Employee Offboarding Checklist
Pre-Departure Coordination
Get the last working day, the exact cutover time, the departing user's UPN, and the receiving manager's name from the HR system. The cutover time matters — disabling at 9:00 AM on a stated 5:00 PM last day is a wrongful-termination headache.
Export the user's Entra ID group memberships, app role assignments, and licenses. Cross-check against the SSO catalog (Okta or Entra) and any SaaS apps known to be outside SSO. The non-SSO list is where orphaned access tends to hide.
Ask the manager whether the user needs any temporary post-departure access — for example, mailbox access for a contracted handover period, or a sales rep retaining Salesforce read-only for commission reconciliation. Get the request in writing with an end date.
Day-of Access Termination
Disable — do not delete. Deletion breaks audit trails and downstream SaaS deprovisioning that relies on SCIM events. If the account is synced from on-premises AD, disable it and set the account expiration there so the change propagates to Entra on the next sync.
In Entra admin center, run "Revoke sessions" on the user. A disabled account with a valid refresh token can still pull mail in Outlook for up to an hour without revocation. Repeat in Okta if applicable.
Delete the user's authenticator methods (Microsoft Authenticator, Duo, YubiKey registrations) and unenroll Intune-managed devices. A re-enabled account with a stale authenticator on a personal phone is a common re-entry vector.
Inspect the mailbox for inbox rules that auto-forward to a personal address — a known exfiltration tactic in the final two weeks. Disable any found, and confirm the org-wide outbound auto-forward block is still in place via the anti-spam outbound policy.
From the access inventory, identify any shared mailboxes, vault entries, or service accounts the user knew the password for. Rotate them in the password manager (Keeper, Bitwarden, Passportal) and update any dependent integrations.
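The day-of steps above as a single Microsoft Graph PowerShell and Exchange Online PowerShell run; this is an added example, not part of the original checklist, and the UPN, tenant domain and the operator's role assignments (User Administrator plus Exchange Administrator or equivalent) are assumptions.

```powershell
# Added example, not part of the original checklist: day-of access termination for one leaver.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.
$Upn          = 'leaver@contoso.com'   # placeholder: leaver's UPN from the HR record
$TenantDomain = 'contoso.com'          # placeholder: your accepted domain; SMTP forwards elsewhere count as external

Connect-MgGraph -Scopes 'User.ReadWrite.All','User.RevokeSessions.All','UserAuthenticationMethod.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Disable, don't delete: the object stays for audit and SCIM-integrated apps see a disable event.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke refresh tokens so cached Outlook/Teams sessions stop within minutes rather than an hour.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Record, then remove, every registered authenticator (the ticket needs the "before" list).
$methods = Get-MgUserAuthenticationMethod -UserId $Upn
$methods | ForEach-Object { '{0}  {1}' -f $_.Id, $_.AdditionalProperties['@odata.type'] }
foreach ($m in $methods) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $m.Id }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        # The password method cannot be removed; any other type is left for manual review.
    }
}

# 4. Inbox rules that forward or redirect to an SMTP address outside the tenant domain.
$external = "\[SMTP:[^\]]+@(?!$([regex]::Escape($TenantDomain))\])"   # internal recipients show as EX: or @tenant domain
$externalRules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
    @($targets | Where-Object { "$_" -match $external }).Count -gt 0
}
foreach ($rule in $externalRules) {
    Write-Warning "Disabling rule '$($rule.Name)' on $Upn (external forward/redirect)"
    Disable-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
}

# 5. Confirm the tenant-wide auto-forward block is still in force (AutoForwardingMode should read Off).
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

Attach the authenticator list and the rule names printed here to the ticket as the "before" evidence for the closeout package.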
Mailbox and File Handover
Convert the mailbox to a shared mailbox in Exchange Online and grant the manager Full Access, plus Send As if HR approved continued correspondence. A shared mailbox under 50 GB does not require a license, which removes the temptation to keep the user's E3 active just for inbox access.
Per the manager's written request, configure the time-bound exception — for example, a guest account in Entra with a hard expiration date, or scoped delegate access with an automated removal task. Add the expiration date to the run's calendar so it doesn't become permanent.
In M365 admin center, set the manager as secondary owner on the leaver's OneDrive before the 30-day retention clock starts. After day 30 the OneDrive enters a deleted state and recovery requires opening a Microsoft case.
Run a permissions report on shared SharePoint sites and Teams the user owned. Reassign ownership of any site where the leaver was the sole owner — orphaned Teams sites cannot be modified by members and become read-only ghosts.
Apply the standard departure retention hold (commonly 7 years for finance, 3 years for general). If legal has an active eDiscovery hold on this user, do not remove the license until the hold is released — Purview will flag it but won't block you.
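The shared-mailbox conversion and delegate grant, with the license removal gated on the two conditions the section names (mailbox size and an active legal hold); this is an added example, not part of the original checklist, and the UPN, manager and HR approval flag are placeholders.

```powershell
# Added example, not part of the original checklist: convert to shared, delegate, then decide on the license.
$Upn            = 'leaver@contoso.com'    # placeholder: leaver's UPN
$Manager        = 'manager@contoso.com'   # placeholder: receiving manager from the HR record
$SendAsApproved = $false                  # set from HR's written approval for continued correspondence
$SharedLimitGB  = 50                      # shared mailboxes at or above this size still need a license

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Convert in place: same address, same folders, audit history intact.
Set-Mailbox -Identity $Upn -Type Shared

# Full Access auto-maps the mailbox into the manager's Outlook; Send As only with HR sign-off.
Add-MailboxPermission -Identity $Upn -User $Manager -AccessRights FullAccess -AutoMapping $true | Out-Null
if ($SendAsApproved) {
    Add-RecipientPermission -Identity $Upn -Trustee $Manager -AccessRights SendAs -Confirm:$false | Out-Null
}

# Size: TotalItemSize renders as "1.2 GB (1,288,490,188 bytes)"; take the byte count from the text
# so the check works however the EXO module deserialises the value.
$stats  = Get-MailboxStatistics -Identity $Upn
$bytes  = [int64](("$($stats.TotalItemSize)" -replace '.*\(([\d,]+) bytes\).*', '$1') -replace ',', '')
$sizeGB = [math]::Round($bytes / 1GB, 2)

# Holds: litigation hold, plus any InPlaceHolds entry that is not a retention policy. Retention policies
# carry an mbx/skp/grp prefix (or a leading '-' for exclusions); eDiscovery case holds are bare GUIDs
# or UniH-prefixed, per Microsoft's InPlaceHolds naming convention.
$mbx       = Get-Mailbox -Identity $Upn
$caseHolds = @($mbx.InPlaceHolds | Where-Object { $_ -notmatch '^(mbx|skp|grp|-)' })
$onHold    = $mbx.LitigationHoldEnabled -or $caseHolds.Count -gt 0

if ($onHold) {
    Write-Warning "$Upn is under hold (Litigation=$($mbx.LitigationHoldEnabled); case holds: $($caseHolds -join ',')). Keep the license until legal releases it."
} elseif ($sizeGB -ge $SharedLimitGB) {
    Write-Warning "$Upn is $sizeGB GB; a shared mailbox this size still needs a license."
} else {
    $skus = @((Get-MgUserLicenseDetail -UserId $Upn).SkuId)
    if ($skus.Count -gt 0) { Set-MgUserLicense -UserId $Upn -AddLicenses @() -RemoveLicenses $skus | Out-Null }
    "Converted $Upn to shared ($sizeGB GB) and removed $($skus.Count) license(s)."
}
```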
Endpoint and Hardware Recovery
Confirm the BitLocker (or FileVault PRK) recovery key is escrowed in Entra or Intune before the device is wiped. Keys not in escrow have to be retrieved from the user, which is awkward post-departure if the laptop won't unlock during inspection.
For remote employees, ship a prepaid return label via the RMM ticket. For on-site, schedule pickup with the office manager. Set an RMM lock-out timer on the device — Intune "Lost Mode" or Kandji equivalent — so the laptop self-locks if not returned in 14 days.
Recover company phone or SIM, YubiKey or smart card, office badge, and parking fob. For BYOD phones, trigger the MDM selective wipe (Intune company portal removal or JAMF Self Service) to drop corp data only.
Photograph the laptop, charger, and accessories on receipt. Note any cracked screens, missing keys, or liquid damage. HR needs the photos to deduct from final pay if the offer letter allows it — otherwise the cost lands on the IT refresh budget.
Attach the inspection photos and the original asset record showing condition at issue. HR coordinates any deduction or replacement-cost claim. For non-returned devices, escalate to legal if the value crosses the org's threshold (commonly $500).
Use Autopilot reset (Windows) or Apple Configurator erase-and-install (Mac) to return the device to gold-image state. Confirm the device record in Intune or JAMF flips back to "available" and update the CMDB with the new status.
SaaS and Application Deprovisioning
Confirm SCIM deprovisioning fired in each SSO-integrated app (Salesforce, Slack, Atlassian, Zoom). Check the Okta or Entra provisioning logs — "deprovision pending" without an event 24 hours later means the app's SCIM endpoint dropped the message.
Walk the non-SSO list from the access inventory — typically a long tail of marketing tools, shadow-IT trials, and vendor portals. For each, deactivate (don't delete — preserve activity history for audit) and screenshot the confirmation.
Remove the user from all source-control org memberships and revoke any personal access tokens, deploy keys, or SSH keys associated with the user. Audit personal forks of org repos — the org's IP can persist in a fork even after the membership is removed.
Disable the badge in Brivo, Kisi, HID, or whichever access system the office uses. Don't just collect the badge — a cloned badge or a held-open door is a real attack vector. Confirm the disable event shows in the access log.
Audit and Closeout
Attach SCIM deprovision logs, non-SSO deactivation screenshots, BitLocker key escrow confirmation, and the inspection photos to the PSA ticket (ConnectWise, Autotask, or HaloPSA). This is the SOC 2 / ITGC artifact your auditor will sample.
Re-query the access inventory at +30, +60, and +90 days to catch anything that crept back in — re-enabled distribution group, license re-applied for shared mailbox conversion that got reversed, SaaS app where deprovisioning silently failed.
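The access-inventory export from the pre-departure step and the +30/+60/+90 re-query share one script: snapshot the leaver's Entra groups, directory roles, enterprise-app role assignments and licenses to JSON, then diff later runs against the post-termination snapshot so anything that crept back stands out. This is an added example, not part of the original checklist; the UPN, evidence folder and snapshot labels are placeholders.

```powershell
# Added example, not part of the original checklist: snapshot and diff a leaver's Entra access.
$Upn    = 'leaver@contoso.com'                 # placeholder: leaver's UPN
$OutDir = 'C:\Offboarding\Evidence\leaver'     # placeholder: evidence folder attached to the PSA ticket
$Label  = 'plus30'                             # one of: pre, postterm, plus30, plus60, plus90

Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All' -NoWelcome

function Get-AccessInventory {
    param([string] $UserId)
    # Direct memberships only; switch to Get-MgUserTransitiveMemberOf if nested groups matter.
    $groups = Get-MgUserMemberOf -UserId $UserId -All | ForEach-Object {
        [pscustomobject]@{ Kind = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                           Name = $_.AdditionalProperties['displayName']; Id = $_.Id }
    }
    # Enterprise-app role assignments: the SSO-catalog side of the inventory.
    $apps = Get-MgUserAppRoleAssignment -UserId $UserId -All | ForEach-Object {
        [pscustomobject]@{ Kind = 'appRoleAssignment'; Name = $_.ResourceDisplayName; Id = "$($_.ResourceId)/$($_.AppRoleId)" }
    }
    $lics = Get-MgUserLicenseDetail -UserId $UserId | ForEach-Object {
        [pscustomobject]@{ Kind = 'license'; Name = $_.SkuPartNumber; Id = "$($_.SkuId)" }
    }
    @($groups) + @($apps) + @($lics) | Sort-Object Kind, Name
}

$now = @(Get-AccessInventory -UserId $Upn)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# -InputObject keeps an empty or single-entry result as a JSON array.
ConvertTo-Json -InputObject $now -Depth 3 | Set-Content -Path (Join-Path $OutDir "access-$Label.json")
"Snapshot '$Label': $($now.Count) entries for $Upn"

# Day-of, after cleanup, save the 'postterm' snapshot: it should hold only the approved exceptions.
# Every later run is compared against it; anything not in it came back and needs an owner.
$basePath = Join-Path $OutDir 'access-postterm.json'
if ($Label -ne 'postterm' -and (Test-Path $basePath)) {
    $base  = @(Get-Content $basePath -Raw | ConvertFrom-Json)
    $known = @{}
    foreach ($e in $base) { $known["$($e.Kind)|$($e.Id)"] = $true }
    $back  = @($now | Where-Object { -not $known["$($_.Kind)|$($_.Id)"] })
    if ($back.Count -gt 0) {
        Write-Warning "Access present at '$Label' that was not in the post-termination snapshot:"
        $back | Format-Table Kind, Name
    } else {
        "No access crept back for $Upn since termination."
    }
}
```

Run it with `$Label = 'pre'` during pre-departure coordination to produce the inventory that step relies on, and keep each dated JSON file with the closeout evidence.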
Update the on-call rotation in PagerDuty or Opsgenie, the internal directory, and any client-facing handoff — for MSP-supported clients, notify the account manager so the vCIO or QBR cadence stays accurate.
The IT manager or service coordinator reviews the evidence package and signs off. Note any exceptions or deferred items (for example, a pending license true-up at the end of the billing cycle) so they don't get forgotten.
