
What to Do When an Employee Leaves — An IT Offboarding Checklist

Most Gulf Coast small businesses handle an employee's last day the same way: collect the key, maybe do an exit interview, wish them well. The IT side — accounts, access, devices, email — usually gets handled later. Sometimes much later. Sometimes never.

Employee turnover is a fact of business life. What isn't inevitable is the security exposure that comes with a poorly handled departure. A former employee with active credentials to your systems is a liability — whether they're disgruntled, careless, or just honestly forgot they still had access to your QuickBooks login.

This isn't about assuming bad intent. It's about running a tight ship. The same way you'd collect a building key on the last day, you should be collecting digital access too — systematically, on a checklist, every time.

Why it matters

What Can Actually Go Wrong

Before the checklist, it helps to understand what you're actually protecting against — because "former employee with access" can mean a lot of different things.

Scenario A: A sales rep leaves for a competitor. Their M365 account is still active. They forward three months of client email to their personal Gmail before anyone notices the account is still there.
Scenario B: A bookkeeper leaves on good terms. Six months later, your accounting software flags unusual transactions. The former employee's login was never removed — and someone used it.
Scenario C: A manager is terminated. They still have admin access to your social media, your website backend, and your shared Google Drive. Nothing bad happens — but nothing good comes from that access sitting open either.

None of these are far-fetched. They happen to small businesses regularly, and the common thread is always the same: the offboarding checklist didn't include IT.

// worth knowing

The average small business has no formal process for revoking employee access when someone leaves. In many cases, accounts stay active for weeks or months — sometimes indefinitely — simply because no one owns the task of shutting them down.

The checklist

The IT Offboarding Checklist

Run this on the last day — or ideally, have everything queued up before the conversation happens, so access is cut the moment they walk out the door.

// IT Offboarding — Day-Of Actions
  • Disable the M365 / email account immediately. Don't delete it yet — disable it. You may need to access email for business continuity.
  • Reset the password and block sign-in before disabling, so any active sessions are invalidated.
  • Revoke all active MFA devices and app passwords associated with the account.
  • Sign out all active sessions — in M365, this is "Sign out of all sessions" in the admin portal.
  • Remove from all shared mailboxes, distribution lists, and Teams.
  • Forward or redirect their email to a manager or owner for a defined period (30–90 days is typical).
  • Collect the company device — laptop, phone, tablet. Confirm it's been returned before the last paycheck if your policy supports it.
  • Remote-wipe or unenroll the device from Intune/MDM if applicable, especially if it was a personal device with company data on it.
  • Change any shared passwords the employee had access to — Wi-Fi, alarm systems, shared logins, social media accounts.
  • Revoke access to third-party apps — QuickBooks, Dropbox, Slack, any SaaS tool they used individually.
  • Remove from any password manager shared vaults (LastPass, 1Password, Bitwarden, etc.).
  • Check for active VPN credentials or remote access and revoke them.
  • Review their OneDrive / shared drive for any files that should be preserved or reassigned before the account is eventually deleted.

// IT Offboarding — Within 30 Days
  • Reassign or archive the mailbox once active forwarding is no longer needed.
  • Delete the M365 account — M365 retains deleted account data for 30 days, giving you a recovery window if needed.
  • Audit any files or data the employee owned that need to be reassigned to active staff.
  • Remove any remaining permissions in systems you may have missed on day one.
  • Update your internal IT documentation to reflect the access changes.

The Shared Password Problem

This one deserves its own section because it's where small businesses get into trouble most often — and it's largely invisible until something goes wrong.

If your team shares passwords — for the Wi-Fi, for the alarm panel app, for the social media accounts, for that one piece of software that "only has one login" — every one of those needs to change when someone who knew them leaves. Every single one.

It sounds like a lot of work, and honestly, it is if you don't have a system. The long-term fix is moving away from shared credentials entirely: individual logins for every system, a business password manager to manage them, and MFA wherever possible. That's the setup where offboarding becomes a matter of removing one person's access rather than changing every shared key in the building.

Social media is the most commonly forgotten one. The Instagram, Facebook, or Google Business Profile that a former employee was managing — if they logged in with their own credentials or a shared password, access needs to be audited and changed. We've seen businesses lose control of their own social media accounts to former staff. It's an ugly situation to untangle.

The good departure vs. the hard one

Run the Checklist Regardless of How It Ends

There's a natural tendency to skip the thorough offboarding when someone leaves on good terms. They've been with you for years, they're leaving for a great opportunity, the goodbye was warm — it feels overly formal, maybe even insulting, to immediately lock down their accounts.

Do it anyway. This isn't personal — it's process. A clean offboarding protects the business and protects the former employee too. If their old credentials are ever used for something unauthorized, you don't want any ambiguity about who had access and when it was revoked. That documentation matters.

For terminations, the calculus is different — access should be cut before or simultaneously with the conversation, not after. In those situations, the window between "you're terminated" and "your access is gone" is the exposure window. Keep it at zero.
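
One way to measure that exposure window across every system on the checklist, as an added example (not MTDS's own tooling): the script cross-checks a departures list against an access inventory and reports anything still open or closed late. The CSV layout, account names and dates are constructed assumptions, and it goes slightly beyond the text by counting a shared password as closed only when it was rotated on or after the last day.

```python
import csv
import io
from datetime import date

# Constructed sample data: names, systems and dates are illustrative only.
DEPARTURES = {"jlee": date(2024, 3, 1), "mross": date(2024, 5, 15)}  # last day

# changed_on = date disabled (individual) or date last rotated (shared).
INVENTORY_CSV = """system,kind,holders,enabled,changed_on
M365,individual,jlee,no,2024-03-01
QuickBooks,individual,jlee,yes,
VPN,individual,mross,no,2024-05-20
Office Wi-Fi,shared,jlee;mross;akim,yes,2024-04-02
Instagram,shared,mross;akim,yes,2023-11-10
M365,individual,akim,yes,
"""


def audit(inventory_csv, departures, as_of):
    """List access a departed employee held that was not closed by their last day.

    Returns (system, employee, status, exposure_days) tuples, longest first.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        changed = date.fromisoformat(row["changed_on"]) if row["changed_on"] else None
        for who in row["holders"].split(";"):
            last_day = departures.get(who)
            if last_day is None or last_day > as_of:
                continue  # still employed on the audit date
            if row["kind"] == "shared":
                # Rotating a shared password only counts on or after the last day;
                # an earlier rotation produced a secret the leaver still knew.
                closed = changed if changed and changed >= last_day else None
            else:
                # A disabled account with no recorded date stays OPEN: the
                # revocation cannot be documented.
                closed = changed if row["enabled"] == "no" else None
            if closed is None:
                findings.append((row["system"], who, "OPEN", (as_of - last_day).days))
            elif closed > last_day:
                findings.append((row["system"], who, "CLOSED_LATE", (closed - last_day).days))
    return sorted(findings, key=lambda f: -f[3])


if __name__ == "__main__":
    for system, who, status, days in audit(INVENTORY_CSV, DEPARTURES, date(2024, 6, 14)):
        print(f"{status:<12}{system:<14}{who:<8}{days:>4} days exposed")
```

An empty result is the "keep it at zero" outcome; the inventory itself is the documentation of who had access and when it was revoked.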

Building the process

Make This a Process, Not a Scramble

The businesses that handle offboarding well aren't doing something magical. They have a documented checklist — like the one above — that HR and IT work through together on every departure. It takes 30–60 minutes to do it right. It can take months to recover from doing it wrong.

If you're running M365, most of this can be managed directly from the admin portal with no special tools required. If you have Intune set up for device management, remote wipe and unenrollment happen in a few clicks. The hard part isn't the technology — it's remembering to do it consistently and completely every single time.

If you don't currently have a process for this, or if you're not sure what access your employees actually have to your systems, that's a good thing to understand before the next departure — not after.


Not sure what access your employees have to your systems?

MTDS can audit your M365 tenant, document who has access to what, and help you build a clean offboarding process so you're never caught flat-footed. Free 15-minute health check for Gulf Coast small businesses.
