When an employee leaves your business, whether they resign or are terminated, every account they had access to becomes a security risk until it's locked down. IT offboarding is the process of revoking all access, preserving important data, and recovering company devices. Doing this quickly and completely prevents ex-employees from accessing company systems and ensures no business data walks out the door. This guide gives you a step-by-step process to follow every time someone departs.
Timing Is Critical
The single most important factor in offboarding is speed. Every hour a departed employee has active credentials is an hour your business is exposed.
For voluntary departures (resignations), complete most steps on the employee's last day. You typically have advance notice, so use it. Coordinate with HR to confirm the departure date and plan the IT steps ahead of time. Have everything ready so that when the employee walks out, their access is revoked within minutes.
For involuntary departures (terminations), complete access revocation immediately, ideally before or during the termination meeting. This is not optional. A terminated employee who still has active credentials and remote access to your systems is a significant risk. If your business uses Microsoft 365 Business Premium with Entra ID, you can block sign-in and revoke all active sessions from the admin console in under two minutes. Have IT standing by during any termination meeting so access can be cut the moment the conversation ends.
Coordination between HR and IT is essential. IT should never learn about a departure after the fact. Build a process where HR notifies IT as soon as a departure is confirmed, with the expected last day and whether it's voluntary or involuntary.
Immediate Actions (Day of Departure)
Revoke Sign-In Access
Start with the employee's Microsoft 365 account, which is usually the gateway to email, files, Teams, and most cloud applications.
Reset the employee's Microsoft 365 password to a long, random value. Then block sign-in on the account in the Microsoft 365 admin center (Admin > Users > Active users > Select user > Block sign-in). This prevents the former employee from authenticating even if they know the old password.
Revoke all active sessions. This is a step many businesses miss. Blocking sign-in prevents new logins, but it doesn't terminate sessions that are already active on the employee's phone, home computer, or tablet. In Entra ID, navigate to the user's account and select "Revoke sessions" to force sign-out on every device immediately.
Disable or reset credentials for VPN access, remote desktop, and any other systems that have their own authentication separate from Microsoft 365.
Disable Accounts in Business Applications
Go through every application the employee used and disable or deactivate their account. This includes your CRM, accounting software, project management tools, practice management system, and any other line-of-business application.
Revoke access to third-party cloud services: Slack, Zoom, Dropbox, Canva, and anything else the employee signed up for or was given access to. Check your records or ask the employee's manager for a complete list.
Remove the employee from all shared vaults in your password manager. If your business uses 1Password, go to the admin console and remove the user from every vault they had access to. This is critically important. Shared vaults often contain credentials for systems, vendor portals, and social media accounts that the former employee should no longer be able to reach. If any passwords in those shared vaults were known to the departing employee, rotate them.
Check for OAuth app consents in Entra ID and revoke them. Employees sometimes grant third-party apps access to their Microsoft 365 account (for example, a scheduling tool that reads their calendar). These consents persist even after the password is changed, so they need to be explicitly revoked.
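The immediate revocation steps above (password reset, block sign-in, revoke sessions, revoke OAuth consents), as an added example scripted with the Microsoft Graph PowerShell SDK; this is not the article's own code. It assumes the Microsoft.Graph module is installed, that the operator holds a directory role that can manage users, and that the UPN is a placeholder.

```powershell
# Added example, not from the original article: the immediate sign-in revocation steps
# above, scripted with the Microsoft Graph PowerShell SDK (module name Microsoft.Graph).
# Assumes the operator holds a directory role that can manage users; $Upn is a placeholder.
param([string]$Upn = "departing.user@example.com")

# Scopes cover password reset, enable/disable, session revocation and consent removal;
# tenant policy may require adjusting these.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User-PasswordProfile.ReadWrite.All",
    "User.RevokeSessions.All", "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All"

# AccountEnabled is not in the default property set, so request it explicitly.
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Reset the password to a long random value nobody knows (24 random bytes -> 32 chars).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$profile = @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }
Update-MgUser -UserId $user.Id -PasswordProfile $profile

# 2. Block sign-in (same effect as the "Block sign-in" toggle in the admin center).
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Revoke refresh tokens so sessions already open on phones, tablets and home PCs expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Remove OAuth consents the user granted to third-party apps; these survive a password change.
$grants = @(Get-MgUserOauth2PermissionGrant -UserId $user.Id -All)
foreach ($g in $grants) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    Write-Host "Revoking consent for '$($app.DisplayName)' (scopes: $($g.Scope))"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# 5. List remaining group memberships for the cleanup step later in this guide; Exchange
# distribution lists and dynamic groups cannot be edited through Graph and need their own step.
Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object | ForEach-Object { Write-Host "Still a member of: $_" }

# Confirm before closing the ticket.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($check.AccountEnabled) { throw "Sign-in is still enabled for $Upn" }
Write-Host "Sign-in blocked, sessions revoked, $($grants.Count) app consent(s) removed for $Upn"
```

VPN, remote desktop and line-of-business applications with their own authentication are not covered by this script and still need to be disabled separately.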
Data Preservation (Same Day or Within 48 Hours)
Convert the employee's mailbox to a shared mailbox in the Microsoft 365 admin center. This preserves all email without consuming a paid license. Once converted, grant access to the shared mailbox to the employee's manager or their replacement so they can review and respond to messages.
If the manager needs to receive new messages sent to the former employee's address, set up email forwarding on the shared mailbox. This is common when a salesperson or account manager leaves and clients continue emailing their old address.
Set an auto-reply on the mailbox informing senders that the employee is no longer with the company and providing the new point of contact. Keep this professional and brief.
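The three mailbox steps above (convert to shared, delegate and forward, auto-reply), as an added example using the Exchange Online PowerShell module; this is not the article's own code. It assumes the ExchangeOnlineManagement module is installed, an Exchange Administrator connection, and that the addresses and company name are placeholders.

```powershell
# Added example, not from the original article: mailbox preservation for a departed user
# with the ExchangeOnlineManagement module. Assumes an Exchange Administrator connection;
# the addresses and company name are constructed placeholders.
param(
    [string]$Departed = "departing.user@example.com",
    [string]$Manager  = "manager@example.com",
    [string]$Company  = "Example Co"
)
Connect-ExchangeOnline -ShowBanner:$false

# Convert to a shared mailbox: content is kept and the paid license can be reclaimed later.
# (A shared mailbox needs no license as long as it stays under 50 GB.)
Set-Mailbox -Identity $Departed -Type Shared

# Give the manager full access; AutoMapping makes it appear in their Outlook automatically.
Add-MailboxPermission -Identity $Departed -User $Manager -AccessRights FullAccess -AutoMapping $true

# Forward new mail to the manager while keeping a copy in the shared mailbox.
Set-Mailbox -Identity $Departed -ForwardingAddress $Manager -DeliverToMailboxAndForward $true

# Brief, professional auto-reply for both internal and external senders.
$reply = "$Departed is no longer with $Company. Please contact $Manager for assistance."
Set-MailboxAutoReplyConfiguration -Identity $Departed -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

# Verify before closing the ticket.
$mbx = Get-Mailbox -Identity $Departed
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') { throw "Mailbox for $Departed was not converted" }
Write-Host "Shared mailbox ready; delegate access and forwarding set for $Manager"
```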
Files and Documents
Transfer the employee's OneDrive files to their manager or replacement. In the Microsoft 365 admin center, go to Users, select the departing user, and use the OneDrive tab to grant a delegate access. The delegate has 30 days to access and move files before OneDrive is automatically deleted, so don't wait.
Before wiping the employee's computer, check for files stored locally that may not have synced to OneDrive. Desktop files, Downloads folder contents, and documents saved outside the OneDrive sync folder are easy to lose if you wipe the machine first.
Transfer ownership of any shared folders, SharePoint sites, or Teams channels the employee owned. If they were the sole owner of a Teams channel, that channel becomes unmanageable until a new owner is assigned.
Other Data
Transfer ownership of CRM records, deals, and client relationships. Open tickets and tasks should be reassigned to another team member. Export or transfer any data from tools the employee used that won't transfer automatically when their account is disabled.
Group Memberships and Permissions
Remove the employee from all Microsoft 365 groups, Teams channels, and distribution lists. Remove their permissions from SharePoint sites they had access to. If they had access to other shared mailboxes (like info@ or support@), remove that access as well.
Transfer ownership of any Microsoft 365 groups or Teams the employee created or owned. If they were the only owner, assign a new owner before disabling the account.
Don't forget physical access. Remove the employee from building access systems, change alarm codes they knew, and collect keys or security badges. Physical security is just as important as digital security.
Device Recovery
Collect the laptop, phone, monitor, headset, docking station, and any other company hardware. Collect access cards, keys, and security tokens. Have a checklist of what was issued to the employee so you can confirm everything is returned.
If the device can't be collected immediately, for example if the employee is remote and needs to ship the equipment back, initiate a remote wipe through Intune. This erases all company data and policies from the device regardless of where it is physically. For Athencia's managed IT clients, this is a standard part of the offboarding process and can be triggered within minutes.
Once the device is returned or wiped, remove it from Entra ID and Intune. Reset it to factory settings so it's ready to be reissued to the next employee. Update your asset inventory to reflect the device's current status.
Post-Departure Verification
Trust but verify. After completing all of the steps above, test the results.
Try to sign in to Microsoft 365 with the former employee's credentials. The login should fail. Verify that access to business applications is disabled by checking each one. Confirm that email forwarding or the shared mailbox is working correctly by sending a test message to the old address. Verify that OneDrive files were transferred successfully and that no critical data was lost.
Check audit logs in Microsoft 365 and Entra ID for any suspicious activity in the days leading up to the departure. Look for large file downloads, forwarding rules set up on the mailbox, or data exports from business applications. This is particularly important for involuntary departures, but it's good practice for all offboarding.
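The verification and audit-log review described above, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules are already connected with audit-reading permissions; the UPN, the departure date and the 200-download threshold are constructed placeholders, not figures from the article.

```powershell
# Added example, not from the original article: post-departure checks scripted with the
# Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module. Assumes both are
# already connected (Connect-MgGraph with AuditLog.Read.All and User.Read.All;
# Connect-ExchangeOnline with a role that can read the audit log). The UPN, the date and the
# 200-download threshold are constructed placeholders.
param(
    [string]$Upn = "departing.user@example.com",
    [datetime]$LastDay = (Get-Date).Date
)
$findings = @()

# 1. Sign-in must be blocked (AccountEnabled is not returned unless requested).
$u = Get-MgUser -UserId $Upn -Property Id, AccountEnabled
if ($u.AccountEnabled) { $findings += "Sign-in is still ENABLED" }

# 2. No successful sign-ins after the last day (Entra ID sign-in logs; requires Entra ID P1).
$since = $LastDay.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "userId eq '$($u.Id)' and createdDateTime ge $since and status/errorCode eq 0"
$signins = @(Get-MgAuditLogSignIn -Filter $filter -All)
if ($signins.Count -gt 0) {
    $ips = ($signins.IpAddress | Sort-Object -Unique) -join ', '
    $findings += "$($signins.Count) successful sign-in(s) after last day from: $ips"
}

# 3. Inbox rules that forward or redirect mail survive the password change; -IncludeHidden
#    also returns rules that normal clients do not display.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
foreach ($r in $rules) {
    $targets = (@($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)) -join ', '
    $findings += "Forwarding inbox rule '$($r.Name)' -> $targets"
}

# 4. Bulk downloads and mailbox configuration changes in the 14 days before departure,
#    from the unified audit log.
$ops = "FileDownloaded", "FileSyncDownloadedFull", "New-InboxRule", "Set-InboxRule", "Set-Mailbox"
$events = @(Search-UnifiedAuditLog -StartDate $LastDay.AddDays(-14) -EndDate $LastDay.AddDays(1) `
    -UserIds $Upn -Operations $ops -ResultSize 5000)
$downloads = @($events | Where-Object { $_.Operations -like "File*" })
if ($downloads.Count -gt 200) { $findings += "$($downloads.Count) file downloads in the 14 days before departure" }
foreach ($e in ($events | Where-Object { $_.Operations -notlike "File*" })) {
    $findings += "Mailbox rule/config change: $($e.Operations) at $($e.CreationDate)"
}

# Report: anything listed here needs follow-up before the account is deleted.
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No issues found for $Upn" }
```

Tune the download threshold to what is normal for the role; a designer syncing a SharePoint library will legitimately exceed 200 downloads, while 200 from an accounting clerk deserves a look.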
Remove the employee from your IT documentation, phone lists, emergency contacts, and any internal directories.
Delete the Account (After Data Is Secured)
Once you've confirmed that all data is preserved and all access is revoked, delete the Microsoft 365 user account. This frees up the license for reassignment. Microsoft retains the deleted account for 30 days, so if you realize you missed something, you can restore it during that window. After 30 days, the deletion is permanent.
Offboarding Checklist Summary
Use this as a quick reference each time an employee departs.
- Password reset and sign-in blocked on Microsoft 365
- All active sessions revoked in Entra ID
- Business application accounts disabled
- Password manager access removed and shared passwords rotated
- Mailbox converted to shared mailbox with forwarding set up
- OneDrive files transferred to manager or replacement
- Group memberships and ownership transferred
- Devices collected and wiped (remotely via Intune if needed)
- Physical access revoked (keys, badges, alarm codes)
- Post-departure access verified as fully revoked
- Audit logs reviewed for suspicious pre-departure activity
- Account deleted and license reclaimed
Need Help?
Offboarding done poorly creates security gaps that can haunt your business for months. If you want help building a repeatable offboarding process or need to offboard someone quickly, contact Athencia. We'll make sure nothing gets missed.