Systems the offboarder pushes deprovisioning to when a user leaves. Select one to configure it. Active Directory, Entra ID, Google Workspace, Okta, Delinea, JumpCloud, AWS, GitHub, and Local Accounts (CrowdStrike) are functional today.
Systems that feed offboarding events in — HR / ITSM sources that raise or track a leaver request. Coming soon.
| Agent ID | Hostname | Domain | Last Seen (UTC) | Status | Script Version | LDAP Bind | DC Cert |
|---|---|---|---|---|---|---|---|
| Select a tenant to load agents. | |||||||
Configure Entra ID tenants for cloud identity offboarding. Requires the Entra ID Module.
| Display Name | Tenant ID | Slug | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
Service account + domain-wide delegation. Actions: sign out, suspend, revoke OAuth tokens, remove from priv groups. Spec: Connectors.md.
| Display Name | Slug | Admin Email (DWD subject) | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/admin.directory.group.memberOkta Management API (SSWS token). Actions: clear sessions, remove app assignments, remove from groups, suspend, deactivate. Spec: Connectors.md.
| Display Name | Slug | Org URL | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
offboarder-{slug}). The token inherits the permissions of the admin who creates it — use an admin scoped to user lifecycle + group management.ok:true, org_reachable:true.Delinea Secret Server (PAM) REST API. OAuth2 password-grant service account. Actions: disable, remove from groups, delete. Spec: Connectors.md.
| Display Name | Slug | Base URL | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
ok:true, api_reachable:true.JumpCloud API (Service Account, OAuth2). Actions: remove from groups, unbind systems, suspend, delete. Spec: Connectors.md.
| Display Name | Slug | Org ID | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
ok:true, api_reachable:true.AWS IAM + IAM Identity Center (access-key auth). Actions: revoke SSO assignments, disable IAM access, remove IAM groups, detach IAM policies, delete users. Spec: Connectors.md.
IAMFullAccess) plus a base user with sts:AssumeRole only. Neither artifact stores credentials — the script prompts for them at run time, CloudFormation runs under the deployer's own session.
aws cloudformation deploy --template-file <file> --stack-name offboarder-aws-connector --capabilities CAPABILITY_NAMED_IAM. Both output the access key id, secret, and assume-role ARN to paste into the form below.| Display Name | Slug | Region | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
sso:* / identitystore:* for the actions you enable.ok:true, iam_reachable:true.ExternalId (most reliable). IAM users have no email/employee field — resolution there falls back to matching the username.GitHub organization access. Actions: remove org membership (destructive), remove from teams, revoke SSO credential. Two auth modes per tenant: GitHub App (recommended) or fine-grained PAT. Four identity strategies tried in order: SAML / SCIM / mapping / local-part. Spec: Connectors.md.
| Display Name | Slug | Org | Auth | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|---|
| Loading… | |||||||
admin:org) or a fine-grained token (org permissions: Members = Read & write, Administration = Read-only). Classic: github.com/settings/tokens. Fine-grained: github.com/settings/personal-access-tokens. When editing an existing tenant, leave empty to keep the existing token.github.com/settings/personal-access-tokens with admin:org + read:org scopes on the target org. Paste above. Cannot revoke SSO credentials of other users — revoke_sso on PAT mode will return needs_review.github.com/settings/apps. Required permissions: Organization > Members (Read & write), Organization > Administration (Read). Generate a private key (downloads as PEM). Install the App in the target org (note the Installation ID from the URL: github.com/organizations/<org>/settings/installations/<installation_id>). Paste App ID, Installation ID, and PEM above.ok:true, org_reachable:true.{} when not using the mapping strategy.Azure DevOps REST API (Entra app, client_credentials). MVP action: remove user from organization (frees license + kills access). Spec: Connectors.md. Setup script provisions app reg, KV secret, SP entitlement, and PCA group membership in one run.
| Display Name | Slug | Org URL | UPN Domains | Actions | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
az login → create Offboarder-AdoOffboard-{slug} app reg → mint client secret → write ado-client-secret-{slug} to KV → entitle the SP to the ADO org (Basic access) → add it to Project Collection Administrators. Requires: Global Admin on the client Entra tenant, KV Secrets Officer on the Offboarder KV, and PCA on the target ADO org (the operator running the script — SPs can’t grant themselves rights).ok:true, token_loaded:true, org_reachable:true.Offboard a departing user's local accounts on endpoints — the gap directory connectors can't see. Choose a provider. Spec: Connectors.md.
