
How do I automatically revoke all access for an employee upon offboarding?
Marcel van Beek
4 min read
Why is a forgotten account such a major risk?
An account that remains active after an employee has left is one of the most common vulnerabilities in access management. It is an entry point that is no longer monitored, making it difficult to explain in the event of an incident or data breach. For public sector organisations, this is compounded by the frequent use of temporary contracts and external hires, the fact that employees are sometimes active across multiple departments, and the sheer size of the application landscape. The more manual work and disconnected applications there are, the greater the risk that an account or permission is left open somewhere.
The consequences are not without obligation. The government processes a vast amount of sensitive personal data of citizens, and the Baseline Information Security Government (BIO) explicitly requires that incorrect access is revoked immediately and that access is reviewed periodically. Airtight offboarding is therefore not a nice-to-have, but a direct implementation of the baseline requirements.
How does automatic revocation from the HR system work?
The core principle is that the HR system, rather than the IT department, serves as the single source of truth. It records who is employed, in which role, and until which date. An orchestration layer that also automates reads this data and translates it into accounts and permissions within the work environment, whether that is Microsoft Entra ID or Google Workspace. Joinly from KoppelHet is such a layer: the flow runs from the source, the HR system, via the orchestration layer to the work environment.
Upon termination, this process occurs in three steps. First, the layer detects that the termination date has been reached or that the employee has disappeared from the payroll. Next, the layer executes a predefined offboarding routine: the account is disabled or deleted, and the associated roles and group memberships are revoked. Because access is role-based, no one needs to manually check which individual permissions are linked to it. Finally, every action is recorded in a logbook, ensuring it is always traceable who lost which access and when.
Important: this applies exclusively to employees. Citizen identities in public services have their own lifecycle and fall outside this setup.
What do the BIO and the Cybersecurity Act mean for this?
In addition to the Baseline Information Security Government, new regulations are on the horizon. The Cybersecurity Act, the Dutch implementation of the European NIS2 directive, was passed by the House of Representatives on 15 April 2026 and is currently with the Senate; commencement is expected around 1 July 2026, subject to parliamentary proceedings. Municipalities, provinces, and water boards are automatically designated as essential entities, regardless of their size, and will therefore be subject to proactive supervision.
In this context, a demonstrable offboarding process with logging is exactly what both the baseline requirements and the upcoming law demand. It allows you to prove that access aligns with the reality of the organisation and that no permissions remain with those who have left.
FAQ
What happens to the files of an offboarded employee? Revoking the account does not automatically mean data is lost. Many organisations first block the account and transfer or archive the data in accordance with a retention policy before the account is permanently deleted.
Does this also work for external contractors and hires? Yes. By recording an end date upon hire, the same integration automatically revokes access once that date is reached, without anyone needing to remember to do so manually.
Does it work with Microsoft Entra ID as well as Google Workspace? Yes. The orchestration layer operates above both work environments and applies the same offboarding routine.



