Checklist for Safe Decommissioning of Vendor-Specific Identity Features (e.g., Meta Workrooms)
A practical 2026 checklist to export, migrate, and revoke access when vendor identity or collaboration features are discontinued.
When a vendor shutters identity or collaboration features, your identity plane is at risk — here's a practical, verifiable checklist to get users, data, and access safely out the door.
In 2026, rapid product sunsetting—like Meta's announcement to discontinue Horizon Workrooms in February 2026—has become a recurring operational hazard for engineering and security teams. If a vendor-hosted identity or collaboration product (VR workrooms, shared identity stores, vendor-managed SSO) is discontinued, teams face immediate risks: broken authentication flows, stuck user data, noncompliant retention, and exposed admin access. This checklist turns that chaos into a repeatable program.
Executive summary (most important first)
When a vendor discontinues a product that contained identity/collaboration features, start these workstreams in this order and run them in parallel once started:
- Freeze critical decisions: stop new integrations, snapshot current configs and access.
- Export and archive: obtain machine-readable, verifiable exports of user identities, group memberships, assets, and audit logs.
- Plan migration: map account identifiers, define target identity model (federated, SCIM, password migration), and decide UX for users.
- Enforce access control: revoke vendor admin keys, rotate secrets, and reconfigure SSO metadata.
- Legal & compliance: trigger contract exit clauses, confirm data deletion and portability obligations, preserve evidence for audits.
Context: why this matters in 2026
Late 2025 and early 2026 saw several large vendors retire collaboration and identity products. Notably, Meta announced the discontinuation of Horizon Workrooms (effective February 16, 2026) and stopped sales of enterprise VR SKUs. These shutdowns underscore a broader 2025–2026 trend: vendors refocusing product portfolios and accelerating sunsetting. At the same time, regulators worldwide ramped up enforcement of data portability and deletion rights. Teams can no longer treat vendor shutdowns as a rare contingency; you need a repeatable decommissioning playbook.
Checklist: Phase-by-phase decommission plan
Phase 0 — Triage & discovery (Day 0–2)
- Confirm timeline published by vendor (official shutdown date, sale-stops, support window).
- Identify impacted systems: list apps that use the vendor's identity APIs, SSO, SCIM provisioning, OAuth clients, webhooks, and shared assets (documents, rooms, avatars, logs).
- Snapshot configuration: export SSO metadata (SAML XML, OIDC issuer/config), SCIM endpoints, OAuth client IDs/secrets, admin lists. Save checksums to tamper-evident storage.
- Stakeholders: assemble SRE, app owners, security, legal, and communications leads; define decision authority and escalation.
Phase 1 — Export & archive (Day 1–7)
Export must be machine-readable, verifiable, and include provenance metadata.
- User records: export user IDs, primary email, hashed password metadata (if provided), created/last-login timestamps, 2FA status, device registries, recovery contacts.
- Groups & perms: groups, role bindings, resource ACLs, custom roles, policy JSON blobs.
- Collaboration artifacts: rooms, files, contextual metadata (shared links, permissions), presence/attendance logs, avatars/asset binaries.
- Session & token data: active sessions, refresh tokens, long-lived API keys, device tokens — get lists or revoke targets.
- Audit logs: admin actions, provisioning/deprovisioning, consent grants, data exports, retention timestamps. Prefer export in newline-delimited JSON (NDJSON).
- Retention metadata: vendor TTLs and deletion schedules for backups and archives.
Practical export example (SCIM-like):
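# Users (SCIM): page through with startIndex until a page comes back empty
start=1
while :; do
  page=$(curl -sf -H "Authorization: Bearer $VENDOR_API_TOKEN" \
    "https://api.vendor.example.com/scim/v2/Users?startIndex=$start&count=100")
  n=$(printf '%s' "$page" | jq '.Resources | length')
  [ "${n:-0}" -gt 0 ] || break
  printf '%s' "$page" | jq -c '.Resources[]' >> users.ndjson
  start=$((start + n))
done
# For assets (paginated): repeat with page=2, 3, ... until .data is empty
curl -sf "https://api.vendor.example.com/v1/assets?page=1" \
  -H "Authorization: Bearer $VENDOR_API_TOKEN" \
  | jq -c '.data[]' >> assets.ndjson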
Phase 2 — Data validation & normalization (Day 3–10)
- Validate exports: verify counts (users, groups) against vendor dashboard; check checksums.
- Normalize identifiers: map vendor UUIDs to your canonical user IDs; create mapping CSV with fields: vendor_id, email, canonical_id, migration_status.
- Schema translation: convert vendor-specific role/policy JSON into your IAM schema or target directory format (SCIM, LDAP LDIF, or custom API payloads).
- Protect PII: encrypt exports at rest (AES-256), restrict access to migration team, track key use in HSM or KMS.
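The validation and normalization steps above, as an added example that is not part of the original article: it checks an NDJSON export against a checksum and a dashboard count, then builds the mapping rows with the fields named in the checklist. The sample records, the `CANONICAL` lookup, and the status names are constructed for illustration.

```python
import csv, hashlib, io, json

# Constructed sample export (NDJSON, one SCIM-like user per line); not real data.
SAMPLE_EXPORT = b"""\
{"id":"v-001","emails":[{"value":"Ana@Example.com"}]}
{"id":"v-002","emails":[{"value":"bo@example.com"}]}
{"id":"v-003","emails":[]}
{"id":"v-004","emails":[{"value":"ana@example.com"}]}
"""
# Hypothetical canonical directory: lower-cased email -> canonical user ID.
CANONICAL = {"ana@example.com": "u-1001"}

def validate_and_map(raw, expected_sha256, expected_count, canonical):
    """Return (rows, problems): mapping rows plus any integrity findings."""
    problems = []
    if hashlib.sha256(raw).hexdigest() != expected_sha256:
        problems.append("checksum mismatch")
    users = [json.loads(line) for line in raw.splitlines() if line.strip()]
    if len(users) != expected_count:
        problems.append(f"count mismatch: export={len(users)} dashboard={expected_count}")
    rows, seen = [], set()
    for u in users:
        emails = u.get("emails") or []
        email = emails[0]["value"].strip().lower() if emails else ""
        if not email:
            status = "needs_review_no_email"
        elif email in seen:
            # Two vendor accounts claiming one email must not be auto-merged.
            status = "needs_review_duplicate_email"
        elif email in canonical:
            status = "matched"
        else:
            status = "to_provision"
        seen.add(email)
        cid = canonical[email] if status == "matched" else ""
        rows.append({"vendor_id": u["id"], "email": email,
                     "canonical_id": cid, "migration_status": status})
    return rows, problems

def to_csv(rows):
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["vendor_id", "email", "canonical_id", "migration_status"])
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    digest = hashlib.sha256(SAMPLE_EXPORT).hexdigest()  # stands in for the vendor-supplied checksum
    rows, problems = validate_and_map(SAMPLE_EXPORT, digest, 5, CANONICAL)  # dashboard shows 5
    print(to_csv(rows), problems)
```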
Phase 3 — Migration strategy (Day 7–21)
Choose one of three identity migration approaches based on user experience, security, and time-to-complete:
- Federate to your IdP (Recommended when possible)
  - Swap SAML/OIDC metadata to route auth to your IdP; create mapping for group/role claims.
  - Use SSO bridge for apps that expect vendor issuer (create bridge endpoint that proxies assertions).
- Provision into target directory (SCIM/LDAP)
  - Bulk-provision users and groups via SCIM to target IdP; set temporary passwords and force reset where needed.
- Account linking + staged migration
  - Ask users to link accounts via email verification; useful when passwords can't be migrated.
Key migration considerations:
- 2FA & device data: Devices and TOTP seeds often can’t be transported. Plan re-enrollment flows or use vendor-supplied recovery tokens.
- Password migration: If hashed password export is available, validate algorithm compatibility. Avoid translating hashed passwords if it reduces security.
- Session continuity: expire sessions at cutover windows and offer seamless SSO where possible to reduce help desk load.
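One way to run the algorithm-compatibility check from the password migration item, as an added example that is not from the original article: it sorts exported hash strings into import, rehash on next login, or forced reset. The work-factor floors, the decision names, and the passlib-style `$pbkdf2-sha256$` encoding are assumptions to replace with what your target IdP actually accepts.

```python
import re
from collections import Counter

# Assumed policy for this example; set these from what your target IdP can import.
MIN_BCRYPT_COST = 10
MIN_PBKDF2_ITERATIONS = 600_000

BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
ARGON2ID = re.compile(r"^\$argon2id\$v=19\$m=\d+,t=\d+,p=\d+\$[^$]+\$[^$]+$")
PBKDF2 = re.compile(r"^\$pbkdf2-sha256\$(\d+)\$[^$]+\$[^$]+$")
BARE_HEX = re.compile(r"^[0-9a-fA-F]{32,128}$")  # plain digest, no KDF parameters visible

def triage(hash_value):
    """Classify one exported hash: import / rehash_on_login / force_reset."""
    if not hash_value:
        return "force_reset", "no hash exported"
    if ARGON2ID.match(hash_value):
        return "import", "argon2id"
    m = BCRYPT.match(hash_value)
    if m:
        cost = int(m.group(1))
        ok = cost >= MIN_BCRYPT_COST
        return ("import" if ok else "rehash_on_login"), f"bcrypt cost {cost}"
    m = PBKDF2.match(hash_value)
    if m:
        rounds = int(m.group(1))
        ok = rounds >= MIN_PBKDF2_ITERATIONS
        return ("import" if ok else "rehash_on_login"), f"pbkdf2-sha256 rounds {rounds}"
    if BARE_HEX.match(hash_value):
        return "force_reset", "bare digest, fast and possibly unsalted"
    return "force_reset", "unrecognized format"

def summarize(records):
    """records: iterable of (vendor_id, hash_value). Returns a Counter of decisions."""
    return Counter(triage(h)[0] for _, h in records)

# Constructed sample values (not real hashes): correct shape, filler bodies.
SAMPLE = [
    ("v-001", "$2b$12$" + "A" * 53),
    ("v-002", "$2b$06$" + "A" * 53),
    ("v-003", "$pbkdf2-sha256$29000$c2FsdA$aGFzaA"),
    ("v-004", "0123456789abcdef0123456789abcdef"),
    ("v-005", None),
    ("v-006", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"),
]

if __name__ == "__main__":
    for vid, h in SAMPLE:
        print(vid, *triage(h))
    print(dict(summarize(SAMPLE)))
```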
Phase 4 — Cutover & access revocation (Day 14+)
- Cutover runbook: define downtime window (if needed), run preflight checks, execute cutover steps, and verify success metrics (auth success rate, error rate).
- Revoke vendor credentials: remove vendor admin user access to your org, rotate API keys used by your systems, and snapshot for forensic evidence before revocation.
- Reconfigure SSO: update SP/IdP metadata, publish new metadata endpoints, and allow partners to update their side.
- Reissue client secrets: retire any client IDs that depended on vendor's auth infrastructure, and re-register OAuth clients in your IdP.
- Revoke tokens: call the vendor's OAuth2 revocation endpoint and revoke refresh tokens; use introspection to list active tokens where available.
# Example: OAuth2 token revocation
curl -X POST "https://vendor.example.com/oauth/revoke" \
-u "$CLIENT_ID:$CLIENT_SECRET" \
-d "token=$TOKEN_TO_REVOKE"
Phase 5 — Legal, contractual & compliance actions (immediate & ongoing)
Contractual steps should run in parallel to technical migration.
- Trigger exit clauses: exercise your contractual rights, including the data portability SLA, export assistance, escrow agreements, and notification of termination.
- Request deletion certificates: ask for signed attestations confirming deletion of customer data from live and backup systems and the timeline used.
- Audit rights & evidence: preserve vendor communications, export reports, and timestamps for regulators or internal auditors.
- Escrow keys & IP: if vendor hosted keys or tokens (e.g., platform-managed KMS), ensure retrieval via agreed escrow or plan a rekeying strategy.
Sample contractual clauses (boilerplate you can adapt)
Data Export SLA: "Upon Customer’s written request and where Product is discontinued, Provider will (a) provide a full export of Customer Data in machine-readable formats (CSV, NDJSON, or other mutually agreed formats) within 15 business days, (b) provide export integrity checksums, and (c) provide reasonable assistance for 60 calendar days to support the Customer’s technical migration."
Deletion Attestation: "Provider will, upon Customer’s request after cutoff, deliver a signed deletion certificate within 30 days certifying that Customer Data has been irreversibly deleted from all production and disaster recovery systems, subject to any lawful retention obligations. Provider will retain proof of deletion logs for 3 years."
Escrow & Continuity: "In the event of Product discontinuation, Provider will deposit the current Product configuration and export tooling into a mutually agreed code escrow, accessible to the Customer under defined conditions, to enable migration to an alternative provider or self-hosted solution."
Access-control checklist: hardening during sunsetting
- Disable vendor admin console access for your admins; switch vendor access to read-only for export operations.
- Rotate any service account keys used by automation before and after data transfer; track with your KMS audit trail.
- Remove vendor SSO connectors from critical apps only after test migration completes; document who did the change and when.
- Revoke or rotate OAuth client secrets that were issued by the vendor and are no longer required.
- Enforce short-lived tokens and revoke refresh tokens as part of final cutover.
Communication & UX: reduce helpdesk load
- User notices: post clear notifications in-app, via email, and on support portals describing timelines, actions users should take, and how to get help.
- Migration UX: for account linking flows, implement one-click email verification and show progress. Provide an “I can’t sign in” fallback tied to your support queue.
- Support tooling: prepare canned responses, diagnostic scripts, and bulk password reset endpoints for helpdesk teams.
- Training: brief internal incident responders, SRE, and helpdesk on likely failure modes and resolution steps including logs to check and rollback commands.
Monitoring & verification after cutover (Day 0–30 post-cutover)
- Monitor auth success rates, login latency, and error codes for 48–72 hours post-cutover.
- Watch for spikes in password-reset tickets and for suspicious authentications (failed login storms).
- Validate audit log continuity: ensure your new system captures the same events and retains logs per compliance policy.
- Retain exported evidence (signed checksums, deletion attestations) in your compliance archive for the required retention period.
Edge cases & advanced strategies (2026 best practices)
Handling vendor-proprietary IDs and cryptographic artifacts
Some vendors embed vendor-specific cryptographic artifacts (attestation tokens, VR device signatures). You have two pragmatic options:
- Map and preserve as attributes: store vendor artifacts as non-functional attributes for audit/forensics. Do not use them for future auth unless you have key escrow.
- Re-issue trust: replace hardware-bound identities by re-enrolling devices or issuing signed statements to users explaining re-enrollment steps.
For high-risk industries: legal hold and forensic copies
Regulated sectors (finance, health) should request immutable forensic snapshots and preservation letters. Maintain chain-of-custody and hash verifications. Consider involving external auditors if vendor certification is required.
Automation & scripts
Automate exports, validation, and provisioning. Use idempotent tooling so reruns are safe:
# Simple provisioning loop (toy example)
# users.ndjson holds one user object per line; build each payload with jq so
# values are quoted and escaped as valid JSON.
jq -c '{schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
        userName: .emails[0].value,
        name: {givenName: .name.givenName, familyName: .name.familyName}}' users.ndjson \
| while read -r payload; do
  curl -s -X POST "https://idp.example.com/scim/v2/Users" \
    -H "Authorization: Bearer $IDP_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$payload"
done
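What "idempotent so reruns are safe" looks like in practice, as an added example that is not from the original article: each user is looked up by a stable key before any write, so a second run makes no changes, and accounts disabled at the vendor stay disabled. `FakeDirectory` is a constructed in-memory stand-in for a SCIM target, and using the vendor ID as `externalId` is an assumption.

```python
class FakeDirectory:
    """Constructed stand-in for a SCIM target; a real client would look up by
    externalId and then create or replace the user over HTTP."""
    def __init__(self):
        self.users = {}   # externalId -> resource
        self.writes = 0   # counts state-changing calls

    def find(self, external_id):
        return self.users.get(external_id)

    def upsert(self, resource):
        self.users[resource["externalId"]] = dict(resource)
        self.writes += 1

def to_target(vendor_user):
    """Project a vendor export record onto the fields we provision."""
    return {
        "externalId": vendor_user["id"],  # vendor ID kept as the stable join key
        "userName": vendor_user["emails"][0]["value"].lower(),
        "name": dict(vendor_user["name"]),
        # Carry the disabled state over; migration must not re-enable accounts.
        "active": vendor_user.get("active", True),
    }

def provision(directory, export):
    """Create missing users, update drifted ones, leave identical ones alone."""
    result = {"created": 0, "updated": 0, "unchanged": 0}
    for vendor_user in export:
        desired = to_target(vendor_user)
        current = directory.find(desired["externalId"])
        if current is None:
            directory.upsert(desired)
            result["created"] += 1
        elif current != desired:
            directory.upsert(desired)
            result["updated"] += 1
        else:
            result["unchanged"] += 1
    return result

# Constructed sample export records.
SAMPLE_USERS = [
    {"id": "v-001", "emails": [{"value": "Ana@example.com"}],
     "name": {"givenName": "Ana", "familyName": "Ruiz"}},
    {"id": "v-002", "emails": [{"value": "bo@example.com"}],
     "name": {"givenName": "Bo", "familyName": "Lind"}, "active": False},
]

if __name__ == "__main__":
    d = FakeDirectory()
    print(provision(d, SAMPLE_USERS), provision(d, SAMPLE_USERS), d.writes)
```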
Post-mortem & lessons learned
- Document migration metrics: time to migrate, user impact, tickets, and incidents.
- Update procurement checklists to require export SLAs, escrow, and minimum notification period for future contracts.
- Automate periodic exports for services with business-critical identity features, even without a shutdown notice, to reduce future churn costs.
Actionable takeaways (quick checklist)
- Immediately: snapshot config, export users, freeze new integrations.
- Within 7 days: validate exports, map identifiers, start provisioning to target IdP or directory.
- Before cutover: revoke vendor admin access, rotate keys, prepare support flows.
- After cutover: monitor auth metrics, archive attestations, run a post-mortem, and update procurement language.
Why this checklist matters beyond a single shutdown
Vendor sunsetting is now a predictable risk: vendor portfolios shift faster, regulators lean on portability/deletion rights, and hybrid identity architectures increase blast radius. A documented, repeatable decommission playbook protects users, keeps you compliant, and reduces incident costs. Treat this checklist as part of your identity resilience program.
Final notes on Meta Workrooms (case in point)
Meta’s Horizon Workrooms shutdown in early 2026 highlighted typical pitfalls: vendor-managed device registries, proprietary workspace artifacts, and limited export tooling. If you relied on Workrooms-style features, the practical steps above—prompt export, SCIM mapping, reassignment of virtual assets, and legal exit triggers—are exactly what you need to follow.
Call to action
Start your decommission runbook now: download our free, editable migration checklist and contractual clause templates to embed into procurement and incident playbooks. If you need hands-on help migrating identity data, contact our engineering readiness team for a migration assessment and automated scripts tuned to your environment.