Falcon API (OAuth2 client-credentials). Discovery is cloud-side (Hosts API); when Account disable is on, matched endpoints are remediated via the signed RTR playbook (disable-only).
| Display Name | Slug | Cloud | UPN Domains | Mode | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
Offboarder-Disable-LocalUser RTR script once (RTR → Response scripts, Active Responder) — or grant the client RTR Administrator.hosts_reachable:true.AAD app (OAuth2 client-credentials). Discovery via Advanced Hunting (KQL over DeviceLogonEvents — every logon, fleet-wide). When Account disable is on, matched endpoints are remediated via Live Response running the signed playbook (disable-only).
| Display Name | Slug | Region | UPN Domains | Mode | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
AdvancedQuery.Read.All, Machine.Read.All, Machine.LiveResponse → grant admin consent.Offboarder-Disable-LocalUser.ps1 to the Live Response library (Settings → Endpoints → Live Response).ah_reachable:true.API token. Discovery via a real-time question over the Local Users / Local Administrators sensors (purpose-built fleet query — can return local-admin directly). When Account disable is on, matched endpoints are remediated by deploying the approved disable package (disable-only).
| Display Name | Slug | Server | UPN Domains | Mode | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
$1 = username); set its name below.server_reachable:true.API token. Discovery via Deep Visibility (login-event query, cloud-side). When Account disable is on, matched endpoints are remediated via Remote Script Orchestration running the approved disable script (disable-only).
| Display Name | Slug | Console | UPN Domains | Mode | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
-TargetUser).console_reachable:true.API key + key id. Discovery via XQL over login events (cloud-side). When Account disable is on, matched endpoints are remediated via run_script of the approved disable script (disable-only).
| Display Name | Slug | API | UPN Domains | Mode | Status | |
|---|---|---|---|---|---|---|
| Loading… | ||||||
TargetUser).api_reachable:true.Disables overlooked native Azure SQL logins / contained users that survive an offboard (Phase 2 cloud SQL connector). Runs Function-App-inline with passwordless managed-identity auth by default. Disable only — never DROP. A bare login match is namespace-crossing: surfaced on the Correlation page for confirmation, never auto-disabled. Spec: Database.md.
| Name | Slug | Server | Auth | Dialect | Status | |
|---|---|---|---|---|---|---|
| Loading... | ||||||
ALTER ANY USER grant, and writes the cert/IDs to our Key Vault. Then Save here with Auth mode = Client app registration and click Test.Disables overlooked native RDS SQL Server logins (Phase 2 cloud SQL connector). Runs Function-App-inline; passwordless RDS IAM authentication by default (reuses the AWS connector credentials). Disable only — never DROP. Namespace-crossing: confirmed on the Correlation page, never auto-disabled. Spec: Database.md.
| Name | Slug | Server | Region | Auth | Status | |
|---|---|---|---|---|---|---|
| Loading... | ||||||
Generate a bootstrap the client's AWS admin runs in their account. It creates an IAM role Offboarder-RdsOffboard-{slug} whose trust policy requires our exact principal ARN + a generated External ID (no wildcard), attaches a least-privilege rds-db:connect-only policy scoped to the one DB user, and enables RDS IAM database authentication. No secret is embedded. Paste the printed Role ARN + External ID back into the target above.
Disables overlooked native PostgreSQL roles that survive an offboard (Phase 3 cloud SQL connector). Runs Function-App-inline with passwordless managed-identity auth by default (Entra token-as-password, scope ossrdbms-aad). Disable only — ALTER ROLE … NOLOGIN (reversible), never DROP. A bare role match is namespace-crossing: surfaced on the Correlation page for confirmation, never auto-disabled. Spec: Database.md.
| Name | Slug | Server | Auth | Database | Status | |
|---|---|---|---|---|---|---|
| Loading... | ||||||
Cross-tenant (aad_sp): when the PG flexible server lives in a different tenant than the Offboarder Function App, use a dedicated app registration (no Microsoft Graph). Fill Slug + Server + Tenant ID + PG user, then click Download Setup Script below — it provisions the app reg + cert, sets the SP as the PG server's Entra admin, and stores the cert in our Key Vault. Note: PG's Entra admin is server-level (no narrower built-in scope), unlike Azure SQL.
Disables overlooked native Azure Database for MySQL users that survive an offboard (Phase 3 cloud SQL connector). Runs Function-App-inline with passwordless managed-identity auth by default (the Entra token is passed as the MySQL password, scope ossrdbms-aad). Disable only (ACCOUNT LOCK) — never DROP. A bare user match is namespace-crossing: surfaced on the Correlation page for confirmation, never auto-disabled. Spec: Database.md.
| Name | Slug | Server | Auth | User | Status | |
|---|---|---|---|---|---|---|
| Loading... | ||||||
Offboarder-AzureMySqlOffboard-{slug} with zero Graph permissions, a self-signed cert (RSA 2048, 12 mo), sets the SP as the MySQL Entra admin (server-level — the narrowest scope the MySQL engine allows), and writes the cert + IDs to the Offboarder Key Vault. No secret is stored in the portal blob. Then Save here and Test the row.
Disables native database logins that survive an offboard because they are not tied to any IdP (e.g. a SQL Server LOGIN ... WITH PASSWORD). One connection per database engine, each holding a list of servers with per-server credentials. On-prem servers are handled by the Windows agent over TDS with SQL auth (no DC bind). Spec: Database.md.
sysadmin (or CONTROL SERVER) — the offboarder disables regardless of privilege, and SQL Server won't let a non-sysadmin disable a sysadmin login.database-sqlpwd-{slug} on Save; never echoed back. When editing, leave empty to keep the existing KV password.These apply to every server in this connection; a server can override the SQL login.