Employee offboarding is not just “disable the account and hope HR took the laptop.” A good IT offboarding checklist protects company data, prevents awkward access surprises, and gives the next tech a clean record of what happened.
Here is the short version: verify the request, identify every account and device tied to the user, disable sign-in at the right time, revoke active sessions, preserve or transfer business data, collect hardware, remove group and app access, then document the closure.
If you are new to help desk work, this is one of those tickets where speed matters, but sloppy speed causes problems. You want a repeatable runbook, not panic-clicking through admin portals while HR keeps asking, “Is it done yet?”
The offboarding checklist
Use this as a baseline. Your company may have legal, HR, or compliance steps that override parts of it, so treat this as the IT flow, not the entire employment process.
| Step | What to do | Why it matters |
|---|---|---|
| 1 | Confirm the request and timing | Prevents accidental lockouts and missed urgent terminations |
| 2 | Inventory accounts, groups, apps, and devices | Shows what needs to be removed or preserved |
| 3 | Disable sign-in and revoke sessions | Stops access quickly, including already-signed-in sessions |
| 4 | Reset passwords where needed | Blocks shared or cached credentials from lingering |
| 5 | Preserve mailbox, files, and business data | Keeps managers from losing work they still need |
| 6 | Remove licenses, groups, and app access | Cleans up cost and privilege creep |
| 7 | Collect or wipe devices | Protects company hardware and stored data |
| 8 | Document everything in the ticket | Makes audits and follow-up tickets less painful |
1. Verify the request before touching anything
Do not offboard someone because “a manager said so in chat.” You need a proper HR ticket, approved manager request, or whatever your company uses as the source of truth.
Before making changes, confirm:
- Employee name and username
- Department and manager
- Last working day and exact cutoff time
- Whether this is normal offboarding or urgent termination
- Whether the user is remote, hybrid, or onsite
- Whether legal hold, investigation, or HR instructions apply
- Who should receive mailbox or file access after departure
This is where a lot of mistakes start. There is a huge difference between “disable Friday at 5 PM” and “disable immediately, do not notify user, preserve mailbox.” If the ticket is vague, push back before taking action.
2. Build the access inventory
Most employees have more access than anyone remembers. Start with the core identity system, then branch out.
Check for:
- Active Directory or Entra ID account
- Microsoft 365 or Google Workspace mailbox
- VPN access
- MFA methods and registered devices
- Group memberships
- Shared mailboxes and distribution lists
- File shares, SharePoint, Teams, OneDrive, or Google Drive access
- SaaS tools like Slack, Zoom, Jira, GitHub, CRM, HRIS, password managers, RMM, MDM, and ticketing systems
- Local admin rights on endpoints
- Company-owned hardware assigned to the user
If you already have an identity governance tool, great. If not, this is where a simple checklist still beats memory. For account basics, our Active Directory tutorial for beginners is a good refresher.
3. Disable sign-in at the correct time
For normal departures, disable sign-in at the approved cutoff time. For urgent separations, disable sign-in immediately after the authorized request arrives.
The usual sequence is:
- Disable the primary directory account.
- Block cloud sign-in.
- Revoke active sessions and refresh tokens.
- Disable VPN access.
- Remove or suspend access in critical SaaS apps.
- Confirm the account can no longer authenticate.
Do not rely on password reset alone. Password resets do not always kill existing sessions fast enough, especially in cloud apps. If your platform has “sign out everywhere,” “revoke sessions,” or “invalidate refresh tokens,” use it.
This is also where MFA matters. If the user still has active sessions on a phone or personal device, a plain account disable does not end those sessions on its own; they have to be revoked as well. Pair this with the MFA reset checklist for help desk techs when identity risk is part of the ticket.
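As an added example that is not part of the original post, here is the disable-and-revoke sequence above as a PowerShell runbook for a hybrid on-prem AD plus Entra ID tenant. The module names and cmdlets are real; the username, UPN and ticket ID are placeholders, and VPN and SaaS removal are left to their own tools.

```powershell
# Added example, not from the original post: disable a hybrid (on-prem AD + Entra ID)
# account, revoke its cloud sessions and produce a verification line for the ticket.
# Assumes the ActiveDirectory RSAT module and the Microsoft.Graph PowerShell SDK, with
# Connect-MgGraph already run by an account that can update users. All values are samples.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,     # e.g. jdoe
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. jdoe@contoso.example
    [Parameter(Mandatory)] [string] $TicketId            # e.g. INC-12345
)

$stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss K')

# 1. Disable the on-prem account and leave a breadcrumb for the next tech
Disable-ADAccount -Identity $SamAccountName
Set-ADUser -Identity $SamAccountName -Description "Disabled $stamp per $TicketId"

# 2. Block cloud sign-in directly. Entra Connect would sync the AD flag on its next
#    cycle anyway, but an urgent termination cannot wait for the sync interval.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

# 3. Revoke refresh tokens so signed-in apps cannot silently renew. Access tokens that
#    were already issued keep working until their own lifetime expires, so note the time.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# 4. Verify both directories and emit one object you can paste into the ticket
$ad = Get-ADUser -Identity $SamAccountName
$mg = Get-MgUser -UserId $UserPrincipalName -Property 'AccountEnabled', 'SignInSessionsValidFromDateTime'
[pscustomobject]@{
    Ticket          = $TicketId
    ADEnabled       = $ad.Enabled                          # expect False
    EntraEnabled    = $mg.AccountEnabled                   # expect False
    TokensValidFrom = $mg.SignInSessionsValidFromDateTime  # tokens issued before this are rejected
    CompletedAt     = $stamp
} | Format-List
```

Run it with the ticket open so the verification block goes straight into the note; if either Enabled value is still True, the ticket is not done.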
4. Handle email and calendar access cleanly
Email offboarding causes a ton of follow-up tickets when it is done casually.
Decide what should happen to the mailbox:
- Convert it to a shared mailbox if your platform supports that.
- Delegate access to the manager or replacement.
- Set an automatic reply if HR approves the wording.
- Forward messages only if policy allows it.
- Preserve mailbox data for retention requirements.
- Remove mobile device partnerships if needed.
Do not hand over mailbox access just because a manager asks in a side channel. Mailboxes can contain HR, medical, legal, and personal messages. Follow policy and document the approval.
For messy email cases, link the follow-up ticket to your email troubleshooting checklist so the next tech knows whether the problem is access, forwarding, shared mailbox permissions, or Outlook being Outlook.
5. Preserve files before deleting anything
This is the step that saves you from the classic “we deleted Bob and now the sales forecast is gone” disaster.
Before deleting or deprovisioning storage, confirm:
- OneDrive or Google Drive ownership transfer
- Shared folder ownership
- Department file-share permissions
- Important local files on assigned laptops
- Project folders in Teams, SharePoint, or Slack
- Git repositories, scripts, dashboards, or automation the user owned
If the person was technical, look for scheduled tasks, API tokens, service accounts, SSH keys, and scripts that might break after account disablement. A user account should not own production automation, but the real world loves teaching that lesson at 4:55 PM.
For file-share specific issues, use the network share troubleshooting checklist when managers report missing folders after access is transferred.
6. Remove access without destroying useful history
After the account is blocked and data is preserved, clean up access.
Remove or suspend:
- Security group memberships
- Shared mailbox permissions
- VPN groups
- Admin roles
- SaaS licenses
- Password manager vault access
- MDM enrollment if the device is returned or wiped
- Local admin rights
- Distribution list membership
- Calendar delegation
Be careful with systems where deletion removes audit history or breaks ownership records. In many tools, “suspend” is safer than “delete” on day one. You can remove licenses and access while keeping the account record for retention.
This is the practical version of access control. If you are studying for Security+, the access control practice questions cover the exam language behind this: least privilege, privilege creep, account lifecycle, and auditing.
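An added example (not from the original post) of the "keep the record, remove the access" idea from this step, using the inventory from step 2: it snapshots the user's AD group memberships to a file before removing them. It assumes the ActiveDirectory RSAT module; the username and snapshot directory are sample values.

```powershell
# Added example, not from the original post: snapshot a departing user's AD group
# memberships to a file for the ticket, then remove them, leaving the primary group alone.
# Assumes the ActiveDirectory RSAT module. Username and output path are sample values.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SamAccountName,       # e.g. jdoe
    [string] $SnapshotDir = 'C:\Offboarding\Snapshots'    # sample path
)

$user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf
$groups = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })

# 1. Record what the user had before changing anything. This is the audit trail the
#    ticket needs, and what you restore from if an offboarding has to be reversed.
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$snapshot = Join-Path $SnapshotDir ("{0}-groups-{1:yyyyMMdd-HHmmss}.json" -f $SamAccountName, (Get-Date))
$groups | Select-Object Name, DistinguishedName, GroupCategory, GroupScope |
    ConvertTo-Json | Set-Content -Path $snapshot -Encoding UTF8

# 2. Remove the memberships. MemberOf never lists the primary group (Domain Users by
#    default), so that stays, which keeps the disabled account record intact for retention.
#    Run with -WhatIf first to see the list without changing anything.
foreach ($g in $groups) {
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from group '$($g.Name)'")) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
}

# 3. One line for the ticket note
"Removed $SamAccountName from $($groups.Count) group(s); snapshot saved to $snapshot"
```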
7. Collect, lock, or wipe devices
Hardware handling depends on whether the employee is onsite, remote, or missing in action.
For company-owned devices:
- Confirm serial number and asset tag.
- Mark whether the device was returned.
- Lock or wipe through MDM when appropriate.
- Remove device from the user’s account record.
- Check for BitLocker or FileVault recovery needs.
- Reclaim peripherals if your asset policy tracks them.
- Note condition and missing items.
If the laptop is not returned, escalate according to policy. Do not improvise threats, shipping instructions, or legal language. That belongs to HR, legal, or management.
For Windows devices where recovery keys or encryption state become part of the handoff, the BitLocker recovery key troubleshooting checklist is useful.
8. Watch for service account and shared credential traps
The ugliest offboarding tickets are the ones where a departed user’s account secretly runs something important.
Check for:
- Scheduled tasks running as the user
- Shared mailbox automations
- Power Automate or Zapier flows
- API tokens created under the user account
- GitHub deploy keys or personal access tokens
- Local services on servers
- Reports, dashboards, or database jobs owned by the user
- Shared credentials stored in browsers or spreadsheets
If you find one, do not leave it tied to the departed account “for now.” Move it to a proper service account or documented owner. “For now” is how you get an outage three months later when someone finally deletes the account.
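To make the checks in step 5 and this step concrete, here is an added example (not from the original post) that sweeps a set of servers for scheduled tasks, services and local Administrators membership still tied to the departing user. It assumes PowerShell remoting and admin rights on those hosts; the username and server names are constructed.

```powershell
# Added example, not from the original post: scan a list of servers for scheduled tasks,
# Windows services and local Administrators membership still tied to a departing user.
# Assumes PowerShell remoting (WinRM) is enabled and you hold admin rights on those hosts.
# The username and server names are constructed sample values.
param(
    [string]   $SamAccountName = 'jdoe',                       # sample
    [string[]] $ComputerName   = @('APP01', 'SQL01', 'FILE01') # sample servers
)

# Matches "jdoe", "CONTOSO\jdoe", ".\jdoe" and "jdoe@contoso.example" style principals
$pattern = '(^|\\)' + [regex]::Escape($SamAccountName) + '(@|$)'

$findings = Invoke-Command -ComputerName $ComputerName -ArgumentList $pattern -ScriptBlock {
    param($pattern)

    # Scheduled tasks whose run-as principal is the user
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName; RunAs = $_.Principal.UserId }
    }

    # Services whose logon account is the user
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName }
    }

    # Direct membership in the local Administrators group (the local admin rights from step 2)
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } | ForEach-Object {
            [pscustomobject]@{ Kind = 'LocalAdmin'; Name = 'Administrators'; RunAs = $_.Name }
        }
}

if ($findings) {
    # Each row is something to re-home to a service account or a named owner before deletion
    $findings | Sort-Object PSComputerName, Kind |
        Format-Table PSComputerName, Kind, Name, RunAs -AutoSize
} else {
    # The line you can paste into the ticket note
    "No service-account dependencies found for $SamAccountName on: $($ComputerName -join ', ')"
}
```

Unreachable hosts surface as remoting errors rather than silent gaps, so a clean run means every listed server was actually checked.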
Ticket note template
Use a clean note like this:
Verified HR offboarding request for Jane Doe, cutoff 2026-06-06 17:00 ET. Blocked Entra ID sign-in, revoked sessions, disabled VPN group access, removed M365 license after mailbox conversion, transferred OneDrive ownership to manager, removed shared mailbox permissions, confirmed laptop asset IT-0421 pending return via shipping label. No service-account dependencies found. Ticket closed after manager confirmation.
If something is blocked, say that directly:
Offboarding access removal complete except GitHub organization removal. Waiting on engineering manager approval because user owns two repositories and one deploy token. Account sign-in blocked and sessions revoked.
That is better than “done” when it is not actually done. For more examples, use our help desk ticket notes examples post.
Common mistakes
Deleting the account too fast
Disable first. Delete later only when retention policy says it is safe. Deleting too fast can remove mailbox access, file ownership, audit trails, and recovery paths.
Forgetting active sessions
A password reset or account disable may not immediately end every session in every app. Revoke sessions in the identity provider and critical SaaS tools.
Skipping SaaS apps
Disabling the directory account does not always remove access from every third-party app. Check SSO-integrated apps, but also check tools that keep their own local accounts and passwords.
Leaving manager access undocumented
If a manager gets mailbox or file access, note who approved it, what access was granted, and when it should be reviewed.
Treating contractors like employees
Contractors often have different systems, sponsors, expiration dates, and hardware ownership. Still use a checklist, but verify the contract workflow.
FAQ
Should IT delete the user account during offboarding?
Usually not immediately. Disable sign-in first, preserve data, remove access, and follow retention policy. Deletion can wait until the approved retention window.
Who should approve mailbox access after someone leaves?
Follow company policy. Usually HR, legal, the manager, or a data owner must approve it. Do not grant mailbox access from an informal chat request.
What is the difference between disabling an account and revoking sessions?
Disabling blocks new sign-ins. Revoking sessions forces existing signed-in sessions to re-authenticate or expire. For urgent offboarding, you normally want both.
Should offboarding include personal devices?
Yes, if personal devices had company access. Remove mobile mail profiles, revoke app sessions, wipe only managed corporate data when supported, and follow BYOD policy carefully.
Bottom line
Employee offboarding is an identity, data, device, and documentation workflow. The goal is not just “user cannot log in.” The goal is: no unauthorized access, no lost business data, no surprise broken automation, and a ticket record clean enough that nobody has to decode your thought process later.
If your team does offboarding from memory, turn this into a ticket template. Future-you will be less annoyed, which is basically the whole point of good IT documentation.