Employee offboarding is the riskiest hour in any IT operation. Done well, departing employees are smoothly transitioned, their accounts are revoked cleanly, their data is preserved for legal and business continuity, and the audit trail is bulletproof. Done badly, dormant credentials persist, sensitive data walks out the door, and the organization wakes up months later to discover an ex-employee still has admin access. This guide is the practical 2026 IT-side offboarding checklist for SMBs and mid-market firms.

The 4 Offboarding Scenarios

| Scenario | Timing | Special Considerations |
|---|---|---|
| Voluntary departure (notice given) | Last day at end of business | Knowledge transfer; orderly handoff |
| Involuntary termination | Same hour as termination | Speed; cannot tip off the employee |
| RIF / layoff (group event) | Coordinated wave | Scale; communications; bulk processing |
| Privileged user departure | Coordinated with security | Credential rotation; audit log review |

The Day-Of Offboarding Checklist

- Disable identity in Entra ID / AD. Disable, do not delete. Block sign-in but preserve mailbox and audit history.
- Force sign-out across all sessions. Revoke all refresh tokens; force MFA re-authentication for any active sessions.
- Convert mailbox. Convert to shared mailbox or place on retention hold per legal; assign delegate as needed.
- Forward email. Set up forwarding to manager or successor for the transition window (typically 30–90 days).
- Revoke SaaS app access. SCIM-driven deprovisioning takes care of most; manually verify the long tail.
- Reassign file ownership. Transfer OneDrive / Drive ownership to manager; preserve content per retention policy.
- Revoke physical access. Building badge, parking access, server room if applicable.
- Recover company devices. Laptop, phone, hardware keys, dongles. Ship return label if remote.
- Wipe and re-image returned hardware. Full wipe per data retention policy; re-image for next user.
- Update on-call rotations and approvals. Remove from PagerDuty, approval routes, distribution lists.
- Document the offboarding ticket. Save the audit trail in your ITSM tool.

The Privileged-User Departure Playbook

- Rotate every shared credential they may have known. Service accounts, vendor admin passwords, root accounts.
- Reset the KRBTGT password (twice). Defeats Golden Ticket attacks if any persistence was established.
- Revoke and re-issue API keys, OAuth tokens, SSH keys. Audit any infrastructure-as-code repos for embedded secrets.
- Review their last 90 days of activity. Sign-in logs, mailbox audit, sensitive-file access, conditional access exceptions.
- Hand off vendor relationships. Transfer admin contact on every SaaS contract, certificate authority, registrar.
- Rotate cyber insurance contact. Carrier and broker need updated point-of-contact on file.

The 30/60/90-Day Post-Offboarding Tail

| Milestone | Action |
|---|---|
| Day 30 | End email forwarding (or extend with documented exception); audit residual SaaS access |
| Day 60 | Convert shared mailbox status; final review of file ownership transitions |
| Day 90 | Delete (or archive per retention) the disabled identity; clean up group memberships |

Common Failure Modes

- Manager forgets to notify IT until end-of-day; ex-employee has unrestricted access for hours
- SaaS apps without SCIM not deprovisioned; access lingers for months
- Personal device with company email never wiped (BYOD without MDM)
- Mailbox deleted instead of converted; legal requests data 6 months later
- OAuth token to a shadow-IT app never revoked; ex-employee retains access
- Privileged credential rotation skipped; Golden Ticket potential remains
- No audit trail of the offboarding event; cannot prove access was revoked

Frequently Asked Questions

How fast should termination offboarding be?

Within minutes. Coordinate so that IT disables the identity at the same time HR delivers the message.

How long should we retain a former employee’s mailbox?

Per your retention policy and legal requirements. Common defaults: 12 months for general employees, longer for executives or anyone subject to litigation hold. Convert to shared mailbox to avoid paying for an active license.

Should we monitor ex-employees post-departure?

Set up alerting for any sign-in attempt on the disabled account, any sensitive file access via residual SaaS, and any attempted access to their former corporate VPN.
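
The alerting described above and the Day 30 residual-access audit can be combined into one periodic check. The following is an added example, not part of the original guide: all users, apps, timestamps and field names are constructed assumptions standing in for your sign-in log, SaaS admin and mailbox exports.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real tenant); field names are assumptions.
OFFBOARDED = {  # user -> time the identity was disabled
    "jdoe@example.com": datetime(2026, 1, 5, 17, 0),
    "asmith@example.com": datetime(2026, 1, 20, 9, 30),
}
SIGNINS = [  # (timestamp, user, source, result)
    ("2026-01-05T16:40:00", "jdoe@example.com", "entra", "success"),
    ("2026-01-06T02:14:00", "jdoe@example.com", "vpn", "blocked"),
    ("2026-02-01T11:03:00", "asmith@example.com", "entra", "blocked"),
    ("2026-02-01T11:05:00", "bwong@example.com", "entra", "success"),
]
SAAS_ACCOUNTS = [  # (app, user, active, scim_managed)
    ("crm", "jdoe@example.com", False, True),
    ("design-tool", "jdoe@example.com", True, False),
    ("wiki", "asmith@example.com", True, False),
]
FORWARDING = {"jdoe@example.com": True, "asmith@example.com": True}


def audit(now):
    """Return sorted (user, finding) tuples for residual access after offboarding."""
    findings = set()
    for ts, user, source, result in SIGNINS:
        disabled_at = OFFBOARDED.get(user)
        if disabled_at and datetime.fromisoformat(ts) > disabled_at:
            # Any attempt after the disable time is alert-worthy, even when blocked.
            findings.add((user, f"sign-in attempt via {source} after disable ({result})"))
    for app, user, active, scim in SAAS_ACCOUNTS:
        if user in OFFBOARDED and active:
            # Apps without SCIM are the long tail that needs manual verification.
            kind = "SCIM" if scim else "non-SCIM"
            findings.add((user, f"active {kind} account in {app}"))
    for user, enabled in FORWARDING.items():
        disabled_at = OFFBOARDED.get(user)
        if enabled and disabled_at and now - disabled_at > timedelta(days=30):
            findings.add((user, "email forwarding still on past day 30"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(datetime(2026, 2, 10)):
        print(f"{user}: {finding}")
```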

Bottom Line

Offboarding is a security control disguised as an HR process. Build the day-of checklist as automation, treat privileged-user departures as a security event, and audit residual access at 30/60/90 days.