When an employee leaves your company, every account they still have access to is an open door into your network. A complete IT offboarding process should revoke all access within hours of departure, recover company hardware and data, and verify that no credentials, files, or permissions remain active. Most small and mid-size businesses in New Jersey skip steps or take days to complete this process, and that gap is where breaches happen.

We have managed IT offboarding for hundreds of NJ businesses over the past 25 years, and the pattern is consistent: companies that treat offboarding as an HR-only process end up with former employees who can still access email, cloud storage, CRM systems, and even VPN connections weeks after their last day. This post is the checklist we use to close those gaps.

Why IT Offboarding Matters More Than You Think

The risk is not limited to disgruntled employees. Even friendly departures create exposure. A former employee's credentials can be compromised through a phishing attack months later, giving an attacker a valid account that no one is monitoring. Shared passwords that were never rotated become permanent backdoors. SaaS licenses that are never deprovisioned keep billing you while providing access to company data.

According to industry research, a significant percentage of former employees retain access to at least one corporate application after leaving. For businesses subject to regulations like HIPAA, PCI DSS, or the FTC Safeguards Rule, this is not just a security problem. It is a compliance violation that can result in fines and audit failures.

The Complete IT Offboarding Checklist

Day Zero: Before the Employee's Last Day

Start the IT offboarding process before the employee walks out the door. Coordinate with HR to get the departure date, determine whether the employee is resigning or being terminated, and decide whether access should be cut immediately or on the last day.

For terminations, disable access before the employee is notified. This is not about distrust. It is about preventing impulsive data deletion or exfiltration during an emotional moment. For voluntary departures, coordinate access removal for end of business on the final day.

Inventory everything the employee has access to. Pull a list from your identity provider, Microsoft 365 admin center, or access management system. This should include email, VPN, remote desktop, file shares, SaaS applications, internal tools, shared mailboxes, distribution lists, and any service accounts they manage. If you do not have a centralized access management system, this is the moment you realize you need one.
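The inventory step above, as an added example for a Microsoft 365 tenant (this is not the post's or SMS's own script). It assumes the Microsoft Graph PowerShell SDK is installed and the operator holds a role that can read users, groups, directory roles and app role assignments; the UPN is a placeholder. It pulls the same categories the paragraph lists (groups, directory roles, SSO-connected apps, owned objects, devices, licenses) into one JSON snapshot to attach to the offboarding ticket.

```powershell
# Added example (not the post's own code): snapshot one user's Entra ID footprint
# before the last day. Assumes Microsoft.Graph is installed and the caller can read
# users, groups, roles and app assignments. The UPN below is a placeholder.
Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All' -NoWelcome

$Upn = 'departing.user@example.com'   # placeholder, not a real account

$user = Get-MgUser -UserId $Upn -Property Id,DisplayName,UserPrincipalName,AccountEnabled

# Groups and directory roles the user holds. Each object reports its kind in @odata.type;
# directory roles are the ones that trigger the admin-credential rotation in Step 3.
$memberships = Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object {
    [pscustomobject]@{
        Type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Name = $_.AdditionalProperties['displayName']
        Id   = $_.Id
    }
}

# Enterprise apps assigned through SSO. Disabling the account covers these; any tool
# the person uses that is NOT on this list is a local SaaS login to chase in Step 2.
$appAssignments = Get-MgUserAppRoleAssignment -UserId $user.Id -All |
    Select-Object ResourceDisplayName, PrincipalDisplayName, CreatedDateTime

# Objects the user owns (groups, app registrations, service principals). Ownership has
# to move to someone else or these become orphaned.
$owned = Get-MgUserOwnedObject -UserId $user.Id -All | ForEach-Object {
    [pscustomobject]@{
        Type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Name = $_.AdditionalProperties['displayName']
        Id   = $_.Id
    }
}

# Devices registered under this identity: the recovery or remote-wipe list for Step 4.
$devices = Get-MgUserRegisteredDevice -UserId $user.Id -All | ForEach-Object {
    [pscustomobject]@{
        Name = $_.AdditionalProperties['displayName']
        OS   = $_.AdditionalProperties['operatingSystem']
        Id   = $_.Id
    }
}

$licenses = Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber, SkuId

$inventory = [ordered]@{
    User           = $user.UserPrincipalName
    AccountEnabled = $user.AccountEnabled
    DirectoryRoles = @($memberships | Where-Object Type -eq 'directoryRole')
    Groups         = @($memberships | Where-Object Type -eq 'group')
    SsoApps        = @($appAssignments)
    OwnedObjects   = @($owned)
    Devices        = @($devices)
    Licenses       = @($licenses)
}

# Keep the snapshot with the ticket; the Step 7 audit is checked against it.
$inventory | ConvertTo-Json -Depth 5 | Set-Content -Path ".\offboarding-inventory-$($user.Id).json"
$inventory
```

Shared mailboxes, distribution lists and on-premises file-share ACLs are not in Graph and still need to be pulled from Exchange and your file servers; the snapshot covers the identity-provider side only.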

Step 1: Disable the Primary Account

Disable the user's Active Directory or Microsoft Entra ID account. Do not delete it yet. Disabling blocks new authentication across all connected services while preserving the mailbox, OneDrive files, and audit logs that you may need for legal holds, knowledge transfer, or compliance. Note that disabling alone does not end sessions that are already open: access tokens issued before the disable remain valid until they expire, so also revoke the user's sign-in sessions and refresh tokens in Entra ID at the same time.

In Microsoft 365, convert the mailbox to a shared mailbox and assign access to the employee's manager or team. This preserves email history without consuming a license. Set up mail forwarding if needed for a defined period, typically 30 to 90 days.
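Step 1 as a single Graph PowerShell and Exchange Online script, added here as an example (not the post's own code). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with user-administrator and Exchange-administrator rights, and placeholder UPNs; the 60-day forwarding window is an assumed value inside the 30-to-90-day range the post gives.

```powershell
# Added example (not the post's own code): disable the account, kill open sessions,
# convert the mailbox to shared, set time-boxed forwarding and release the license.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed. UPNs are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$Upn         = 'departing.user@example.com'   # placeholder
$ManagerUpn  = 'manager@example.com'          # placeholder
$ForwardDays = 60                             # assumed window, within the 30-90 day guidance

# 1. Block new sign-ins. The account is disabled, not deleted, so mailbox, OneDrive
#    and audit history stay intact.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Invalidate refresh tokens so existing sessions cannot renew. Access tokens already
#    issued stay valid until they expire (roughly an hour by default), hence the 48-hour
#    sign-in check in Step 7.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Convert to a shared mailbox and grant the manager full access.
#    -AutoMapping:$false stops Outlook from opening it automatically in the manager's profile.
Set-Mailbox -Identity $Upn -Type Shared
Add-MailboxPermission -Identity $Upn -User $ManagerUpn -AccessRights FullAccess -AutoMapping:$false

# 4. Forward new mail to the manager for a defined period. There is no built-in expiry,
#    so the removal date goes into the ticket as a follow-up task.
Set-Mailbox -Identity $Upn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true
$forwardUntil = (Get-Date).AddDays($ForwardDays).ToString('yyyy-MM-dd')
Write-Host "Forwarding to $ManagerUpn until $forwardUntil (remove with: Set-Mailbox -Identity $Upn -ForwardingAddress `$null)"

# 5. Hide the address from the global address list so colleagues stop mailing it directly.
Set-Mailbox -Identity $Upn -HiddenFromAddressListsEnabled $true

# 6. Release the license. A shared mailbox under 50 GB with no archive does not need one.
$skuIds = (Get-MgUserLicenseDetail -UserId $Upn).SkuId
if ($skuIds) {
    Set-MgUserLicense -UserId $Upn -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
}

# 7. Confirm the end state before moving on to Step 2.
Get-MgUser -UserId $Upn -Property UserPrincipalName,AccountEnabled | Select-Object UserPrincipalName, AccountEnabled
Get-Mailbox -Identity $Upn | Select-Object RecipientTypeDetails, ForwardingAddress, HiddenFromAddressListsEnabled
```

For a termination, run this before HR delivers the news, as the Day Zero section describes; for a voluntary departure, schedule it for end of business on the last day.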

Step 2: Revoke All SaaS and Cloud Access

This is where most offboarding processes fail. Employees accumulate access to dozens of applications over time: Slack, Salesforce, QuickBooks, Dropbox, HubSpot, Zoom, project management tools, analytics dashboards. Each one needs to be individually deprovisioned.

If you use single sign-on through Microsoft Entra ID or another identity provider, disabling the primary account handles connected apps automatically. But many SaaS tools have local accounts that employees created with their work email and a separate password. Those local logins survive an SSO disable and have to be removed in each application.

Review your SaaS inventory and remove the user from every platform. If you are not sure what tools your employees are using, a shadow IT audit will surface applications you did not know about.

Step 3: Revoke MFA and Reset Shared Credentials

Remove the employee's MFA registrations, including authenticator app enrollments, security keys, and phone numbers. If the departing employee had access to shared accounts, service accounts, or admin credentials, rotate those passwords immediately. This includes Wi-Fi passwords, shared mailbox credentials, social media accounts, vendor portal logins, and any "team" accounts.

Critical step most businesses miss: If the departing employee was an admin on any system, including Microsoft 365 Global Admin, firewall admin, or domain registrar, rotate those credentials and review recent admin activity logs for any changes made in the final days.
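The identity-side half of Step 3, added here as an example (not the post's own code): strip every removable MFA registration, report which directory roles the person held so the matching shared and admin credentials get rotated by hand, and pull what the account changed in the final days from both the Entra directory audit and the unified audit log. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with authentication-administrator and audit-reader rights, a placeholder UPN, and a 14-day review window.

```powershell
# Added example (not the post's own code): Step 3 for a Microsoft 365 tenant.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed. UPN is a placeholder.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All','AuditLog.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$Upn    = 'departing.user@example.com'           # placeholder
$userId = (Get-MgUser -UserId $Upn -Property Id).Id
$since  = (Get-Date).ToUniversalTime().AddDays(-14)   # assumed "final days" window

# --- 1. Remove every MFA registration Graph lets you remove -------------------------------
# Each method type has its own Remove-* cmdlet. The password method itself cannot be removed.
$removers = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = { param($id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId -MicrosoftAuthenticatorAuthenticationMethodId $id }
    '#microsoft.graph.phoneAuthenticationMethod'                   = { param($id) Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $id }
    '#microsoft.graph.fido2AuthenticationMethod'                   = { param($id) Remove-MgUserAuthenticationFido2Method -UserId $userId -Fido2AuthenticationMethodId $id }
    '#microsoft.graph.softwareOathAuthenticationMethod'            = { param($id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $userId -SoftwareOathAuthenticationMethodId $id }
    '#microsoft.graph.emailAuthenticationMethod'                   = { param($id) Remove-MgUserAuthenticationEmailMethod -UserId $userId -EmailAuthenticationMethodId $id }
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = { param($id) Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $userId -WindowsHelloForBusinessAuthenticationMethodId $id }
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = { param($id) Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId -TemporaryAccessPassAuthenticationMethodId $id }
}

foreach ($method in Get-MgUserAuthenticationMethod -UserId $userId) {
    $type = $method.AdditionalProperties['@odata.type']
    if ($removers.ContainsKey($type)) {
        & $removers[$type] $method.Id
        Write-Host "Removed $($type -replace '^#microsoft\.graph\.', '') $($method.Id)"
    } else {
        Write-Host "Left in place (not removable via Graph): $type"
    }
}

# --- 2. Was this person an admin? List directory roles so the right credentials get rotated
$roles = Get-MgUserMemberOf -UserId $userId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
if ($roles) {
    Write-Warning "Held directory roles: $($roles -join ', '). Rotate break-glass, firewall and registrar credentials this person knew."
}

# --- 3. What did the account change in the final days? ----------------------------------
# Entra directory audit: role changes, app consents, new users, password resets and so on.
$filter   = "initiatedBy/user/id eq '$userId' and activityDateTime ge $($since.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
$dirAudit = Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Category, Result

# Unified audit log: Exchange, SharePoint and Teams actions such as new transport rules,
# mailbox permission grants or bulk file downloads.
$ual = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date).ToUniversalTime() -UserIds $Upn -ResultSize 5000 |
    Select-Object CreationDate, Operations, RecordType

$dirAudit | Sort-Object ActivityDateTime | Format-Table -AutoSize
$ual      | Group-Object Operations | Sort-Object Count -Descending | Select-Object Count, Name
```

Search-UnifiedAuditLog returns at most 5000 rows per call; for a heavy user over a long window, narrow the date range and run it in slices rather than trusting one page.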

Step 4: Recover Hardware and Devices

Collect all company-owned equipment: laptops, monitors, phones, tablets, USB drives, security keys, access badges, and parking fobs. For employees who worked remotely in New Jersey or elsewhere, arrange shipping with a prepaid label and a deadline.

Before reassigning the device, wipe it. Use Microsoft Intune or your MDM solution to perform a remote wipe if the device is not returned promptly. For BYOD situations, remove the company profile and any managed applications from the employee's personal device using your MDM's selective wipe feature.

Step 5: Transfer and Preserve Data

Transfer ownership of critical files, SharePoint sites, Teams channels, and OneDrive data to the employee's manager. Review the employee's email for any ongoing conversations, pending deals, or client communications that need to be handed off.

Check for data stored in non-standard locations: personal cloud storage synced from the work device, browser bookmarks to internal tools, locally saved files that were never uploaded to the file share. A departing employee's laptop often contains the only copy of important documents.

Step 6: Remove Physical and Network Access

Disable badge access to the building. Remove VPN credentials. If your office uses a managed Wi-Fi network with individual credentials, revoke the employee's certificate or account. If you use a shared Wi-Fi password and cannot rotate it immediately, schedule a rotation within the week.

Review any remote access tools the employee may have installed: TeamViewer, AnyDesk, personal VPN clients, or SSH keys on servers. These create backdoor access that survives a standard account disable.

Step 7: Audit and Document

Run a final access audit 48 hours after the offboarding. Check sign-in logs for any authentication attempts from the former employee's accounts. Verify that no new forwarding rules were added to email. Confirm that all SaaS accounts are deprovisioned.

Document the entire offboarding in your IT records. Note the date of deactivation, what was recovered, what data was transferred, and any issues encountered. This documentation is essential for compliance audits and protects your business if a former employee claims they were locked out of personal data.
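The 48-hour audit from Step 7, written as a function that returns a findings object for the offboarding record. This is an added example, not the post's or SMS's own tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, audit-log and Exchange read rights, placeholder UPNs and a placeholder internal domain list, and it treats the manager forwarding set in Step 1 as expected while flagging any inbox rule that forwards outside your domains.

```powershell
# Added example (not the post's own code): post-offboarding verification for a
# Microsoft 365 tenant. Assumes Microsoft.Graph and ExchangeOnlineManagement are
# installed. UPNs and the internal domain list are placeholders.
Connect-MgGraph -Scopes 'AuditLog.Read.All','User.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# True when a forward/redirect target is outside the accepted domains.
function Test-ExternalTarget {
    param([string] $Target, [string[]] $InternalDomains)
    foreach ($d in $InternalDomains) { if ($Target -like "*@$d*") { return $false } }
    return $true
}

function Test-OffboardingState {
    param(
        [Parameter(Mandatory)] [string]   $Upn,
        [Parameter(Mandatory)] [datetime] $DisabledAt,                 # when Step 1 ran
        [string[]] $InternalDomains = @('example.com')                 # placeholder domains
    )
    $user     = Get-MgUser -UserId $Upn -Property Id,AccountEnabled
    $sinceIso = $DisabledAt.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

    # Any sign-in after disablement deserves a look: a success means the disable did not
    # take; a run of failures means someone, or some script, still holds the password.
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and createdDateTime ge $sinceIso" -All |
        Select-Object CreatedDateTime, AppDisplayName, IPAddress,
            @{ n = 'Succeeded'; e = { $_.Status.ErrorCode -eq 0 } }

    # Inbox rules that forward or redirect. These are set by the user and survive a disable.
    $rules = Get-InboxRule -Mailbox $Upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    $externalRules = foreach ($r in $rules) {
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }
        if ($targets | Where-Object { Test-ExternalTarget -Target "$_" -InternalDomains $InternalDomains }) { $r }
    }

    # Mailbox-level forwarding is separate from inbox rules. The manager forward from
    # Step 1 is expected here; anything else is not.
    $mbx = Get-Mailbox -Identity $Upn |
        Select-Object RecipientTypeDetails, ForwardingAddress, ForwardingSmtpAddress

    # SSO app assignments that should have been cleaned up.
    $apps = Get-MgUserAppRoleAssignment -UserId $user.Id -All |
        Select-Object -ExpandProperty ResourceDisplayName

    [pscustomobject]@{
        User                 = $Upn
        CheckedAt            = (Get-Date).ToUniversalTime()
        AccountEnabled       = $user.AccountEnabled
        MailboxType          = $mbx.RecipientTypeDetails
        SignInsSinceDisable  = @($signIns)
        ForwardingRules      = @($rules | Select-Object Name, ForwardTo, RedirectTo, Enabled)
        ExternalForwardRules = @($externalRules | Select-Object -ExpandProperty Name)
        MailboxForwarding    = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
        RemainingSsoApps     = @($apps)
        Pass                 = (-not $user.AccountEnabled) -and
                               (@($signIns | Where-Object Succeeded).Count -eq 0) -and
                               (@($externalRules).Count -eq 0)
    }
}

# Run it and file the result with the ticket as the Step 7 record.
$findings = Test-OffboardingState -Upn 'departing.user@example.com' -DisabledAt (Get-Date).AddHours(-48)
$findings | ConvertTo-Json -Depth 4 | Set-Content -Path ".\offboarding-audit-$(Get-Date -Format yyyyMMdd).json"
$findings | Format-List
```

A failed `Pass` with a successful sign-in in `SignInsSinceDisable` is the case to escalate immediately: it means a credential or token was still usable after the account was supposed to be closed.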

How to Build a Repeatable Offboarding Process

The checklist above only works if it runs consistently every time someone leaves. Automate what you can. Microsoft 365 lifecycle workflows can automatically disable accounts, remove group memberships, and notify managers on a scheduled date. Identity governance platforms can trigger deprovisioning across connected SaaS applications with a single action.

For the steps that require human judgment, such as data transfer decisions and hardware recovery, create a shared checklist in your ticketing system that assigns tasks to IT, HR, and the departing employee's manager. Track completion. A managed IT partner like SMS can build and run this entire workflow for you so nothing falls through the cracks.

What Happens When Offboarding Goes Wrong

We have seen it firsthand working with businesses across Morris County and Northern New Jersey. A former employee logs into the company CRM six months after leaving and exports the entire client list. A terminated contractor still has VPN access and accidentally introduces malware from a compromised home machine. An admin account that nobody rotated gets brute-forced because the former employee reused that password on a breached site.

These are not hypothetical scenarios. They are the cases that drive businesses to call us for help, usually after the damage is done. A proper offboarding process costs a fraction of what a single data breach costs in remediation, legal fees, and lost client trust.

FAQ

How quickly should IT access be revoked when an employee leaves?

For terminations, access should be revoked before the employee is notified. For voluntary departures, disable access at end of business on the last day. The goal is zero gap between departure and access removal. Every hour of active credentials after someone leaves is unnecessary risk.

What should we do with a former employee's email and files?

Convert the mailbox to a shared mailbox in Microsoft 365, which preserves all email without requiring a paid license. Transfer OneDrive files to the manager. Set a retention period of 90 days minimum, longer if the employee was in a client-facing or regulated role. Do not delete anything until you are certain there are no legal holds or compliance requirements.

Do we need a formal offboarding process if we only have a few employees?

Yes. Small businesses are actually more vulnerable because a single employee often has broader access across more systems. When you have 10 people and one leaves, that is 10% of your access surface area changing at once. A documented process, even a simple one-page checklist, prevents the oversights that lead to breaches. Your managed IT provider can set this up and run it for you.