User Offboarding Checklist
Steps a sysadmin or MSP technician runs to offboard a departing employee — disabling identity, securing data, retrieving hardware, and confirming no orphaned access remains. Covers in-house IT and MSP-supported environments using Entra ID / Active Directory and M365 or Google ...
Pre-Departure Coordination

- Confirm departure details with HR
  Capture the last working day, the exact disable time (often coordinated with the manager's termination meeting), the manager of record, and whether any post-departure access extensions are approved. Voluntary vs. involuntary departures affect timing — involuntary terminations typically disable at the start of the meeting, not end-of-day.

- Pull the user's access inventory from the IdP
  Export the user's app assignments from Entra ID, Okta, or JumpCloud as the source-of-truth access list. Cross-check against IT Glue / Hudu documentation for non-SSO apps (legacy systems, vendor portals, shared credentials). The SSO list will miss anything provisioned outside the IdP — that's where orphan access hides.

- Determine mailbox and file disposition with the manager
  Decide per company policy: convert the mailbox to shared (no license cost after 30 days in M365), set an auto-reply with redirect, or forward to the manager. Identify the OneDrive / Google Drive transfer target. Document the decision — it drives the mailbox and files section.
Identity and Access Revocation

- Disable the account in Entra ID or AD
  Disable — do not delete. Deletion breaks the audit trail and mailbox recovery. In hybrid environments, disable in on-prem AD and let AD Connect sync, or block sign-in directly in Entra ID. Move the object to a disabled-users OU to prevent accidental re-enablement.

- Revoke active sessions and refresh tokens
  Disabling the account does not kill in-flight sessions — OAuth refresh tokens can keep the user signed in for up to 90 days on mobile. Run "Revoke sessions" in Entra ID and the equivalent in Okta / Google Admin. Sign out of all devices in the M365 admin center.

- Remove MFA methods and registered devices
  Delete Authenticator registrations, FIDO2 keys, phone numbers, and TAP (Temporary Access Pass) entries. Leftover MFA on a re-enabled account is a backdoor; a clean state is the only safe state.

- Block legacy authentication and email forwarding
  Disable IMAP/POP/SMTP AUTH on the mailbox and remove any user-created inbox rules that forward externally. Do this pre-emptively — a departing user can stage exfiltration via a forwarding rule before the disable fires.

- Revoke VPN and ZTNA access
  Revoke client certificates in the firewall or ZTNA broker (Cisco AnyConnect, FortiGate SSL VPN, Palo Alto GlobalProtect, Cloudflare Access, Zscaler Private Access). Cert revocation is separate from the account disable — a cached cert can still authenticate against some configurations.

- Remove from security groups and distribution lists
  Strip the user from all security groups (file share access, Teams membership, app assignments) and distribution lists. Capture the group list first — it becomes input to the access review for the role replacement.
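The identity revocation steps above, scripted as a single pass against Microsoft Graph and Exchange Online. This is an added example, not part of the original checklist; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, an admin session that can consent to the listed scopes, and the departing user's UPN as input. Group membership is captured here but not stripped, because that list is reviewed before removal.

```powershell
# Hypothetical offboarding script for the identity section; requires the
# Microsoft.Graph and ExchangeOnlineManagement modules and an admin session.
param([Parameter(Mandatory)][string]$Upn)   # departing user's UPN (assumed input)

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Capture group membership BEFORE stripping it: input for the successor's access review.
Get-MgUserMemberOf -UserId $Upn -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Set-Content -Path ".\$Upn-groups-before.txt"

# 2. Disable, do not delete: the object, its audit trail and the mailbox stay recoverable.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 3. Disable alone leaves live sessions; revoke refresh tokens so mobile clients drop off.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Remove every MFA registration so a later re-enable starts from a clean state.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $m.Id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod' {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn -TemporaryAccessPassAuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $m.Id }
        # The password method cannot be removed; the account disable above neutralises it.
    }
}

# 5. Block legacy auth and mailbox-level forwarding on the Exchange side.
Set-CASMailbox -Identity $Upn -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 6. Remove user-created inbox rules that forward or redirect mail (the staging path the text warns about).
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        Write-Output "Removing forwarding rule '$($_.Name)' -> $($_.ForwardTo + $_.RedirectTo)"
        Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
    }
```

Keep the console transcript of this run as the IdP disable evidence the closeout step asks for.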
Mailbox and Files Handling

- Execute the mailbox disposition decision
  If converting to shared in M365: convert before the 30-day grace ends to avoid relicensing. If forwarding: configure a transport rule rather than a user-side rule (it survives mailbox conversion). If retention-then-delete: apply the in-place hold per retention policy.

- Transfer OneDrive or Google Drive ownership
  Set the manager as the secondary owner in the M365 admin center or transfer via the Google Workspace data transfer tool. OneDrive auto-deletes 30 days after license removal — get the transfer done before the license is reclaimed.

- Audit and reassign shared mailbox permissions
  List every shared mailbox, calendar, and Teams channel where the user had Send As / Full Access. Remove individual grants; reassign to the role's successor where needed. Send As left on a departed user is a common audit finding.

- Archive Teams and Slack DMs per retention policy
  Apply the retention label or eDiscovery hold before deactivating the Slack / Teams identity. For Slack, convert to a guest account if needed to preserve search; for Teams, the Entra ID disable preserves message history under the M365 retention policy.
SaaS Application Deprovisioning

- Deactivate non-SSO SaaS accounts from the inventory
  Walk the list from the IdP export plus the IT Glue / Hudu non-SSO apps. For each app (Salesforce, HubSpot, Asana, Notion, Figma, Atlassian, GitHub), deactivate rather than delete to preserve activity history. Capture a screenshot or admin-log entry per app.

- Audit GitHub or GitLab org membership
  Remove the user from the org. Check for personal forks of internal repos — those don't auto-delete and may contain secrets. Rotate any PATs (personal access tokens) or deploy keys the user created. SSH key revocation is separate from org removal.

- Rotate shared credentials the user knew
  Pull the vault audit log (Keeper, 1Password, Bitwarden, IT Glue) for every shared item the user accessed in the last 90 days. Rotate those credentials. Standing knowledge of a shared admin password survives the account disable.

- Reclaim or reassign software licenses
  Free the M365 / Google Workspace license, Adobe CC seat, Zoom license, and any per-seat SaaS. Update the asset management record so the seat is available for the next hire — unreclaimed seats are the largest source of license waste at audit.
Endpoint and Hardware Retrieval

- Initiate device retrieval logistics
  For remote employees, send a prepaid shipping label or schedule a courier; for on-site staff, collect at the exit interview. Track the shipment with the asset record. Set a 10-business-day SLA — escalate to HR if the device isn't back by then.

- Confirm device received and condition
  Match the serial number against the asset record. Note any damage on the intake form — it drives chargebacks per company policy. If the device was lost or unreturned, trigger the remote-wipe path in Intune / JAMF before closing this step.

- Issue remote wipe through Intune or JAMF
  Trigger the MDM wipe command and confirm acknowledgement from the device. For unmanaged or off-network devices, file an internal incident — the device is now an unaccounted-for asset holding company data, and may require breach assessment under HIPAA / GDPR depending on contents.

- Archive BitLocker or FileVault recovery keys
  Confirm the recovery key is escrowed in Entra ID / Intune / JAMF before wiping. Wiping a device without the escrowed key, when forensic preservation may later be needed, is a one-way mistake.

- Wipe and reimage the endpoint
  Run the company wipe standard — Autopilot reset for Windows, Apple Configurator erase for Mac, or full DBAN for end-of-life disposal. Update Intune / JAMF so the device record is freed for the next assignment.

- Recover physical access items
  Collect the badge / fob / physical keys. Deactivate the credential in the access control system (HID, Brivo, Kisi, Genetec) — a returned-but-active badge is a finding. Update the parking system and any visitor-management entries.
Closeout and Follow-Up Audit

- Notify stakeholders that offboarding is complete
  Send the confirmation to HR, the manager, and (for client-facing roles) the account team so external auto-responders and CRM ownership get updated. Include a one-line summary of exceptions — extended access granted, devices outstanding, etc.

- Update directory, org chart, and on-call rotations
  Remove the user from PagerDuty / Opsgenie schedules, the GAL, internal wiki ownership, Slack channel topics, and the public org chart. Stale on-call schedules cause real outages when an alert pages a departed user at 3am.

- File the offboarding record in the PSA or ITSM
  Attach evidence — IdP disable confirmation, drive transfer screenshot, SaaS deactivation log, asset return form, wipe confirmation. This is the audit artifact for SOC 2, ISO 27001, and SOX access-termination controls.

- Run the 30-day orphan access audit
  Query Entra ID sign-in logs, SaaS admin logs, and the badge system for any activity tied to the disabled identity. Cross-check IT Glue / Hudu for credentials still listing the user as owner. Anything found here is a process gap — feed it back into the checklist.
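One way to run the Entra ID portion of this audit, added here as an example rather than the template's own tooling. It assumes the Microsoft.Graph module, an admin session with AuditLog.Read.All, and the departed user's UPN; the SaaS admin logs and badge system still need their own checks.

```powershell
# Hypothetical 30-day orphan-access check against Entra ID; requires Microsoft.Graph.
param([Parameter(Mandatory)][string]$Upn)   # departed user's UPN (assumed input)

Connect-MgGraph -Scopes 'AuditLog.Read.All','User.Read.All','Directory.Read.All'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$findings = @()

# The account must still be disabled; a re-enable since offboarding is a finding in itself.
$u = Get-MgUser -UserId $Upn -Property Id,AccountEnabled
if ($u.AccountEnabled) { $findings += 'Account has been re-enabled' }

# Any sign-in attempt (success or failure) tied to the disabled identity inside the window.
$signins = Get-MgAuditLogSignIn -Filter "userId eq '$($u.Id)' and createdDateTime ge $since" -All
foreach ($s in $signins) {
    $findings += "Sign-in $($s.CreatedDateTime) app=$($s.AppDisplayName) ip=$($s.IpAddress) status=$($s.Status.ErrorCode)"
}

# Objects the user still owns (groups, app registrations) are orphaned ownership.
foreach ($o in Get-MgUserOwnedObject -UserId $u.Id -All) {
    $findings += "Still owner of $($o.AdditionalProperties['@odata.type']) '$($o.AdditionalProperties['displayName'])'"
}

# Residual group membership means the strip step was incomplete or a dynamic rule re-added the user.
foreach ($g in Get-MgUserMemberOf -UserId $u.Id -All) {
    $findings += "Still member of '$($g.AdditionalProperties['displayName'])'"
}

if ($findings.Count -eq 0) { 'No orphan access found in Entra ID' } else { $findings }
```

Attach the output to the offboarding ticket; each line is either a closed gap or a checklist item to add.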
- Run the 90-day final access review
  Final confirmation: the shared mailbox can be deleted per retention, the license is fully reclaimed, and all temporary post-departure access extensions have expired. Close the loop in the PSA so the ticket is fully resolved for audit.