How do I automatically revoke accounts of departing employees?

Marcel van Beek


A departing teacher or caretaker who can still access the learning environment, student grades database or shared drives after their last working day is a risk that many schools recognise. Manually revoking accounts works as long as someone remembers to do it, but in practice, permissions linger. This article explains how you can reliably automate that process and which standards require this.

Why do accounts of former employees often remain active for too long?

The core of the problem is that HR administration and the IT environment are two separate worlds. The departure of an employee is first recorded in the HR system, while the account lives in Microsoft Entra ID or Google Workspace. Without an integration, someone must manually pass on this signal. With temporary contracts, substitutes and changes around the summer holidays, this regularly goes wrong. As a result, access rights exist longer than the employment relationship, which contradicts the principle that an employee should only have access as long as it is necessary for their work.

How do I automate the revocation of access based on the HR system?

The solution is to make the HR system the authoritative source. Joinly by KoppelHet functions as an orchestration and automation layer on top of Microsoft Entra ID or Google Workspace, fed by data from the HR system. The process can be divided into three steps: the source is the HR system, the orchestration layer translates every change into accounts and permissions, and the work environment is the place where the employee actually logs in.

For offboarding, this means that an end date in the HR system automatically triggers a chain. On the agreed date, the account is disabled, roles and group memberships are revoked, and access to applications is terminated. Because this is role-based, no one has to figure out for each individual employee which permissions need to be removed. Every action is logged, providing proof afterwards of which access was revoked and when. The same chain works the other way around for onboarding and job role changes. This account management covers employees only; student accounts fall outside its scope.
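The chain described above, sketched as an added example; this is not Joinly's code, and it runs against an in-memory directory rather than Entra ID or Google Workspace. The data is constructed, the function names `plan_offboarding` and `apply_actions` are hypothetical, and it assumes the HR end date is the agreed revocation date.

```python
from datetime import date, datetime, timezone

# Constructed sample data: HR export (authoritative) and current directory state.
HR = {
    "E100": {"end_date": date(2025, 7, 18)},  # contract has ended
    "E101": {"end_date": None},               # still employed
    "E102": {"end_date": date(2025, 8, 31)},  # leaves later
}
DIRECTORY = {
    "E100": {"enabled": True, "groups": ["teachers", "grades-db"], "apps": ["lms"]},
    "E101": {"enabled": True, "groups": ["teachers"], "apps": ["lms"]},
    "E102": {"enabled": True, "groups": ["facilities"], "apps": []},
    "E999": {"enabled": True, "groups": ["teachers"], "apps": []},  # no HR record
}

def plan_offboarding(hr, directory, today):
    """Return (actions, unmatched): revocations that are due, and accounts HR does not know."""
    actions = []
    for emp_id, rec in sorted(hr.items()):
        acct, end = directory.get(emp_id), rec["end_date"]
        if acct is None or end is None or end > today:
            continue  # no account, open-ended contract, or end date not reached
        if acct["enabled"]:
            actions.append((emp_id, "disable_account", None))
        actions += [(emp_id, "remove_group", g) for g in acct["groups"]]
        actions += [(emp_id, "revoke_app", a) for a in acct["apps"]]
    unmatched = sorted(set(directory) - set(hr))  # review manually, never auto-disable
    return actions, unmatched

def apply_actions(actions, directory, audit_log, now=None):
    """Apply each action to the in-memory directory and record who, what and when."""
    now = now or datetime.now(timezone.utc)
    for emp_id, action, target in actions:
        acct = directory[emp_id]
        if action == "disable_account":
            acct["enabled"] = False
        elif action == "remove_group":
            acct["groups"].remove(target)
        elif action == "revoke_app":
            acct["apps"].remove(target)
        audit_log.append({"time": now.isoformat(), "employee": emp_id,
                          "action": action, "target": target})

if __name__ == "__main__":
    log = []
    plan, unmatched = plan_offboarding(HR, DIRECTORY, today=date(2025, 7, 21))
    apply_actions(plan, DIRECTORY, log)
    for entry in log:
        print(entry)
    print("accounts without HR record:", unmatched)
```

Running the plan a second time yields no actions, so the job can be scheduled daily, and accounts with no HR record are reported for review rather than disabled automatically.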

Which standards require timely revocation of access?

For primary and secondary education, the information security and privacy standards framework of Kennisnet and SURF is the guideline. Access management is a fixed theme in this, requiring access rights to match the role and to be revoked in a timely manner when that role ends. In higher education, this is tested via the audit framework of SURFaudit, which features fifteen domains and corresponding control measures, including access security. In the 2023 SURFaudit benchmark, a record number of 103 institutions participated, and the average maturity level was 2.3 on a scale of five, while the sector aims for level 3.

In addition, new legislation is on the way. The Cybersecurity Act, the Dutch implementation of the European NIS2 directive, was adopted by the House of Representatives on 15 April 2026 and is currently with the Senate, with an intended entry into force on 1 July 2026. The government has decided to bring higher education under this act; secondary education does not currently fall directly under it. Still, controlled offboarding is a measure that recurs in all these frameworks, as orphaned accounts are a well-known entry point for attackers.

FAQ

Does this also apply to student accounts? No. This approach focuses exclusively on employees. The management of student accounts falls outside the scope.

Does this work with both Microsoft and Google? Yes. The orchestration layer runs on top of Microsoft Entra ID or Google Workspace and is in both cases powered by the HR system.

Can I prove afterwards that access has been revoked? Yes. Every action is logged, so you can demonstrate, per employee, which permissions were terminated and when.

Browsing is free

Schedule a no-obligation demo

In 30 minutes, we would love to show you how Joinly adds value for the entire organization.