
Offboarding 101: the 15 things that have to happen when an employee leaves

March 30, 2026, 9 min read, by Chaz Chamberlain

A practical, ordered checklist for offboarding an employee — from the moment notice is given through final device wipe. What most teams forget, and why offboarding is where security actually breaks.

Most breaches don’t come from sophisticated attackers. They come from a former employee who still has an active Gmail session 14 months after leaving, a Dropbox that was “shared with editor@companyX.com” and nobody revoked it, or a third-party tool that never got notified the account should be disabled.

Offboarding is where security actually breaks. Not at the perimeter. Not at the user’s endpoint. At the gap between HR telling IT and IT completing the checklist.

Here’s the 15-step list we run for clients. Ordered.

Before the employee’s last day

1. Confirm the exit date and access sunset time

The moment HR knows the person is leaving, IT should know. Get the exact end-of-access date and time in writing. Not “Friday” — “Friday 5:00pm ET.” This matters because the actions below should fire on a schedule, not when someone remembers.

2. Check for shared admin responsibilities

Is this person the sole admin on any critical account? Apple Business Manager, the Google Workspace super admin, the AWS root, the GitHub org owner? If yes, add a second admin before the first day of their notice. Not the last. Recovery if you skip this is weeks, not hours.

3. Identify their personal data vs. company data

Especially on Macs. A departing employee with iMessage history, personal photos, or personal Apple ID content on the device deserves a clean separation. Document what gets preserved (their personal data) vs. what gets wiped (everything else).

4. Schedule a data-handoff meeting

Work files on their laptop that only exist there. Work they own in email threads. A short structured session (15-30 min) where they walk a replacement through handoffs beats any amount of “we’ll figure it out later.”

On the last day (or scheduled cutover time)

5. Disable primary identity

Entra ID, Google Workspace, Okta — whichever is your primary IdP. Disable the account (don’t delete yet — deletion cascades). All SSO-connected apps should lose access within minutes via conditional access revocation.

6. Revoke active sessions everywhere

This is the step everyone misses. Disabling the account stops new logins. It doesn’t kill existing sessions or the refresh tokens behind them. In Entra, revoke the user’s sign-in sessions. In Google, sign the user out of all sessions. In Slack, deactivate the user (which forces a sign-out). Every tool has a “sign out of all sessions” button somewhere. Use them.

7. Remove from any MFA allowlists

Revoke app-specific passwords and backup codes they generated, and unenroll the authenticator apps on their phone. If the person had an admin MFA exemption for any tool, remove it.

8. Handle email and calendar

Usual pattern: auto-reply with replacement contact, forward incoming mail to their manager or replacement for 30-60 days, transfer calendar ownership for any recurring meetings, then archive the mailbox. Don’t leave the mailbox active with nobody monitoring it for months.

9. Transfer file ownership

Google Drive, Dropbox, OneDrive — before the account gets deleted, transfer ownership of anything business-relevant to a successor. Most services do this at scale via admin console; do it in bulk, don’t click through hundreds of files.

10. Audit third-party access

This is where the time goes. The person probably had accounts in 30+ SaaS tools beyond your SSO. Monday, Figma, Linear, 1Password vaults, Stripe dashboards, Mailchimp, whatever finance uses. Your IT-managed SaaS registry should have this list. If you don’t have a registry, this is the clarity call topic.

11. Remote-wipe the device

Through your Apple Device Management console: remote lock or remote wipe, depending on whether you’re repossessing the device or letting the employee keep it. If keeping, ensure the device is un-supervised and removed from ABM so they can wipe and re-register personally.

12. Retrieve the device (if applicable)

Shipping label with tracking, not “drop it in the mail.” Most return flows that rely on employee diligence produce a device that never comes back. Use a prepaid label and track it. If the device doesn’t arrive in 10 business days, escalate to HR.

Within 7 days of departure

13. Verify everything actually disabled

Spot-check: log entries for any admin-level operations the person could have performed, email forwards they might have set up before disable, API keys they generated that still work. Treat this as a security review, not an admin task.

14. Transfer or reassign licensed seats

Seats on paid SaaS cost money. Reassign them or downgrade within the billing cycle. This is the step that quietly saves clients thousands per year.

15. Document the offboarding

Every step above, signed off, with timestamps, stored in your client portal or ticketing system. If this employee ever becomes a legal or security question 3 years from now, “we don’t have records” is worse than any single action you took.
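The step-13 spot-check, as an added example that is not part of the original post: it takes a normalized audit log and the agreed access-sunset time from step 1 and reports the three things the post says to look for. The account, cutover time and log events are all constructed for illustration; real IdP and SaaS exports would first be mapped into the same (timestamp, actor, action, detail) shape.

```python
from datetime import datetime, timezone

# Hypothetical departed account and its access-sunset time from step 1:
# "Friday 5:00pm ET" on 2026-03-27 is 21:00 UTC (EDT is UTC-4).
DEPARTED = "jdoe@example.com"
CUTOVER = datetime(2026, 3, 27, 21, 0, tzinfo=timezone.utc)

# Constructed sample events, not real log data.
EVENTS = [
    ("2026-03-27T19:42:00Z", DEPARTED, "mail_forward_created", "to=jdoe.personal@example.net"),
    ("2026-03-27T20:15:00Z", DEPARTED, "api_token_created", "token_id=tok_0421"),
    ("2026-03-27T20:16:00Z", DEPARTED, "api_token_created", "token_id=tok_0422"),
    ("2026-03-27T21:01:00Z", "admin@example.com", "user_disabled", f"target={DEPARTED}"),
    ("2026-03-27T21:05:00Z", "admin@example.com", "api_token_revoked", "token_id=tok_0422"),
    ("2026-03-28T03:12:00Z", DEPARTED, "api_token_used", "token_id=tok_0421"),
    ("2026-03-29T09:00:00Z", DEPARTED, "login_success", "ip=203.0.113.10"),
    ("2026-03-29T09:30:00Z", "msmith@example.com", "login_success", "ip=198.51.100.7"),
]

def parse_ts(ts):
    """ISO-8601 UTC timestamp ('...Z') to an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_offboarding(events, departed, cutover):
    """Return the three findings step 13 asks you to verify:
    activity by the departed account after cutover (a surviving session or
    token), mail forwards created before disable, and API tokens the person
    created that nobody revoked."""
    findings = {"post_cutover_activity": [], "forwards_set_before_cutover": [], "live_tokens": []}
    created, revoked = {}, set()
    for ts, actor, action, detail in sorted(events, key=lambda e: e[0]):
        when = parse_ts(ts)
        if action == "api_token_revoked":          # revocations may come from an admin
            revoked.add(detail.split("=", 1)[1])
        if actor != departed:
            continue
        if when >= cutover:
            findings["post_cutover_activity"].append((ts, action, detail))
        if action == "mail_forward_created" and when < cutover:
            findings["forwards_set_before_cutover"].append((ts, detail))
        if action == "api_token_created":
            created[detail.split("=", 1)[1]] = ts
    findings["live_tokens"] = sorted(t for t in created if t not in revoked)
    return findings

if __name__ == "__main__":
    for kind, items in review_offboarding(EVENTS, DEPARTED, CUTOVER).items():
        print(f"{kind}: {items or 'none'}")
```

Any non-empty finding means step 6, 8 or 13 was not actually completed; treat it as a security review, as the post says, not as a ticket to close.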

The common shortcuts that bite later

  • “We’ll delete the account in 90 days.” Then forget. Put it on a calendar with an actual assignee.
  • Keeping the email forward active indefinitely. Former employees’ inboxes filling with password reset emails is a phishing attack vector waiting to happen.
  • Letting the person “keep” their laptop without removing it from your MDM. Either supervise (it stays in your fleet) or de-supervise (it leaves cleanly). Never both.
  • Not changing shared credentials. That support@ inbox, that team Netflix account, any service that was intentionally shared — passwords get rotated at offboarding, not quarterly.

Why this is 15 steps and not 5

Because the ways environments fail scale with employee count. A 5-person startup can handle offboarding in a Slack thread. A 50-person company cannot. And the 50-person version without a written process is how companies end up paying a forensics firm after a departed employee exfiltrates data through a Google Drive share that was still active six months later.

We build this process into every managed engagement. Standardized. Time-boxed. Documented. Every step above has a runbook associated with it so it’s repeatable and doesn’t rely on any one person remembering.

Onboarding makes your IT visible. Offboarding is the test of whether it’s real.

Questions like this on your own environment?

We help growing teams make these calls in plain language — no vendor push, no hourly clock. Book a clarity call and we'll walk through yours.
