User Offboarding, Access Reviews, and Security
Offboarding removes the access that shouldn't persist.
Last updated: March 20, 2026
Your bookkeeper quit. She was with you for seven years. She knew everything — the accounting software, the banking passwords, the vendor logins.
Did you disable her accounts?
If you're not sure, you have a problem. Former employees with active access are one of the most common sources of insider threats and security breaches.
What this solves
Prevents unauthorized access. Former employees can't access what they've been removed from.
Protects sensitive data. Customer lists, financial data, proprietary information — limit who can reach it.
Reduces compliance risk. SOC 2, HIPAA, and cyber insurance all expect documented access controls and offboarding.
Maintains audit trails. When someone left, what did they have access to, and when was it removed?
Prevents credential misuse. Old passwords for SaaS apps, VPN access, cloud consoles — all should be disabled.
What can go wrong
No formal offboarding process. Accounts stay active "just in case" or because nobody remembered to disable them.
Disabled account, active mobile apps. You disable the Office 365 account, but they still have the Outlook app on their phone with cached credentials.
Shared accounts. Three people used the admin password for the legacy system. One leaves. Now what?
No inventory of what they had access to. Did she have access to the payroll system? The CRM? The vendor portal? Nobody knows.
Offboarding happens days later. She gave two weeks' notice. Her access stayed active for 14 more days. That's a long time.
Rehires. Someone leaves and comes back six months later. Do you create a new account? Reactivate the old one? Track continuity?
What to offboard
Disable the account first; everything else comes second. Don't hold off so IT can prepare. Do it immediately, the moment you know.
Email and communication tools. Microsoft 365, Google Workspace, Slack, Teams, whatever you use.
VPN access. Remote access to your network.
SaaS applications. CRM, accounting, project management, vendor portals, anything with login credentials.
Physical access. Building keys, key cards, garage openers.
Devices. Laptops, phones, tablets. Get them back or wipe them.
Software licenses. Reclaim the license for another employee.
Shared credentials. If they knew shared passwords, change those passwords.
What it costs (honest ranges)
Manual offboarding: $0 if IT handles it. But its effectiveness depends on documentation and consistency.
Automated offboarding (Okta, Azure AD, OneLogin): $2-$8 per user per month. When you offboard someone, integrations automatically disable access across all connected apps.
MSP-managed offboarding: Usually included in managed services. If not, $50-$200 per offboarding event.
Security incident from former employee: Depends on what they did. Data theft, fraud, sabotage — costs range from thousands to millions.
Minimum viable implementation
- Create an offboarding checklist. List every system, who disables access, and when. Template below.
- Automate what you can. If someone leaves, disable their account. Use directory sync between your HR system and IT.
- Conduct an access review before offboarding. Before they leave, review what they had access to. Find anything unexpected.
- Do it immediately. The moment someone gives notice or you decide to terminate, disable access. Don't wait.
- Document everything. Who was offboarded, when, and what was disabled. Keep this record.
Access review schedule
Quarterly: Review all active accounts. Find anyone who shouldn't be there: former employees, contractors whose engagements ended, temporary staff.
Before major changes: When an employee changes roles, review their old access. Remove what they no longer need.
Annual comprehensive review: Deep dive into admin accounts, shared accounts, and service accounts.
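The "automate what you can" step and the quarterly review above both come down to the same check: reconcile the directory's enabled accounts against the HR roster. This is an added example, not code from the page; it uses constructed sample data (the usernames, dates and the 90-day dormancy threshold are all assumptions) in place of a real directory export and HR system.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inputs (not from any real system): a directory export of
# accounts with their last sign-in, and the HR roster it should agree with.
DIRECTORY = [  # (username, enabled, last_login)
    ("alice", True, date(2026, 3, 18)),
    ("bob", True, date(2026, 3, 1)),          # left on 3/6, never disabled
    ("carol", False, date(2026, 1, 4)),       # correctly disabled
    ("dave", True, date(2026, 3, 19)),        # contractor whose engagement ended
    ("erin", True, date(2025, 11, 1)),        # current employee, but dormant
    ("svc-backup", True, date(2026, 3, 19)),  # nobody in HR owns this one
]
HR = {  # username -> (status, end_date or None)
    "alice": ("active", None),
    "bob": ("terminated", date(2026, 3, 6)),
    "carol": ("terminated", date(2026, 1, 5)),
    "dave": ("contractor", date(2026, 2, 28)),
    "erin": ("active", None),
}
TODAY = date(2026, 3, 20)  # constructed review date
DORMANT_DAYS = 90          # assumed threshold; pick one that fits your environment

@dataclass
class Finding:
    user: str
    reason: str
    days: int  # how long the problem has existed

def review(directory, hr, today):
    """Return every enabled account that the HR roster says should not be."""
    findings = []
    for user, enabled, last_login in directory:
        if not enabled:
            continue  # already offboarded; nothing to do
        rec = hr.get(user)
        if rec is None:
            # Shared and service accounts land here: assign an owner or disable.
            findings.append(Finding(user, "enabled but no HR record", 0))
            continue
        status, end = rec
        if status == "terminated":
            findings.append(Finding(user, "terminated but still enabled", (today - end).days))
        elif end is not None and end < today:
            findings.append(Finding(user, f"{status} past end date", (today - end).days))
        elif (today - last_login).days > DORMANT_DAYS:
            findings.append(Finding(user, "dormant account", (today - last_login).days))
    return findings

if __name__ == "__main__":
    for f in review(DIRECTORY, HR, TODAY):
        print(f"{f.user:12} {f.reason:30} {f.days} days")
```

Run on a real export, the `days` column is the audit-trail number that matters: how long after the last day the access actually survived.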
Vendor questions (copy/paste)
Ask your IT vendor or MSP:
- Do you have an offboarding checklist or process?
- How quickly is access disabled when someone leaves?
- Can you show me a list of all active accounts?
- Do you conduct periodic access reviews?
- What happens to shared accounts when someone leaves?
Ask your SaaS vendors:
- Can we see who has admin access?
- Is there an API to programmatically disable users?
- Do you support directory sync (SCIM)?
Offboarding checklist template
Employee: _______________
Last Day: _______________
Reason: [Resignation / Termination / Contract End]
Immediate Actions (Before End of Day):
☐ Disable account in directory (AD/Azure/Google)
☐ Disable email access
☐ Disable VPN access
☐ Revoke mobile app access (if applicable)
Within 24 Hours:
☐ Disable CRM access
☐ Disable accounting software access
☐ Disable project management access
☐ Disable any other SaaS applications
☐ Change any shared passwords they knew
☐ Retrieve company devices
Within 1 Week:
☐ Remove from security groups and permissions
☐ Disable software licenses (reclaim for others)
☐ Review audit logs for activity before offboarding
☐ Document any access they had that's not captured above
Completed by: _______________
Date completed: _______________
Former employees are former trust relationships. Treat offboarding with the same seriousness you treat onboarding, and you'll close one of the most common security gaps in SMB environments.