Someone resigns, you do the right human things, you plan the handover, you wish them well. Then the day gets busy.

A week later, you discover their laptop is still signed into email, their phone still has Teams, and a vendor portal still recognises them as an admin. That is how “small” offboarding misses turn into real risk.

This checklist is designed for one outcome: the person can leave cleanly, and your business is not left with a door open.

Before you touch anything, get the facts straight

Offboarding goes sideways when everyone assumes someone else has the details. Spend five minutes up front and you will save an hour of backtracking.

  • Confirm the last working day and last working minute. If it is a normal resignation, you can plan a tidy handover. If it is an immediate termination, you need to move fast.
  • List what they had access to. Email, files, line-of-business apps, finance systems, HR systems, password managers, VPN, remote access tools, social accounts, anything customer-facing.
  • Decide who owns their work next. Name a manager or role owner for mailbox access, OneDrive files, shared folders, and ongoing vendor relationships.
  • Check for “quiet admin” roles. People often end up as the admin for a SaaS tool “just to get it set up.” Those are the accounts that bite later.

The first 15 minutes: stop sign-ins and cut off active sessions

Why first: most modern systems keep you signed in even after you close a laptop. You are not just changing a password; you are shutting down existing access.

  • Block sign-in to Microsoft 365 immediately. Microsoft’s offboarding guidance starts with preventing sign-in so the account cannot be used again.
  • Revoke sign-in sessions. Blocking sign-in stops new logins, but revoking sessions helps force reauthentication and cuts down the window where existing tokens still work.
  • Disable email apps on mobile (if applicable). If the user has company email on a phone, you want to stop that access fast, not next week.
  • Remove privileged access first. If they have admin roles anywhere (Microsoft 365, Entra, finance apps, backups, firewalls), strip those roles before you do anything else.

Practical tip: if you can only do two things right away, do these two: block sign-in and revoke sessions.
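The steps in this section can be run as one Microsoft Graph PowerShell script. This is an added example, not part of the original checklist or Microsoft's guidance. It assumes the Microsoft Graph PowerShell SDK is installed and the operator can edit users and directory roles; the parameter name and the fields of the output record are illustrative.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
param(
    # UPN of the departing user, supplied by the operator (illustrative parameter name)
    [Parameter(Mandatory)] [string] $UserPrincipalName
)
$ErrorActionPreference = 'Stop'   # halt on the first failed step instead of continuing

# Assumption: these delegated scopes are enough for the changes below in your tenant.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'
$user = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,accountEnabled'

# 1. Privileged access first: remove directly assigned Entra directory roles.
#    Not covered here: PIM-eligible roles, roles held through groups, admin roles in other apps.
$roles = @(Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' })
foreach ($role in $roles) {
    Invoke-MgGraphRequest -Method DELETE `
        -Uri "https://graph.microsoft.com/v1.0/directoryRoles/$($role.Id)/members/$($user.Id)/`$ref"
}

# 2. Block sign-in so no new logins succeed.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$blockedAt = (Get-Date).ToUniversalTime()

# 3. Revoke sessions so already-signed-in devices must reauthenticate (and now cannot).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$revokedAt = (Get-Date).ToUniversalTime()

# Verify the account state instead of trusting that the calls worked.
$check = Get-MgUser -UserId $user.Id -Property 'accountEnabled,signInSessionsValidFromDateTime'
if ($check.AccountEnabled) { throw "Sign-in is still enabled for $UserPrincipalName" }

# Emit a timestamped record to file with the offboarding ticket.
[pscustomobject]@{
    User                  = $user.UserPrincipalName
    RolesRemoved          = @($roles | ForEach-Object { $_.AdditionalProperties['displayName'] })
    SignInBlockedUtc      = $blockedAt.ToString('o')
    SessionsRevokedUtc    = $revokedAt.ToString('o')
    SessionsValidFromUtc  = $check.SignInSessionsValidFromDateTime
} | ConvertTo-Json
```

The JSON it prints covers the "sign-in blocked time, sessions revoked" items that the documentation step later in this checklist asks you to record.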

Keep the business running: hand over email and files the right way

Why this matters: offboarding is not just security. It is continuity. Customers will still email them. Their OneDrive probably contains real work. You need a clean handoff that does not involve sharing passwords.

  • Set an automatic reply (out of office). Keep it simple: the employee has left, and here is the new contact.
  • Forward email (only if you truly need it). Forwarding can be useful for a short transition, but it can also create confusion and privacy issues. Set an end date.
  • Transfer OneDrive ownership or access. Microsoft provides a guided process to give another employee access to the former employee’s OneDrive and Outlook data, and there is also a simplified OneDrive transfer experience for departing employees.
  • Move business files out of “personal” storage. If key documents live only in one person’s OneDrive, relocate them into the right SharePoint site or team folder so the business owns the work.
  • Review external sharing links. OneDrive and SharePoint make it easy to share files by link. As part of the handover, review what has been shared and remove links that should not live on.

Devices: get company data off endpoints you do not control

Why this matters: even with accounts disabled, data can remain on laptops and phones. Offboarding is when you make sure company information is not sitting in someone’s pocket.

  • Collect company-owned equipment. Laptop, phone, tablet, security keys, badges, and any removable media.
  • For Intune-managed devices, choose the right action. “Retire” removes company data without a full factory reset, which is often the right move for BYOD or personally owned phones.
  • For company-owned devices, plan a wipe or reset. For Windows devices, Autopilot Reset can remove personal files, apps, and settings while preparing the device for the next user.
  • If you use Windows Autopilot, clean up device records properly. Microsoft notes that fully removing a device from a tenant can require deleting records across Intune, Entra ID, and Windows Autopilot, so build that into your process.

If you are not using device management today, offboarding is a good time to notice the gap. Without it, you are relying on “please delete the email app” as a control.

Third-party apps: remove access where people forget to look

Why this matters: Microsoft 365 is only part of the picture. A growing business runs on SaaS, and those logins often outlive the employee.

  • Remove them from core business apps. Accounting, payroll, CRM, project management, ticketing, marketing, e-signature, and any industry-specific platforms.
  • Remove them from password managers and shared vaults. If they ever had access to shared credentials, rotate anything that matters (especially finance and admin logins).
  • Check for shared accounts. If multiple people know one password (a “shared inbox login” or “the vendor portal login”), treat it as compromised on departure and change it.
  • Update vendor points of contact. If invoices, support renewals, or security alerts go to the departing employee, you will miss something important.

After the dust settles: document, retain, and close the loop

Why this matters: the goal is not a heroic scramble. It is a repeatable process you can prove happened.

  • Record what you did and when. At minimum: sign-in blocked time, sessions revoked, devices returned or wiped, access removed from key systems.
  • Decide how long to keep the account and data. Many businesses keep mailboxes and files for a defined period for legal, HR, or continuity reasons, then delete according to policy.
  • Remove licences when appropriate. Microsoft’s offboarding flow includes removing licences so you can reassign them, while still managing access and retention correctly.
  • Schedule a quick “offboarding review” for next time. Ask one question: what did we discover late that we should add to the checklist?

Want this to run smoothly every time?

Offboarding should feel boring. When it is boring, it is consistent, and that is when it is safe.

If you would like help building an employee IT offboarding process that fits your tools (Microsoft 365, Intune, your line-of-business apps), the Flexnet Networks team can set it up and document it for you.
