How to Say Goodbye - A Checklist for Employee Off-boardings

Most businesses know how to handle the human side of employee departures pretty well - hopefully a nice going-away or retirement party, the laptop gets returned, and HR updates the org chart. But the tech side has plenty to take care of as well and if it isn't done right things can get a little messy.

When someone leaves your company, their access to your systems doesn't disappear on its own. Their Microsoft 365 license is still active, logins to your various tools still work, the shared password for your social media accounts haven't been rotated.

It's a common gap MSPs encounter when they start working new clients, and it's usually because there just isn't a process in place to make sure someone is ticking all the boxes everytime.

Digital access doesn't come with an expiration date. Every account, login, and permission an employee accumulates over their time with you stays active until someone manually turns it off. The longer that goes unchecked, the more exposure you're carrying.

Why it matters beyond the obvious

The security angle gets talked about a lot, so we'll keep it brief. A former employee's account, even one left open accidentally, is a potential entry point. Hackers specifically look for inactive credentials because they're less likely to trigger alerts. A login that hasn't been used in four months is less suspicious to your systems than one that's being actively monitored.

Then there's the cost angle. Software subscriptions are often per-user so if you have 15 active Microsoft 365 licenses, but three of those belong to people who no longer work for you, that's a good chunk of change every month for licenses that serve no purpose. And then you probably need to multiply that across the various programs in use in your org. 

The concern can be even bigger for businesses in industries with compliance requirements like medical practices dealing with HIPAA, legal firms with client confidentiality obligations, and CPAs handling tax data. Unrevoked accounts are now a liability.

The checklist

This is the core of what needs to happen every time an employee leaves, whether the departure is planned or sudden.

Most of the risk from poor offboarding is accidental. An old account gets compromised, a subscription keeps billing, a shared password never gets changed. A consistent process closes those gaps before they become problems.

Before the last day (if you have notice)

• Pull a full list of every system and application the employee has access to. If you don't have this documented, building it in real time from memory is how things get missed.
• Identify any files, projects, or accounts they own that need to be transferred before access is revoked.
• Coordinate with HR on the exact exit date and time so IT actions align with the departure.

On the last day

• Disable the primary account (Microsoft 365 or Google Workspace, depending on what you use). This is the master switch. If you have Single Sign-On set up, this revokes access to everything connected to it.
• Revoke VPN access and any remote desktop connections.
• Reset passwords on any shared accounts they had access to - social media accounts, billing portals, anything the whole team used.
• Collect all company devices. Laptops, phones, tablets, any hardware issued to that person.
• Set up an email forward from their address to their manager or successor, or configure an auto-reply letting contacts know who to reach instead. Don't leave the mailbox active and unmonitored

Within the first week

• Review their recent file activity. Did anything get downloaded to a personal device or moved to a personal cloud account in the days before they left? This is especially worth checking for roles with access to client data or financial information.
• Go through subscriptions and remove their license so you don't keep paying once they're gone.
• Wipe any returned devices before reissuing them.

Within 30 days

• Archive or close their email mailbox, depending on your retention policy.
• Audit access logs to confirm all permissions were actually revoked.
• Update your master access list so it reflects the current state of who has access to what.

The part most businesses skip

That last step of maintaining a master access list will help make every future off-boarding faster and cleaner.

When you don't have a running record of who has access to what, every departure becomes a scramble. Someone has to try to reconstruct everything from memory and things will inevitably be missed. When you do have it, the off-boarding checklist becomes a simple matter of working down the page rather than guessing.

It's also useful beyond off-boarding. When you onboard someone new, you'll be granting access to the same systems. When a role changes, you need to know what to add and what to remove. The list pays off in multiple directions!

If you're not sure where to start, the master access list is the best first step. Spend an hour documenting who has access to what right now, and you'll have something concrete to work from the next time someone gives notice.