Offboarding Steps - Troubleshooting

This article covers expected behaviours, outcomes, and common errors for each offboarding step in CloudM Automate. Use the contents list below to jump to the relevant step.

Generic errors

• An error may occur if the user being offboarded has already been deleted within Google Workspace.
• If the Google APIs used to perform the operations are unavailable, errors will be returned.
• If a step fails, it will automatically retry up to a maximum of 5 times. Note: there may be exceptions where a NON_RETRYABLE message is displayed, in which case retrying will not resolve the issue.

Request Approval

The executor of the workflow is prompted to approve the offboarding. The notification is sent both within CloudM Automate (Notifications section) and by email. When approving via email, the executor is taken to the offboarding detail page to approve or deny. The email is re-sent every 24 hours until actioned.

If the executor does not have the relevant permissions in Roles to approve or deny offboarding, they are granted a temporary one-time permission for the specific offboarding workflow they are the executor for. This permission is revoked once they have actioned the request.

Expected outcome

Once approved, the offboarding continues to the next step in the workflow.

Possible errors

• An error may occur if the user assigned as the executor has been deleted.
• If a group is set as the executor, individual users within the group will not be able to approve.

Preemptively Suspend User

The user's account is suspended so they cannot log in or access any services.

Expected outcome

The user is suspended and cannot log in.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Assign Google Workspace License

If a user has a Google Archived User licence, this step removes it and restores their full Google Workspace licence. If a user has a Cloud Identity licence, the admin selects the licence type to assign during workflow setup. That licence is then applied to the user during offboarding.

Some offboarding steps require the user to have mail or Drive services enabled. Placing this step at the beginning of the workflow ensures the user has the correct licence type, preventing subsequent steps from failing. To remove the licence at the end, include the Unassign Licenses or Delete User step towards the end of the workflow.

Expected outcome

The user either has their Archived User licence removed, or has the licence selected by the admin applied to them, depending on their current licence.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the selected licence type is not available in your licence pool, this step will fail.

Prompt for Resource Allocation

A prompt is sent to the executor to set the target destination for specific offboarding steps. These destinations override the original destinations set at the overall workflow level, allowing the executor to define a specific target for that individual user's offboarding.

Before confirming allocations, the executor can validate whether the targets are valid user profiles. A target can be an external user or a group email address, but this may cause errors during migrations if the target is not a valid CloudM Automate user profile. The step can still proceed with an invalid target, but errors may occur.

The offboarding process will not continue until all resources have been allocated.

Expected outcome

After the resource allocation is confirmed, the next step begins processing using the targets specified.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the target is not a user account registered within CloudM Automate, errors may occur when processing the relevant steps.
• If the target user does not have Drive or mail enabled, or does not have the correct licences, this may also cause issues.

Wipe Mobile Devices

The user's Google Workspace account is removed from any registered mobile devices. An audit log entry is created for each device wiped. If CloudM Automate does not have authorisation to wipe a device, that device is skipped — the workflow is not marked as failed, but a log entry is created to record the skip.

The following Google API scope is required: https://www.googleapis.com/auth/admin.directory.device.mobile.action. In most cases this scope is approved automatically when logging into CloudM Automate.

Expected outcome

The user's Google Workspace profile is removed from all mobile devices. Any skipped devices are recorded in the audit log.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the required API scope has not been granted, the step will fail.

Wipe Chrome OS Devices

All user profiles are wiped from any Chrome OS devices registered to the user. An audit log entry is created for each device wiped. If CloudM Automate does not have authorisation to wipe a device, that device is skipped — the workflow is not marked as failed, but a log entry is created.

The following Google API scope is required: https://www.googleapis.com/auth/admin.directory.device.chromeos. In most cases this scope is approved automatically when logging into CloudM Automate.

Expected outcome

The user's profile is removed from all Chrome OS devices. Any skipped devices are recorded in the audit log.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the required API scope has not been granted, the step will fail.

Change Password

The user's password is changed to a random 16-character alphanumeric string. The new password is not visible to anyone once applied.

