The Hidden Security Risk When Employees Leave: Why IT Offboarding Can't Be an Afterthought

According to research from the Ponemon Institute, nearly half of former employees still have access to corporate applications after they leave. A separate study by Beyond Identity found that one in four ex-employees could still log in to old work accounts. Let that sink in. There is a good chance someone who left your company months ago can still read your email, access your files, or poke around your systems right now.

Most small business owners think of offboarding as an HR function - collect the laptop, hand over the final paycheck, wish them well. The IT side of offboarding gets treated as a cleanup task that someone will "get to later." Later turns into never, and that is when problems start.

What Is Actually at Stake

A former employee with active credentials is not just a theoretical risk. Here is what can go wrong in very practical terms.

Data exfiltration. A departing employee - especially one who left on bad terms - can download client lists, financial records, proprietary documents, or intellectual property. If their account is still active, there is nothing stopping them from logging in remotely and taking whatever they want. You may not even notice until the damage is done.

SaaS subscriptions bleeding your budget. Every active user account tied to a paid SaaS license costs you money. If you are paying per-user fees for Microsoft 365, project management tools, CRM platforms, or any other cloud service, orphaned accounts are a direct line item you are paying for nothing. Multiply that by several departures over a year and the waste adds up fast.

Compliance violations. If your business handles healthcare data, financial records, or any information covered by regulations like HIPAA or state privacy laws, you are required to control who has access to that data. A former employee with active access is a compliance failure, full stop. If an auditor or regulator finds out, you are looking at fines and legal exposure.

Dormant accounts as attack vectors. Even if your former employee has no malicious intent, their old account is a target for attackers. Nobody is monitoring it. Nobody is around to notice an unexpected MFA prompt on it, and if MFA was never enforced for that account there is no second factor at all. If the person reused their work password on another service that later gets breached, an attacker can walk right in through an account nobody is watching.

The Microsoft Stack Offboarding Checklist

If your business runs on Microsoft 365 - and most of the businesses I work with do - here is what a proper IT offboarding process looks like, step by step. This is not optional. Every one of these steps matters.

1. Block Sign-In Immediately in Entra ID

The moment an employee's departure is confirmed, their sign-in must be blocked in Microsoft Entra ID (formerly Azure AD). This is step one, not step five. Open the user in the Entra admin center and set Account enabled to No (the Microsoft 365 admin center shows the same control as "Block sign-in"). From that point no new token is issued to the account, so they cannot log into email, Teams, SharePoint, or any connected application. If the account is synced from on-premises Active Directory, disable it there and run a sync; for synced users the cloud-side setting is mastered by the directory and cannot be changed in the portal.

Do this the same day, ideally the same hour as the employee's last moment on the job. Waiting until "IT gets around to it" is how breaches happen.

2. Revoke All Active Sessions

Blocking sign-in stops new logins, but the person may already have active sessions on their phone, laptop, or browser. Revoking sessions in Entra ID (the "Revoke sessions" button on the user, or revokeSignInSessions in Graph) invalidates every refresh token, so no app can silently renew its access. One caveat: an access token that was already issued stays valid until it expires, typically within an hour, unless the client and service support continuous access evaluation, which Exchange Online, SharePoint and Teams do. Combined with the sign-in block, this is as close to an immediate lockout as the platform gives you, rather than waiting for whatever token the person holds to age out.

3. Convert the Mailbox to Shared

Do not delete the mailbox right away. Convert it to a shared mailbox. This preserves all email history - which you may need for legal, compliance, or business continuity purposes - while freeing up the Exchange Online license. A shared mailbox under 50 GB does not require a paid license and can be accessed by a designated manager or team member. Two details matter here: the user must still hold its Exchange license at the moment of conversion (Exchange will not offer the option otherwise; remove the license afterwards, in step 6), and a shared mailbox that is on litigation hold, has an archive, or grows past 50 GB does need a license. Keep sign-in blocked on the underlying account as well; converting the mailbox does not by itself stop anyone from authenticating as that user.

4. Transfer OneDrive Ownership

The departing employee's OneDrive likely contains work files your business needs. Assign OneDrive access to their manager or a designated person before the account is fully deprovisioned. Microsoft keeps a deleted user's OneDrive for 30 days by default (the retention period is configurable in the SharePoint admin center, and with access delegation on, the manager recorded in Entra is notified and given access), but do not rely on that as your backup plan. Transfer the data intentionally as part of the process.

5. Wipe or Retire Devices via Intune

If the employee used a company-managed device enrolled in Microsoft Intune, initiate a remote wipe for company-owned hardware. For personal devices that were enrolled as BYOD, use the "Retire" action instead - this removes the company data, apps and profiles that Intune deployed while leaving personal files intact. If the person used work apps protected only by app protection policies, without device enrollment, issue a selective wipe from the Intune app protection blade as well. Either way, your business data needs to be removed from any device that person used. A device that is offline will not receive the command until it next checks in, so confirm the action completed rather than assuming it did.

6. Reclaim Licenses

Once the mailbox is converted and data is transferred, remove all Microsoft 365 licenses from the account. This includes the core license (Business Premium, E3, whatever you are on) plus any add-ons like Power BI, Visio, or Project. If licenses are assigned through group membership, removing the user from that group in the next step is what releases them; a group-assigned license cannot be removed directly. Every unreclaimed license is money you are throwing away each month.

7. Remove from Groups and Distribution Lists

Go through the former employee's group memberships - Microsoft 365 groups, security groups, distribution lists, Teams memberships, and SharePoint site access. Remove them from everything. A stale member in a security group can mean lingering permissions to sensitive resources even after the account is blocked, and those permissions come straight back if the account is ever re-enabled. Dynamic groups cannot be edited by hand: a blocked account still matches a membership rule unless the rule excludes it, so add a condition such as user.accountEnabled -eq true to the rules that guard sensitive resources. Clean it up completely.

8. Review Sign-In Logs

Before you close the book on the offboarding, pull the user's recent sign-in logs from Entra ID. Look for anything unusual in the days or weeks leading up to departure - logins from unexpected locations or unfamiliar apps, access to resources outside their normal scope. Do this promptly: Entra retains sign-in logs for only 7 days without an Entra ID P1 or P2 license, and 30 days with one. Bulk file downloads do not appear in the sign-in logs at all; for those, search the Microsoft 365 audit log in Purview for FileDownloaded and FileSyncDownloadedFull events under that user. If something looks wrong, you want to know about it now, not six months later during a breach investigation.
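
What the eight steps look like when scripted, as an added example that is not part of the original post or GridLogic IT's playbook. It uses the Microsoft Graph PowerShell SDK, the ExchangeOnlineManagement module and the SharePoint Online Management Shell, run by an admin who can consent to the scopes requested below. The SharePoint admin URL default, the manager UPN you pass in, and the output file names are placeholders for your tenant. It refuses to touch accounts synced from on-premises AD, since those must be disabled at the source.

```powershell
# Added example of steps 1-8 as one script; not GridLogic IT's playbook code. Placeholders:
# the SharePoint admin URL default, the manager UPN you pass in, and the output file names.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # departing employee
    [Parameter(Mandatory)][string]$ManagerUpn,          # receives mailbox and OneDrive access
    [string]$TenantAdminUrl = 'https://contoso-admin.sharepoint.com'   # assumption: your SPO admin URL
)
$ErrorActionPreference = 'Stop'   # a failed step must stop the run, not be silently skipped

$scopes = @('User.ReadWrite.All', 'Directory.ReadWrite.All', 'Group.ReadWrite.All', 'Files.Read.All',
    'AuditLog.Read.All', 'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All')
Connect-MgGraph -Scopes $scopes -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url $TenantAdminUrl

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, OnPremisesSyncEnabled
if ($user.OnPremisesSyncEnabled) {
    throw "$UserPrincipalName is synced from on-premises AD: disable it there and run a sync instead."
}
$upnFilter = $UserPrincipalName -replace "'", "''"            # escape apostrophes for OData filters
$out = ".\offboarding-$($UserPrincipalName -replace '[^\w.-]', '_')"

# 1. Block sign-in: no new tokens are issued to this account.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke sessions: refresh tokens die now. Access tokens already in hand last until they
#    expire (up to about an hour) unless the app supports continuous access evaluation.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Convert the mailbox while its license is still assigned (Exchange requires that), give
#    the manager full access, and hide the address from the GAL. Sign-in stays blocked.
Set-Mailbox -Identity $UserPrincipalName -Type Shared
Add-MailboxPermission -Identity $UserPrincipalName -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null
Set-Mailbox -Identity $UserPrincipalName -HiddenFromAddressListsEnabled $true

# 4. Make the manager a site collection admin of the OneDrive so the files can be moved out.
$oneDriveUrl = (Get-MgUserDefaultDrive -UserId $user.Id).WebUrl -replace '/Documents$', ''
Set-SPOUser -Site $oneDriveUrl -LoginName $ManagerUpn -IsSiteCollectionAdmin $true | Out-Null

# 5. Company-owned Intune devices are wiped; personal (BYOD) enrollments are retired.
foreach ($dev in Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upnFilter'" -All) {
    if ($dev.ManagedDeviceOwnerType -eq 'company') {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $dev.Id
    } else {
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $dev.Id
    }
}

# 6. Remove directly assigned licenses. Group-assigned ones cannot be removed here; they are
#    released when the group membership goes in step 7.
$skus = @(Get-MgUserLicenseDetail -UserId $user.Id).SkuId
if ($skus) { Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null }

# 7. Remove group memberships. Distribution lists and mail-enabled security groups belong to
#    Exchange; Microsoft 365 and plain security groups to Graph. Dynamic and on-prem-synced
#    groups cannot be edited here, so they are reported instead.
foreach ($obj in Get-MgUserMemberOf -UserId $user.Id -All) {
    $g = $obj.AdditionalProperties
    if ($g['@odata.type'] -ne '#microsoft.graph.group') { continue }
    if ($g['onPremisesSyncEnabled'] -or ($g['groupTypes'] -contains 'DynamicMembership')) {
        Write-Warning "Still in '$($g['displayName'])': synced or dynamic group, fix it at the source"
    } elseif ($g['mailEnabled'] -and -not ($g['groupTypes'] -contains 'Unified')) {
        Remove-DistributionGroupMember -Identity $g['mail'] -Member $UserPrincipalName -Confirm:$false
    } else {
        Remove-MgGroupMemberByRef -GroupId $obj.Id -DirectoryObjectId $user.Id
    }
}

# 8. Export the last 30 days of sign-ins (Entra keeps only 7 without a P1/P2 license) and the
#    file downloads from the unified audit log, which the sign-in log does not contain.
$since = (Get-Date).AddDays(-30)
$sinceUtc = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upnFilter' and createdDateTime ge $sinceUtc" |
    Select-Object CreatedDateTime, IPAddress, @{n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, @{n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Export-Csv -Path "${out}-signins.csv" -NoTypeInformation
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $UserPrincipalName `
    -Operations FileDownloaded, FileSyncDownloadedFull -ResultSize 5000 |
    Select-Object CreationDate, Operations, AuditData |
    Export-Csv -Path "${out}-downloads.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null; Disconnect-ExchangeOnline -Confirm:$false; Disconnect-SPOService
```

The order is deliberate: the block and the revoke happen before anything else because every later step takes minutes, and the mailbox is converted before the license is pulled because Exchange will not convert an unlicensed mailbox. The two CSV exports are the material for step 8's review; the AuditData column of the downloads file is JSON that names each file and the client IP.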

Automate This with an Offboarding Playbook

If you are reading that checklist and thinking "there is no way my team will remember all of that every time someone leaves," you are right. That is exactly the problem. Manual processes get skipped, especially when someone leaves unexpectedly or during a busy period.

The solution is a documented, repeatable offboarding playbook - a step-by-step checklist that your team follows every single time, no matter the circumstances. It removes the guesswork, ensures nothing falls through the cracks, and gives you a record that the process was completed.
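
One way to build the verification checkpoint into the playbook, as an added example that is not the playbook described on this page: a function that reads the tenant state back after the offboarding steps and returns one row per check, so the output can be filed as the completion record. It assumes an existing Connect-MgGraph session with read scopes (User.Read.All, Directory.Read.All, DeviceManagementManagedDevices.Read.All) and a Connect-ExchangeOnline session; the UPN and output file in the usage lines are placeholders.

```powershell
# Added example, not GridLogic IT's playbook: read the tenant back and report one row per check.
# Assumes Connect-MgGraph and Connect-ExchangeOnline have already been run with read permissions.
function Test-OffboardingComplete {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [datetime]$RevokedAfter = (Get-Date).AddDays(-1)   # sessions must have been revoked since this time
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, AccountEnabled, SignInSessionsValidFromDateTime
    $upnFilter = $UserPrincipalName -replace "'", "''"

    # Static memberships only: a dynamic group is decided by its rule, not by the offboarding admin.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All | Where-Object {
            $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and
            -not ($_.AdditionalProperties['groupTypes'] -contains 'DynamicMembership') })
    # A wiped or retired device stays listed until it reports back; a managementState of
    # 'managed' means no wipe or retire was ever issued for it.
    $active = @(Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upnFilter'" -All |
            Where-Object ManagementState -eq 'managed')
    $mailbox = Get-Mailbox -Identity $UserPrincipalName -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'Sign-in blocked'                  = -not $user.AccountEnabled
        'Sessions revoked after cutoff'    = $user.SignInSessionsValidFromDateTime -ge $RevokedAfter
        'Mailbox converted to shared'      = $mailbox.RecipientTypeDetails -eq 'SharedMailbox'
        'No licenses assigned'             = @(Get-MgUserLicenseDetail -UserId $user.Id).Count -eq 0
        'No static group memberships'      = $groups.Count -eq 0
        'No device still actively managed' = $active.Count -eq 0
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            User      = $UserPrincipalName
            Check     = $name
            Passed    = [bool]$checks[$name]
            CheckedAt = (Get-Date).ToString('o')
        }
    }
}

# Usage: keep the rows as the record and fail loudly if anything is still open.
$results = Test-OffboardingComplete -UserPrincipalName 'alice@contoso.com'   # placeholder UPN
$results | Export-Csv -Path '.\offboarding-verification.csv' -NoTypeInformation -Append
$open = @($results | Where-Object { -not $_.Passed })
if ($open.Count -gt 0) { Write-Error "Offboarding incomplete: $($open.Check -join ', ')" }
```

The session check works because revokeSignInSessions stamps signInSessionsValidFromDateTime on the user; if that timestamp predates the cutoff you pass in, nobody revoked anything. Running this a day after the departure, and again before the account is deleted, catches the steps that were started but never finished, such as a wipe that an offline laptop never received.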

This is something we build for every GridLogic IT client. Our client playbooks include structured offboarding procedures tailored to your specific environment - your license types, your SaaS applications, your compliance requirements. The playbook covers who is responsible for each step, the timeline for completion, and verification checkpoints to confirm everything was done.

Stop Treating Offboarding as an Afterthought

Every business has turnover. People leave for new opportunities, retire, get let go - it is a normal part of running a company. What is not normal is leaving the digital door wide open behind them.

Proper IT offboarding takes less than an hour when you have a playbook and someone who knows what they are doing. Cleaning up after a data breach caused by a dormant account takes weeks and costs orders of magnitude more.

If you do not have an offboarding process in place - or if your current process is "we will figure it out when it happens" - that is a problem worth fixing today. GridLogic IT can set up your offboarding playbook and make sure your Microsoft environment is locked down from day one. Reach out at gridlogicit.com.