
The Complete IT Offboarding Checklist: 27 Steps You Can't Afford to Miss

HR sends you an email at 4:47 PM on a Friday: "John's last day is today." You have 13 minutes before he walks out the door with active credentials to your entire environment. Here's every step you need to cover — and how to make sure none of them slip through the cracks.

Tags: Offboarding, Active Directory, M365, Security, Compliance

Why offboarding is the most dangerous gap in IT ops

Onboarding gets all the attention. New hire starts Monday, everything needs to work — email, VPN, badge, laptop. There's urgency, there's a deadline, there's a human standing at the front desk waiting. So onboarding gets checklists, workflows, and automation.

Offboarding gets a Slack message from HR at 5 PM.

The problem is that a missed step during onboarding means someone can't access a file share. A missed step during offboarding means a terminated employee still has access to your SharePoint, your email, your CRM, and potentially your customer data. One is an inconvenience. The other is a data breach waiting to happen.

According to the 2024 Ponemon Institute study, 48% of organizations have experienced a security incident caused by a former employee or contractor who still had active access. Nearly half. That's not a theoretical risk — it's the default outcome when offboarding is done manually and inconsistently.

This checklist covers everything. Print it, pin it to your monitor, or better yet — automate it so you never have to think about it again.

The complete checklist

Organized by phase. Each step includes what to do, why it matters, and the PowerShell command where applicable.


Phase 1: Immediate actions (Day 0)

Do these before the employee walks out the building. Every minute of delay is a minute they have active credentials.

1. Disable the AD account

Don't delete — disable. Deletion destroys the SID and you can never recover it. Disabling immediately revokes all Kerberos authentication while preserving the account for compliance and audit purposes.

Disable-ADAccount -Identity "jsmith"

2. Reset the password

Even after disabling, reset the password to a random value. Some services cache credentials, and a disabled account with a known password is one re-enable away from compromise.

# GeneratePassword lives in System.Web, which has to be loaded first and is
# only available in Windows PowerShell 5.1 (not PowerShell 7 / .NET Core)
Add-Type -AssemblyName System.Web
Set-ADAccountPassword -Identity "jsmith" -Reset `
  -NewPassword (ConvertTo-SecureString `
    ([System.Web.Security.Membership]::GeneratePassword(24,4)) `
    -AsPlainText -Force)

3. Revoke all active sessions

Disabling the AD account doesn't kill existing sessions. The user can continue using Outlook, Teams, and SharePoint until their token expires — which could be hours. Force sign-out from Entra.

# Revoke all refresh tokens (requires Microsoft.Graph module)
Revoke-MgUserSignInSession -UserId "jsmith@contoso.com"

4. Block sign-in in Entra ID

If you're hybrid (AD + Entra), wait for the sync or block directly in Entra. Cloud-only apps like third-party SaaS won't respect the on-prem disable until Entra Connect syncs — which might be 30 minutes away.

# Block sign-in immediately in Entra
Update-MgUser -UserId "jsmith@contoso.com" -AccountEnabled:$false

5. Disable VPN and remote access

If your VPN doesn't use AD authentication (some use local accounts or certificates), disable VPN access separately. Check your VPN appliance, RDP gateway, and any jump servers for local accounts.

6. Collect hardware

Laptop, phone, badge, security keys, MFA hardware tokens, USB drives. If the employee is remote, initiate the return shipping process immediately — every day you wait reduces the likelihood of getting hardware back.
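
The scripted Day-0 steps (1 through 4) wrapped into a single function, as an added example rather than the post's own script: every step is attempted even if the previous one failed, each outcome is recorded so it can feed the compliance report in step 26, and the description stamp from step 19 is written right away so the audit trail exists even if later phases slip. It assumes the ActiveDirectory and Microsoft.Graph modules and an existing Connect-MgGraph session with the User.ReadWrite.All and User.RevokeSessions.All scopes; it swaps the post's System.Web password generator for .NET's RandomNumberGenerator so it runs on both Windows PowerShell 5.1 and PowerShell 7. The ticket value and the sample identity are constructed placeholders.

```powershell
# Added example (not the post's script): checklist steps 1-4 plus the step 19
# stamp, run as one unit with a per-step result record.
function Invoke-Day0Offboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$Ticket = 'TICKET-PLACEHOLDER',   # constructed placeholder
        [switch]$DryRun                            # report what would run, change nothing
    )

    $report   = New-Object System.Collections.Generic.List[object]
    $operator = "$env:USERDOMAIN\$env:USERNAME"

    # Runs one step and records the outcome instead of aborting, because a
    # failure in step 2 must never stop steps 3 and 4 from running.
    function Invoke-Step([int]$Number, [string]$Name, [scriptblock]$Action) {
        $entry = [pscustomobject]@{
            Timestamp = (Get-Date).ToString('s'); User = $UserPrincipalName
            Step = $Number; Action = $Name; Status = 'DryRun'; Detail = ''; By = $operator
        }
        if (-not $DryRun) {
            try   { & $Action; $entry.Status = 'OK' }
            catch { $entry.Status = 'FAILED'; $entry.Detail = $_.Exception.Message }
        }
        $report.Add($entry)
    }

    Invoke-Step 1 'Disable AD account' {
        Disable-ADAccount -Identity $SamAccountName
    }
    Invoke-Step 2 'Reset AD password to a random value' {
        # 32 random bytes -> 44-character Base64 string; works on 5.1 and 7.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPassword = [Convert]::ToBase64String($bytes)
        Set-ADAccountPassword -Identity $SamAccountName -Reset `
            -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
        # The new password is deliberately not logged or returned anywhere.
    }
    Invoke-Step 3 'Revoke Entra refresh tokens' {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }
    Invoke-Step 4 'Block Entra sign-in' {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    }
    Invoke-Step 19 'Stamp AD description' {
        Set-ADUser -Identity $SamAccountName `
            -Description "Offboarded $(Get-Date -Format yyyy-MM-dd) by $operator | Ticket $Ticket"
    }

    return $report
}

# Usage with a constructed identity; drop -DryRun to apply the changes:
Invoke-Day0Offboarding -SamAccountName 'jsmith' -UserPrincipalName 'jsmith@contoso.com' `
    -Ticket '#4521' -DryRun | Format-Table Step, Action, Status, Detail
```

Run it with -DryRun first to confirm the identities resolve; the returned records can be appended straight into the same CSV the compliance report uses. Steps 5 and 6 are left out on purpose because they touch systems that are not scriptable from here.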

Phase 2: Same-day actions

Complete these within the same business day. They're important but won't cause immediate security exposure if done a few hours after the employee's departure.

7. Convert mailbox to shared

Don't delete the mailbox. Convert it to a shared mailbox so the manager or replacement can access it. This preserves emails for compliance and ensures nothing falls through the cracks during transition.

# Convert to shared mailbox (Exchange Online)
Set-Mailbox -Identity "jsmith@contoso.com" -Type Shared

# Grant access to the manager
Add-MailboxPermission -Identity "jsmith@contoso.com" `
  -User "manager@contoso.com" -AccessRights FullAccess -AutoMapping $true

8. Set up email forwarding or auto-reply

Set an auto-reply informing senders that the employee has left and providing an alternative contact. Optionally forward incoming mail to the manager for a transition period (30-90 days).

# Set auto-reply
Set-MailboxAutoReplyConfiguration -Identity "jsmith@contoso.com" `
  -AutoReplyState Enabled `
  -ExternalMessage "John Smith is no longer with Contoso. Please contact support@contoso.com." `
  -InternalMessage "John Smith has left the company. Please contact their manager, Jane Doe."

9. Remove from all distribution lists and security groups

The user shouldn't continue receiving team emails or retain group-based permissions. Remove from all groups except any needed for compliance holds.

# Remove from all AD groups (except Domain Users)
$User = Get-ADUser "jsmith" -Properties MemberOf
$User.MemberOf | ForEach-Object {
  Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false
}

10. Remove M365 licenses

Each unused license costs money. Remove all assigned licenses — but only after converting the mailbox to shared (shared mailboxes don't need a license for mailboxes under 50 GB).

# Remove all licenses
$Licenses = (Get-MgUserLicenseDetail -UserId "jsmith@contoso.com").SkuId
Set-MgUserLicense -UserId "jsmith@contoso.com" `
  -RemoveLicenses $Licenses -AddLicenses @()

11. Transfer OneDrive files

OneDrive data is deleted 30 days after the account is deleted (or the license is removed in some configs). Transfer ownership to the manager immediately. Don't wait for someone to ask "where are John's files?"

12. Reassign Teams ownership and channels

If the user was an owner of any Teams, transfer ownership before removing them. A Team with no owners becomes unmanageable — no one can add members, change settings, or delete it.

13. Revoke app-specific passwords and API keys

Check for app passwords (legacy MFA), OAuth app consents, and any API keys or service connections the user may have created. These don't get revoked when you disable the AD account — they're separate credential stores.

Phase 3: Within 48 hours

Administrative cleanup that should happen within two business days.

14. Revoke third-party SaaS access

Salesforce, Slack, Zoom, Jira, Confluence, GitHub, AWS, and every other SaaS app the user had access to. If you're using SSO through Entra, disabling the account handles most of these. But check for local accounts — many SaaS apps allow username/password login that bypasses SSO.

15. Remove MFA registrations

Delete registered authentication methods — authenticator app, phone numbers, FIDO2 keys. A disabled account with MFA intact can be re-enabled by a malicious insider and immediately used with the original MFA device.
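
One way to do this from Microsoft Graph, as an added example that is not part of the post: enumerate every authentication method registered on the account, then remove each type through its own Graph cmdlet, skipping the password method (which cannot be deleted, only reset, which step 2 already did). It assumes the Microsoft.Graph.Identity.SignIns module and a Connect-MgGraph session with UserAuthenticationMethod.ReadWrite.All; the type-to-cmdlet map covers the method types the SDK exposes today and the sample identity is constructed.

```powershell
# Added example (not from the post): strip every removable MFA registration
# and emit one result row per method for the compliance report.
function Remove-OffboardedUserAuthMethods {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$DryRun
    )

    # Graph @odata.type -> the cmdlet that deletes that method type.
    # passwordAuthenticationMethod is intentionally absent: it is not deletable.
    $removers = @{
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id }
        '#microsoft.graph.phoneAuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id }
        '#microsoft.graph.fido2AuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $id }
        '#microsoft.graph.softwareOathAuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id }
        '#microsoft.graph.emailAuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationEmailMethod -UserId $u -EmailAuthenticationMethodId $id }
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $u -WindowsHelloForBusinessAuthenticationMethodId $id }
        '#microsoft.graph.temporaryAccessPassAuthenticationMethod' =
            { param($u, $id) Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $u -TemporaryAccessPassAuthenticationMethodId $id }
    }

    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserPrincipalName) {
        $type  = $m.AdditionalProperties['@odata.type']
        $entry = [pscustomobject]@{
            User   = $UserPrincipalName
            Type   = $type -replace '^#microsoft\.graph\.', ''
            Id     = $m.Id
            Result = ''
        }
        if (-not $removers.ContainsKey($type)) { $entry.Result = 'Skipped (not removable)' }
        elseif ($DryRun)                        { $entry.Result = 'DryRun' }
        else {
            try   { & $removers[$type] $UserPrincipalName $m.Id; $entry.Result = 'Removed' }
            catch { $entry.Result = "FAILED: $($_.Exception.Message)" }
        }
        $entry
    }
}

# Usage with a constructed identity; drop -DryRun to apply:
Remove-OffboardedUserAuthMethods -UserPrincipalName 'jsmith@contoso.com' -DryRun | Format-Table
```

Run it once in dry-run mode to see what the account has registered, then for real. If a removal fails because the method is still the user's default sign-in method, rerun after the other methods are gone; keep the output rows, since "what MFA was removed and when" is exactly what an auditor asks for.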

16. Remove from conditional access exclusions

Check if the user was in any CA policy exclusion groups. Users sometimes get excluded from MFA requirements or location-based policies for troubleshooting and never get removed. Clean those up.

17. Wipe managed mobile devices

If the user had company data on a personal phone (BYOD with Intune MAM), trigger a selective wipe to remove company data. For company-owned devices, do a full wipe. Don't forget tablets.

18. Move AD account to Disabled Users OU

Move the disabled account to a dedicated "Disabled Users" OU. This OU should have a GPO that blocks all logon rights, and it keeps your active OUs clean. It also makes it easy to audit how many disabled accounts you're carrying.

Move-ADObject -Identity (Get-ADUser "jsmith").DistinguishedName `
  -TargetPath "OU=Disabled Users,DC=contoso,DC=com"

19. Update the AD description field

Stamp the account with the departure date, who processed it, and a ticket number. Six months from now when someone asks "is this account still active?", you'll have the answer without digging through email.

Set-ADUser -Identity "jsmith" -Description "Offboarded 2026-03-05 by IT | Ticket #4521"

Phase 4: Within one week

Data retention, compliance, and documentation.

20. Place litigation hold (if required)

If legal or HR requires data preservation (terminations for cause, pending lawsuits, regulatory investigations), place the mailbox and OneDrive on litigation hold before removing licenses. This ensures data is preserved indefinitely regardless of other retention policies.

21. Archive home drive and profile data

Copy the user's home drive (H:), roaming profile, and any department-shared data they owned to an archive location. Compress and label it with the username and departure date. Set a calendar reminder to delete it per your retention policy (typically 90 days to 1 year).

22. Update shared credentials and service accounts

If the departing employee knew any shared passwords (conference room accounts, service accounts, shared admin credentials, Wi-Fi PSK), rotate them. This is the step everyone forgets, and it's the one that comes back to bite you.

23. Remove from phone system and voicemail

Reassign or remove their DID, update the auto-attendant or call queue, and clear voicemail. Nothing says "we don't have it together" like a customer calling and reaching a terminated employee's voicemail six months later.

24. Update physical access (badge, alarm codes)

Deactivate the employee's badge in your access control system. If they had alarm codes, door codes, or safe combinations, change them. Coordinate with facilities if physical access is managed by a different team.

25. Reimage the laptop

Once hardware is returned and any needed data is archived, wipe and reimage the device. Add it back to your deployment pipeline so it's ready for the next new hire. Update your asset management system with the new status.

26. Generate compliance report

Document everything you did: what was disabled, when, who processed it, what was archived, and what was deleted. This report is your proof of due diligence. When the auditor asks "how do you handle offboarding?", you hand them this.

27. Schedule account deletion

Set a reminder to delete the disabled AD account after your retention period expires (typically 90-180 days). Disabled accounts sitting in AD for years create clutter, confuse auditors, and can be weaponized if someone re-enables them. Automate this with a scheduled task that purges accounts past their retention date.
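
A scheduled purge that builds on the step 18 OU and the step 19 description stamp, added here as an example and not the post's script: it reads the "Offboarded YYYY-MM-DD" date out of each account's description, deletes only disabled accounts past the retention period, flags any enabled account found inside the Disabled Users OU, and writes a CSV of what it decided. It assumes the ActiveDirectory module and the OU path and description format used in this checklist; without -Commit it only reports.

```powershell
# Added example (not from the post): retention-based purge of the Disabled
# Users OU, driven by the "Offboarded YYYY-MM-DD" stamp from step 19.
function Remove-ExpiredDisabledAccounts {
    param(
        [string]$SearchBase   = 'OU=Disabled Users,DC=contoso,DC=com',   # the post's example OU
        [int]$RetentionDays   = 180,
        [string]$ReportPath   = "$env:TEMP\ad-purge-$(Get-Date -Format yyyyMMdd).csv",
        [switch]$Commit       # without -Commit nothing is deleted
    )

    $cutoff = (Get-Date).Date.AddDays(-$RetentionDays)
    $stamp  = '^Offboarded (\d{4}-\d{2}-\d{2})'

    $candidates = Get-ADUser -SearchBase $SearchBase -Filter * -Properties Description

    $rows = foreach ($u in $candidates) {
        $action = 'Keep'; $reason = ''
        if ($u.Enabled) {
            # An enabled account in this OU means someone re-enabled it:
            # report it loudly, never delete it silently.
            $action = 'ALERT'; $reason = 'Enabled account inside Disabled Users OU'
        } elseif ($u.Description -notmatch $stamp) {
            $reason = 'No offboarding stamp; review manually'
        } else {
            $offboarded = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd',
                              [cultureinfo]::InvariantCulture)
            if ($offboarded -le $cutoff) {
                $action = 'Delete'
                $reason = "Offboarded $($Matches[1]), past $($RetentionDays)-day retention"
            } else {
                $reason = "Offboarded $($Matches[1]); $(($offboarded - $cutoff).Days) retention days left"
            }
        }
        if ($action -eq 'Delete' -and $Commit) {
            try   { Remove-ADUser -Identity $u -Confirm:$false; $action = 'Deleted' }
            catch { $action = 'FAILED'; $reason = $_.Exception.Message }
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName; Action = $action
            Reason = $reason; Description = $u.Description
        }
    }

    $rows | Export-Csv -Path $ReportPath -NoTypeInformation
    $rows
}

# Usage: run weekly from a scheduled task, review the CSV, then add -Commit.
Remove-ExpiredDisabledAccounts -RetentionDays 180 | Format-Table SamAccountName, Action, Reason
```

The ALERT row is the detection value here: an account that is enabled again inside the Disabled Users OU is exactly the "someone re-enables them" case the checklist warns about, and this run surfaces it before the account is old enough to be deleted and forgotten.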

Why you should automate this

Twenty-seven steps. Even if you're fast, that's 45-60 minutes of manual work per departure. And that assumes you remember every step, every time, under pressure, at 5 PM on a Friday.

You won't. Nobody does.

In a manual process, the most commonly missed steps are: revoking active sessions (step 3), removing from distribution lists (step 9), revoking third-party SaaS access (step 14), and rotating shared credentials (step 22). These are also the steps with the highest security impact.

Automating steps 1-13 with PowerShell takes offboarding from a 45-minute manual process to a 2-minute script execution. The script handles the AD disable, password reset, session revocation, mailbox conversion, group removal, license removal, and compliance report generation in a single run. You feed it a CSV of departures, press Enter, and get a compliance report at the end.
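
The same-day steps driven from a CSV, with the report the paragraph describes, as an added example and not the post's product script: for each departure it snapshots group memberships and licenses into the report first, converts the mailbox and grants the manager access (step 7), strips group memberships (step 9), removes licenses after the conversion (step 10), and writes the result to a CSV (step 26). It assumes the ActiveDirectory, ExchangeOnlineManagement and Microsoft.Graph modules with Connect-ExchangeOnline and Connect-MgGraph already done; the CSV columns SamAccountName, UserPrincipalName and ManagerUpn are a constructed convention.

```powershell
# Added example (not the post's script): CSV-driven steps 7, 9 and 10 with a
# before-snapshot and a compliance report.
function Invoke-SameDayOffboarding {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$ReportPath = "$env:TEMP\offboarding-report-$(Get-Date -Format yyyyMMdd-HHmm).csv",
        [switch]$DryRun
    )

    $report = New-Object System.Collections.Generic.List[object]
    function Write-Entry($Upn, $Step, $Status, $Detail) {
        $report.Add([pscustomobject]@{
            Timestamp = (Get-Date).ToString('s'); User = $Upn
            Step = $Step; Status = $Status; Detail = $Detail })
    }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.UserPrincipalName

        # Snapshot before removing anything: the report must show what the
        # account HAD, so access can be explained (or restored) later.
        $groups = (Get-ADUser $row.SamAccountName -Properties MemberOf).MemberOf
        $skus   = (Get-MgUserLicenseDetail -UserId $upn).SkuPartNumber
        Write-Entry $upn 'Snapshot' 'OK' ("Groups: " + ($groups -join ';') + " | Licenses: " + ($skus -join ';'))

        if ($DryRun) { Write-Entry $upn 'Steps 7,9,10' 'DryRun' 'No changes made'; continue }

        # Step 7: convert to shared, then give the manager FullAccess.
        try {
            Set-Mailbox -Identity $upn -Type Shared
            Add-MailboxPermission -Identity $upn -User $row.ManagerUpn `
                -AccessRights FullAccess -AutoMapping $true | Out-Null
            Write-Entry $upn '7 Convert mailbox' 'OK' "FullAccess granted to $($row.ManagerUpn)"
        } catch { Write-Entry $upn '7 Convert mailbox' 'FAILED' $_.Exception.Message }

        # Step 9: one row per group so a single failure is visible.
        foreach ($g in $groups) {
            try   { Remove-ADGroupMember -Identity $g -Members $row.SamAccountName -Confirm:$false
                    Write-Entry $upn '9 Remove group' 'OK' $g }
            catch { Write-Entry $upn '9 Remove group' 'FAILED' "$g : $($_.Exception.Message)" }
        }

        # Step 10 last, after the conversion: a shared mailbox under 50 GB needs no license.
        try {
            $skuIds = (Get-MgUserLicenseDetail -UserId $upn).SkuId
            if ($skuIds) { Set-MgUserLicense -UserId $upn -RemoveLicenses $skuIds -AddLicenses @() | Out-Null }
            Write-Entry $upn '10 Remove licenses' 'OK' ($skus -join ';')
        } catch { Write-Entry $upn '10 Remove licenses' 'FAILED' $_.Exception.Message }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Compliance report written to $ReportPath"
    $report
}

# Usage (constructed path); drop -DryRun to apply:
Invoke-SameDayOffboarding -CsvPath 'C:\offboarding\departures.csv' -DryRun | Format-Table User, Step, Status, Detail
```

Anything with Status FAILED is the to-do list for the next morning; the snapshot row is what lets you answer "what did this person have access to?" six months later without the account still existing.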

Steps 14-27 are harder to fully automate because they involve systems outside your scripting environment (physical access, hardware logistics, SaaS admin panels). But you can automate the tracking — generate a task list for each departure with due dates for each phase, and use your ticketing system to ensure nothing gets missed.

Offboarding pitfalls that will burn you

Deleting the account instead of disabling it

Once an AD account is deleted, the SID is gone forever. You can create a new account with the same username, but it won't have the same SID — so it won't have access to any resources the original account owned. If legal later needs that user's data or access history, you're stuck. Always disable first, delete on a schedule.

Forgetting about service accounts they created

IT staff and developers create service accounts, scheduled tasks, and Azure app registrations tied to their identity. When they leave, those automations keep running — until the account gets deleted and everything breaks at once. Audit service accounts and app registrations for the departing user's ownership.
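
An audit that finds this automation before the account is deleted, added as an example and not from the post: it lists the Entra app registrations and service principals the user owns, then queries a set of servers for scheduled tasks whose principal is the departing user. It assumes a Connect-MgGraph session with Application.Read.All and Directory.Read.All, WinRM access to the listed servers, and that the SDK returns ownership results as generic directory objects with displayName in AdditionalProperties; the server names and identity are constructed placeholders.

```powershell
# Added example (not from the post): inventory of owned app registrations,
# service principals and scheduled tasks for a departing user.
function Get-DepartingUserAutomation {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Servers = @('app01.contoso.com', 'app02.contoso.com')   # constructed
    )

    # 1. Entra objects the user owns. Get-MgUserOwnedObject returns a mixed
    #    list of directory objects; the concrete type is in @odata.type.
    Get-MgUserOwnedObject -UserId $UserPrincipalName -All | ForEach-Object {
        $type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        if ($type -in 'application', 'servicePrincipal') {
            [pscustomobject]@{
                Kind  = "Entra $type"
                Name  = $_.AdditionalProperties['displayName']
                Where = $_.Id
                Note  = 'Add a second owner before the account is deleted'
            }
        }
    }

    # 2. Scheduled tasks that run as DOMAIN\user or bare user on each server.
    $pattern = '(^|\\)' + [regex]::Escape($SamAccountName) + '$'
    foreach ($s in $Servers) {
        try {
            Invoke-Command -ComputerName $s -ScriptBlock {
                Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $using:pattern }
            } | ForEach-Object {
                [pscustomobject]@{
                    Kind  = 'Scheduled task'
                    Name  = $_.TaskName
                    Where = "$s$($_.TaskPath)"
                    Note  = 'Re-point to a dedicated service account'
                }
            }
        } catch {
            # A server that cannot be queried is itself a finding, not silence.
            [pscustomobject]@{ Kind = 'Scheduled task'; Name = '(query failed)'; Where = $s; Note = $_.Exception.Message }
        }
    }
}

# Usage with constructed identities:
Get-DepartingUserAutomation -UserPrincipalName 'jsmith@contoso.com' -SamAccountName 'jsmith' | Format-Table
```

Run this on Day 0, before the password reset in step 2 breaks any task that still runs under the user's credentials, and attach the output to the offboarding ticket so the reassignment work is tracked rather than discovered.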

Not coordinating with HR on timing

If HR terminates the employee at 2 PM but doesn't tell IT until 5 PM, there's a 3-hour window where a terminated employee has full access. Establish an SLA with HR: IT gets notified at least 2 hours before the employee's departure for voluntary exits, and simultaneously for involuntary terminations. Build this into your HR system if possible — automated ticket creation on status change.

The "we'll clean it up later" trap

You disable the account and promise yourself you'll handle the mailbox, groups, and license removal tomorrow. Tomorrow becomes next week. Next week becomes never. Now you have 47 disabled accounts still consuming licenses at $22/month each. That's $12,408/year in wasted M365 licenses. Automate or batch-process the cleanup within 24 hours.

Skip the manual work. Automate offboarding today.

Our User Offboarding Script automates steps 1-13 of this checklist in a single PowerShell run. Disable accounts, reset passwords, convert mailboxes, strip licenses, remove group memberships, and generate a compliance report — all from a CSV of departures.

  • Bulk offboarding from CSV — process 50 departures in 2 minutes
  • Compliance report generated automatically for every run
  • Dry-run mode to preview changes before executing

Need the full lifecycle? The Employee Lifecycle Kit ($69) bundles onboarding, name changes, and offboarding scripts together — everything you need from Day 1 to last day.