Operations · 5 min read
What to do, technically, when an employee leaves
Offboarding is when most security incidents quietly happen. A simple checklist eliminates most of the risk.
Offboarding is one of those tasks that feels obvious until you're doing it under time pressure on a Friday afternoon. Done in the wrong order, you lose access to a project folder, leave a mailbox open to abuse, or delete an account whose files nobody knew were important.
Here's the checklist I use, in the order it should happen.
Before the last day
- Agree the handover plan. Who picks up the leaver's projects, inbox and shared responsibilities? Put it in writing.
- Identify what they own. Shared mailboxes they manage, SharePoint or Drive folders, third-party tool admin accounts, domain registrar, Companies House, banking, Mailchimp, social media. The leaver is the best person to list these, so ask them.
- Transfer ownership of files and folders to the new owner, not just access. Ownership matters when the account is later disabled or deleted.
- Schedule the access changes for a specific time, ideally the end of their last working day, not a vague "sometime next week".
On the last day
- Reset the password and revoke active sessions across Microsoft 365 or Google Workspace. This signs them out of every device immediately.
- Disable the account, don't delete it yet. Deletion starts a clock you can't always reverse.
- Remove from all groups, distribution lists and Teams/Workspaces that should no longer include them.
- Convert the mailbox to a shared mailbox (Microsoft 365) or set up email delegation (Google Workspace) so colleagues can monitor incoming mail without paying for a full licence.
- Set up an auto-reply pointing senders to the correct colleague.
- Revoke access to third-party tools, password manager, design tools, accounting, CRM, hosting, anywhere they had a login. The shared password list you've been meaning to tidy up matters here.
- Collect or wipe the laptop and phone. With MDM in place, a remote wipe is a two-click operation. Without it, you're chasing hardware.
- Revoke building access, alarm codes, key fobs if relevant.
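The Microsoft 365 steps above (reset, revoke sessions, disable, remove from groups, convert to shared, auto-reply), as an added example script that is not part of the original post. It uses the Microsoft Graph PowerShell SDK and Exchange Online PowerShell; the leaver and colleague addresses are constructed placeholders, and it assumes you run it as an administrator.

```powershell
# Added example: last-day offboarding for a Microsoft 365 user, in the order the post gives.
# Requires: Install-Module Microsoft.Graph, ExchangeOnlineManagement (run once beforehand).
param(
    [string]$Leaver    = 'leaver@example.com',    # constructed placeholder
    [string]$Successor = 'colleague@example.com'  # constructed placeholder
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All','GroupMember.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Leaver -Property Id,DisplayName,UserPrincipalName,AccountEnabled

# 1. Reset the password to a random value and revoke every sign-in session first, so a
#    cached token on a phone or laptop does not keep working after the account is disabled.
$newPassword = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Disable, don't delete: mailbox and OneDrive stay intact for the policy window.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 3. Remove from every cloud group. Dynamic-membership groups and Exchange distribution
#    groups cannot be removed this way; they are reported so you can handle them by hand.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object {
        $group = $_
        $name  = $group.AdditionalProperties['displayName']
        try {
            Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop
            Write-Host "Removed from group: $name"
        } catch {
            Write-Warning "Could not remove from '$name', check manually: $($_.Exception.Message)"
        }
    }

# 4. Convert to a shared mailbox (no licence needed) and give the successor full access.
Set-Mailbox -Identity $Leaver -Type Shared
Add-MailboxPermission -Identity $Leaver -User $Successor -AccessRights FullAccess -AutoMapping $true | Out-Null

# 5. Auto-reply pointing senders at the right colleague.
$reply = "This mailbox is no longer monitored. Please contact $Successor."
Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Enabled -InternalMessage $reply -ExternalMessage $reply

Write-Host "Offboarded $($user.DisplayName): sessions revoked, account disabled, mailbox shared."
```

Third-party tools, MDM wipe and building access are outside the tenant and still need doing separately; keep the script's output with the handover record so the later ownership audit has a starting point.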
In the following weeks
- Audit shared drives and SharePoint for anything still owned by the leaver. Reassign ownership before the account is deleted.
- Check scheduled tasks, automations and integrations that may have been set up under their account. Power Automate flows, Zapier zaps, scripts that send reports, all of these break silently when the account is disabled.
- Watch the shared mailbox for the next 60 days for anything important.
After 90 days (or your policy window)
- Back up the mailbox and OneDrive to your independent backup platform if you haven't already.
- Delete the user account to free up the licence.
- Update your asset list to reflect the returned hardware.
The things that go wrong
- The leaver was the sole admin on the domain registrar, the website host, the Google Workspace tenant. Always have at least two admins on every critical platform, ideally one of them not a day-to-day user account.
- Personal accounts were used for business work. Their personal Dropbox or Gmail walks out the door with them. Centralising onto a business platform fixes this before it's an issue.
- Nobody remembered the Mailchimp login until the next newsletter was due. A shared password manager solves this once.
If you'd like a leaver checklist tailored to your setup, or help recovering access after an offboarding that didn't go to plan, get in touch.