Employee Offboarding IT & Security Checklist | Boston Managed IT

Employee Offboarding: IT & Security Checklist

When an employee leaves — whether it's a planned departure, a resignation, or a termination — the first 24 hours matter most. Accounts that stay open, devices that walk out the door, and data sitting in personal cloud folders are how breaches start. This is the checklist we walk our clients through.

Submit a ticket as soon as you know the departure date (even better: the day before the last day) and we can run most of this for you. If you want to handle pieces internally, this is the order to do them in.

Before the last day

  • Open a ticket with us — give the employee's full name, email address, last day, and whether anyone should receive their email and files going forward.
  • Identify a delegate — who is taking over their inbox, calendar, OneDrive/Google Drive, and any shared mailboxes or Teams channels they own?
  • Inventory their access — list the SaaS apps and shared accounts they use (CRM, accounting, banking, vendor portals, social media, anything with a shared login). Don't forget mobile apps and password managers.
  • Plan device return — laptop, phone, tablet, hardware keys, badges. If they work remotely, arrange a shipping label or pickup.

On the last day (or immediately after termination)

  • Disable the user account — in Microsoft 365 or Google Workspace, block sign-in and revoke all active sessions. This logs them out of every device and browser instantly.
  • Reset the password — even though the account is disabled, reset it. Belt-and-suspenders.
  • Revoke MFA tokens and app passwords — remove their authenticator app registrations and any legacy app passwords.
  • Sign them out of every device — for managed devices, push a remote sign-out or wipe via Intune / Jamf / your MDM.
  • Forward their email — set up forwarding to the manager or designated delegate for at least 30–90 days.
  • Set an auto-reply — internal contacts only need to know who to talk to now. External auto-replies should be subtle ("For assistance please contact …") — don't broadcast that someone left.
  • Change shared passwords — every shared login they had access to gets rotated. This is the step most companies skip. Use a password manager so it's not painful.
  • Remove from distribution lists, shared mailboxes, Teams, Slack, and SharePoint sites — they shouldn't continue to receive internal communications.
  • Remove physical access — building badge, alarm code, key fobs, any after-hours codes.

Within the first week

  • Transfer ownership of files — OneDrive and Google Drive let you assign a new owner. Do this before the license is removed or the account is deleted, or files will be lost.
  • Transfer ownership of shared resources — Teams they own, calendars they manage, Power Automate flows, scheduled reports, any service accounts in their name.
  • Audit SaaS apps — go through every app on your inventory list and either disable, transfer, or delete their account. Most breaches involving departed employees happen through forgotten SaaS access (Dropbox, Canva, QuickBooks, etc.) — not the main email account.
  • Reclaim or wipe their device — for company-owned hardware, full reset before reissuing. For BYOD, selectively wipe company data only.
  • Update internal contact info — remove from the website, email signatures, voicemail directories, customer-facing references.

30 days after

  • Remove or downgrade the license — once email is forwarded and files are transferred, you can remove the Microsoft 365 or Google Workspace license. The mailbox can be converted to a shared mailbox if you need to keep access to history without paying for a full license.
  • Confirm no lingering access — review the audit log for any sign-in attempts from the disabled account. If you see attempts, investigate.
  • Update documentation — remove them from org charts, contact lists, runbooks, and emergency contact rosters.
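
One way to run the audit-log check above, as an added example (not Boston Managed IT's own tooling): it reads a sign-in log exported as CSV and flags every event logged after the account was disabled. The column names, the sample rows, and the `DISABLED_AT` roster are constructed assumptions; map them to your Microsoft 365 or Google Workspace export.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export (not real data). Column names are assumptions:
# map them to the fields in your Microsoft 365 or Google Workspace export.
SAMPLE_LOG = """timestamp,user,result,source_ip,app
2024-05-31T16:45:00Z,jdoe@example.com,success,203.0.113.10,Outlook
2024-05-31T17:20:11Z,JDoe@Example.com,failure,198.51.100.7,Office portal
2024-06-02T03:14:09Z,jdoe@example.com,failure,198.51.100.7,IMAP
2024-06-03T09:00:00Z,asmith@example.com,success,203.0.113.10,Teams
2024-06-04T22:41:37Z,jdoe@example.com,success,192.0.2.55,OneDrive
"""

# Offboarded accounts and when each was disabled (constructed values, UTC).
DISABLED_AT = {"jdoe@example.com": datetime(2024, 5, 31, 17, 0, tzinfo=timezone.utc)}


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing Z or a missing zone means UTC."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def find_lingering_access(log_text, disabled_at):
    """Return sign-in events logged after the account's disable time, oldest first."""
    cutoffs = {user.lower(): ts for user, ts in disabled_at.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"].strip().lower()  # logs often vary the case of the address
        when = parse_ts(row["timestamp"])
        if user not in cutoffs or when <= cutoffs[user]:
            continue
        # A success after the cutoff may mean a session survived or the account
        # was re-enabled; a failure means someone is still trying the login.
        ok = row["result"].strip().lower() == "success"
        findings.append({"user": user, "time": when, "source_ip": row["source_ip"],
                         "app": row["app"], "severity": "critical" if ok else "investigate"})
    return sorted(findings, key=lambda f: f["time"])


def summarize(findings):
    """Count findings per (user, severity, source_ip) for the offboarding ticket."""
    return Counter((f["user"], f["severity"], f["source_ip"]) for f in findings)


if __name__ == "__main__":
    for f in find_lingering_access(SAMPLE_LOG, DISABLED_AT):
        print(f["time"].isoformat(), f["severity"], f["user"], f["source_ip"], f["app"])
```

Record the disable time in UTC when the account is locked so the cutoff lines up with the log's timestamps.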

Special cases

Involuntary termination. Move faster. Ideally the account is disabled during the termination conversation, not after. Coordinate timing with HR — we can have everything locked at a specific minute if you give us a heads-up.

Suspected data theft. Don't just disable the account — preserve it. Place a litigation hold on the mailbox, preserve OneDrive and SharePoint activity logs, and call us before deleting anything. Once a mailbox is deleted, the audit trail is much harder to recover.

Departing executive or admin. They likely have access to systems most users don't — Microsoft 365 admin, banking, domain registrar, DNS, password manager admin. Audit these specifically and rotate any shared credentials they could have memorized or exported.

Person of record changes. If the departing employee was the primary contact on accounts (carrier, vendor, banking, our help desk), let us know who the new person of record is so we can update records on our side and notify vendors.

What we'll handle for you

When you submit an offboarding ticket, we take care of:

  • Disabling the Microsoft 365 / Google Workspace account and revoking sessions
  • Setting up email forwarding and the auto-reply
  • Transferring OneDrive / Google Drive ownership to your designated delegate
  • Removing them from distribution lists, Teams, and shared mailboxes we manage
  • Locking the user out of any SaaS apps that use single sign-on through us
  • Converting the mailbox to a shared mailbox and removing the license at 30 days

The pieces we can't handle without your input: shared passwords on apps we don't manage, physical building access, and which person inherits what. Send us that info in the ticket and we'll move quickly.


Need to offboard someone right now? Open a ticket with the employee's name, last day, and the delegate's name — we'll take it from there.
