Deactivate and Remove Users on Expensify

tng Expensify Customer Posts: 2

We have enabled the Okta Expensify integration (i.e. deactivation process per https://docs.expensify.com/en/articles/1576302-deactivating-users-with-okta).

1) How do you confirm that Okta's Expensify deactivation process is successful (i.e. users on Expensify have been deactivated)?

2) How do you view the deactivated users on Expensify?

3) How do you remove/delete the users on Expensify?

4) What are the impacts when the users are deactivated and deleted?

Answers

  • Christina Dobryzynski
    Christina Dobryzynski Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 267 Expensify Team
    edited March 2020

    Welcome to the Expensify Community, @tng! These are fantastic questions, in fact, I might add them to our general Okta post.

    1) How do you confirm that Okta's Expensify deactivation process is successful (i.e. users on Expensify have been deactivated)?

    If you keep the Required for Login enabled at Settings > Domains > [Domain Name] > SAML, the employee will not be able to log in to his/her Expensify account once they are deactivated in the Okta app.

    2) How do you view the deactivated users on Expensify?

    I recommend moving a deactivated employee to a new domain Group at Settings > Domains > [Domain Name] > Groups, which will allow you to keep track of the employees who have been locked out of the Expensify domain.

    Side note: This will only work if you choose not to close the user's account in the domain.

    3) How do you remove/delete the users on Expensify?

    Once you have removed the user from the Okta app, you can close the user's account in the domain by clicking the checkbox to the left of the email and choosing Close Accounts. This will actually close their account, so this is a very final step to take to remove the user from Expensify.

    4) What are the impacts when the users are deactivated and deleted?

    Deactivated users:

    If you choose to deactivate the user in Okta but not close their account in the domain, you will need to make sure the following permissions are enabled to ensure they cannot log in to their account.

    1) Login required is toggled on at Settings > Domains > [Domain Name] > SAML

    2) Restrict primary login selection is toggled on for the domain group of the user.

    With these in place, the user will not be able to log in to his/her Expensify account associated with the company domain email.

    I recommend creating a new Group for deactivated users to keep record of these emails.

    Deleted users:

    If you choose to remove a user from Okta and also close the account in the domain, the user will no longer have his/her Expensify account.

    With either option, before taking any action to remove the user from Expensify, it's best to ensure the user has added all unreported company expenses to a report and all reports are in a final approved state (Reimbursed or Approved). These reports will be maintained within the group policy.

    If a user has added a personal email as a secondary login to his/her company Expensify account, they will be able to disconnect their personal email from the Expensify account through these steps.

  • tng
    tng Expensify Customer Posts: 2

    1) How do you confirm that Okta's Expensify deactivation process is successful (i.e. users on Expensify have been deactivated)?

    If you keep the Required for Login enabled at Settings > Domains > [Domain Name] > SAML, the employee will not be able to log in to his/her Expensify account once they are deactivated in the Okta app.

    I understand that the employee will not be able to log in if his or her account is deactivated on Okta. My setting has enabled the SAML's Required for login on the domain control.

    My question is more related to how to confirm the employee on Expensify has been deactivated on Expensify via the Okta deactivation process (i.e. Okta triggers the employee deactivation on Expensify). On the Domain Members page, there is no status field to show who are active and deactivated. We still see all users/employees on Expensify without any knowledge of their status.

    2) How do you view the deactivated users on Expensify?

    I recommend moving a deactivated employee to a new domain Group at Settings > Domains > [Domain Name] > Groups, which will allow you to keep track of the employees who have been locked out of the Expensify domain.

    Side note: This will only work if you choose not to close the user's account in the domain.

    Referring to question #1. I don't know which employees on Expensify on the Domain Members page have been deactivated to move to another group.

    If there is an Okta integration to deactivate the user, why does it need to manually move the deactivated employee to another Group?

    4) What are the impacts when the users are deactivated and deleted?

    Deactivated users:

    If you choose to deactivate the user in Okta but not close their account in the domain, you will need to make sure the following permissions are enabled to ensure they cannot log in to their account.

    1) Login required is toggled on at Settings > Domains > [Domain Name] > SAML

    2) Restrict primary login selection is toggled on for the domain group of the user.

    With these in place, the user will not be able to log in to his/her Expensify account associated with the company domain email.

    I recommend creating a new Group for deactivated users to keep record of these emails.

    The login required setting is only delegating the login/authentication to Okta. This does not impact the employee account's data, such as status if it has such a field.

    The restrict primary login selection is only preventing the employee from making a non-company domain email address his or her primary email. The employee can still be allowed to add secondary logins.

    How can the domain admin know which employees have set up their secondary logins? I don't see secondary login listed on the Domain Member settings pop-up window.

    Can the employee still be able to log in with the secondary login? If yes, the employee is still active and can log in.

    To many of us, a deactivated account means the account is no longer active (i.e. cannot log in by the user but data still available for the admin to view). Does Expensify have an inactive status?

  • Ted Harris
    Ted Harris Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 359 Expensify Team

    how to confirm the employee on Expensify has been deactivated on Expensify via the Okta deactivation process (i.e. Okta triggers the employee deactivation on Expensify).

    Ah, I believe this is managed via Okta isn't it? The Expensify account exists, but because the only way to sign in (because you have Required it) is via Okta, they must be listed here in order to access Expensify:

    There's nowhere in Expensify you'd see this though.

    I don't know which employees on Expensify on the Domain Members page have been deactivated to move to another group.

    If there is an Okta integration to deactivate the user, why does it need to manually move the deactivated employee to another Group?

    There simply hasn't been a need to build this yet, but I'd always encourage you to share this as an Idea you'd like to see in the future. Right now, I'd say you'll just need to check your Okta list against the Expensify Domain Members list and figure out who isn't in the other.

    How can the domain admin know which employees have set up their secondary logins? I don't see secondary login listed on the Domain Member settings pop-up window.

    This is not something you as a Domain Admin can know. Only the individual and any of their copilots can know this.

    Can the employee still be able to log in with the secondary login? If yes, the employee is still active and can log in.

    Only if you disable the SAML Requirement.

    To many of us, a deactivated account means the account is no longer active (i.e. cannot log in by the user but data still available for the admin to view). Does Expensify have an inactive status?

    Expensify has no inactive status, only closed. Remember, an employee's account is their own - they are free to use Expensify for personal expense tracking, with side-businesses, with family or for charitable means amongst many other possibilities, and submitting their work expenses to one employer can often just be one aspect of their utility of Expensify. This is why any user can retain access to their own account by adding a personal login.
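
The manual comparison suggested in the last reply (checking the Okta list against the Expensify Domain Members list) can be scripted. This is an added example, not part of the original thread and not Expensify or Okta tooling; the CSV column names (`login`, `status`, `email`) and the sample rows are constructed assumptions, so adjust them to whatever your exports actually contain.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a documented format.
OKTA_CSV = """login,status
alice@example.com,ACTIVE
Bob@Example.com,DEPROVISIONED
carol@example.com,SUSPENDED
dave@example.com,ACTIVE
"""

EXPENSIFY_CSV = """email,group
alice@example.com,Default
bob@example.com,Default
carol@example.com ,Default
erin@example.com,Default
"""

# Okta user statuses under which the person can no longer sign in through Okta.
BLOCKED = {"DEPROVISIONED", "SUSPENDED"}


def load(text, key):
    """Index CSV rows by a normalized (trimmed, lower-cased) email column."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        email = (row.get(key) or "").strip().lower()
        if email:
            rows[email] = row
    return rows


def reconcile(okta_text, expensify_text):
    """Compare an Okta user export with an Expensify Domain Members list."""
    okta = load(okta_text, "login")
    members = load(expensify_text, "email")
    can_sign_in = {e for e, r in okta.items()
                   if (r.get("status") or "").strip().upper() not in BLOCKED}
    return {
        # Still a domain member, but blocked in Okta: candidates for the
        # "deactivated" Group or for Close Accounts.
        "blocked_in_okta": sorted(e for e in members if e in okta and e not in can_sign_in),
        # Domain member with no Okta record at all: investigate.
        "not_in_okta": sorted(e for e in members if e not in okta),
        # Can sign in through Okta but has no Expensify domain account.
        "no_expensify_account": sorted(can_sign_in - set(members)),
    }
```

Emails are compared case-insensitively and with surrounding whitespace removed, since the two exports rarely agree on formatting.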