When using Qlik Cloud with Qlik's built-in Identity Provider (Qlik IDP), deactivating or deleting a user's corporate email address does not automatically remove or disable their access to Qlik Cloud. This is a common misconception that can create a security gap during employee offboarding.
Symptoms
A user's corporate email has been deactivated or their account deleted from the corporate directory. However, the user still appears as active in Qlik Cloud Management Console and their license seat remains occupied. The user may still be able to log in to Qlik Cloud if they have an active session or a previously set password.
Resolution
Administrators must manually remove or disable the user directly in Qlik Cloud. To do this, go to Management Console, navigate to Users, find the user and either remove them or change their role to No Access. This should be added as a required step in your organization's employee offboarding checklist.
If your organization requires automatic user deprovisioning, the permanent solution is to replace Qlik IDP with an external Identity Provider such as Microsoft Entra ID (Azure AD) or Okta, configured with SCIM provisioning. With SCIM enabled, when a user is disabled or removed in your corporate directory, Qlik Cloud is automatically notified and the user's access is revoked without any manual intervention.
Cause
Qlik IDP is a standalone identity store built into Qlik Cloud. It manages user accounts independently from any external corporate directory. Because there is no synchronization between Qlik IDP and external systems, changes made outside of Qlik Cloud such as deactivating an email or removing an Active Directory account have no effect on the user's Qlik Cloud account.
