How to Offboard Users
Best Practices for Offboarding Users from Twingate
Overview
Effective offboarding of users is a critical aspect of maintaining security and managing access within your organization. This document outlines the best practices for offboarding users from the Twingate platform, focusing on two common scenarios: when a company uses social logins (e.g., Microsoft, Google, LinkedIn, GitHub) and when a company integrates with a third-party enterprise identity provider (e.g., Okta, Entra ID).
Scenario 1: Offboarding Users with Social Logins
When your company allows users to log in through third-party services such as Microsoft, Google, LinkedIn, or GitHub, the offboarding process involves a few straightforward steps within the Twingate Admin Console.
- First, log in to the Twingate Admin Console using your administrative credentials.
- Once logged in, navigate to the Teams page from the main dashboard. Here, you will find a list of all users.
- Locate the user you wish to offboard, and you will see options to either disable or delete the user.
- After selecting the appropriate option, confirm the action to remove their access.
Disabled users will not be able to log in to Twingate, but their account information will be retained. They will also continue to count towards billable users. Deleted users will have their account information permanently removed from Twingate and will no longer count towards billable users.
Scenario 2: Offboarding Users with Enterprise Identity Providers
When your company uses a third-party enterprise identity provider (IdP), the offboarding process involves managing the user within the IdP and ensuring that changes are synchronized with Twingate.
Start by logging in to your enterprise IdP. If you are completely offboarding the user from the organization, locate the user you need to offboard and disable or delete their account within the IdP. If you only need to remove their access to the Twingate service, remove them from any groups that may be synced over to Twingate. These changes will automatically sync over to Twingate. Be aware that there might be a delay in synchronization, depending on the specific IdP and its settings.
To ensure immediate access revocation, it is advisable to also block the user’s device(s) directly in the Twingate Admin Console. Log in to the Twingate Admin Console, navigate to the Devices section, and block the user’s device(s). This action ensures that access is immediately revoked, regardless of any delays in the synchronization process from the IdP. The device will not be able to access any Resources until it is unblocked.
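The sync window described above can be checked by reconciling the IdP's offboarding list against the user and device state on the Twingate side. The following is an added example, not Twingate's own code: the record layouts, field names and sample data are all constructed assumptions standing in for whatever exports you have available.

```python
# Added example: every field name and record below is constructed for
# illustration and is NOT Twingate's or any IdP's real export schema.
IDP_OFFBOARDED = {"alice@example.com", "bob@example.com",
                  "carol@example.com", "erin@example.com"}

TWINGATE_USERS = [
    {"email": "alice@example.com", "state": "active"},    # IdP change not synced yet
    {"email": "bob@example.com", "state": "disabled"},    # retained, still billable
    {"email": "erin@example.com", "state": "active"},     # not synced, device blocked
    {"email": "dave@example.com", "state": "active"},     # current employee
]  # carol was deleted, so she has no record at all

TWINGATE_DEVICES = [
    {"name": "alice-laptop", "owner": "alice@example.com", "blocked": False},
    {"name": "alice-phone", "owner": "alice@example.com", "blocked": True},
    {"name": "erin-laptop", "owner": "erin@example.com", "blocked": True},
    {"name": "dave-laptop", "owner": "dave@example.com", "blocked": False},
]


def audit_offboarding(offboarded, users, devices):
    """Return (severity, email, detail) for each offboarded user with a gap."""
    state = {u["email"].lower(): u["state"] for u in users}
    findings = []
    for email in sorted(e.lower() for e in offboarded):
        status = state.get(email)
        if status is None:
            continue  # deleted: no account data and no billable seat remain
        if status == "disabled":
            findings.append(("INFO", email, "disabled: no login, still billable"))
            continue
        # Still active: the IdP change has not reached Twingate yet, so only
        # a device block stops access during the sync window.
        unblocked = [d["name"] for d in devices
                     if d["owner"].lower() == email and not d["blocked"]]
        for name in unblocked:
            findings.append(("HIGH", email, f"device not blocked: {name}"))
        if not unblocked:
            findings.append(("MEDIUM", email, "sync pending, devices blocked"))
    return findings


if __name__ == "__main__":
    for finding in audit_offboarding(IDP_OFFBOARDED, TWINGATE_USERS, TWINGATE_DEVICES):
        print(*finding, sep=" | ")
```

HIGH findings are the cases where neither the IdP sync nor a device block has taken effect yet; MEDIUM findings should clear on their own once the sync completes.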

Summary
Following these best practices will help ensure that user access is promptly and securely managed during the offboarding process. Whether your organization uses social logins or an enterprise identity provider, you can effectively control and revoke access through the Twingate Admin Console and your respective IdP.
By adhering to these guidelines, you can maintain a secure and well-managed access control environment, protecting your organization’s resources from unauthorized access.