Expected outcome

The user cannot log in with their old password. The new password is not accessible to anyone.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Revoke 2-Step Verification

All backup codes for the user are invalidated and 2-step verification is disabled for the account. If the user is suspended when this step runs, they will be unsuspended for the duration of the step, then suspended again afterwards. A 1 hour wait is triggered before the step proceeds to allow for data propagation.

If the user's 2-step verification is managed by a Google Workspace policy (such as at OU level), the step will not error but CloudM Automate will be unable to disable it.

The following scope is required: https://www.googleapis.com/auth/admin.directory.user.security. In most cases this is approved automatically when logging into CloudM Automate.

Expected outcome

The user's backup codes are invalidated and 2-step verification is removed from their account.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the required API scope has not been granted, the step will fail.

Remove Recovery Methods

The user's recovery phone number and recovery email address are removed from their account.

Expected outcome

The user's recovery phone number and email address no longer exist on the account.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Revoke Application Specific Passwords

Any application-specific passwords the user has set up are revoked. The following scope is required: https://www.googleapis.com/auth/admin.directory.user.security. In most cases this is approved automatically when logging into CloudM Automate.

Expected outcome

All application-specific passwords are removed. The user has none remaining on their account.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the required API scope has not been granted, the step will fail.

Revoke OAuth Tokens

All OAuth tokens issued for the user's account are revoked, preventing any applications from accessing the account on the user's behalf. The following scope is required: https://www.googleapis.com/auth/admin.directory.user.security. In most cases this is approved automatically when logging into CloudM Automate.

Expected outcome

All OAuth tokens are revoked. Applications can no longer perform operations on behalf of the user or access their information.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the required API scope has not been granted, the step will fail.

Remove and Replace User as Manager

If the offboarding user is set as a manager on any associated user profiles, this step removes or replaces them in the Manager field. If the Replace option is selected, the Manager field is updated with the specified target user.

Expected outcome

The offboarding user is removed from the Manager field on all associated profiles. If Replace is selected, the field is updated with the target user.

Possible errors

• An error may occur if the offboarding user has already been deleted within Google Workspace.
• An error may occur if the replacement target user has also been deleted.

Revoke Existing Delegate Access

Any existing delegate access to the offboarding user's mailbox is revoked during this step.

Expected outcome

Any users who had delegated access to the offboarding user's mailbox can no longer access it.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Set Out of Office Message

The specified out of office settings are applied to the user. A subject and message can be configured, along with an executor as an alternative contact. The settings applied are as follows:

• Start date — the date and time the step was processed
• End date — 1 year from when the step was processed
• Active for all people contacting the user, not just domain contacts

Expected outcome

The out of office is set for the user and any emails sent to them receive the configured auto-reply.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• An error will occur if the user does not have a valid Google Workspace licence, as CloudM Automate will be unable to access their mailbox.

Delegate Access

The user's mailbox is delegated to the executor defined at workflow level, allowing them to read, send, and delete emails on the user's behalf. If the user does not have mail services enabled (for example, a Cloud Identity user), the step is skipped.

Expected outcome

The executor has access to the offboarded user's mailbox.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the executor does not have mail services enabled or is suspended, an error will be returned when attempting the delegation.

Move User

The user is moved to the specified Organisational Unit. If the user is already in that OU, the step is skipped. This step can be combined with the "Offboard suspended users" setting to automatically move suspended users to an OU with specific offboarding policies.

Expected outcome

The user has been moved to the specified OU.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace, or if the target OU no longer exists.

Hide User

The user is removed from the Google Workspace Global Address List (GAL).

Expected outcome

The user no longer appears in the Global Address List.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Rename User

The user is renamed in both CloudM Automate and Google Workspace. The new email address follows the format specified in the step — by default this is a random ID.

Expected outcome

The user is renamed in the specified format in both CloudM Automate and Google Workspace.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If this step is used alongside other offboarding steps, an error may occasionally appear stating that the profile cannot be located. The offboarding process will continue without issues in this case.

Assign Alias

The offboarded user's old email address is added as an alias to the user specified in the workflow step. A label can also be set so that any incoming emails to that alias are automatically labelled in Google.

