
Leaver offboarding: the complete IT checklist

14 min read | Updated February 2026

Every departure is a security event. Treat it like one.

When someone leaves your organisation, whether they resign, are made redundant, or reach the end of a fixed-term contract, a clock starts ticking. Every system they can still access, every device they still hold, every file they can still reach represents an open door. Some of those doors lead to sensitive client data. Others lead to financial systems. A few lead to your entire infrastructure.

Most organisations handle onboarding reasonably well. New starters get equipment, accounts, and access on day one. But offboarding rarely receives the same attention or rigour. The result is a sprawl of orphaned accounts, unreturned devices, and lingering permissions that accumulate over months and years. Each one is a vulnerability waiting to be exploited.

This guide provides a comprehensive, step-by-step framework for IT offboarding. It covers the period before the employee’s last day, the day itself, and the weeks that follow. Every item includes practical context about why it matters and how to execute it properly. Whether you manage IT for a 20-person business or a 500-person organisation, the fundamentals are the same.


Why offboarding security matters

Poor offboarding is one of the most common and most preventable security risks in any organisation. The consequences range from minor inconvenience to catastrophic data breaches. Understanding the specific risks helps build the case for investing in a robust, repeatable process.

Persistent account access

When a former employee retains active credentials, they keep a direct route into your systems. This is not a theoretical risk. Research from Beyond Identity found that 83% of employees admitted to maintaining access to accounts at a previous employer after leaving. Even without malicious intent, an orphaned account is a vulnerability. If that account is compromised through a phishing attack or credential stuffing, the attacker inherits whatever permissions the former employee had. Your organisation may not notice for weeks or months because the account appears legitimate.

Data exfiltration

Departing employees, particularly those leaving for competitors or on difficult terms, may take data with them. Client lists, pricing documents, intellectual property, strategic plans. Cloud storage makes this trivially easy: a quick sync to a personal device, a forwarded email chain, a shared link that remains active after departure. Without a structured offboarding process that includes auditing recent file access and revoking sharing permissions, you have no visibility into what left with them.

Compliance and regulatory exposure

Frameworks like GDPR, ISO 27001, and Cyber Essentials all require organisations to demonstrate effective access control, including timely deprovisioning when someone leaves. If a data breach occurs through a former employee's account, the ICO will ask what controls you had in place. An ad hoc, undocumented offboarding process is not a defensible answer. For organisations holding Cyber Essentials certification, failure to manage user access is a direct violation of the User Access Control requirement.

Licence waste and cost leakage

Every active account consumes a licence, whether for Microsoft 365, a CRM platform, a project management tool, or design software. When accounts persist after departure, you continue paying for licences nobody is using. For a 50-person company with average staff turnover, this can easily amount to thousands of pounds per year in unnecessary subscription costs. A clean offboarding process ensures licences are reclaimed promptly and reassigned to new starters or released entirely.

“Onboarding gets a welcome pack and a first-day schedule. Offboarding gets a hastily forwarded email to IT two days after the person has already left. That asymmetry is where the risk lives.”


Before the last day

The preparation phase is where most of the real work happens. A well-executed offboarding starts the moment a departure is confirmed, not on the employee’s final afternoon. These steps should be completed in the days or weeks leading up to the last working day, giving you time to handle handovers properly and avoid last-minute scrambles.

Confirm the last working day with HR

This sounds obvious, but the single most common offboarding failure is IT not knowing someone has left until days or weeks after their departure. Establish a formal notification process where HR informs IT the moment a resignation is accepted or a termination is decided. Ideally, this should be automated through your HR system. The notification should include the confirmed last working day, the employee's manager, and whether there are any special circumstances such as gardening leave or immediate departure.

Identify all data and files that require handover

Work with the departing employee and their manager to audit every piece of work that needs transferring. This includes documents on OneDrive or SharePoint, ongoing projects, email threads with clients, and any work stored in third-party platforms. The goal is to ensure nothing critical lives solely in the departing employee's personal storage or accounts. Schedule dedicated handover sessions rather than relying on informal knowledge transfer. Document what was handed over and to whom.

Configure email forwarding or shared mailbox access

Before the employee leaves, decide what happens to their email. Options include converting the mailbox to a shared mailbox (preserving the archive without consuming a licence), setting up forwarding to a manager or team inbox, or configuring an auto-reply directing contacts to the right person. The approach depends on the role. A client-facing employee's mailbox needs different handling than an internal role. Make this decision early so you can test the configuration before the last day.

Transfer ownership of cloud files and shared resources

OneDrive files, Teams channels they own, SharePoint sites they administer, shared calendars, Power BI reports, automation flows. All of these have an owner, and if that owner's account is disabled without transferring ownership, access can be lost or workflows can break. In Microsoft 365, use the admin centre to transfer OneDrive content to another user before the account is disabled. For Teams and SharePoint, ensure another team member has owner-level access. Check for any Power Automate flows or Power Apps tied to the departing user's account.

Document any unique access or credentials

Some employees are the only person who knows certain passwords, PIN codes, or access procedures. This is always a risk, but it becomes critical during offboarding. Work through every system, service, and piece of equipment the employee uses. Are there shared accounts where only they know the password? Service accounts they created? Admin credentials for line-of-business applications? Physical access codes? Document everything and rotate any shared credentials immediately. If your organisation uses a password manager, audit their vault for any entries that need reassigning.

Review and reassign any recurring tasks or automations

Modern workplaces run on automations: scheduled reports, Power Automate flows, Zapier integrations, cron jobs, monitoring alerts. Many of these are tied to individual accounts. If the account is disabled, the automation stops. Audit every automated process connected to the departing employee. Reassign ownership to a service account or another team member. Test the reassigned automation before the employee leaves so you can troubleshoot with their help if something breaks.

On the last day

The last day is the most time-sensitive phase of the offboarding process. Every action here has a direct impact on your security posture and should be executed promptly, ideally within a coordinated window that aligns with the employee’s departure from the building or their final remote session.

For involuntary departures or high-risk situations, these steps may need to happen simultaneously with the exit meeting. Coordinate with HR in advance so both teams are aligned on timing.

Disable the user account immediately

The moment the employee's working day ends, disable their account in your identity provider, whether that is Azure AD, Google Workspace, or another directory. Disabling is distinct from deleting. A disabled account preserves the data, mailbox, and audit trail, but prevents any further sign-in. This should happen at a predetermined time, ideally coordinated with the employee's final departure from the office or their last remote session. For high-risk departures, such as terminations, the account should be disabled during the exit meeting itself.

Revoke all active sessions and tokens

Disabling an account does not always terminate existing sessions immediately. Modern applications use access tokens that can remain valid for minutes or hours after a password change or account disable. In Microsoft 365, use the admin centre to revoke all refresh tokens. In Google Workspace, sign the user out of all sessions. Check any SSO-connected applications and force re-authentication. For mobile devices enrolled in your MDM, trigger a remote sign-out or selective wipe. The goal is to ensure that from the moment of departure, no device or session can access company data.

Reset the account password

Even after disabling the account, reset the password to a long, random string. This provides a secondary layer of protection in case the account is re-enabled accidentally or through an administrative error. It also prevents any cached credentials from being used. If the employee used their work email to sign up for any personal services (which they should not have, but often do), the password reset ensures those services cannot be accessed through the work credential.

Remove from all groups, distribution lists, and security roles

A disabled account that still belongs to a security group can create unexpected access paths, particularly if the account is ever re-enabled. Remove the departing user from every group: Microsoft 365 groups, distribution lists, security groups, Teams memberships, SharePoint site permissions, and any role-based access control assignments. This is also an opportunity to audit group membership generally. If the departing employee was the only member of a group, that group may need reassigning or archiving.
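The four account steps above (disable, revoke sessions, reset the password, remove group memberships) run as one Microsoft Graph PowerShell script. This is an added example, not code from the original checklist; it assumes the Microsoft.Graph module, a signed-in admin holding a role permitted to reset passwords, and a placeholder UPN.

```powershell
# Added example: last-day account deprovisioning in Microsoft 365 with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin holds a role that may
# reset passwords (for example User Administrator). The UPN is a placeholder.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn   # placeholder, e.g. leaver@example.com
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome
$user = Get-MgUser -UserId $LeaverUpn -Property Id, UserPrincipalName, AccountEnabled

# 1. Disable, not delete: sign-in is blocked while mailbox, files and audit trail are kept.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens so open sessions cannot renew. Access tokens already issued stay
#    valid until they expire (by default roughly an hour), which is why this is a separate step.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Set a long random password that nobody knows, so an accidental re-enable is not enough
#    to restore access. The value is never displayed or stored.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}

# 4. Remove the user from every group the directory reports. Dynamic groups and
#    Exchange-managed distribution lists reject this call, so they are recorded for manual
#    follow-up (Remove-DistributionGroupMember in Exchange Online) instead of failing silently.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

$log = foreach ($g in $groups) {
    $name = $g.AdditionalProperties['displayName']
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        [pscustomobject]@{ Group = $name; Result = 'removed' }
    } catch {
        [pscustomobject]@{ Group = $name; Result = "manual: $($_.Exception.Message)" }
    }
}

# 5. Confirm the end state and keep it as evidence for the offboarding log.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
[pscustomobject]@{
    User           = $user.UserPrincipalName
    AccountEnabled = $after.AccountEnabled          # expected: False
    GroupsRemoved  = @($log | Where-Object Result -eq 'removed').Count
    NeedsManual    = (@($log | Where-Object Result -ne 'removed').Group) -join '; '
} | Format-List
```

Applications outside the directory (see the third-party step later in this checklist) are not touched by this script and still need their own removal.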

Collect all physical equipment

Laptops, monitors, keyboards, mice, headsets, mobile phones, tablets, USB drives, external hard drives, docking stations. Create a comprehensive checklist of every item issued to the employee and verify each one is returned. Check your asset register against what was issued. If an item is missing, escalate immediately. For remote employees, arrange a courier collection or in-person handover at a convenient location. Do not rely on the departing employee to post equipment back without follow-up. Every day a company device remains in the hands of a former employee is a day your data is at risk.

Collect access cards, keys, and security fobs

Physical access to your premises is just as important as digital access. Collect ID badges, door access cards, building keys, car park fobs, and any other physical security tokens. If your access control system uses individually assigned cards, disable the card in the system as well as collecting it physically. If the card is lost or not returned, disable it immediately and consider whether any access codes or PIN pads need updating. For high-security environments, audit access logs for the final period of employment to verify that no unusual building access occurred.

After departure

The offboarding process does not end when the employee walks out the door. The weeks that follow are critical for cleaning up residual access, reclaiming resources, and ensuring your records are accurate. These steps protect you against delayed risks and keep your environment tidy for future audits.

Set an auto-reply on the former employee's email

If the mailbox has been converted to a shared mailbox or is being monitored, configure a professional auto-reply that directs contacts to the appropriate person. Keep the message simple and factual. Avoid mentioning the reason for departure. Something like: 'Thank you for your email. [Name] is no longer with [Company]. For enquiries related to [topic], please contact [Name] at [email].' Review the auto-reply periodically and remove it once the volume of incoming mail drops to a negligible level, typically after 60 to 90 days.
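The shared-mailbox conversion described under "Configure email forwarding or shared mailbox access" and the auto-reply above, combined into one Exchange Online PowerShell script. This is an added example, not part of the original checklist; it assumes the ExchangeOnlineManagement module, Exchange admin rights, and placeholder names and addresses.

```powershell
# Added example: mailbox handover for a leaver with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights; all names and
# addresses below are placeholders.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,   # placeholder, e.g. leaver@example.com
    [Parameter(Mandatory)] [string] $ManagerUpn,  # placeholder: who inherits the mailbox
    [string] $LeaverName     = 'Former Colleague',     # placeholder
    [string] $Company        = 'Example Ltd',          # placeholder
    [string] $Topic          = 'your account',         # placeholder
    [string] $ContactName    = 'Jane Doe',             # placeholder
    [string] $ContactAddress = 'jane.doe@example.com', # placeholder
    [int]    $AutoReplyDays  = 90                      # checklist suggests 60 to 90 days
)
Connect-ExchangeOnline -ShowBanner:$false

# An unlicensed shared mailbox is capped at 50 GB and cannot keep an archive or a hold.
# Check before converting; if the cap is exceeded the licence has to stay assigned.
$stats     = Get-MailboxStatistics -Identity $LeaverUpn
$sizeBytes = [int64](($stats.TotalItemSize.ToString() -replace '^.*\(([\d,]+) bytes\).*$', '$1') -replace ',', '')
if ($sizeBytes -gt 50GB) {
    throw "Mailbox is $([math]::Round($sizeBytes / 1GB, 1)) GB, above the unlicensed shared mailbox cap; keep the licence or archive first."
}

# 1. Convert to shared: the archive is preserved and no licence is needed once conversion completes.
Set-Mailbox -Identity $LeaverUpn -Type Shared

# 2. Delegate full access to the manager instead of keeping the leaver's account active.
Add-MailboxPermission -Identity $LeaverUpn -User $ManagerUpn -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null

# 3. Auto-reply in the wording the checklist suggests: factual, no reason for departure.
#    Scheduled rather than Enabled, so it switches itself off at the end of the review period.
$msg = "Thank you for your email. $LeaverName is no longer with $Company. For enquiries related to $Topic, please contact $ContactName at $ContactAddress."
Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Scheduled `
    -StartTime (Get-Date) -EndTime (Get-Date).AddDays($AutoReplyDays) `
    -InternalMessage $msg -ExternalMessage $msg -ExternalAudience All

# 4. Verify and record the result for the offboarding log.
[pscustomobject]@{
    Mailbox       = $LeaverUpn
    Type          = (Get-Mailbox -Identity $LeaverUpn).RecipientTypeDetails   # expected: SharedMailbox
    ManagerAccess = (Get-MailboxPermission -Identity $LeaverUpn -User $ManagerUpn).AccessRights -join ','
    AutoReplyEnds = (Get-MailboxAutoReplyConfiguration -Identity $LeaverUpn).EndTime
} | Format-List
```

Remove the Microsoft 365 licence only after the conversion has completed, and keep it if the mailbox has an archive or is on hold.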

Wipe and reimage returned devices

Every returned device should be wiped to factory settings and reimaged with a clean build before being redeployed. Do not simply delete the user profile and hand the device to the next person. A full wipe ensures that no personal data, cached credentials, browser sessions, or downloaded files remain on the device. For mobile devices, perform a full factory reset through your MDM platform. For laptops and desktops, use your standard provisioning process to reimage from a clean baseline. Record the wipe in your asset register.

Remove access from all third-party applications

This is the step most commonly overlooked. Beyond your core platforms like Microsoft 365 or Google Workspace, the average employee has access to dozens of third-party applications: CRM systems, accounting software, project management tools, design platforms, social media accounts, domain registrars, hosting control panels, analytics dashboards, and more. Create a comprehensive list of every SaaS application the departing employee used and remove their access from each one. If any of these applications use shared credentials rather than SSO, rotate those credentials immediately.

Review and reallocate software licences

Once the account is fully deprovisioned, audit the licences that were assigned to it. Microsoft 365 licences, Adobe Creative Cloud seats, Slack subscriptions, Zoom Pro accounts. Remove the licence assignment and either reallocate it to a new starter or release it to reduce your subscription costs. Some platforms charge per-user monthly, so prompt licence recovery has a direct cost benefit. Keep a record of which licences were reclaimed and when, both for cost management and for compliance auditing.

Delete the account after the retention period

Most organisations should retain a disabled account for 30 to 90 days after departure before permanent deletion. This retention period allows time to recover any overlooked data, respond to any legal or HR queries, and maintain audit trails. Your retention period should be documented in your IT policy and aligned with any regulatory requirements. After the retention period expires, permanently delete the account and associated data. Record the deletion date in your offboarding log. For regulated industries, longer retention periods may apply.

Update the asset register and documentation

Close the loop by updating every relevant register and document. Remove the employee from your IT asset register, update your network diagram if applicable, remove them from your software licence inventory, and update any access control matrices or permissions documents. If your organisation maintains a CMDB or IT documentation wiki, ensure the departing employee's entries are archived. This final administrative step ensures that your records accurately reflect your current environment, which is essential for future audits and compliance assessments.

83% of former employees say they still had access to a previous employer's accounts after leaving.

36% of organisations have experienced a security incident involving a former employee's credentials.

30-90 days is the recommended account retention period before permanent deletion after departure.

“You would never leave the front door unlocked when a tenant moves out. Yet organisations routinely leave digital doors wide open when employees depart. The principle is identical. Change the locks.”

Common mistakes to avoid

We manage joiners, movers, and leavers for organisations across the UK. These are the offboarding failures we encounter most frequently. Nearly all of them are preventable with a documented process and clear ownership.

No formal process or documentation

The most damaging mistake is having no documented offboarding procedure at all. When offboarding is handled ad hoc, steps are missed, responsibilities are unclear, and there is no audit trail. Write a formal offboarding procedure, assign clear ownership for each step, and use a checklist that is completed and signed off for every departure. Store completed checklists for at least 12 months. This documentation is invaluable during compliance audits and in the event of a security incident involving a former employee.

Delayed account disabling

Every hour an account remains active after an employee's departure is a window of vulnerability. Yet many organisations leave accounts active for days or even weeks because IT was not informed promptly, or because someone thought the account might still be needed. The fix is simple: disable the account at the agreed time, no exceptions. If data or mailbox access is needed after departure, use delegated access or shared mailbox conversion rather than leaving the account active.

Forgetting third-party and SaaS applications

IT departments often focus on the core directory (Azure AD, Google Workspace) and forget the dozens of SaaS applications that exist outside centralised identity management. If an application does not use SSO, disabling the directory account does not revoke access. The former employee may still be able to log in with a standalone username and password. Maintain a SaaS inventory and ensure every application is included in the offboarding checklist. Better yet, implement SSO for every application that supports it.

Ignoring shared and service accounts

If the departing employee had access to shared credentials, admin accounts, or service accounts, those passwords need rotating immediately. This includes Wi-Fi passwords that were shared directly, shared social media account credentials, generic admin accounts for line-of-business applications, and API keys or tokens the employee created. Failing to rotate shared credentials means the former employee retains effective access even after their personal account is disabled.

Handling high-risk departures

Not every departure carries the same level of risk. An amicable resignation with a generous notice period is a very different situation from an immediate termination or a departure to a direct competitor. Your offboarding process should account for these differences.

For high-risk departures, compress the timeline. Disable accounts during the exit meeting, not at the end of the day. Have equipment collected before the employee leaves the building. Audit recent file access and email forwarding rules for signs of data exfiltration. Review whether any new sharing links were created or large downloads occurred in the days leading up to the departure.

For employees with elevated privileges, such as IT administrators, finance managers, or anyone with access to sensitive systems, treat every departure as high-risk regardless of the circumstances. Rotate all credentials they had access to, review any configuration changes they made in their final weeks, and audit admin logs for the creation of backdoor accounts or unauthorised access paths. This is not about distrust. It is about due diligence and protecting the organisation.
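The checks described in the two paragraphs above (mailbox and inbox-rule forwarding, new sharing links and downloads, and directory changes made under a privileged leaver's identity), as an added Exchange Online PowerShell script that is not part of the original article. The module, the audit-log search permission and the UPN are assumptions; the output is a list of findings for a person to review.

```powershell
# Added example: pre-departure audit for a high-risk leaver with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module, an admin session with audit-log search rights,
# and a placeholder UPN. It produces findings to review by hand, not an automatic verdict.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,   # placeholder, e.g. leaver@example.com
    [int] $LookbackDays = 14
)
Connect-ExchangeOnline -ShowBanner:$false
$start    = (Get-Date).AddDays(-$LookbackDays)
$end      = Get-Date
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string] $Type, [string] $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Mailbox-level forwarding, whether set by the user or by an admin.
$mbx = Get-Mailbox -Identity $LeaverUpn
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Add-Finding 'MailboxForwarding' "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
}

# 2. Inbox rules that forward or redirect: these survive a password change and are easy to miss.
Get-InboxRule -Mailbox $LeaverUpn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        $rule    = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        Add-Finding 'ForwardingInboxRule' "$($rule.Name) -> $($targets -join ', ')"
    }

# 3. Sharing links and downloads in SharePoint/OneDrive over the lookback window.
$fileOps = 'AnonymousLinkCreated', 'SharingSet', 'FileDownloaded', 'FileSyncDownloadedFull'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $LeaverUpn -Operations $fileOps -ResultSize 5000 |
    Group-Object Operations |
    ForEach-Object { Add-Finding 'FileActivity' "$($_.Name): $($_.Count) events" }

# 4. For privileged leavers: users, role members or service principals created under their identity.
$dirOps = 'Add user.', 'Add member to role.', 'Add service principal.'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $LeaverUpn -Operations $dirOps -ResultSize 1000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        Add-Finding 'DirectoryChange' "$($_.Operations) $($d.ObjectId) at $($_.CreationDate)"
    }

$findings | Format-Table -AutoSize
```

Any forwarding finding should be removed before the account is disabled, and any directory change the leaver cannot account for should be reviewed with the same care as the account itself.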

Need help with user lifecycle management?

We manage joiners, movers, and leavers as part of our IT support service. That includes documented onboarding and offboarding procedures, automated provisioning and deprovisioning, licence management, and full audit trails for every change.

If your current offboarding process is informal or inconsistent, we can help you build a repeatable framework that protects your organisation and satisfies compliance requirements. A short call is enough to assess where you stand and what needs improving.