figma guide

Designing member offboarding and deprovisioning UI in Figma: removal, transfer, and handoff

Design member offboarding and deprovisioning UI in Figma with remove member flows, content transfer, SCIM deprovision, seat reclaim, and Dev Mode specs for enterprise admin.

Published
Updated
Jul 13, 2026
Read time
7 min
Level
Intermediate

Quick answer

Member offboarding removes or suspends access when someone leaves—triggered manually by admins, via SCIM, or automated after session timeout policies. Design a remove member modal with content transfer (reassign files, projects, billing ownership); suspend vs remove states on the member list; SCIM deprovision sync indicators; last-owner guards; and seat reclaim tied to org billing. Log member.removed, member.suspended, and transfer actions to audit activity. Revoke API keys, sessions, and connected accounts on removal. Start from the Figma guides hub and pair with Dev Mode handoff for offboarding state machine specs.


Who this is for

  • Product designers building People tabs, security consoles, and IT admin workflows for departing employees.
  • Design system teams aligning manual removal with automated directory deprovision.
  • Engineers implementing soft delete, content reassignment, webhook events, and compliance retention.

Offboarding triggers

TriggerInitiatorTypical latencyUI surfacing
Manual removeOrg adminImmediatePeople → member row
SCIM deprovisionIdP / ITSeconds–minutesSCIM status + member badge
Self-delete accountUserImmediateAccount settings (consumer)
Contract endScheduled jobDate-basedRare—enterprise add-on
Security lockoutAdmin / automatedImmediateLink to account recovery

Verdict: manual and SCIM paths should converge on the same removal modal where possible—admins see consistent transfer options whether IT or People admin initiated.


Suspend vs remove vs deactivate

StateAccessSeatReversibleUse when
ActiveFullConsumedDefault
SuspendedBlocked loginOften still consumedYesInvestigation, leave
RemovedNo accessFreed (usually)Re-invite onlyLeft company
Deactivated (SCIM)Same as removedPolicy-dependentIdP reactivateDirectory-driven
MemberStatusBadge
├── Active (green)
├── Suspended (amber) — "Login disabled"
└── Removed (gray) — hidden from default list

Suspended members should appear in a Suspended filter with Reactivate and Remove permanently actions—not vanish silently.


Remove member modal

StepUIRequired?
1. Confirm whoName, email, role, teamsYes
2. Content transferReassign owner dropdown per resource typeIf they own assets
3. Billing impact”Frees 1 seat on next cycle”If applicable
4. Final confirmType REMOVE or checkboxEnterprise
RemoveMemberModal
├── Warning: "Alex will lose access immediately"
├── OwnedResourcesSummary
│   ├── 12 projects → Reassign to [ Admin ▼ ]
│   ├── 3 billing contacts → Reassign required
│   └── API keys (2) → Revoke all
├── SeatLine: "Seat available for new invite"
└── Confirm: [ Cancel ] [ Remove member ]

Block removal if sole Owner without ownership transfer step first.


Content transfer patterns

Asset typeTransfer UIIf skipped
Owned projectsPick new owner from adminsOrphan → org admin
Published librariesReassign maintainerUnpublish warning
Draft billing contactRequired pickBlock remove
Personal API keysAuto-revoke listSecurity default
Shared draftsOptional bulk moveStay with org
Comments / mentionsRead-only historyKeep attribution

Show resource count before confirm—admins underestimate owned projects.

TransferSection
├── Projects (12) — [ Select new owner ]
├── Libraries (2) — [ Select maintainer ]
└── ☑ Revoke all personal API keys and sessions

Link to API keys and active sessions for detail drill-down.


Last owner and role guards

GuardConditionUI
Last OwnerOnly one Owner leftBlock; force promote another
Last Billing AdminInvoices unassignedPick replacement
SCIM immutable OwnerIdP owns role”Change in directory” message
Self-remove OwnerOwner tries leaveSame as last owner
LastOwnerBlocked
├── "You are the only Owner of Acme Org"
├── Promote [ member dropdown ]
└── [ Transfer ownership and continue ]

Pair with custom roles when “Admin” can almost-but-not-quite own billing.


