Employee Offboarding Checklist
When someone leaves, their access needs to leave too. Here's exactly how to make sure it does.
🚪 Microsoft 365 | ⏱ Same-day critical steps | 👤 Owner / IT Admin
Every day a former employee's account stays active is a liability. Ex-employees retain access to email, files, and business systems — sometimes for months after they leave. This checklist ensures that when someone walks out, their access walks out with them.
1. Immediate — Day of Departure
These steps happen before or the moment the employee's last day ends. Not the next morning.
- Disable the Microsoft 365 / Azure AD account — do not delete yet
  Disabling blocks login but preserves the mailbox and OneDrive data. You can delete in 30 days.
- Revoke all active sessions (sign out of all devices) in Entra ID admin center
  Settings > Users > Select user > Revoke sessions. This kills any active browser or app sessions immediately.
- Remove from all Microsoft 365 groups, Teams, and SharePoint sites
  Even a disabled account can remain in group memberships — remove explicitly.
- Change any shared passwords the employee knew
  Wi-Fi, shared email accounts, alarm codes, door codes. All of it.
- Recover company devices — laptop, phone, any hardware
  Do not let the employee keep a company device while you process access removal.
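The first three steps above can also be scripted so they run in one pass. The following is an added example, not part of the original checklist or an MTDS tool; it assumes the Microsoft.Graph.Authentication PowerShell module, the global `graph.microsoft.com` endpoint, and an admin who can consent to the listed scopes.

```powershell
# Added example (not from the original page): disable, revoke sessions, remove from groups.
# Assumes: Install-Module Microsoft.Graph.Authentication; global cloud Graph endpoint.
param([Parameter(Mandatory)][string]$Upn)   # UPN of the departing user

$base = 'https://graph.microsoft.com/v1.0'
Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All'

# Resolve the user once so every later call uses the immutable object id.
$user = Invoke-MgGraphRequest -Method GET -Uri "$base/users/$($Upn)"

# Step 1: disable (not delete) so the mailbox and OneDrive are preserved.
$body = @{ accountEnabled = $false } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri "$base/users/$($user.id)" `
    -Body $body -ContentType 'application/json'

# Step 2: invalidate refresh tokens and session cookies already issued.
Invoke-MgGraphRequest -Method POST -Uri "$base/users/$($user.id)/revokeSignInSessions" | Out-Null

# Step 3: walk every page of memberships and remove the user from each group.
$needsManual = @()
$next = "$base/users/$($user.id)/memberOf"
while ($next) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $next
    foreach ($g in $page.value) {
        # memberOf also returns directory roles; only groups are handled here.
        if ($g.'@odata.type' -ne '#microsoft.graph.group') { continue }
        # Dynamic and on-premises-synced groups cannot be edited through Graph.
        if ($g.groupTypes -contains 'DynamicMembership' -or $g.onPremisesSyncEnabled) {
            $needsManual += $g.displayName; continue
        }
        try {
            Invoke-MgGraphRequest -Method DELETE `
                -Uri "$base/groups/$($g.id)/members/$($user.id)/`$ref" | Out-Null
            Write-Host "Removed from: $($g.displayName)"
        } catch {
            # Distribution lists and mail-enabled security groups fail here.
            $needsManual += $g.displayName
        }
    }
    $next = $page.'@odata.nextLink'
}

Write-Host "Disabled and signed out: $($user.userPrincipalName)"
if ($needsManual) { Write-Warning "Remove manually: $($needsManual -join '; ')" }
```

Groups listed in the final warning have to be handled where they are managed (Exchange Online, on-premises AD, or the dynamic membership rule). SharePoint permissions granted directly to the user rather than through a group are not touched by this script.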
2. Within 24 Hours
- Set up email forwarding or a shared mailbox so incoming messages aren't lost
  Forward to their manager or a shared mailbox. Don't just let it go into a void.
- Transfer ownership of critical files and OneDrive content to their manager
  Use the M365 admin center 'Give another user access to OneDrive' option under the disabled user.
- Remove from any third-party SaaS tools: QuickBooks, Slack, Dropbox, HubSpot, etc.
  Make a list of every tool the role uses and deactivate each one. This is the step most businesses miss.
- Revoke any VPN certificates or remote access credentials
  If you use certificate-based VPN, revoke the certificate. If password-based, the M365 disable handles most cases — verify VPN specifically.
⚠️ Heads up: Don't skip third-party SaaS tools. Microsoft 365 handles Microsoft access, but your CRM, accounting software, payroll system, and project management tools each have their own access — and they don't automatically sync with Azure AD unless you've configured SSO.
3. Within 30 Days
- Review and archive or delete the Microsoft 365 license
  Once you're sure no mail or file access is needed, remove the license to stop billing. Apply a Microsoft 365 Archive license if you need to retain the mailbox.
- Audit shared document access — remove the departed user from any shared drives or folders
  Google Drive, SharePoint, OneDrive shared links tied to the user account may still work.
- Delete or reassign any active subscriptions or billing accounts in the employee's name
  Check if they owned any company-paid SaaS subscriptions under their personal email.
- Document the offboarding in your HR records
  Date, what access was removed, who performed each step. You'll want this if anything comes up later.
💡 MTDS tip: If you're on Microsoft 365 Business Premium with Intune, you can remotely wipe a company-managed device the moment you know someone is leaving — even before the physical device is returned.