Expected outcome

The specified user has an alias for the offboarded user's old email address. If a label is configured, a rule is set up in Google to apply it to incoming emails.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Archive

The user's data is archived to long-term storage and can be restored to another user account at a later date. The storage bucket can be configured in the step. A query can be provided to archive only specific items. If the user does not have mail services enabled, the step is skipped.

To view errors that occurred during this step, open the user's offboarding detail page and select the step. You can also export the error list to CSV or Spreadsheet for troubleshooting.

Expected outcome

The items matching the configured query are archived to the specified storage bucket.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• A file may fail if the Google API is unable to process it — this can occur if a file is flagged as malware.
• If a user is archived more than once, you may encounter a fair use policy limit.

Known errors

• User is already archived to another bucket — shown if an admin tries to archive a user to a secondary bucket when data already exists in a primary bucket.
• Invalid License Key — shown if the licence key from the portal is invalid. Generating a new portal key will push it to the CloudM Automate instance and resync them.

Archive Vault

Archives deleted data for a user that has been retained in Google Vault due to configured retention policies. The data is archived to long-term storage and can be restored to another user account. The storage bucket and query can be configured in the step.

Expected outcome

The items matching the configured query are archived to the specified storage bucket.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Known errors

• No available Vault licences — the step will fail if no Vault licences are available. Additional licences can be purchased from the portal.
• Invalid License Key — shown if the licence key from the portal is invalid. Generating a new portal key will push it to the CloudM Automate instance and resync them.

Transfer Ownership of Documents

All documents owned by the offboarded user are transferred to the specified account, under the folder name configured in the step. Existing shares on documents are maintained. CloudM Automate tries to preserve the file structure, but some files may become "orphaned" if the new owner cannot see the parent folder — these files are moved to the root of the folder specified in the step. Shortcut items are skipped. A count of successful, skipped, and failed items is recorded in the audit log. If the user does not have mail services enabled, the step is skipped.

To view errors that occurred during this step, open the user's offboarding detail page and select the step. You can also export the error list to CSV or Spreadsheet for troubleshooting.

Expected outcome

Documents owned by the user are transferred to the new owner. Existing shares remain. Shortcuts are not migrated. The file structure is mostly preserved, with orphaned files moved to the root of the specified folder.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• Google may occasionally return an error when transferring document ownership for no apparent reason. Retrying the step may resolve this, but the error may recur.
• If Drive has been disabled for the offboarding user, the target user, or the OUs either user belongs to, the step may fail.

Known errors

• Invalid Credentials — most likely caused by Drive being disabled. Enable Drive for both users and retry the step.
• User Not Found — the target user has been deleted. If this is because the user's Manager has been deleted, edit the offboarding user's profile and update their Manager before retrying. You can only edit the profile of an offboarding user if the step is in the Retry state.

Migrate Calendar Events

The offboarded user's primary calendar events are cloned into the target user's calendar with the naming format specified in the workflow. Non-primary calendars are directly transferred to the target user. Cloned events are independent of the originals — changes made by attendees to the original events will not be reflected in the migrated versions. If "Remove Resources from Calendar Events" is selected, resources are removed from the offboarded user's calendar for past and future events. If both Migrate and Remove Resources are selected, resources are only removed from the source calendar, not the target's. If the user does not have mail services enabled, the step is skipped.

Expected outcome

Primary calendar events are cloned into the target user's calendar. The target user owns the non-primary calendars. Resources are removed from the source calendar if configured.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• Google may occasionally return an error when transferring calendar ownership. Retrying the step may resolve this, but the error may recur.
• If calendar services are not enabled but mail services are, this may cause errors when processing the step.

Known errors

• User Not Found — the target user has been deleted. If this is because the user's Manager has been deleted, edit the offboarding user's profile and update their Manager before retrying. You can only edit the profile of an offboarding user if the step is in the Retry state.

Transfer Ownership of Groups

Ownership of any groups the offboarded user owns is transferred to the specified user. Existing group members and admins are not changed. Transfers are performed by CloudM Automate acting as the registered domain admin on behalf of the user.

Expected outcome

Group ownerships are transferred to the specified user. All existing membership and access remains unchanged.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the domain admin account does not have permission to change group ownerships, this step may fail. Note that errors may be caused by the domain admin performing the transfer, not necessarily the offboarding user or the target.

