Checklist

The IT employee offboarding checklist

Every step to securely offboard a departing employee across Microsoft 365 and Google Workspace — and how Passage runs the whole list as one gated, provable workflow.

The checklist

  1. Disable the account. accountEnabled=false (Entra) / suspended=true (Google). The login stops working now, not next business day.
  2. Revoke active sessions. revokeSignInSessions (Graph) / users.signOut (Admin SDK). Disabling alone can leave live tokens valid for a window — revoke them.
  3. Reclaim licenses. Remove paid M365 / Workspace seats so you stop paying for someone who left.
  4. Strip group and app access. Remove every group membership and app assignment — including app access granted through groups (the part manual offboarding misses).
  5. Handle the mailbox and data. Convert to shared, set delegation, or transfer ownership of Drive/OneDrive files per policy.
  6. Rotate shared secrets. Any shared passwords, API keys, or service credentials the person knew should be rotated.
  7. Deprovision SaaS seats. Slack, Zoom, GitHub, Salesforce, Atlassian — deactivate and reclaim paid seats.
  8. Return the device. Collect or remotely wipe assigned hardware. This should block completion until resolved.
  9. Record the evidence. Keep a timestamped, tamper-evident log of every action for SOC 2, HIPAA, NIST 800-171, and CMMC audits.
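Steps 1 and 2 of this list are the two that have to happen together and in the right order, so here they are as explicit API calls for both tenants. This is an added example, not Passage's implementation: the Graph and Directory API endpoints are the ones the steps above name, while `transport` is an injected stand-in for an authenticated HTTP client (it is assumed to add the bearer token), so the plan can be built and exercised offline without touching a real tenant.

```python
"""Checklist steps 1 and 2 as explicit API calls for Entra and Google Workspace.

Added example; not Passage's implementation. `transport` is an injected
stand-in for an authenticated HTTP client (it must add the bearer token),
so the plan can be built and exercised offline.
"""
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
ADMIN_SDK = "https://admin.googleapis.com/admin/directory/v1"

# (HTTP method, URL, JSON body)
Request = Tuple[str, str, Dict[str, object]]
Transport = Callable[[str, str, Dict[str, object]], int]


def entra_lockout_plan(user_id: str) -> List[Request]:
    """Disable the Entra account, then revoke every refresh/session token.

    Disable comes first: once accountEnabled is false no new token can be
    issued, so the revoke that follows leaves nothing valid behind.
    """
    return [
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", {}),
    ]


def workspace_lockout_plan(user_key: str) -> List[Request]:
    """Suspend the Workspace user, then sign out all active sessions."""
    return [
        ("PATCH", f"{ADMIN_SDK}/users/{user_key}", {"suspended": True}),
        ("POST", f"{ADMIN_SDK}/users/{user_key}/signOut", {}),
    ]


def execute(plan: List[Request], transport: Transport) -> List[Dict[str, object]]:
    """Run the plan in order and stop at the first non-2xx response.

    Stopping matters: if the disable fails, a session revoke on its own
    would only log the user out until they sign back in.
    """
    results: List[Dict[str, object]] = []
    for method, url, body in plan:
        status = transport(method, url, body)
        results.append({"method": method, "url": url, "status": status})
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {url} returned HTTP {status}; later steps not attempted")
    return results


def fake_transport_factory(fail_on: str = ""):
    """Constructed offline transport: records calls and returns 204,
    or 403 for any URL ending in `fail_on` (to exercise the stop-on-failure path)."""
    calls: List[Request] = []

    def transport(method: str, url: str, body: Dict[str, object]) -> int:
        calls.append((method, url, body))
        return 403 if fail_on and url.endswith(fail_on) else 204

    return transport, calls


if __name__ == "__main__":
    transport, calls = fake_transport_factory()
    for step in execute(entra_lockout_plan("leaver@example.com"), transport):
        print(step)
```

Swap `fake_transport_factory` for a real client that attaches a token with the relevant directory write and session-revoke permissions, and the same two plans run against a live tenant; keep the stop-on-failure behaviour, because a run that revoked sessions but never disabled the account looks finished in a log while still leaving the door open.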

Why a paper checklist isn't enough

A checklist tells a human what to do; it doesn't do it, and it doesn't prove it was done. The failure mode is always the same: a step gets skipped under time pressure, an account stays enabled, and months later an audit — or a breach — finds it. Passage turns this exact checklist into a leaver run: automated steps execute the disable/revoke/reclaim actions, human steps (device, mailbox) are tracked to completion with an owner, and a closure gate refuses to mark the run complete until every critical step is done or explicitly waived with a reason. See offboarding software for the full picture.

Keep the proof

Each completed run emits a hash-anchored evidence record mapped to the access-control and termination controls auditors ask about — SOC 2 CC6.x, HIPAA §164.308(a)(3), NIST 800-171 3.1.x / 3.5.x, NIST CSF PR.AA, ISO 27001 A.5.18. You did the offboarding anyway; now it counts as audit evidence too. See the compliance mapping.
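The closure gate described under "Why a paper checklist isn't enough" and the hash-anchored evidence record described here are one mechanism seen from two sides, so a single added example covers both. This is illustrative code, not Passage's, and it assumes its own step names (mirroring the checklist), its own choice of which steps are critical, and a plain SHA-256 hash chain as the tamper-evidence format.

```python
"""Closure gate plus hash-chained evidence log for one leaver run.

Added example, not Passage's code. Step names mirror the checklist above;
which steps count as critical, and the record layout, are this example's
own assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

GENESIS = "0" * 64
# Steps the gate refuses to close without a done/waived status (assumed set).
CRITICAL_STEPS = {"disable_account", "revoke_sessions", "strip_access", "return_device"}


def _digest(record: Dict[str, object]) -> str:
    """Canonical JSON so the hash does not depend on key order."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class LeaverRun:
    def __init__(self, user: str) -> None:
        self.user = user
        self.status: Dict[str, str] = {}
        self.entries: List[Dict[str, object]] = []

    def _append(self, **fields: object) -> None:
        record = dict(fields, user=self.user,
                      ts=datetime.now(timezone.utc).isoformat(),
                      prev=self.entries[-1]["hash"] if self.entries else GENESIS)
        # The hash covers `prev`, so editing or dropping any earlier entry breaks the chain.
        record["hash"] = _digest(record)
        self.entries.append(record)

    def complete(self, step: str, actor: str) -> None:
        self.status[step] = "done"
        self._append(step=step, result="done", actor=actor)

    def waive(self, step: str, actor: str, reason: str) -> None:
        if not reason.strip():
            raise ValueError("a waiver must carry a reason")
        self.status[step] = "waived"
        self._append(step=step, result="waived", actor=actor, reason=reason)

    def close(self) -> str:
        """The closure gate: refuse unless every critical step is done or waived."""
        open_steps = sorted(s for s in CRITICAL_STEPS if s not in self.status)
        if open_steps:
            raise RuntimeError(f"run cannot close; unresolved critical steps: {open_steps}")
        self._append(step="close", result="closed")
        return str(self.entries[-1]["hash"])  # the anchor kept with the audit evidence


def verify_chain(entries: List[Dict[str, object]]) -> bool:
    """Recompute every hash; an edited, removed or reordered entry fails."""
    prev = GENESIS
    for entry in entries:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != entry["hash"]:
            return False
        prev = str(entry["hash"])
    return True


if __name__ == "__main__":
    run = LeaverRun("leaver@example.com")
    for step in ("disable_account", "revoke_sessions", "strip_access"):
        run.complete(step, "automation")
    run.waive("return_device", "it-lead", "laptop reported lost; remote wipe issued")
    print("anchor:", run.close(), "chain ok:", verify_chain(run.entries))
```

The anchor returned by `close()` is what you file against the control (SOC 2 CC6.x, HIPAA §164.308(a)(3) and the rest): anyone holding the log can rerun `verify_chain` and confirm nothing was altered after the fact, and a waived step is visible as a waiver with its reason rather than silently passing as done.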

Checklist questions, answered

What is the most important offboarding step?

Disabling the account and revoking active sessions, done together. Disabling alone can leave existing tokens valid for a window; revoking sessions invalidates them so the user is truly locked out at once.

Should you delete or disable a departing user's account?

Disable first, delete later (if at all). Disabling preserves the mailbox, files, and audit trail while immediately blocking access. Many organizations convert the mailbox to shared and retain the disabled account for a retention period before deletion.

Run the checklist as one provable workflow.

Local-first, no card, no implementation call.

Start free