Project Phases
Implementation Roadmap
Phase 1: Access Revocation
Day 1
- Disable user sign-in in Microsoft Entra ID (block sign-in toggle)
- Revoke all active sessions and refresh tokens via Entra ID portal
- Reset user password to a random complex string
- Remove all MFA methods from the user account
- Convert user mailbox to shared mailbox (retains data without license)
- Disable ActiveSync and OWA access on the mailbox
Phase 2: Data Preservation
Days 1-2
- Export or archive mailbox contents per retention policy
- Transfer OneDrive for Business file ownership to manager or designated user
- Place litigation hold on mailbox if required by legal or compliance
- Document all shared mailbox and distribution list memberships before removal
- Back up any Teams chat data or channel files owned by the departing user
Phase 3: Device & License Recovery
Days 2-3
- Initiate Intune remote wipe or selective wipe on company-owned devices
- Retire personal (BYOD) devices from Intune management
- Recover physical hardware (laptop, monitors, peripherals) and document serial numbers
- Remove all Microsoft 365 license assignments from the user account
- Unassign any third-party app licenses (Adobe, Zoom, etc.) tied to the user
Phase 4: Security Audit
Days 3-4
- Review Entra ID sign-in logs for any suspicious activity in the final 30 days
- Check for mail forwarding rules or inbox rules configured by the user
- Verify no external sharing links remain active in OneDrive or SharePoint
- Remove user from all Entra ID security groups and Teams memberships
- Remove user from all distribution lists and Microsoft 365 groups
- Check for any delegated access or app registrations tied to the user
Phase 5: Closure & Documentation
Day 5
- Confirm all sign-in access is fully blocked (test with known credentials)
- Update internal asset inventory and hardware tracking spreadsheet
- Archive or delete user account per company retention policy timeline
- Send offboarding completion confirmation to HR and hiring manager
- File completed offboarding checklist in project documentation
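A read-only check of the Phase 1, 3 and 4 outcomes listed above, suitable for the Phase 5 confirmation step. This is an added example, not part of the original checklist; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, and the UPN is a constructed placeholder.

```powershell
# Added example: read-only offboarding verification. Makes no changes to the tenant.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed
# and the operator holds read permissions. The default UPN is a constructed placeholder.
param([string]$Upn = 'departing.user@example.com')

Connect-MgGraph -Scopes 'User.Read.All','GroupMember.Read.All'
Connect-ExchangeOnline

$findings = [System.Collections.Generic.List[string]]::new()

# Phase 1: sign-in must be blocked
$user = Get-MgUser -UserId $Upn -Property Id,AccountEnabled,AssignedLicenses
if ($user.AccountEnabled) { $findings.Add('Sign-in is still enabled') }

# Phase 3: no Microsoft 365 licenses should remain assigned
if ($user.AssignedLicenses.Count -gt 0) {
    $findings.Add("$($user.AssignedLicenses.Count) license(s) still assigned")
}

# Phase 4: no group or directory role memberships should remain
$memberships = @(Get-MgUserMemberOf -UserId $user.Id -All)
if ($memberships.Count -gt 0) {
    $findings.Add("$($memberships.Count) group/role membership(s) remain")
}

# Phase 1: mailbox converted to shared, ActiveSync and OWA disabled
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    $findings.Add("Mailbox type is $($mbx.RecipientTypeDetails), not SharedMailbox")
}
$cas = Get-CASMailbox -Identity $Upn
if ($cas.ActiveSyncEnabled) { $findings.Add('ActiveSync is still enabled') }
if ($cas.OWAEnabled)        { $findings.Add('OWA is still enabled') }

# Phase 4: mailbox-level forwarding and inbox rules that send mail elsewhere
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    $findings.Add('Mailbox-level forwarding is configured')
}
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object { $findings.Add("Inbox rule '$($_.Name)' forwards or redirects mail") }

if ($findings.Count -eq 0) {
    Write-Output "PASS: no outstanding access found for $Upn"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Because the script only reads state, the second reviewer in the two-person verification can run it independently and attach the output to the filed checklist.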
Your Team
Dedicated Project Team
Professionals assigned to your offboarding project.
- Identity Specialist: Account Disablement & Revocation
- Data Protection Analyst: Mailbox & File Preservation
- Endpoint Engineer: Device Wipe & Recovery
- Security Analyst: Access Audit & Verification
- IT Project Coordinator: HR Liaison & Documentation
Key Information
Project Guidelines
Success Criteria
- All user access revoked within 1 hour of notification
- Zero unauthorized access after offboarding completion
- All company data preserved and transferred to designated owner
- Hardware recovered and accounted for in asset inventory
- Offboarding documentation filed and confirmation sent to HR
- License reclaimed and available for reassignment
Risk Mitigation
- Immediate access revocation before any other offboarding steps
- Litigation hold applied before any mailbox modifications if legal flag exists
- Two-person verification on complete access removal
- Screenshot all sign-in log anomalies for security review
- Maintain 90-day soft-delete window before permanent account deletion
Communication Plan
- HR triggers offboarding via secure request form or email to IT
- IT confirms receipt and begins access revocation within 30 minutes
- Status updates sent to HR at each phase completion
- Final completion report emailed to HR and departing employee's manager
- Post-offboarding review if any security concerns identified