When someone leaves your business, whether it’s with flowers, fireworks, or a passive-aggressive goodbye Slack message, your offboarding job isn’t done when you disable their email.
The truth is, offboarding is one of the most overlooked security risks in a company. One missed step can leave your data wide open.
Here’s what you actually need to do.
Step 1: Kill the Digital Keys
1. Disable accounts (Microsoft 365, Google, SSO)
- Microsoft 365: Admin Center > Users > Active Users > Select user > Block sign-in > Delete or Archive as needed.
- Google Workspace: Admin Console > Directory > Users > Select user > Click “More” > Suspend user > Delete or Archive.
- SSO (Okta/Azure/JumpCloud/etc): Revoke access in the identity provider dashboard. Disable the user profile and revoke tokens.
2. Log out all active sessions
- Microsoft 365: Admin Center > User > Sign out of all sessions.
- Google: Admin Console > User > Security > Sign out of all sessions.
- SSO: Look for session termination options in your provider.
3. Remove from MFA devices
- Microsoft 365: Azure Portal > Users > MFA > Manage user settings > Clear registered devices.
- Google Workspace: Admin Console > User > Security > Remove 2-Step Verification.
- Auth Apps: Disable accounts from Authy, Google Authenticator, etc.
Step 2: Revoke Access to Tools
1. Chat apps
- Slack: Admin > Users > Deactivate.
- Microsoft Teams: Same as M365 user deactivation.
- Discord: Remove from server manually if used casually.
2. Project Management
- Jira/Atlassian: Admin > User Management > Deactivate.
- Asana/Trello: Remove user from each workspace or team.
3. File Storage
- Google Drive: Transfer ownership of shared files, remove sharing permissions.
- Dropbox: Admin Console > Members > Remove access.
- OneDrive: Transfer files, disable user via Microsoft 365.
4. CRM / Niche Tools
- Log in to each tool > Admin > Users > Remove or deactivate.
⚡ TIP: Maintain a master tool list (with owners) so you’re not playing detective every time.
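One way to put the master tool list to work, as an added example that is not part of the original post: check each tool's exported user list for the leaver and report who owns the clean-up. The CSV layout, addresses and file names are constructed assumptions.

```python
import csv
import io

# Constructed sample data; tool owners, addresses and file names are hypothetical.
TOOL_LIST = """tool,owner,export_file
Slack,alice@example.com,slack.csv
Jira,bob@example.com,jira.csv
Dropbox,,dropbox.csv
CRM,dave@example.com,crm.csv
"""
EXPORTS = {  # per-tool user exports; crm.csv was never pulled
    "slack.csv": "email,status\nSam.Leaver@Example.com,active\ncarol@example.com,active\n",
    "jira.csv": "email,status\nsam.leaver@example.com,deactivated\n",
    "dropbox.csv": "email,status\nsam.leaver+files@example.com,active\n",
}

def normalise(email):
    """Lower-case and drop plus-addressing so alias sign-ups still match."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def audit(departed_email, tool_list_csv, exports):
    """Return (tool, finding, owner) for every tool that still needs action."""
    target = normalise(departed_email)
    findings = []
    for tool in csv.DictReader(io.StringIO(tool_list_csv)):
        owner = tool["owner"] or "UNOWNED"
        export = exports.get(tool["export_file"])
        if export is None:
            # No export means nobody checked: report it rather than assume clean.
            findings.append((tool["tool"], "NOT AUDITED", owner))
            continue
        for row in csv.DictReader(io.StringIO(export)):
            active = row["status"].strip().lower() == "active"
            if active and normalise(row["email"]) == target:
                findings.append((tool["tool"], "STILL ACTIVE", owner))
    return findings

if __name__ == "__main__":
    for tool, finding, owner in audit("sam.leaver@example.com", TOOL_LIST, EXPORTS):
        print(f"{tool:8} {finding:12} owner: {owner}")
```

A tool with no owner or no export shows up in the report instead of passing silently, which is the gap the master list is meant to close.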
Step 3: Reset Shared Stuff
1. Shared Inboxes
- Microsoft 365/Google: Change passwords, update rules and delegates.
2. Social Media
- Change passwords immediately.
- Remove ex-user as page admin (especially on Facebook/LinkedIn).
3. Password Managers
- LastPass/1Password: Remove user from shared vaults or team.
- Spreadsheets: Update all entries, change passwords, and move to a secure manager.
Step 4: Clear the “Oh Right” Pile
1. Personal Devices
- Use MDM (e.g., Intune, Kandji, Jamf) to wipe company apps/data.
- Revoke OAuth tokens linked to mobile apps.
2. Saved Passwords in Browsers
- Shared browser? Clear saved credentials under settings.
- Google Account: Security > Third-party access > Remove.
3. Shared Calendars, Notes, Docs
- Remove from shared calendars in Outlook/Google.
- Revoke doc access or transfer ownership in Google Drive/Notion/Confluence.
4. API Tokens/Integrations
- Go into dev settings in each SaaS tool and disable tokens tied to the user.
- Rotate sensitive API keys that may have been exposed.
5. Email Rules/Forwarding
- Audit forwarding rules and auto-login setups in email clients.
- Microsoft: Admin Center > Mailflow > Rules.
- Google: Gmail Settings > Filters and Forwarding.
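The forwarding audit above, sketched as an added example that is not part of the original post: it scans an exported list of mailbox rules and flags any that send mail outside the company or to the leaver's address. The export columns, action names, domains and addresses are constructed assumptions, not a vendor format.

```python
import csv
import io

COMPANY_DOMAINS = {"example.com"}  # assumption: domains you control
FORWARDING_ACTIONS = {"forward", "redirect", "forward_as_attachment"}

# Constructed sample export of mailbox rules (hypothetical column names).
RULES_CSV = """mailbox,rule_name,action,target
sam.leaver@example.com,keep a copy,forward,sam.leaver@personal.example.net
sales@example.com,Sam cc,redirect,Sam.Leaver@example.com
sales@example.com,invoices,move_to_folder,Invoices
support@example.com,escalate,forward,alice@example.com
"""

def audit_rules(rules_csv, departed_email, company_domains):
    """Return (mailbox, rule_name, reason) for each rule that needs review."""
    departed = departed_email.strip().lower()
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        if row["action"].strip().lower() not in FORWARDING_ACTIONS:
            continue  # filing and labelling rules do not move mail elsewhere
        target = row["target"].strip().lower()
        domain = target.rpartition("@")[2]
        if domain not in company_domains:
            reason = "external forward"
        elif target == departed:
            # Internal today, but it breaks or leaks once the mailbox is
            # deleted, converted or reassigned.
            reason = "forwards to departed user"
        else:
            continue
        findings.append((row["mailbox"], row["rule_name"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(RULES_CSV, "sam.leaver@example.com", COMPANY_DOMAINS):
        print(" | ".join(finding))
```

Run it over shared mailboxes as well as the leaver's own, since a rule on a shared inbox survives the account being disabled.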
Step 5: Physical & Human Follow-Up
1. Physical Access
- Retrieve keys, ID cards, fobs, badges.
- Disable door codes and alarm codes (yes, even Bob’s “1234”).
- If using smart locks or building access systems (SALTO, Kisi, etc.), remove their user profile.
2. Human Wrapping-Up
- Announce their departure: Internally and clearly. Silence = chaos.
- Assign access transfers: Shared inboxes, files, workflows — make sure someone owns them now.
- Review remaining loose ends: Any scheduled meetings? Calendar invites? Team dependencies?
- Remove from informal comms: WhatsApp, Signal, Telegram, memes-only Slack channels.
- Exit interview follow-up (optional): Even for IT, some feedback is gold.
Final Wrap-Up:
- Confirm offboarding steps with IT lead
- Confirm access updates with HR
- Confirm all tools have been audited
- Confirm gut feeling: If it feels like something’s still open, it probably is
TL;DR: Offboarding is your last line of defence
It’s not just an HR task, it’s not just an IT chore, it’s how you stop a “quick goodbye” from turning into a six-month data breach with your name on it.
If you need help building a proper offboarding process, we can help.
Get in touch with us at Commercial Networks and we’ll help you close the loop without losing sleep.
Further Reading
1. Official Microsoft Offboarding Guidance
👉 https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/remove-former-employee
2. Google Workspace: Delete or Suspend a User
👉 https://support.google.com/a/answer/33314
3. NCSC (UK): Offboarding & User Access Management Guidance
👉 https://www.ncsc.gov.uk/collection/device-security-guidance/implementing-offboarding




