How to Offboard Users

Best Practices for Offboarding Users from Twingate

Overview

Effective offboarding of users is a critical aspect of maintaining security and managing access within your organization. This document outlines the best practices for offboarding users from the Twingate platform, focusing on two common scenarios: when a company uses social logins (e.g., Microsoft, Google, LinkedIn, GitHub) and when a company integrates with a third-party enterprise identity provider (e.g., Okta, Entra ID).

Scenario 1: Offboarding Users with Social Logins

When your company allows users to log in through third-party services such as Microsoft, Google, LinkedIn, or GitHub, the offboarding process involves a few straightforward steps within the Twingate Admin Console.

  • First, log in to the Twingate Admin Console using your administrative credentials.
  • Once logged in, navigate to the Teams page from the main dashboard. Here, you will find a list of all users.
  • Locate the user you wish to offboard, and you will see options to either disable or delete the user.
    Disable or Delete a User
  • After selecting the appropriate option, confirm the action to remove their access.

Scenario 2: Offboarding Users with Enterprise Identity Providers

When your company uses a third-party enterprise identity provider (IdP), the offboarding process involves managing the user within the IdP and ensuring that changes are synchronized with Twingate.

Start by logging in to your enterprise IdP. If you are completely offboarding the user from the organization, locate the user you need to offboard and disable or delete their account within the IdP. If you only need to remove their access to the Twingate service, remove them from any groups that may be synced over to Twingate. These changes will automatically sync over to Twingate. Be aware that there might be a delay in synchronization, depending on the specific IdP and its settings.

To ensure immediate access revocation, it is advisable to also block the user’s device(s) directly in the Twingate Admin Console. Log in to the Twingate Admin Console, navigate to the Devices section, and block the user’s device(s). This action ensures that access is immediately revoked, regardless of any delays in the synchronization process from the IdP. The device will not be able to access any Resources until it is unblocked.

Block a User's Device
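
A reconciliation check for the synchronization delay described above, added here as an example (it is not Twingate's code): given exports of IdP users and of Twingate users and devices, it lists users the IdP no longer entitles who are still active in Twingate, along with any of their devices that are not yet blocked. The export field names and the synced group name are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample exports. Field names are assumptions for this example,
# not the schema of any IdP or of Twingate.
IDP_USERS = json.loads("""[
  {"email": "ana@example.com", "status": "active",   "groups": ["vpn-users"]},
  {"email": "bo@example.com",  "status": "disabled", "groups": ["vpn-users"]},
  {"email": "cy@example.com",  "status": "active",   "groups": ["finance"]}
]""")
TWINGATE_USERS = json.loads("""[
  {"email": "ana@example.com", "state": "active"},
  {"email": "Bo@example.com",  "state": "active"},
  {"email": "cy@example.com",  "state": "active"},
  {"email": "dee@example.com", "state": "disabled"},
  {"email": "eve@example.com", "state": "active"}
]""")
TWINGATE_DEVICES = json.loads("""[
  {"name": "ana-laptop", "owner": "ana@example.com", "blocked": false},
  {"name": "bo-laptop",  "owner": "bo@example.com",  "blocked": true},
  {"name": "bo-phone",   "owner": "bo@example.com",  "blocked": false},
  {"name": "cy-laptop",  "owner": "cy@example.com",  "blocked": false},
  {"name": "eve-laptop", "owner": "eve@example.com", "blocked": true}
]""")


def offboarding_gaps(idp_users, tg_users, tg_devices, synced_groups):
    """Map each user who should be offboarded but is still active in Twingate
    to the names of their devices that are not blocked."""
    synced = set(synced_groups)
    # Entitled = active in the IdP and a member of at least one synced group.
    # Users disabled, deleted (absent), or removed from synced groups are not.
    entitled = {u["email"].lower() for u in idp_users
                if u["status"] == "active" and synced & set(u["groups"])}
    gaps = {}
    for user in tg_users:
        email = user["email"].lower()
        if email in entitled or user["state"] != "active":
            continue  # still entitled, or the sync has already disabled them
        gaps[email] = [d["name"] for d in tg_devices
                       if d["owner"].lower() == email and not d["blocked"]]
    return gaps


if __name__ == "__main__":
    found = offboarding_gaps(IDP_USERS, TWINGATE_USERS, TWINGATE_DEVICES, ["vpn-users"])
    for email, devices in found.items():
        print(f"{email}: sync pending, unblocked devices: {devices or 'none'}")
```

An empty device list for a user means the sync is still pending but every device is already blocked; a non-empty list names the devices that still need to be blocked.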

Summary

Following these best practices will help ensure that user access is promptly and securely managed during the offboarding process. Whether your organization uses social logins or an enterprise identity provider, you can effectively control and revoke access through the Twingate Admin Console and your respective IdP.

By adhering to these guidelines, you can maintain a secure and well-managed access control environment, protecting your organization’s resources from unauthorized access.

Last updated 2 months ago