Employee Offboarding Checklist

Get the last working day, the exact cutover time, the departing user's UPN, and the receiving manager's name from the HR system. The cutover time matters — disabling at 9:00 AM on a stated 5:00 PM last day is a wrongful-termination headache.

Export the user's Entra ID group memberships, app role assignments, and licenses. Cross-check against the SSO catalog (Okta or Entra) and any SaaS apps known to be outside SSO. The non-SSO list is where orphaned access tends to hide.

Disable — do not delete. Deletion breaks audit trails and downstream SaaS deprovisioning that relies on SCIM events. Set account expiration in AD if hybrid-joined so the disable propagates on next sync.

In Entra admin center, run "Revoke sessions" on the user. A disabled account with a valid refresh token can still pull mail in Outlook for up to an hour without revocation. Repeat in Okta if applicable.

Delete the user's authenticator methods (Microsoft Authenticator, Duo, YubiKey registrations) and unenroll Intune-managed devices. A re-enabled account with a stale authenticator on a personal phone is a common re-entry vector.

Inspect the mailbox for inbox rules that auto-forward to a personal address — a known exfiltration tactic in the final two weeks. Disable any found, and confirm the org-wide outbound auto-forward block is still in place via the anti-spam outbound policy.

Convert in Exchange Online and grant the manager Full Access plus Send As if HR approved continued correspondence. A shared mailbox under 50 GB does not require a license, which removes the temptation to keep the user's E3 active just for inbox access.

Per the manager's written request, configure the time-bound exception — for example, a guest account in Entra with a hard expiration date, or scoped delegate access with an automated removal task. Add the expiration date to the run's calendar so it doesn't become permanent.

In M365 admin center, set the manager as secondary owner on the leaver's OneDrive before the 30-day retention clock starts. After day 30 the OneDrive enters a deleted state and recovery requires opening a Microsoft case.

Run a permissions report on shared SharePoint sites and Teams the user owned. Reassign ownership of any site where the leaver was the sole owner — orphaned Teams sites cannot be modified by members and become read-only ghosts.

Confirm the BitLocker (or FileVault PRK) recovery key is escrowed in Entra or Intune before the device is wiped. Keys not in escrow have to be retrieved from the user, which is awkward post-departure if the laptop won't unlock during inspection.

For remote employees, ship a prepaid return label via the RMM ticket. For on-site, schedule pickup with the office manager. Set an RMM lock-out timer on the device — Intune "Lost Mode" or Kandji equivalent — so the laptop self-locks if not returned in 14 days.

Recover company phone or SIM, YubiKey or smart card, office badge, and parking fob. For BYOD phones, trigger the MDM selective wipe (Intune company portal removal or JAMF Self Service) to drop corp data only.

Photograph the laptop, charger, and accessories on receipt. Note any cracked screens, missing keys, or liquid damage. HR needs the photos to deduct from final pay if the offer letter allows it — otherwise the cost lands on the IT refresh budget.

Attach the inspection photos and the original asset record showing condition at issue. HR coordinates any deduction or replacement-cost claim. For non-returned devices, escalate to legal if the value crosses the org's threshold (commonly $500).

Confirm SCIM deprovisioning fired in each SSO-integrated app (Salesforce, Slack, Atlassian, Zoom). Check the Okta or Entra provisioning logs — "deprovision pending" without an event 24 hours later means the app's SCIM endpoint dropped the message.

Walk the non-SSO list from the access inventory — typically a long tail of marketing tools, shadow-IT trials, and vendor portals. For each, deactivate (don't delete — preserve activity history for audit) and screenshot the confirmation.

Remove from all org memberships and revoke any personal access tokens, deploy keys, or SSH keys associated with the user. Audit personal forks of org repos — the org's IP can persist in a fork even after the membership is removed.

Attach SCIM deprovision logs, non-SSO deactivation screenshots, BitLocker key escrow confirmation, and the inspection photos to the PSA ticket (ConnectWise, Autotask, or HaloPSA). This is the SOC 2 / ITGC artifact your auditor will sample.

Re-query the access inventory at +30, +60, and +90 days to catch anything that crept back in — re-enabled distribution group, license re-applied for shared mailbox conversion that got reversed, SaaS app where deprovisioning silently failed.

Update the on-call rotation in PagerDuty or Opsgenie, the internal directory, and any client-facing handoff — for MSP-supported clients, notify the account manager so the vCIO or QBR cadence stays accurate.