security and governance platform that integrates with more than 350 SaaS applications to automate bulk deletion of ex-employee accounts. By connecting to HR systems, it can execute account deactivation, license reclamation, and data archiving across all SaaS tools in one automated flow triggered by a departure event.

Common Failure Patterns and How to Avoid Them

There are several typical failure patterns in ex-employee account deletion operations. Being aware of them in advance allows you to build in preventive measures.

Gaps in Individual SaaS Deletion

The most common failure is SaaS accounts managed independently by a department being overlooked, leaving former employees able to authenticate after departure. Solutions include maintaining a SaaS inventory, building department manager confirmation into the process, and using SaaS visibility tools.

Timing Delays

Running a "delete the week after the departure date" process creates a window of exfiltration risk. Enforce immediate deactivation at end of business on the departure date, and run a parallel archive in case data restoration is needed later.

Shared Accounts Left Active

In cases where a department shares a single account (team email, shared credentials), offboarding steps are easily missed. Include shared account password changes and MFA review in the offboarding checklist.

API Keys and Tokens Left Active

API keys and tokens personally issued by developers or system administrators frequently go undeleted. Conduct regular audits of cloud vendor audit logs, and establish a process to immediately rotate any keys where the issuer has since departed.
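An access review that reconciles per-app user exports against the HR roster to surface the two failure patterns just described (residual SaaS accounts and API keys issued by someone who has since left) and also the dormant accounts flagged earlier in the article; an added Python example, not the article's or any vendor's code, and every roster, export and key ID in it is constructed sample data.

```python
from datetime import date

# Constructed sample data. HR is the source of truth for who still works here.
HR_ACTIVE = {"a.ito@example.com", "b.sato@example.com"}
HR_DEPARTED = {"j.doe@example.com": date(2025, 3, 31)}    # upn -> departure date

# Per-app user exports, one row per account, as an admin console would export them.
APP_USERS = {
    "crm":  [{"email": "a.ito@example.com", "active": True, "last_login": date(2025, 6, 1)},
             {"email": "j.doe@example.com", "active": True, "last_login": date(2025, 4, 2)}],
    "wiki": [{"email": "j.doe@example.com", "active": False, "last_login": date(2025, 3, 30)},
             {"email": "ops-shared@example.com", "active": True, "last_login": date(2024, 9, 1)}],
}
# Cloud / developer API keys together with the identity that issued each one.
API_KEYS = [{"id": "key-01", "issuer": "a.ito@example.com", "created": date(2025, 1, 5)},
            {"id": "key-02", "issuer": "j.doe@example.com", "created": date(2024, 11, 20)}]

def review(today, dormant_days=90):
    findings = []
    for app, rows in APP_USERS.items():
        for row in rows:
            email = row["email"]
            if email in HR_DEPARTED and row["active"]:
                # Residual account: still enabled after the departure date. A login
                # after that date is the signal that needs incident follow-up.
                used_after = row["last_login"] > HR_DEPARTED[email]
                tag = "residual" + ("+used-after-departure" if used_after else "")
                findings.append((app, email, tag))
            elif email not in HR_ACTIVE and email not in HR_DEPARTED:
                # Not tied to any person in HR: a shared or unknown account that the
                # offboarding checklist cannot catch by name.
                findings.append((app, email, "unmapped"))
            if row["active"] and (today - row["last_login"]).days > dormant_days:
                findings.append((app, email, "dormant"))
    for key in API_KEYS:
        if key["issuer"] in HR_DEPARTED:
            findings.append(("api-key", key["id"], "rotate:issuer-departed"))
    return sorted(findings)

def demo():
    return review(date(2025, 7, 1))
```

Run quarterly, as the article recommends for access reviews, the same comparison also catches the accounts that slipped through an earlier offboarding.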

Immediate Deletion Without Handoff

Deleting accounts before properly transferring operational data — leaving successors unable to access needed emails and files — is another frequent accident. Always include an archiving period (Step 4) and require a handoff completion confirmation before final deletion.

Glossary of Key Terms in Ex-Employee Account Deletion

Six terms that come up frequently in offboarding work — useful for IT administrators communicating internally and externally.

Offboarding

The end-to-end process of terminating a departing employee's system access. It encompasses not just account deletion but also device return, data handoff, and exit interviews. The counterpart to "onboarding" (the setup process when someone joins).

Provisioning / Deprovisioning

Provisioning is the process of creating accounts when someone joins; deprovisioning is the process of removing them when someone leaves. Automated deprovisioning via the SCIM (System for Cross-domain Identity Management) protocol has become the standard in the SaaS era.

Access Review

The practice of periodically auditing user access rights and removing unnecessary permissions. It also serves to discover and delete residual accounts from incomplete offboarding. Quarterly reviews are recommended.

IGA (Identity Governance and Administration)

A framework for managing enterprise identity from both a governance (control) and administration (operations) perspective. It integrates offboarding, access reviews, and Segregation of Duties (SoD) violation detection. SailPoint and Saviynt are representative vendors.

SCIM

A standard protocol for synchronizing user information across SaaS systems. When an HR system detects a departure, SCIM or APIs can instruct each SaaS to deactivate or delete the account — enabling deprovisioning without manual intervention (behavior may vary by service: deactivation, deletion, or attribute change).

Retention

The period during which data is preserved before deletion. Former employee emails and files are retained for a defined period for legal obligations and handoff purposes, then fully deleted. Microsoft 365 offers "Retention Policies" and Google Workspace offers "Vault" for this purpose.

Automating Ex-Employee Account Deletion: SaaS Integration Is the Key

Executing all of the above manually is not realistic. For modern companies with a growing SaaS portfolio, automating the offboarding process is the most direct path to reducing IT team workload while preventing gaps.

Three Sources of Manual Work in Offboarding

  • Account inventory: Identifying which SaaS tools each departing employee uses
  • Individual deactivation: Manually opening each SaaS admin panel to disable the account
  • Audit trail creation: Recording who deleted what in spreadsheets or tickets

Each departure can require several to over a dozen person-hours, and when multiple employees leave around the same time, this becomes a major burden on the IT team.

Automating Offboarding with Josys

Josys integrates with HR systems to use departure events as triggers, automatically executing account deactivation, license reclamation, and data archiving across more than 350 SaaS integrations. It dramatically reduces per-departure handling time and significantly cuts down on human error. Adopted by more than 700 organizations worldwide, the Josys platform has delivered documented results of up to 50% reduction in IT workload and up to 75% reduction in IT costs.

FAQ: Ex-Employee Account Deletion

Q1. When should ex-employee accounts be deleted?

A. The standard approach is to combine immediate deactivation with staged deletion. Perform "access deactivation" at end of business on the departure date, then archive data for 30–90 days before proceeding to full deletion. Follow applicable legal or industry retention requirements where longer storage is mandated.

Q2. How should ex-employee email be handled?

A. The practical approach is typically three steps: set up an auto-reply informing senders of the departure, archive the mailbox for a defined period, and forward work-related emails to the successor. Microsoft 365 and Google Workspace admin tools both support automatic forwarding from a departed user's account.

Q3. In what order should SaaS accounts be deleted?

A. Work in order of priority: IDaaS / SSO root accounts → email and file sharing → communication tools → business SaaS → cloud management consoles → API keys and tokens. Closing the paths through which the former employee can still access the environment is the top priority.

Q4. What's needed to automate the offboarding process?

A. The core is integration between your HR system and an IDaaS / identity governance platform. Build a system where the HR system signals a "pending departure," and the IDaaS sends deprovisioning commands to each SaaS. Using SCIM and API integrations allows reliable account deletion without any manual steps.

Ex-Employee Account Deletion Is the Most Critical Step in Offboarding

Ex-employee account deletion is a business-critical function directly tied to security, compliance, and cost optimization. Standardizing the process and advancing automation are key IT department priorities for structurally reducing the risks of data breaches, unauthorized access, and wasted license spend.

Effective offboarding requires institutionalizing four elements: SaaS inventory, immediate access deactivation, data archiving and full deletion, and audit trail retention. Offboarding processes that rely on manual work are breeding grounds for mistakes and gaps — we're now at a point where leveraging IDaaS and AI-native identity governance platforms is essential.

Platforms like Josys can fully automate the offboarding process, structurally reducing risk at the point of departure — while cutting IT workload and maintaining both compliance and security simultaneously.