Transfer Contacts

Contacts from the offboarded user's "My Contacts" list are transferred to the specified user's contact list, under a group name matching what was configured in the workflow step. If the user does not have mail services enabled, the step is skipped.

Expected outcome

A contact group is created in the target user's account containing the contacts from the offboarded user's "My Contacts".

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Transfer Shared Drives

Management of any Shared Drives the offboarded user manages is transferred to the specified user. The target user must have the "Drive and Docs Settings" Google Workspace privilege, which can be assigned via the "Services Admin" role. Transfers are performed by CloudM Automate acting as the registered domain admin. If the user does not have mail services enabled, the step is skipped.

Expected outcome

The specified user can manage the Shared Drives that the offboarded user was managing. The offboarded user is no longer a manager of those drives.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the domain admin does not have permission to change Shared Drive ownerships, the step may fail. Errors may be caused by the domain admin performing the transfer, not necessarily the offboarding user or the target.
• If the target user does not have the "Drive and Docs Settings" privilege, the transfer will fail.
• If Drive has been disabled for the offboarding user, the target user, or the OUs either user belongs to, the step may fail.

Known errors

• Invalid Credentials — most likely caused by Drive being disabled. Enable Drive for both users and retry the step.
• User Not Found — the target user has been deleted. If this is because the user's Manager has been deleted, edit the offboarding user's profile and update their Manager before retrying. You can only edit the profile of an offboarding user if the step is in the Retry state.

Remove From Groups

The offboarded user is removed from all groups they are a member of. Note that if the user is in any groups or Smart Teams with dynamic memberships based on search queries, they may be re-added depending on the query.

Expected outcome

The user is removed from all groups.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Migrate Emails

The offboarded user's emails are migrated to the specified user via CloudMigrator Lite. Emails are given a label matching the name specified in the workflow, and the original label structure is preserved under it. A query can be used to migrate only specific emails using Gmail search syntax. A tolerance level can also be set — if the total failure rate exceeds this threshold, the step is marked as Failed.

A target can only have one active migration at a time. If multiple users are being offboarded to the same target, they are processed sequentially. If they have different targets, they run in parallel. Migration statistics are fed back into CloudM Automate periodically and can be viewed on the user's offboarding detail page.

Note: if the step is aborted within CloudM Automate, the underlying migration will continue to run. If the step is aborted and then restarted, it may carry on from where it was rather than starting fresh.

Expected outcome

Emails matching the query are migrated to the specified user under the configured label, with the original label structure preserved.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• Emails may fail to migrate if the label cannot be recreated in the target's mailbox. This can occur when a nested label structure causes the label length to exceed the Google limit.

Known errors

• User Not Found — the target user has been deleted. If this is because the user's Manager has been deleted, edit the offboarding user's profile and update their Manager before retrying. You can only edit the profile of an offboarding user if the step is in the Retry state.

Unassign Licenses

Any licences that CloudM Automate has visibility over are unassigned from the user and returned to the pool. The licences CloudM Automate can manage are: Google Workspace, Drive, Education, and Vault.

Expected outcome

All visible licences are removed from the user and returned to the licence pool.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If the user has auto-licensing set up, CloudM Automate may be unable to remove licences managed in this way.

Suspend User

The user's account is suspended so they cannot log in or access any services.

Expected outcome

The user is suspended and cannot log in.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.

Apply Google Archived User (AU) License

The user is archived in Google Workspace and assigned an Archived User licence. The Archived User licence must correspond to the user's existing Google Workspace subscription — for example, a Business Plus user requires a Business Plus Archived User licence.

Expected outcome

The user becomes archived in Google Workspace.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.
• If there is no Archived User licence available to assign, the step will fail.
• If the corresponding Archived User licence type (matching the user's Google Workspace subscription) is not available, the step will fail. Refer to Google's requirements for more information.

Delete User

The user is permanently deleted from both CloudM Automate and Google Workspace. This operation is irreversible.

Expected outcome

The user is deleted from CloudM Automate and Google Workspace.

Possible errors

• An error may occur if the user has already been deleted within Google Workspace.