The day someone joins, moves, or leaves — every account, license, group, and laptop handled, proven, and audit-ready. Real deprovisioning and the human tasks, in one tracked run.
Create accounts, grant least-privilege access, assign a device — from a role template.
Role or department change: grant the new access and revoke the old — the step most tools forget.
Disable accounts, revoke sessions, reclaim licenses, demand the laptop back — and prove every bit of it.
At the price of a checklist app, Passage gives an SMB real deprovisioning, device return, and an audit trail an assessor will accept.
One run where automated steps disable accounts and revoke sessions, and manual steps (collect badge, transfer files) are tracked to completion with an owner.
Edge vs BambooHR & OktaAssign on join via Cairn; on leave a return task blocks run-closure until the laptop is back or written off. No IGA competitor does this.
Edge vs Okta · LumosEvery offboarding emits timestamped, hash-anchored evidence that auto-satisfies access-control & termination controls across your frameworks.
Nobody else closes this loopOkta gates lifecycle behind a $14 base; others charge $2k–$20k to implement. Passage's free tier actually disables accounts. AI is BYO-key.
The market wedgeof cloud breaches in 2024 involved misuse of dormant credentials — many tied to orphaned accounts that offboarding never disabled. The HR action ("Jane is leaving Friday") and the IT action ("disable Jane's accounts") live in separate systems, on separate timelines. That gap is where former-employee access lingers.
Passage runs the leaver as a single tracked run: accountEnabled=false → revokeSignInSessions → reclaim licenses → convert mailbox → device return → evidence. A critical step can't be skipped — the closure gate won't let the run finish until it's done or waived with a reason.
One completed run, evidence across every framework — collected once, satisfies many.
§164.308(a)(3)(ii)(C) termination procedures — the access-removal proof your Security Officer needs.
CC6.2 / CC6.3 — logical access provisioned and de-provisioned, with timestamped action logs.
3.1.1 / 3.5.6 account management and least privilege — straight into your Bastion SSP & SPRS narrative.
PR.AA identity & access — posture flips green in Sightline with Passage as the evidence source.
A.5.18 access rights & A.5.11 return of assets — device-return enforcement on the record.
Hash-anchored, signed, exportable. Take it with you — no renewal-escalation lock-in.
Four identity connectors modeled end-to-end — Microsoft 365 / Entra, Google Workspace, Okta, and JumpCloud — each with provider-correct disable, session-revoke, license/app, and group steps. JumpCloud app access is handled the right way: through group membership. Live provisioning rolls out per connector.
Annual billing −15%. The free tier actually disables accounts.
Local-first / privacy-first
Core SMB · min $150/mo
Compliance-driven
Volume, annual
Run your first offboarding in minutes — local-first, no card, no implementation call.
Start free