Offboarding

Employee offboarding software that actually closes the door

Disable accounts, revoke sign-in sessions, reclaim licenses, get the laptop back, and prove every step for audit — in one tracked run across Microsoft 365, Google Workspace, Okta, and JumpCloud.

The offboarding gap is a security problem, not a paperwork problem

The HR action — "Jane is leaving Friday" — and the IT action — "disable Jane's accounts" — almost always live in different systems on different timelines. That gap is where former-employee access lingers: an Entra account still enabled, a Google session never revoked, a paid Slack seat still billing, a laptop nobody collected. Industry breach reporting consistently ties a large share of cloud intrusions to misuse of valid-but-dormant credentials — exactly the kind an incomplete offboarding leaves behind.

Most "offboarding tools" are checklists. They remind a human to go do the work in five admin consoles, then trust that it happened. Passage orchestrates the work and records that it happened.

Disabling the identity provider does not end access

This is the offboarding mistake almost everyone makes. When you disable a user in Okta, Entra or Google, you stop single sign-on through that provider — but apps that keep their own authority don't care. GitHub, Salesforce, Atlassian, Zoom and Slack authenticate independently and keep their own user records and tokens. A GitHub personal access token, a Salesforce refresh token in a mobile app, an Atlassian API token, a live Slack session — each keeps working after the IdP disable. These are non-federated SaaS apps, and the lingering credential is residual access. In practice, roughly 40% of departed employees retain access to at least one app this way.

So Passage ends access in two steps per app: seat removal stops interactive login, and OAuth grant/token revocation kills the already-issued, programmatic access. Access is considered ended only when both halves are done — and an "Access ended" panel shows the per-app verdict (seat removed ✓, OAuth token revoked ✓, access ended) or flags residual access risk when a token is still live.

OAuth-grant discovery surfaces the shadow apps

A role template only assumes which apps a person holds grants in. Real people self-authorize OAuth apps and create personal tokens no template anticipated — a personal automation tool a developer wired into GitHub, an ad-hoc API token. Discovery queries each non-federated app for the user's actual authorized grants and flags each one as covered (the run already revokes that app's tokens) or uncovered (residual-access risk the plan would miss). The dangerous grants are the ones nobody knew existed; discovery surfaces them so you don't close the run believing access ended when a personal integration is still live.

A leaver can't close while access is still live

The closure gate is the safety mechanism that won't let a run be marked done while something dangerous is unfinished. Beyond requiring every critical step and the device return, it carries a first-class residual-token blocker: for any SaaS app where the seat was actually removed but the OAuth token was not revoked, the gate hard-blocks — even if no individual step looks unfinished. To clear it you revoke the token (or document why with a waive). That's the difference between a tool that claims the door closed and one that won't let you say so until it did.
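The covered/uncovered classification from discovery and the residual-token blocker described above can be modelled together. The following is an added example, not Passage's code: the class, field names, grant names and sample data are hypothetical, and it assumes a token counts as revoked only when every discovered grant has been revoked.

```python
from dataclasses import dataclass, field

@dataclass
class AppState:
    """Per-app leaver state. All names here are hypothetical."""
    app: str
    seat_removed: bool
    discovered: set                    # grants discovery found for the user
    planned: set                       # grants the run's plan revokes
    revoked: set = field(default_factory=set)
    waiver: str = ""                   # documented reason for not revoking

    def uncovered(self):
        # Grants the role template never anticipated.
        return self.discovered - self.planned

    def token_revoked(self):
        # Assumption: revoked means no discovered grant is still live.
        return self.discovered <= self.revoked

    def verdict(self):
        if self.seat_removed and self.token_revoked():
            return "access ended"
        return "residual access risk" if self.seat_removed else "access live"

def closure_blockers(apps, critical_steps_done, device_returned):
    """Return the reasons a run cannot be closed; an empty list means it can."""
    blockers = []
    if not critical_steps_done:
        blockers.append("critical steps incomplete")
    if not device_returned:
        blockers.append("device not returned")
    for a in apps:
        # Seat gone but a token still live: block unless a waiver is recorded.
        if a.seat_removed and not a.token_revoked() and not a.waiver:
            live = sorted(a.discovered - a.revoked)
            blockers.append(f"{a.app}: residual token(s) {live}")
    return blockers

# Constructed sample: the plan ran cleanly, yet one self-authorized grant survives.
APPS = [
    AppState("github", True, {"ci-pat", "personal-automation"},
             {"ci-pat"}, {"ci-pat"}),
    AppState("slack", True, {"session"}, {"session"}, {"session"}),
    AppState("salesforce", True, {"mobile-refresh"}, {"mobile-refresh"},
             set(), waiver="placeholder: documented waiver reason"),
]

if __name__ == "__main__":
    for a in APPS:
        print(a.app, a.verdict(), "uncovered:", sorted(a.uncovered()))
    print(closure_blockers(APPS, critical_steps_done=True, device_returned=True))
```

Every planned step for the GitHub entry succeeded, so no individual step looks unfinished, but the gate still blocks on the grant that only discovery saw. The waived Salesforce entry does not block, though its verdict stays at residual access risk.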

What a complete offboarding run does

When you start a leaver run in Passage, one tracked workflow drives every required action and won't let you mark it complete until the critical ones are done:

Offboarding that proves itself

A finished run isn't just "done" — it emits a hash-anchored evidence record mapped to the controls auditors actually ask about: SOC 2 CC6.2/CC6.3, HIPAA §164.308(a)(3)(ii)(C) termination procedures, NIST 800-171 3.1.x / 3.5.x, NIST CSF PR.AA, and ISO 27001 A.5.18. The record carries the per-app saasAccessEnded proof (seat removed, token revoked, access ended — with each call's method/endpoint and before/after) and a licenseReclamation rollup of the seats freed and the monthly/annual dollars saved. Collect it once during the offboarding you already had to do; reuse it across every framework. See the compliance mapping for detail.

A note on accuracy: Passage builds and orchestrates the provider-correct API calls and captures the evidence. In this build the live connector calls are simulated behind a boundary — the request shapes are wire-accurate and the live execution is on the roadmap — and discovery returns realistic fixtures rather than querying a live provider. The orchestration, the closure gate, and the hashed evidence are real today.

Built for SMBs and MSPs — no SSO tax

Enterprise identity-governance suites gate lifecycle automation behind a per-user platform fee and charge thousands to implement. Passage's free tier actually disables accounts, paid plans start at $7.50 per managed user per month, and there's no implementation call. If you run IT for a 20–500 person company — or a portfolio of them as an MSP — this is offboarding sized for you. Compare Passage vs Rippling and Passage vs BambooHR.

Offboarding questions, answered

What does employee offboarding software actually do?

It runs the IT side of a departure as one tracked workflow: disable accounts, revoke active sign-in sessions, end access in non-federated SaaS apps by removing the seat and revoking the OAuth grant/token, remove licenses and group memberships, convert or delegate the mailbox, reclaim devices, and produce a timestamped record proving each action happened.

How fast should you offboard a departing employee?

Access should be cut on the employee's last working minute, not the next business day. Passage closes the HR-to-IT gap by running the leaver as a single scheduled run with a closure gate that blocks until every critical step is done.

What is an orphaned account?

An orphaned account is a login that still works after its owner has left. Orphaned accounts are a leading cause of credential-misuse breaches because nobody is watching them. Offboarding software prevents them by disabling every account in a tracked, provable run.
