How do old employee accounts stay active after deprovisioning?

Old employee accounts stay active after deprovisioning because removing a user from your identity provider does not automatically remove or revoke their access inside every SaaS application. Many SaaS tools maintain their own local user directories, long-lived OAuth tokens, API keys, and external user invitations that continue to function independently of the primary identity provider.

This is why old accounts, OAuth tokens, and integrations can remain active weeks or even months after an employee leaves. Tools like FrontierZero help teams detect these lingering accounts by correlating SaaS user lists, OAuth authorizations, and token activity against the current identity directory.


Why Old Accounts Survive After Deprovisioning

Even well-managed organizations struggle with “identity drift,” where SaaS accounts continue to exist long after the employee is gone. The problem isn’t negligence — it’s how SaaS ecosystems are architected.

1. SaaS apps maintain their own user directories

Deprovisioning an employee in:

  • Okta
  • Entra
  • Google
  • OneLogin
  • Ping
  • JumpCloud

does not guarantee removal inside the SaaS tool itself.

Many apps create:

  • local user profiles
  • local passwords
  • local access tokens

These remain active unless manually removed.

2. OAuth tokens survive directory offboarding

OAuth tokens:

  • do not automatically expire
  • do not obey identity-provider deactivation
  • do not get removed when a user is suspended

This means apps continue to access:

  • email
  • storage
  • documents
  • calendars
  • identity data

even after the employee is gone.

FrontierZero automatically identifies tokens tied to deprovisioned users.

3. External users and guest accounts are not tied to the identity provider

Employees may have been invited into:

  • SaaS projects
  • shared drives
  • collaboration tools
  • vendor platforms
  • customer platforms

These invitations are email-based, not identity-based.

If a user is deprovisioned, these external accounts:

  • still exist
  • still have access
  • still hold permissions

FrontierZero maps external user access across all connected SaaS platforms so you can remove lingering guest access.


How to Find and Remove Accounts That Survive Deprovisioning

The steps below apply across all identity providers and SaaS platforms.

1. Cross-check SaaS user lists against your identity directory

Compare every SaaS app’s user list with:

  • active identities
  • disabled accounts
  • offboarded users
  • contractors whose engagements have ended

Look for:

  • mismatched users
  • accounts tied to deleted identities
  • users who no longer exist in the HRIS

FrontierZero automates this correlation and highlights discrepancies instantly.

2. Review OAuth tokens, refresh tokens, and long-lived keys

Check:

  • token lifetime
  • apps with offline access
  • tokens tied to disabled users
  • API keys created by former employees

These tokens can remain valid indefinitely.

FrontierZero highlights tokens linked to inactive or terminated identities.

3. Remove lingering access inside each SaaS tool

Inside each SaaS platform:

  • disable the account
  • revoke tokens
  • remove seat licenses
  • delete integration keys
  • cancel external user invitations

This is the only way to guarantee the account is fully removed.


Why do SaaS accounts still work even after SSO is disabled?

Because many apps fall back to:

  • local passwords
  • API keys
  • stored sessions
  • OAuth tokens

SSO only controls authentication, not all access methods.

FrontierZero identifies apps using non-SSO access paths.

How do API keys survive deprovisioning?

API keys are not tied to human identity lifecycle events.
If a user created a key before leaving, that key may still allow:

  • data access
  • integrations
  • service connections

FrontierZero surfaces these keys and maps them to their owners.

How do I know which old accounts are high-risk?

Look for accounts assigned:

  • admin roles
  • file or inbox read/write access
  • external sharing permissions
  • connected AI assistants
  • long-term tokens

FrontierZero scores these accounts based on exposure level.
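The cross-check described in the three steps above (user lists, OAuth grants and API keys compared against the identity directory) and the exposure signals listed under "How do I know which old accounts are high-risk?" can be worked through in a single script. The example below is added here for illustration; it is not FrontierZero's code or data model. The directory, SaaS exports, grants and keys are constructed sample records, and all field names, scope names and score weights are assumptions chosen to show the logic.

```python
"""Correlate SaaS user lists, OAuth grants and API keys against the identity
directory to find access that survived deprovisioning, then rank it by exposure.

All data below is constructed; field names and weights are assumptions for
illustration, not any vendor's export format or scoring model."""
from dataclasses import dataclass, field

# Constructed identity directory: what the IdP / HRIS believes today.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "disabled",   # offboarded, but see the SaaS exports below
    "carol@example.com": "active",
    # dave@example.com was deleted outright, so it is absent from the directory
}

# Constructed SaaS exports: each app's own local user list.
SAAS_USERS = [
    {"app": "crm",   "email": "alice@example.com",      "role": "admin",  "auth": "sso"},
    {"app": "crm",   "email": "bob@example.com",        "role": "admin",  "auth": "local_password"},
    {"app": "wiki",  "email": "dave@example.com",       "role": "member", "auth": "local_password"},
    {"app": "wiki",  "email": "carol@example.com",      "role": "member", "auth": "sso"},
    {"app": "drive", "email": "partner@vendor.example", "role": "guest",  "auth": "invite"},
]

# Constructed OAuth grants and API keys, keyed to the human who created them.
OAUTH_GRANTS = [
    {"user": "bob@example.com",   "client": "mail-summarizer", "offline": True,
     "scopes": ["mail.read", "drive.read"]},
    {"user": "alice@example.com", "client": "calendar-sync",   "offline": False,
     "scopes": ["calendar.read"]},
]
API_KEYS = [
    {"owner": "dave@example.com", "app": "crm", "label": "export-script", "expires": None},
]

# Scopes treated as high exposure (assumed names for mailbox / drive / directory data).
SENSITIVE_SCOPES = {"mail.read", "mail.write", "drive.read", "drive.write", "directory.read"}


@dataclass
class Finding:
    kind: str       # "local_account", "guest", "oauth_grant" or "api_key"
    app: str
    subject: str    # email of the former owner or invited guest
    reason: str
    attrs: dict = field(default_factory=dict)
    score: int = 0


def directory_status(email):
    """Return 'active', 'disabled' or 'missing' for an email according to the directory."""
    return DIRECTORY.get(email, "missing")


def find_lingering_accounts():
    """Step 1: SaaS users whose identity is disabled or gone, plus email-based guests."""
    findings = []
    for u in SAAS_USERS:
        status = directory_status(u["email"])
        if u["role"] == "guest":
            findings.append(Finding("guest", u["app"], u["email"],
                                    "external invite is not tied to the IdP", dict(u)))
        elif status != "active":
            findings.append(Finding("local_account", u["app"], u["email"],
                                    f"identity is {status} but the app account still exists", dict(u)))
    return findings


def find_lingering_tokens():
    """Step 2: OAuth grants and API keys whose human owner is no longer active."""
    findings = []
    for g in OAUTH_GRANTS:
        status = directory_status(g["user"])
        if status != "active":
            findings.append(Finding("oauth_grant", g["client"], g["user"],
                                    f"grant owner is {status}", dict(g)))
    for k in API_KEYS:
        status = directory_status(k["owner"])
        if status != "active":
            findings.append(Finding("api_key", k["app"], k["owner"],
                                    f"key owner is {status}", dict(k)))
    return findings


def score(f):
    """Rank by the exposure signals named in the text: admin role, mailbox or drive
    access, a non-SSO access path, long-lived credentials, external guest access."""
    s, a = 1, f.attrs
    if a.get("role") == "admin":
        s += 5
    if a.get("auth") == "local_password":
        s += 2      # keeps working even after SSO is disabled
    if set(a.get("scopes", [])) & SENSITIVE_SCOPES:
        s += 3
    if a.get("offline") or (f.kind == "api_key" and a.get("expires") is None):
        s += 3      # refresh token or non-expiring key: valid until revoked
    if f.kind == "guest":
        s += 1
    return s


def build_report():
    """Steps 1 and 2 combined and scored, highest exposure first; this is the
    worklist for step 3 (disable, revoke, delete keys, cancel invites in each app)."""
    findings = find_lingering_accounts() + find_lingering_tokens()
    for f in findings:
        f.score = score(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in build_report():
        print(f"[{f.score:2d}] {f.kind:13s} {f.app:16s} {f.subject:24s} {f.reason}")
```

Run as-is, the report lists five findings, with Bob's local CRM admin account and his offline-access mail grant at the top and the vendor guest at the bottom; Alice and Carol, who are active, never appear. In a real deployment the three input lists come from each app's user export or admin API and the IdP's user API, and the actual revocation in step 3 is done per application, since the directory cannot reach a local password, an OAuth refresh token or an API key on its own.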


FAQ

Is it normal for SaaS accounts to remain after offboarding?

Unfortunately, yes. Most SaaS apps don’t integrate deeply enough with identity providers to remove accounts automatically.

Do disabled users still have access through OAuth?

Yes. OAuth tokens remain valid until revoked, regardless of identity status.

Is this a security risk?

Yes. Old accounts often have:

  • outdated permissions
  • no MFA
  • unknown access paths
  • high-value data exposure

Attackers frequently target abandoned identities.