Okta Identity Engine | Workflows | Answered | 2025-06-30T15:39:56.000Z | 2025-06-05T09:26:21.000Z | 2025-06-30T15:39:56.000Z

LucasD.34646 (Customer) asked a question.

Remove all groups from a suspended user to remove licenses while user is on parental leave

Hello everyone,

 

I'm looking to establish a process for managing user accounts and licenses for employees going on parental leave. The goal is to suspend users and remove specific licenses, such as Google Workspace, as some individuals may be on leave for extended periods.

 

Currently, directly de-provisioning these users isn't ideal because our existing workflow automatically deletes accounts after a few weeks. Additionally, all users receive certain applications via groups, and I can't filter out "suspended users" from these groups. I understand that a workflow will be necessary to achieve this.

 

Does anyone have a similar process in place? If so, could you share how you implemented it?

 

Thanks a lot, Lucas de Souza.


  • Hi @LucasD.34646 (Customer), thank you for reaching out to the Okta Community!

     

    Based on the information I could find on this topic, you might be able to achieve an automation via Okta Workflows.  

    Something along the lines of...

     

    >Trigger: The main flow will be triggered when a user's status changes in Okta (specifically to "Suspended").

    >Get User Groups: It will identify all groups the suspended user is a member of.

    >Filter Groups: You'll want to filter out any "critical" groups (like "Everyone" or administrative groups) that suspended users should always remain in, or groups that don't control license assignment.

    >Remove from Groups (Helper Flow): For each remaining group, a helper flow will be called to remove the user.

     

     

    For specifics, you might need to get help from Workflows specialists during weekly community office hours.

    Or if you have an account with us, open a case to discuss the matter with our Okta Support team. That being said, design implementation might fall in the realm of Professional Services. 

     

    You can also check with the Workflows discussion group to see if anyone there has implemented this before. 

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    • TimL.58332 (Workflows)

      Mihai is correct. You can likely achieve this by creating a series of flows to handle each of the tasks when the user goes into a status of "Suspended" and when they are "Unsuspended".

       

      As far as "Parental Leave" you would need to have some indicator such as a custom attribute that would need to be set "Prior" to suspending the user. So when the Suspend event hook is sent to Workflows causing the flow to run it can then "Check" to see if the Suspend was for Parental Leave and if so continue processing or Stop otherwise.

       

      This would be a custom buildout and very unique to your environment. If you are looking to have something like this built out for you it would require a Professional Services engagement.

      Selected as Best
This question is closed.
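
The flow described in the replies above (trigger on suspend, check a leave indicator set beforehand, list the user's groups, filter, remove), written as an added example against the shapes of Okta's event hook payload and Groups API; it is not code from the thread or from Okta. The `leaveType` attribute and its value, the keep-list names and all sample IDs are assumptions or constructed, and the code plans the `DELETE` calls instead of sending them.

```python
# Added example, not code from the thread. LEAVE_ATTR and KEEP_GROUPS are assumptions.
KEEP_GROUPS = {"Everyone", "Okta Administrators"}  # assumed keep-list of critical groups
LEAVE_ATTR, LEAVE_VALUE = "leaveType", "PARENTAL"   # hypothetical custom profile attribute


def suspended_user_ids(hook_payload):
    """Return IDs of users targeted by user.lifecycle.suspend events in an event hook body."""
    ids = []
    for event in hook_payload.get("data", {}).get("events", []):
        if event.get("eventType") != "user.lifecycle.suspend":
            continue
        ids += [t["id"] for t in event.get("target", []) if t.get("type") == "User"]
    return ids


def plan_removals(user, groups):
    """Return (api_calls, removed_group_ids); both empty when the flow should stop."""
    # Stop unless the user is suspended AND was flagged for parental leave beforehand.
    if user.get("status") != "SUSPENDED":
        return [], []
    if user.get("profile", {}).get(LEAVE_ATTR) != LEAVE_VALUE:
        return [], []
    calls, removed = [], []
    for g in groups:
        # Membership can only be changed on OKTA_GROUP groups; BUILT_IN (Everyone)
        # and APP_GROUP (sourced from a directory or app) are skipped.
        if g.get("type") != "OKTA_GROUP" or g["profile"]["name"] in KEEP_GROUPS:
            continue
        calls.append(("DELETE", f"/api/v1/groups/{g['id']}/users/{user['id']}"))
        removed.append(g["id"])
    return calls, removed


# Constructed sample data (not from a real org).
HOOK = {"data": {"events": [
    {"eventType": "user.lifecycle.suspend", "target": [{"type": "User", "id": "00uEXAMPLE1"}]},
    {"eventType": "user.lifecycle.activate", "target": [{"type": "User", "id": "00uEXAMPLE2"}]},
]}}
USER = {"id": "00uEXAMPLE1", "status": "SUSPENDED", "profile": {"leaveType": "PARENTAL"}}
GROUPS = [  # shape of GET /api/v1/users/{id}/groups, trimmed to the fields used
    {"id": "00gEVERYONE", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
    {"id": "00gGWS", "type": "OKTA_GROUP", "profile": {"name": "Google Workspace Users"}},
    {"id": "00gAD", "type": "APP_GROUP", "profile": {"name": "AD Sales"}},
    {"id": "00gADMIN", "type": "OKTA_GROUP", "profile": {"name": "Okta Administrators"}},
]

if __name__ == "__main__":
    for uid in suspended_user_ids(HOOK):
        print(uid, *plan_removals(USER, GROUPS))
```

Storing the returned group IDs per user lets the "Unsuspended" flow restore exactly the memberships that were removed and nothing more.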