
Employee Onboarding and Offboarding IT Security Checklist

Peter Nelson

Secure your business during staff transitions. Use our IT security checklist for seamless and secure employee onboarding and offboarding.

Staff transitions are one of the highest-risk periods for business IT security. When a new employee joins, they need access to the right systems quickly — delays cost productivity. When someone leaves, especially on bad terms, failure to revoke access promptly creates a serious security exposure.

This checklist covers both directions: what to do when someone starts, and what to do when someone leaves.


Why Staff Transitions Create Security Risk

Onboarding risk: Provisioning too much access, too quickly, without documented approval. The principle of least privilege — users should have access only to what their role requires — is frequently violated during rushed onboarding.

Offboarding risk: Departed employees retaining active credentials, with ongoing access to company email, cloud storage, financial systems, and CRMs. In a 2024 study, 56% of IT professionals reported that former employees still had access to company systems after departure. This is not theoretical — the majority of insider threat incidents involve former employees with un-revoked access.


IT Onboarding Checklist

Before Day One

  • Create user account in Microsoft Entra ID (Azure AD) — do not reuse a former employee’s account
  • Assign Microsoft 365 licence appropriate to role
  • Add to the correct security groups (controls SharePoint, Teams, and application access)
  • Provision email address and confirm mailbox is active
  • Configure MFA enforcement — the account should require MFA from first login
  • Add to relevant Teams channels and SharePoint sites
  • Create accounts in line-of-business applications (CRM, accounting software, practice management, etc.) with approval from the responsible manager
  • Prepare hardware: laptop or desktop configured, enrolled in Intune, compliance policies applied, corporate apps deployed
  • If applicable: provision desk phone extension or Teams Phone licence
  • Configure VPN access if required for role

Day One

  • Provide hardware to employee
  • Walk through IT security policies (password requirements, MFA setup, acceptable use)
  • Set up Microsoft Authenticator (or equivalent MFA app) on employee’s mobile device
  • Confirm email is working and correctly configured on all devices
  • Confirm access to required SharePoint sites and Teams channels
  • Confirm access to line-of-business applications
  • Complete mandatory security awareness training (if your organisation uses a platform like KnowBe4)
  • Add to security awareness training programme

Access Documentation

For each new employee, maintain a written record of:

  • Systems they have been granted access to
  • Permission level (admin, standard user, read-only)
  • Date access was granted
  • Approving manager

This record becomes the offboarding checklist when they leave.


IT Offboarding Checklist

Immediately on Notice or Termination

For involuntary terminations or high-risk departures, these steps should happen before or simultaneously with the employee being notified:

  • Disable Microsoft Entra ID account — this immediately blocks all Microsoft 365 access (email, SharePoint, Teams, OneDrive)
  • Revoke all active Microsoft 365 sessions (sign out of all devices in Entra ID admin centre)
  • Disable or change VPN credentials
  • Disable accounts in all line-of-business applications

Within 24 Hours

  • Preserve the departed employee’s mailbox contents — do not delete immediately. Configure as a shared mailbox or place on litigation hold for a period appropriate to your retention policy (minimum 90 days for most businesses)
  • Set up email forwarding or auto-reply as required
  • Transfer ownership of OneDrive files to the manager or a designated colleague
  • Remove from all Teams channels and SharePoint sites
  • Review shared accounts — if the departed employee knew credentials for any shared accounts, change those passwords immediately
  • Reclaim the Microsoft 365 licence if it will not be immediately reassigned

Within One Week

  • Collect hardware — laptop, phone, accessories
  • Wipe the device using Intune (remote wipe) before reassigning
  • Review the access log for any unusual activity in the days before departure
  • Remove from security awareness training programme
  • Update IT asset inventory

Final Review (30 Days After Departure)

  • Confirm no active authentication tokens remain (check Entra ID sign-in logs)
  • Confirm email forwarding is working as intended or has been removed
  • Confirm no accounts were missed — cross-check the access record created during onboarding
  • Archive or delete the employee’s account according to your data retention policy
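
One way to carry out the sign-in log check in the final review, as an added example that is not from the original article. It reads a constructed JSON export whose field names follow the Microsoft Graph signIn resource and separates the leaver's successful sign-ins after the disable time (findings) from blocked attempts; the user names, addresses and timestamps are made up.

```python
import json
from datetime import datetime, timezone

# Constructed sample (not real data). Field names follow the Microsoft Graph
# signIn resource; errorCode 0 is success, 50057 means the account is disabled.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2025-03-03T08:58:10Z", "userPrincipalName": "j.leaver@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:20:44Z", "userPrincipalName": "j.leaver@example.com",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-04T22:15:02Z", "userPrincipalName": "J.Leaver@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50057}},
    {"createdDateTime": "2025-03-03T09:30:00Z", "userPrincipalName": "a.colleague@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
])
# Constructed time at which the account was disabled (UTC).
DISABLED_AT = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-03-03T09:20:44Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def post_disable_signins(export_json, upn, disabled_at):
    """Return (succeeded, blocked) sign-ins for upn after disabled_at.

    succeeded entries are findings; blocked entries show the disable worked
    but that someone is still trying the credentials.
    """
    succeeded, blocked = [], []
    for event in json.loads(export_json):
        # UPNs are case-insensitive, so compare in lower case.
        if event["userPrincipalName"].lower() != upn.lower():
            continue
        if parse_ts(event["createdDateTime"]) <= disabled_at:
            continue
        row = (event["createdDateTime"], event["appDisplayName"], event["ipAddress"])
        (succeeded if event["status"]["errorCode"] == 0 else blocked).append(row)
    return succeeded, blocked


if __name__ == "__main__":
    print(post_disable_signins(SAMPLE_EXPORT, "j.leaver@example.com", DISABLED_AT))
```

Any row in the first list means a sign-in still succeeded after the recorded disable time and should be investigated before the account is archived.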

Common Gaps to Audit

Personal email used for business systems: When SaaS applications are signed up with a personal email rather than a corporate address, the company has no visibility or control. Conduct a SaaS audit — ask staff what tools they use, and confirm all business systems are provisioned under corporate credentials.

Shared credentials: Applications where the whole team shares a single login create an offboarding problem — the departed employee cannot be removed without changing the password for everyone. Move to individual accounts wherever possible.

Admin accounts: If the departed employee had local admin rights or admin access to cloud services, audit and revoke these specifically — standard account access and admin access are separate revocations.

Client-facing accounts: In businesses where staff have direct client relationships — email aliases, CRM contacts, shared inboxes — ensure client communications are transitioned before the account is disabled.

Physical access: IT offboarding does not end with digital accounts. Collect physical keys, access cards, and any hardware not already returned.
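
The access record from the Access Documentation section, and the cross-check in the 30-day final review, can be kept as structured data rather than free text. The following is an added example, not part of the original article: the field names, task wording and sample record are assumptions for illustration, and it treats admin rights and shared logins as separate tasks, as the gaps above recommend.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    system: str            # e.g. "Microsoft 365", "CRM"
    level: str             # "admin", "standard" or "read-only"
    granted: date          # date access was granted
    approver: str          # approving manager
    shared: bool = False   # True when the whole team shares one login


def offboarding_tasks(record):
    """Turn the onboarding access record into ordered revocation tasks."""
    tasks = []
    # Admin access is a separate revocation, so admin grants are handled first.
    for g in sorted(record, key=lambda g: (g.level != "admin", g.system)):
        if g.shared:
            # A shared login cannot be removed per person; rotate the password.
            tasks.append(f"rotate shared password: {g.system}")
            continue
        if g.level == "admin":
            tasks.append(f"revoke admin role: {g.system}")
        tasks.append(f"disable account: {g.system}")
    return tasks


def missed_access(record, active_now):
    """Final review: compare the record with systems where the leaver is
    still active. Returns (recorded but still active, active but never recorded)."""
    recorded = {g.system for g in record}
    return sorted(recorded & active_now), sorted(active_now - recorded)


# Constructed sample record for one leaver (hypothetical names, not real data).
RECORD = [
    Grant("Microsoft 365", "standard", date(2023, 2, 6), "A. Manager"),
    Grant("CRM", "admin", date(2023, 2, 6), "A. Manager"),
    Grant("Accounting", "read-only", date(2023, 3, 1), "B. Manager"),
    Grant("Social media login", "standard", date(2023, 5, 9), "A. Manager", shared=True),
]
# Constructed result of checking each system's user list 30 days after departure.
ACTIVE_NOW = {"CRM", "Project tool"}

if __name__ == "__main__":
    print("\n".join(offboarding_tasks(RECORD)))
    print(missed_access(RECORD, ACTIVE_NOW))
```

An entry in the second list returned by `missed_access` is an account that was never written into the record, which is the situation the SaaS audit above is meant to catch.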


Automating Onboarding and Offboarding

Manual checklists are better than nothing, but they rely on the checklist being followed every time. A managed IT provider can automate significant parts of the process:

Intune-based provisioning: New devices enrolled in Intune automatically receive the correct apps, policies, and configurations based on the user’s Entra ID group membership.

Entra ID group-based access: Assigning a user to the correct groups on day one automatically provisions access to all SharePoint sites, Teams channels, and applications that use Entra ID authentication. Removing them from groups on departure automatically revokes access across all integrated systems.

Lifecycle workflows: Microsoft Entra ID Governance supports automated lifecycle workflows — tasks triggered on hire date or termination date that provision or deprovision accounts without manual intervention.


CX IT Services manages IT onboarding and offboarding for Melbourne businesses, including automated provisioning, access audits, and hardware lifecycle management. Book a Right Fit Call to discuss securing your staff transition process.
