https://hiviewsolutions.com/blog/posts/gsuite-how-to-offboard-employees/
Secure the Account
Step#1: Reset Google Workspace (G Suite) account password
Log into the G Suite/Workspace Admin Console and change the account password. Make a note of the new password. You can now log into the account on behalf of the terminated employee.
Step #2: Wipe any associated mobile devices
This step assumes that you have configured mobile device management (MDM) in the G Suite/Workspace Admin Console. For company issued devices, you can remote wipe the entire device. For personal devices, you can wipe company data from their personal device. They will no longer be able to open their Google apps with their work account.
Google support resource: https://support.google.com/a/answer/173390
Step #3: Change recovery phone and email address
By default, only admins can reset passwords, so this step will not apply to many organizations. However, it’s worth checking as a terminated employee could use their recovery phone/email to get access after the admin has reset the password. Remove the recovery/phone email.
Google support resource: https://support.google.com/accounts/answer/183723
Step #4: Revoke third-party apps
Resetting passwords will often break the connection with 3rd party apps, but make sure to manually review and disable any services tied to their Google account.
Delegate Data
Step #5: Create an automatic email reply
Login as the former employees, and use the “Vacation Responder” to create an auto-reply message. Direct all inquiries to the former employees’ manager.
Step #6: Delegate account access to a manager
Delegate account access to a manager through the Gmail Settings Panel.
Delete Data
Step #7: Export all email data
As an administrator, log into the employee account and navigate to google.com/takeout. Select Email and Google will generate a downloadable archive of email data. The mail will download in the .mbox format, within a zip file. You can then store this archive anywhere you like (maybe within your G Suite Admin Account in Google Drive?). If you need to access this archive at a later date, you can use email clients like Thunderbird and import all mail on a local machine and then perform a search. Alternatively, you can upload the mail back into a Google Workspace/G Suite user account; both options work well.
Step #8: Suspend access to the account
Suspending the account will block new emails and calendar invites, and disable login access. The account has been deleted and historical email/files can be searched through the Google Vault Service. Many companies keep the user account suspended for 6-12 months so they can easily search through old email records. The catch — a “suspended” user still consumes a paid Google Workspace (G Suite) license. If you want to re-purpose the license for a new hire, you must delete the account entirely. If you don’t foresee a need for employee email/files to be searchable via Google Vault, proceed to step #9 immediately.
Step #9: Transfer remaining data (Drive, Docs, etc.)
From the Admin Console, Navigate to Apps → Google Drive. Under Drive Settings, you’ll see an option to transfer files. Transferring ownership will not affect the existing permissions on the files/folders.
Step #10: Delete user account
Once the account is deleted, you can repurpose the Google Workspace license for a new hire.
Want to be more efficient with this process? You can use tools like GAM or BetterCloud to automate several of these steps, or at least reduce the number of pages/clicks in the Admin console.
Additional resources:
>> How to Implement Compliance Rules in Google Workspace
>> Should You Work with a Google Cloud Partner?
>> How to Enable 2-Step Verification for Google Workspace
>> Google Vault Video Walkthrough (5 mins)