0D5WR00001lRxLq0AK | Okta Identity Engine | Workflows | Answered | 2026-06-12T17:09:56.000Z | 2026-06-12T15:49:49.000Z | 2026-06-12T17:08:52.000Z

Admin-LizG.50391 (Customer) asked a question.

Newbie Admin: Emergency lockdown of a Workflows Connection Author today without breaking live flows?

Hello,

I am relatively new to Okta and have an emergency offboarding situation today. A Super Admin who authorized multiple critical Okta Workflow connections is leaving the company. We do not have time to set up a Service Account today.

 

I need to completely block this user from logging into our Okta Org immediately, and I cannot risk breaking the live production workflows. Since I don't have custom "Deny Access" groups set up yet, I am planning to manually change their password (and keep the new password to myself) and click "Clear Sessions" on their profile so they are locked out of the UI.

 

My questions for the community:

1. Will manually changing their password and clearing their browser sessions keep the background Okta Workflow OAuth tokens alive? How long will they be kept alive for?

2. What is the absolute safest way for an Okta beginner to build a dedicated Service Account for Workflows?

 

Appreciate any urgent guidance!


  • Hi @Admin-LizG.50391 (Customer), thank you for reaching out to the Okta Community!

     

    I would strongly recommend opening a ticket to work with our Okta Support Colleagues on this to ensure a smooth transition.  

     

    That being said, to give you some general guidance. 

     

    1. To lock the user out today without risking your production environment, follow these steps:

     

    1. Change Their Password: Manually reset their password and keep it to yourself. This prevents any new logins but leaves the existing OAuth tokens intact, keeping the background workflows running.
    2. Avoid the "Clear User Sessions" UI Button: Do not click this button under any circumstances until your new Service Account is fully set up, because that also revokes the OAuth tokens.
    3. To Clear Active UI Sessions (API Method Only): If you cannot wait for their current active browser session to time out naturally and need to force them out of the interface immediately, you must use the Okta API instead of the Admin UI.
    • Endpoint: DELETE /api/v1/users/{userId}/sessions
    • Unlike the UI button, this API endpoint defaults to clearing only the web session cookie without revoking OAuth tokens (unless you specifically append ?oauthTokens=true to the request).
    • Note: If you are not comfortable running API calls during this emergency, rely solely on the password change today and let their active browser session expire according to your Org's session lifetime policy.

    Once the immediate offboarding emergency is handled, you can safely proceed with the dedicated Service Account migration steps below. 

     

    2. Safest Way to Build a Workflows Service Account:

    Once the emergency has passed, follow these steps to securely migrate the connections:

    1. Create a Dedicated User: Create a standard user in your Okta directory and give it a clearly identifiable name, for example: workflows_svc_admin@company.com.
    2. Assign Admin Roles: Assign this user the Super Admin role. (While there is a dedicated Workflows Admin role available and least privilege is best practice, you are currently looking to replace the old admin who had Super Admin rights.)
    3. Create Exemptions:
    • Place the Service Account in a dedicated Okta Group.
    • Create a Password Policy for this group that sets the password to never expire.
    • Create an Authentication Policy rule for this group that exempts the account from MFA (or, if required by company policy, set up a shared TOTP key stored in a secure corporate password vault).
    4. Re-authorize Connections: Log out of your own account, log into the Okta Workflows console as the new Service Account, and click Reauthorize on all Okta connections.
    5. Deactivate the Old Admin: Once all connections are successfully running under the Service Account, you can safely Suspend or Deactivate the offboarded user's account.

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

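An added example, not part of the original answer and not Okta's own code: a small Python script for the API method described in the answer, which calls DELETE /api/v1/users/{userId}/sessions and always sends oauthTokens explicitly so the result does not depend on a default. The function names, the script name, the --revoke-oauth-tokens flag and the OKTA_ORG_URL / OKTA_API_TOKEN environment variables are assumptions made for this example.

```python
"""Clear an Okta user's web sessions via the API, leaving OAuth tokens intact."""
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_clear_sessions_request(org_url, user_id, api_token, revoke_oauth_tokens=False):
    """Build (without sending) DELETE /api/v1/users/{userId}/sessions."""
    parts = urllib.parse.urlsplit(org_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("org_url must look like https://<your-org>.okta.com")
    if not user_id or not api_token:
        raise ValueError("user_id and api_token are required")
    # Send oauthTokens explicitly so the outcome never depends on a default.
    query = urllib.parse.urlencode({"oauthTokens": str(bool(revoke_oauth_tokens)).lower()})
    path = f"/api/v1/users/{urllib.parse.quote(user_id, safe='')}/sessions"
    return urllib.request.Request(
        f"https://{parts.netloc}{path}?{query}",
        method="DELETE",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )


def clear_sessions(org_url, user_id, api_token, revoke_oauth_tokens=False):
    """Send the request; return the HTTP status (204 means sessions were cleared)."""
    req = build_clear_sessions_request(org_url, user_id, api_token, revoke_oauth_tokens)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 bad token, 403 insufficient role, 404 unknown user


if __name__ == "__main__":
    # Usage: OKTA_ORG_URL=... OKTA_API_TOKEN=... python clear_sessions.py <userId>
    # Revoking OAuth tokens needs the explicit flag, because per the answer above
    # that is what would interrupt connections authorized by this user.
    args = sys.argv[1:]
    revoke = "--revoke-oauth-tokens" in args
    ids = [a for a in args if not a.startswith("--")]
    if len(ids) != 1:
        sys.exit("usage: clear_sessions.py <userId> [--revoke-oauth-tokens]")
    status = clear_sessions(os.environ["OKTA_ORG_URL"], ids[0],
                            os.environ["OKTA_API_TOKEN"], revoke)
    print(f"HTTP {status}; oauthTokens={'true' if revoke else 'false'}")
    sys.exit(0 if status == 204 else 1)
```

Keep the API token out of shell history and scripts; pass it through the environment from a secrets store and revoke it once the offboarding is finished.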