B2B Users: Best practice (pragmatic) to validate that previously registered users are still with their company. (

We are running a B2B solution where we initially register the customers users by their business email address.  Using only verified email domains, we make sure that the correct users register to the correct customer.  In most cases we will not be informed that Mr X left company Y. But he should not have access anymore after leaving company X.  There are too many customer organisations, with too few number of users to setup a federated AD service.  I can imagine using verify-email.org to check regularly, but there is no guarantee that the customer organization revokes the email-address timely (if at all).  I can imagine sending periodically a "confirm this account" email to the business email-address and inactivating the non-responding users.  I can imagine the sales team doing a periodical check with the customer with or without automated follow up.... (and any combination of these) What other additional best practices have you implemented? (and is it available in the appstore) Thanks for your help.   Jacob  
2 answers

Hi Jacob,

All of your scenarios make sense. For any B2B app we have developed, we ensure that each customer understands their responsibility in maintaining their user profiles. If we can implement their SSO solutions then we are good as we can periodically query and if we don't find a match we can disable the user (don't delete data!). Depending on your licensing, if you are charging the business a fee per user then it motivates them to manage their account list more closely. Ensure you have built the tools needed to administrate well. And finally, if not SSO, I would periodically require a password change. If the password expires for > X days, disable the account and if the user tries to logon give them a message that they need to contact their administrator to be reactivated (or yourself if you are administrating for them). Hope this helps from my experiences.


Hi Jacob, when reading your question I was thinking about the last login attribute of the user entity. Maybe you can use this attribute for checking users that have not been using the system for x number of days, and send them a reminder mail. Then if nothing happens you can safely mark the accounts inactive and permantly delete them later on.

Does this help or?