TL;DR: Inconsistent IT onboarding wastes new staff time and creates security gaps. Poor offboarding is a genuine security incident waiting to happen — former employees retaining access to company systems is one of the most common insider threat vectors. This checklist covers both processes end to end.
Why Most Businesses Get This Wrong
Ask any IT manager to describe their onboarding and offboarding processes and you will hear one of three things: “We have a checklist somewhere,” “We just do what the manager asks,” or “It depends on the person.” None of these is a process. All of them produce inconsistent results.
The consequences differ by direction. Poor onboarding mainly affects productivity — a new employee who spends two weeks without the right access or tools is frustrated and less effective. Poor offboarding is a security event. A former employee who can still access company email, SharePoint, accounting software, or client systems has the ability and (sometimes) the motive to do real damage.
Both checklists are provided here. Use them together — they are two halves of the same process.
Part 1: IT Onboarding Checklist
Before the First Day
Trigger: HR notifies IT of a new hire with start date, role, manager, and department — a minimum of 5 business days before the start date.
- Create Microsoft 365 user account with correct name, display name, and username format
- Assign correct Microsoft 365 licence (Business Basic, Business Standard, or Business Premium as appropriate to role)
- Add user to correct security groups and distribution lists for their department
- Set up multi-factor authentication enforcement — user will complete setup on day one
- Create email signature template with correct name, title, and company details
- Set up Teams membership: company-wide channels plus relevant team channels
- Grant SharePoint access to appropriate document libraries and sites for their role
- Set up shared mailbox access if required (e.g., support@, accounts@)
- Create or configure VPN access if remote work is part of their role
- Order hardware if required — laptop, monitor, keyboard, mouse, headset
- Prepare the device: enrol it via Windows Autopilot or configure it manually with the company baseline
- Install required software: confirm with manager what applications the role requires
- Assign seat in office and confirm workstation is ready
- Prepare a new employee IT welcome email covering: login credentials, helpdesk contact, password policy, acceptable use policy link
Reference: See Top 10 IT Policies Template — new employees should receive and sign the Acceptable Use Policy and Password Policy before or on day one.
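The "before the first day" steps above, as an added example in Microsoft Graph PowerShell (this is not code from the original checklist or from CX IT Services). It assumes the Microsoft.Graph module, an operator holding the scopes requested, and placeholder names, domain, group names and SKU part number that you replace with your tenant's values.

```powershell
# Added example: provision a new starter in Microsoft 365 with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the operator holds the scopes requested
# below. Names, the domain, group names and the SKU part number are placeholders for your tenant.
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","Organization.Read.All"

# Random one-time password; the user must change it at first sign-in. Hand it over through a
# secure channel as part of the welcome email process, never in the welcome email itself.
$bytes = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

$newHire = @{
    GivenName         = "Jane"                          # placeholder
    Surname           = "Example"                       # placeholder
    DisplayName       = "Jane Example"
    UserPrincipalName = "jane.example@contoso.example"  # placeholder UPN in your username format
    MailNickname      = "jane.example"
    JobTitle          = "Accounts Officer"
    Department        = "Finance"
    UsageLocation     = "AU"                            # required before a licence can be assigned
    AccountEnabled    = $true
    PasswordProfile   = @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
}
$user = New-MgUser @newHire

# Licence by SKU part number ("SPB" is Business Premium; run Get-MgSubscribedSku to see yours).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "SPB"
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# Department security group and Teams membership (Teams are backed by Microsoft 365 groups).
foreach ($groupName in @("All Staff", "Finance")) {            # placeholder group names
    $group = Get-MgGroup -Filter "displayName eq '$groupName'"
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Day-one check. MFA enforcement itself comes from your Conditional Access policy; this
# confirms the user actually registered a strong method rather than stopping at the password.
function Test-StrongMfaRegistered([string]$UserId) {
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId
    $strong  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
               '#microsoft.graph.fido2AuthenticationMethod'
    return [bool]($methods | Where-Object { $_.AdditionalProperties['@odata.type'] -in $strong })
}
# Run after the new starter finishes the day-one walkthrough:
# Test-StrongMfaRegistered -UserId $user.Id
```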
Day One
- Meet new employee at their workstation to complete setup walkthrough
- Walk through login: Microsoft 365 account, initial password change
- Complete MFA setup: register Authenticator app (primary) + backup phone number
- Confirm email is working (send and receive test)
- Confirm Teams is working (send a test message, join a test call)
- Log in to all required business applications — confirm access is working
- Show employee how to connect to company VPN if applicable
- Show employee printer locations and how to add them
- Provide helpdesk contact information and how to log a support ticket
- Confirm employee has received and acknowledged IT policies
First Week
- Confirm employee can access all required SharePoint sites and shared drives
- Confirm all software licences are assigned and applications are working
- Set up any additional application accounts (CRM, accounting software, project management)
- Add employee to relevant password manager team vault entries (shared credentials they will need)
- Confirm backup of their laptop is running and that the device is enrolled in device management
- Follow up with employee and manager — any access gaps or missing tools?
Role-Specific Access
Different roles require different access levels. Document and apply these consistently:
All staff (minimum):
- Microsoft 365 account with MFA
- Company Teams channels
- SharePoint common areas (policies, company information)
- Printer access
- VPN (if remote work applicable)
Finance/Accounts:
- Accounting software access (Xero, MYOB, QuickBooks)
- Financial SharePoint libraries with appropriate permissions
- Bank portal access (requires separate authorisation process)
Management:
- Additional SharePoint access to management documents
- Staff roster and HR system access
- Reporting dashboards
IT/Admin:
- Elevated permissions documented and approved
- Admin accounts separate from day-to-day accounts
- See Top 10 IT Policies Template for admin privilege policy
Part 2: IT Offboarding Checklist
When Triggered
The offboarding process must be triggered the moment a resignation is received or a termination decision is made — not the day before the person leaves, and certainly not after they walk out the door.
Immediate action on notification of departure:
- IT notified of the exact last day, whether the departure is voluntary or involuntary, and whether a notice period applies
- If involuntary or high-risk departure: access revocation scheduled for departure time, not end of notice period
- Manager confirms any shared accounts or passwords the employee has sole knowledge of — document these immediately
Final Day — At Departure Time
Account Suspension (not deletion — suspend first to allow data recovery if needed):
- Disable Microsoft 365 account (do not delete yet — retain for 30 days minimum)
- Block sign-in to Azure AD / Microsoft Entra ID
- Revoke all active sessions and tokens (forces sign-out from all devices immediately)
- Convert mailbox to shared mailbox with manager access — do not delete
- Set out-of-office on mailbox directing correspondence to relevant team member
- Disable VPN access
- Remove from all distribution lists and Teams channels
- Disable any individual accounts in business applications (CRM, accounting software, etc.)
- Change any shared passwords the employee had access to (confirm to the manager by email that these have been rotated)
This step is non-negotiable: active sessions can persist after an account is disabled unless they are explicitly revoked. Use the Microsoft Entra ID admin console to revoke all refresh tokens. This forces the user off all devices immediately.
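The departure-time suspension sequence above as one script, added here as an example (not code from the original checklist or from CX IT Services). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with the Graph scopes requested plus Exchange admin rights, and placeholder addresses.

```powershell
# Added example: the departure-time suspension sequence, run at the scheduled time.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an operator with the
# Graph scopes below plus Exchange admin rights. All addresses are placeholders.
param(
    [string]$LeaverUpn   = "jane.example@contoso.example",   # placeholder
    [string]$ManagerUpn  = "manager@contoso.example",        # placeholder
    [string]$HandoverUpn = "accounts@contoso.example"        # placeholder: who to contact instead
)
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"
Connect-ExchangeOnline -ShowBanner:$false
$user = Get-MgUser -UserId $LeaverUpn -Property Id,DisplayName,AccountEnabled

# 1. Block sign-in. This stops new tokens being issued; it does not touch sessions that exist.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens and sessions. Access tokens already in hand stay valid until they
#    expire (roughly an hour) unless the app supports Continuous Access Evaluation, so
#    "immediately" means "within the access-token lifetime", not the same second.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Mailbox: convert to shared while the licence is still assigned (remove it at the 30-day
#    review), give the manager access, and set the out-of-office.
Set-Mailbox -Identity $LeaverUpn -Type Shared
Add-MailboxPermission -Identity $LeaverUpn -User $ManagerUpn -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $true | Out-Null
$reply = "$($user.DisplayName) has left the company. Please contact $HandoverUpn."
Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply

# 4. Remove from distribution lists and Teams (Teams are backed by Microsoft 365 groups).
#    Exchange-managed distribution groups reject Graph edits and are handled by address;
#    dynamic groups drop the user on their own once the account is disabled.
foreach ($m in (Get-MgUserMemberOf -UserId $user.Id -All)) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
    try {
        Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    } catch {
        $addr = $m.AdditionalProperties['mail']
        if ($addr) { Remove-DistributionGroupMember -Identity $addr -Member $LeaverUpn -Confirm:$false }
    }
}

# 5. Verify before closing the ticket: sign-in blocked and no memberships left behind.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
$left  = @(Get-MgUserMemberOf -UserId $user.Id -All).Count
"SignInBlocked={0} RemainingMemberships={1}" -f (-not $after.AccountEnabled), $left
```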
Device Recovery
- Collect all company-owned hardware: laptop, phone, tablet, access cards
- If device cannot be collected immediately, use Microsoft Intune to remotely lock the device
- If device is not returned within 5 business days, initiate remote wipe via Intune
- For BYOD devices: initiate selective wipe of company data via Intune MAM (does not wipe personal data)
- Check for any data that may have been transferred off managed devices in the days before departure (audit OneDrive sync logs, email forwarding rules)
Security investigation: Review the following for any departing employee, especially those in sensitive roles:
- Check for unusual email forwarding rules (auto-forward to personal email is a common exfiltration method)
- Check SharePoint audit log for large downloads in the final two weeks
- Check whether any new external sharing was enabled on files or sites
- Review OneDrive for any large sync activity to non-company devices
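The four review items above as one query script, added here as an example (not code from the original checklist or from CX IT Services). It assumes the ExchangeOnlineManagement module, an operator permitted to search the unified audit log, audit logging enabled in the tenant, and a placeholder UPN; the download threshold is a constructed starting point to tune per role.

```powershell
# Added example: review a leaver's mailbox and audit trail for the patterns in the checklist.
# Assumes ExchangeOnlineManagement, audit-log search rights and audit logging enabled. The UPN
# is a placeholder; set the lookback to the notice period (the checklist uses two weeks).
param(
    [string]$LeaverUpn   = "jane.example@contoso.example",   # placeholder
    [int]   $LookbackDays = 14
)
Connect-ExchangeOnline -ShowBanner:$false
$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Detail) { $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail }) }

# 1. Inbox rules that forward or redirect, plus mailbox-level forwarding set by an admin or the user.
foreach ($rule in Get-InboxRule -Mailbox $LeaverUpn) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    if ($targets) { Add-Finding 'InboxRule' "$($rule.Name) -> $($targets -join ', ')" }
}
$mbx = Get-Mailbox -Identity $LeaverUpn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Add-Finding 'MailboxForwarding' "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) (DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward))"
}

# 2. Unified audit log: file downloads, full sync to a device, and new sharing on files or sites.
$downloadOps = 'FileDownloaded', 'FileSyncDownloadedFull'
$sharingOps  = 'SharingSet', 'AnonymousLinkCreated', 'SharingInvitationCreated', 'AddedToSecureLink'
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $LeaverUpn `
    -Operations ($downloadOps + $sharingOps) -ResultSize 5000
$parsed = foreach ($e in $events) { $e.AuditData | ConvertFrom-Json }

# Flag any day with more than $threshold downloads; 200 is a constructed starting point, tune per role.
$threshold = 200
$parsed | Where-Object { $_.Operation -in $downloadOps } |
    Group-Object { ([datetime]$_.CreationTime).Date.ToString('yyyy-MM-dd') } |
    Where-Object { $_.Count -gt $threshold } |
    ForEach-Object { Add-Finding 'BulkDownload' "$($_.Name): $($_.Count) file events" }

# Every new sharing action in the window is worth a look, especially to external recipients.
$parsed | Where-Object { $_.Operation -in $sharingOps } |
    ForEach-Object { Add-Finding 'Sharing' "$($_.Operation) $($_.ObjectId) -> $($_.TargetUserOrGroupName)" }

$findings | Format-Table -AutoSize
```

OneDrive sync to unmanaged devices shows up as FileSyncDownloadedFull events; the device's enrolment status is confirmed against Intune rather than the audit log.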
30-Day Review
- Confirm mailbox is no longer needed — delete if no new correspondence
- Delete Microsoft 365 account (frees licence)
- Remove from any remaining external system accounts not caught in initial offboarding
- Update IT asset register — remove device from employee record
- Update phone directory and organisational chart
- Check whether any ongoing projects had single points of failure on the departed employee’s knowledge — brief replacement accordingly
Automating the Process With Microsoft 365
Many of the steps above can be automated or significantly accelerated using Microsoft 365 tools your business may already have.
Microsoft Entra ID (Azure AD) Lifecycle Management: Entra ID supports automated provisioning and deprovisioning when integrated with HR systems. When an employee is marked as terminated in your HR system, accounts can be disabled automatically.
Microsoft Intune: Device wipe and corporate data removal can be triggered from the Intune admin console in under 60 seconds. For BYOD devices, selective wipe removes only company data without touching personal content.
Power Automate: A flow triggered by a form submission (e.g., HR submits an offboarding request form) can automatically initiate a sequence of tasks, send notifications to IT, and create a checklist in Planner. See Microsoft 365 Hidden Features Guide for Power Automate overview.
The Offboarding Security Risk Is Real
Australian businesses experience a significant number of data breaches caused by former employees — either through retained access they should not have had, or data exfiltration that occurred during a notice period. The OAIC (Office of the Australian Information Commissioner) receives notifications of these incidents regularly.
The most common scenario: an employee resigns, gives four weeks' notice, IT is not notified until the last week, and during the notice period the employee forwards client data to a personal email or downloads large SharePoint libraries to a USB drive. By the time IT becomes aware, the data is already gone.
The solution is not complex. It requires:
- A defined process that triggers immediately on resignation or termination notice
- IT involvement from day one of the notice period, not day twenty-eight
- Monitoring of data movement during the notice period for sensitive roles
- Complete access revocation on the exact day of departure
Building a Repeatable Process
A checklist is only as good as the process that ensures it is used every time. For this to be reliable:
- The checklist must be built into your HR process, not optional
- IT must be notified by HR (not by the employee’s manager, and not by the employee themselves) as soon as departure is confirmed
- A defined handover exists between HR and IT specifying what information is provided and when
- The checklist is completed and signed off — not just filled in from memory
If you want to implement these processes as part of a managed IT service, book a Right Fit Call with CX IT Services. We can set up automated provisioning and deprovisioning workflows, configure Intune for device management, and give you a system that works consistently without relying on anyone’s memory.
For related resources, see:
- Top 10 IT Policies Template — Acceptable Use, Password, and BYOD policies
- Microsoft 365 Hidden Features Guide — Power Automate and Intune overview
- What IT Needs From HR — the broader IT-HR relationship