User offboarding and SSO revocation: where do teams still slip?


(@nhi-mgmt-group)

TL;DR: Offboarding must revoke SaaS, SSO, and device access quickly, transfer data safely, and audit for residual exposure because departing users can otherwise retain paths into sensitive systems, according to Zluri. The underlying issue is not just process friction but lifecycle governance that assumes access disappears automatically, which it rarely does.

NHIMG editorial — based on content published by Zluri: Best Practices Top 4 Ways to Enhance User Offboarding Process

By the numbers:

Questions worth separating out

Q: What breaks when user offboarding only disables SSO?

A: Disabling SSO alone leaves any direct application grants, cached sessions, or delegated permissions intact.

Q: Why do organisations need a formal offboarding process for access revocation?

A: Because access rarely disappears automatically when employment ends.

Q: How do security teams know if offboarding actually worked?

A: They check for evidence that the user has no remaining active sessions, application privileges, shared resource access, or admin links after termination.

Practitioner guidance

  • Reconcile every downstream entitlement before closure: Build an offboarding checklist that covers directory accounts, SaaS app entitlements, device sessions, shared folders, and delegated permissions.
  • Separate data custody from access removal: Transfer business data to an authorised owner before final account disablement, and verify retention requirements for mailboxes, drives, and app exports.
  • Audit for residual access after the primary cutoff: Run a post-offboarding review that checks active sessions, orphaned app grants, and stale group memberships.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step offboarding workflow inside Zluri, including app selection, action sequencing, and playbook creation.
  • The platform-specific automation flow for backing up user data before license revocation.
  • The direct integration model across SaaS applications and the claimed 300-plus app coverage.
  • The detailed example of how recommended actions are presented for each application during deprovisioning.

👉 Read Zluri's guide to improving user offboarding and access revocation →
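
The post-offboarding review described under "Practitioner guidance", sketched as an added example; it is not code from this post or from Zluri. All users, apps, field layouts and export shapes below are constructed assumptions standing in for whatever your IdP, SaaS admin consoles and directory actually export.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed sample exports (hypothetical users, apps and field layout).
TERMINATED = {"jdoe"}                      # SSO account already disabled
SESSIONS = [                               # (user, app, session expiry)
    ("jdoe", "chat", datetime(2024, 5, 8, 9, 0, tzinfo=UTC)),
    ("jdoe", "wiki", datetime(2024, 5, 1, 12, 0, tzinfo=UTC)),
    ("asmith", "chat", datetime(2024, 5, 9, 9, 0, tzinfo=UTC)),
]
APP_GRANTS = [                             # (user, app, how the user authenticates)
    ("jdoe", "crm", "sso"),
    ("jdoe", "billing", "local_password"),
    ("jdoe", "repo", "api_token"),
    ("asmith", "crm", "sso"),
]
GROUPS = {"finance-admins": ["jdoe", "asmith"], "all-staff": ["asmith"]}
DELEGATIONS = [("asmith", "jdoe", "mailbox:asmith")]  # (grantor, delegate, resource)


def residual_access(user, as_of):
    """Return sorted (category, detail) findings for one offboarded user."""
    findings = []
    for u, app, expires in SESSIONS:
        if u == user and expires > as_of:          # session outlives the SSO disable
            findings.append(("active_session", app))
    for u, app, auth in APP_GRANTS:
        if u != user:
            continue
        # Non-SSO credentials keep working after the IdP account is disabled;
        # SSO-only grants lose their login path but still need deprovisioning.
        kind = "unrevoked_entitlement" if auth == "sso" else "direct_grant"
        findings.append((kind, f"{app}:{auth}"))
    for group, members in GROUPS.items():
        if user in members:
            findings.append(("stale_group", group))
    for grantor, delegate, resource in DELEGATIONS:
        if delegate == user:
            findings.append(("delegated_permission", resource))
    return sorted(findings)


def audit(as_of):
    """Map each terminated user to residual findings; empty list means clean."""
    return {u: residual_access(u, as_of) for u in sorted(TERMINATED)}


if __name__ == "__main__":
    for user, items in audit(datetime(2024, 5, 2, tzinfo=UTC)).items():
        for kind, detail in items:
            print(f"{user}: {kind} -> {detail}")
```

An empty list for a user is the evidence that offboarding worked; any `direct_grant` or `active_session` entry is access that disabling SSO alone did not remove.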
