AscendCore
Back to Runbook Library
Provisioning Live in production

Employee Offboarding

Automate end-to-end employee offboarding across Okta, Microsoft 365, Jira, and Intune. Suspend accounts, revoke OAuth tokens, transfer files, revoke licenses, archive mailbox.

Integrates with

OktaM365JiraIntune

The problem

Offboarding is one of the highest-stakes IT workflows because the cost of getting it wrong is asymmetric: a missed step leaves an active access path that surfaces in the next security audit or breach. Manual offboarding across Okta, Microsoft 365, Jira, and Intune typically takes 30-45 minutes per departing employee and routinely misses subordinate steps (orphaned OAuth tokens, unrevoked SaaS access, untransferred file ownership).

What AscendCore does

An HR system emits a termination event, or an IT admin initiates offboarding manually. AscendCore proposes the full offboarding flow as a single approval card: account suspension, token revocation, drive ownership transfer, license revocation, mailbox archival. On approval, every step executes with per-step verification and a complete audit trail.

Workflow

  1. Trigger — HR system webhook or admin-initiated offboarding
  2. Compose — assemble the full step list based on the user's connected systems
  3. Propose — single approval card listing every action across every connected system
  4. Approve — IT admin + HR approval (always required)
  5. Execute — account suspension, OAuth token revocation, file transfer, license revocation, mailbox archive
  6. Verify — per-step success confirmation; failures escalated (e.g., legal hold blocks mailbox archive)
  7. Audit — every action logged with timestamps, approvers, and step-level outcomes for compliance review

Integrations

  • Okta — Account suspension, OAuth token revocation
  • Microsoft 365 — Drive ownership transfer, license revocation, mailbox archival
  • Jira / Atlassian — Project access revocation
  • Microsoft Intune — Device deactivation, policy removal
  • Slack + Microsoft Teams — Approval and confirmation

Status

Live in production for the core flow (Okta account suspension via the offboard command). Full multi-system orchestration with file transfer and mailbox archive is on the customer-driven roadmap; multi-system runbooks expand as design partners surface specific configurations.

Runbook source preview

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do — chat is just the interface that triggers it.

name: employee-offboarding
trigger:
  source: workday
  event: termination.confirmed
steps:
  - suspend_okta_account
  - revoke_oauth_tokens
  - transfer_drive_ownership
  - revoke_licenses
  - archive_mailbox
approval:
  required: true
  approvers: [it-admins, hr-ops]
Ready to deploy

Run employee offboarding from Teams or Slack today

AscendCore deploys in 48 hours for Slack + Okta or Teams + Entra stacks. See the first automated resolution the same day.

See plans & pricingBrowse all runbooks

More provisioning runbooks

Live

M365 License Assignment

Automate Microsoft 365 license assignment from Slack and Teams. Pool-availability check, approval-gated assignment, optional Intune or Jamf endpoint policy push.

Read more
Live

New Hire Provisioning

Automate new-employee account creation across Okta, Microsoft 365, and Jira with single-approval workflow. License assignment, group membership, and welcome kit delivery.

Read more
Live

Software Decommission

Reclaim a specific M365 license seat from a user with full audit trail — distinct from full offboarding. Snapshots the seat pool before/after, optionally surfaces the user's Intune-enrolled devices that have the matching app for follow-up cleanup visibility.

Read more
AscendCore

AscendCore Team

Online · Ask us anything

AscendCore

Hi! Welcome to AscendCore. Ask us anything about how we automate your IT help desk — or just say hi.