SCIM deprovisioning UI

When SCIM marks user inactive:

UI elementSpec
Member badge”Deprovisioned via SCIM”
SourceAzure AD / Okta group name
TimestampSync time
Manual overrideDisabled or “Break-glass” for support
ReactivateGrayed unless IdP re-adds

SCIM deprovision row on member detail:

Directory sync
├── Status: Deprovisioned
├── Source: Okta — "Engineering" group removed
├── Last sync: 2 min ago
└── Content transferred to: Jane Admin (auto-policy)

Document auto-transfer policy in org Security settings—default reassign to org owner vs suspend with orphan assets.


Seat reclaim and billing

Billing modelWhen seat freesUI copy
Active seat countOn remove”1 seat available now”
Annual prepaidSeat freed; no auto-refund”Seat available; billing unchanged until renewal”
True-upNext true-up windowLink org billing

After remove, show Invite replacement CTA if seats available—closes loop with invitations.


Security cascade on removal

Immediately on remove (spec for engineering handoff):

AssetAction
SessionsInvalidate all
API keys / PATsRevoke
OAuth tokensRevoke connected apps
WebhooksDisable user-created
2FA / passkeysCleared on account delete only—not always on org remove
Pending invites sent by userOptional cancel

Show checklist in modal footer: “Also revokes 2 active sessions and 1 API key.”


Offboarding communications

AudienceMessageChannel
Removed userAccess ended, contact adminEmail (optional)
Admins”Alex was removed by Jane”In-app + audit
New asset owners”You now own Project X”Email digest
IT (SCIM)Webhook user.deletedAPI

Do not email removed users their old data export link unless privacy export policy requires—separate compliance flow.


Bulk offboarding

Enterprise scenarios: layoffs, team dissolution.

StepUI
Select membersCheckbox column on People table
Bulk actionRemove selected
Transfer defaultsOne admin for all projects
ProgressJob queue with per-user errors
ReportCSV download of failures

Partial failure must list who succeeded vs failed—never silent half-complete.


PolicyUI
Soft delete 30d”Recoverable until Aug 12” (admin-only)
Legal holdBlock remove; badge on member
Export before removeLink to GDPR export
Hard deleteSupport-only; type org name

If legal hold, removal modal shows:

This user is under legal hold. Removal is blocked.
Contact compliance@acme.com or [ View hold details ]

Common mistakes

MistakeWhy it hurtsFix
Remove without transferOrphan projectsRequired reassignment
Allow last owner deleteOrg lockoutHard guard + promote flow
SCIM and manual fightDouble remove errorsIdempotent API + status badge
Seat freed but UI staleWrong invite enableRefresh billing widget
No session revokeEx-employee still inCascade list in modal
Suspend hiddenGhost membersSuspended filter tab
No audit trailSOC2 failLog actor, transfers, source
Generic “removed” emailPhishing suspicionNamed admin + org
Bulk remove no progressAdmin panicJob UI + error CSV
API keys survive removeCredential leakAuto-revoke default on

  1. Design remove modal with owned-resource summary and transfer pickers.
  2. Add last-owner and billing-admin guards with promote flows.
  3. Build suspended state on member list separate from removed.
  4. Wire SCIM deprovision badge and auto-transfer policy settings.
  5. Prototype security cascade copy (sessions, keys, OAuth).
  6. Add bulk remove with progress and failure report for enterprise.
  7. Hand off state machine, webhook payloads, and retention enums in Dev Mode.

FAQ

Suspend or remove for parental leave?

Suspend preserves seat and assets; remove frees seat. HR products often need suspend with optional auto-reactivate date—enterprise nice-to-have.

What happens to comments after remove?

Keep attribution as “Former member” or display name snapshot—do not rewrite history to “Deleted user” without legal review.

Can removed members rejoin via same email?

Yes via new invite or SCIM re-add. Clear old group memberships unless restored from soft delete.

Deprovision vs delete in SCIM?

Map IdP behavior in admin docs. Deactivate often = suspend; delete = remove. UI labels should match IT expectations.

Export data on admin-initiated remove?

Optional org policy. Consumer: user self-serve export. Enterprise: admin-triggered export before remove—link privacy settings.


Next steps

Share on X

§ Keep reading

Related guides.