TL;DR: Most IT onboarding failures and security gaps trace back to a broken IT-HR interface. IT does not get notified of new hires until the day they start. Offboarding notifications arrive after the person has already left. This guide defines exactly what IT needs from HR, when, and why — with a template for the IT-HR handover process.
Why the IT-HR Interface Breaks Down
In small businesses, HR and IT are often handled by the same person, or at least by people who sit near each other and talk regularly. The process works informally. The moment a business grows to the point where these are distinct functions — even if still part-time — informal communication breaks down.
The result is predictable. IT finds out about new starters on the day they walk in the door. Resignations are not communicated to IT until HR has finished their own offboarding process — sometimes days or weeks after the person’s last day. Role changes do not trigger access reviews. Contract changes are invisible to IT.
The consequences:
- New staff productivity loss: A new employee who cannot log in, access required systems, or use business tools on day one is a direct cost — their time, their manager’s time, and the credibility impact.
- Offboarding security gaps: A former employee who still has active accounts and access to business systems is an insider threat risk. This is not theoretical — the majority of insider threat incidents involve ex-employees with retained access.
- Role change gaps: A staff member promoted to a sensitive role may receive access appropriate to their new role but retain all access from their previous role — accumulating permissions over time rather than having access recalibrated with each role change.
None of these gaps require malice to cause harm. They just require the normal chaos of a growing business and a process that was never designed.
What IT Needs From HR: The Complete List
For New Hires
IT needs the following information, at minimum 5 business days before the new employee’s start date:
| Information | Why IT Needs It |
|---|---|
| Full legal name | Account creation — username and display name format |
| Preferred first name (if different) | Display name in email and Teams |
| Job title | Correct display in email signature, directory, Teams profile |
| Department | Determines group membership, SharePoint access, Teams channels |
| Manager | Determines manager relationship in directory; used for approval workflows |
| Start date | Account must be ready before this date |
| Work location | Office only, remote only, or hybrid — affects device and network setup |
| Mobile number (personal) | MFA setup — authenticator app registered on their phone |
| Employment type | Full-time, part-time, contractor, casual — affects licence selection and retention |
| Expected end date (if fixed term) | Plan for offboarding from the start |
| Hardware required | Laptop, desktop, phone, accessories — allow procurement lead time |
| Software required (role-specific) | Applications beyond standard suite — may need licence procurement |
| Office location (if multiple sites) | Ensures correct site access and equipment delivery |
Lead time matters: 5 business days is a minimum for a standard account setup. Hardware procurement may require an additional 5–10 business days. New hires with complex access requirements (elevated privileges, specific application access) may require longer.
For Departures
IT needs the following information, at minimum 48 hours before the employee’s last day (ideally as soon as the resignation or termination decision is confirmed):
| Information | Why IT Needs It |
|---|---|
| Employee name | Identify accounts to suspend |
| Last working day (exact date and time if possible) | Schedule account suspension for departure moment |
| Whether departure is voluntary or involuntary | High-risk departures may require earlier access revocation |
| Devices assigned | Recovery planning and device management |
| Access to sensitive systems | Prioritise revocation order |
| Whether any shared passwords are held by the employee | Change shared credentials before departure |
| Mailbox handling preference | Convert to shared, grant manager access, archive, or delete |
| Data handover requirements | OneDrive content, shared drives — who receives access? |
For involuntary departures: IT should be notified simultaneously with the employee receiving notice. Account suspension should occur at the moment the employee is notified, or as close to it as possible. An employee who has just been told they are being terminated and retains access to email, SharePoint, and other business systems is a significant data risk.
For Role Changes and Promotions
| Information | Why IT Needs It |
|---|---|
| Previous role | Understand what access to remove |
| New role | Understand what access to add |
| Effective date | Schedule access changes |
| Whether access from previous role should be retained | Principle of least privilege — remove unless there is a reason to retain |
| New manager (if changed) | Update directory relationships |
| New department (if changed) | Group and SharePoint access review |
Role changes are the most commonly missed IT-HR interface event. Most businesses have a process for onboarding and offboarding but no process for “Sarah has moved from Marketing to Finance — what changes?” The answer is: Finance access should be added, and some Marketing access that is no longer relevant should be removed.
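The role-change recalculation described above, as an added example that is not part of the original guide. The role names, group names, and the `plan_role_change` helper are hypothetical. The plan is built from the staff member's actual memberships, so access accumulated from earlier roles is also surfaced.

```python
# Hypothetical role baselines (group names are constructed for this example).
ROLE_GROUPS = {
    "Marketing Coordinator": {"All-Staff", "Marketing-Team", "Marketing-SharePoint"},
    "Finance Officer": {"All-Staff", "Finance-Team", "Finance-SharePoint"},
}

def plan_role_change(current_groups, previous_role, new_role, retain=None):
    """Plan access changes from the user's actual memberships, not just the role names.

    `retain` maps a group to the reason HR gave for keeping it; groups outside the
    new role's baseline are removed unless a non-empty reason is recorded.
    """
    retain = retain or {}
    missing_reason = sorted(g for g, why in retain.items() if not why.strip())
    if missing_reason:
        raise ValueError(f"retention needs a reason: {missing_reason}")
    current, target = set(current_groups), ROLE_GROUPS[new_role]
    kept = (current - target) & set(retain)
    remove = current - target - kept
    # Access that belongs to neither role: left over from an earlier role or an
    # ad hoc grant. A diff of previous role vs new role would never list these.
    creep = remove - ROLE_GROUPS[previous_role]
    return {"add": sorted(target - current), "remove": sorted(remove),
            "retain": sorted(kept), "accumulated": sorted(creep)}

# Constructed example: Sarah moves from Marketing to Finance and keeps one
# Marketing resource for a documented handover period.
SARAH_GROUPS = ["All-Staff", "Marketing-Team", "Marketing-SharePoint", "Reception-Mailbox"]
SARAH_PLAN = plan_role_change(
    SARAH_GROUPS, "Marketing Coordinator", "Finance Officer",
    retain={"Marketing-SharePoint": "campaign handover until end of quarter"},
)

if __name__ == "__main__":
    for action, groups in SARAH_PLAN.items():
        print(f"{action}: {groups}")
```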
The IT-HR Handover Template
Use this template to formalise what HR provides to IT for each event. Implement it as a Microsoft Form, a SharePoint form, or a printed document. The medium matters less than the consistency.
IT-HR STAFF CHANGE NOTIFICATION
Date submitted: _______________
Submitted by (HR): _______________
Type of change:
- New hire
- Departure
- Role change / Promotion
- Extended leave (parental leave, long service, medical)
- Return from extended leave
- Contractor / temporary staff (start or end)
Staff member name: _______________
Effective date: _______________
Employment type: Full-time / Part-time / Contractor / Casual
(New hire fields — complete for all new starters)
Job title: _______________
Department: _______________
Manager: _______________
Work location: Office / Remote / Hybrid
Office address (if applicable): _______________
Personal mobile for MFA: _______________
Fixed-term end date (if applicable): _______________
Hardware required: Laptop / Desktop / Phone / None / Other: _______________
Special software required: _______________
(Departure fields — complete for all leavers)
Last working day: _______________
Departure type: Resignation / Termination / End of contract / Retirement
Risk level: Standard / Elevated (involuntary, access to sensitive data)
Devices to recover: _______________
Mailbox handling: Shared mailbox (grant to: _______________) / Archive / Delete after _____ days
Shared passwords held by employee: _______________
(Role change fields)
Previous role: _______________
New role: _______________
New department: _______________
New manager: _______________
Previous access to retain: _______________
Previous access to remove: _______________
Notes for IT: _______________
Setting Up the Process
Step 1: Define the Process Owner
Decide who owns the IT-HR interface. In most businesses, HR initiates (they know about hires and departures first) and IT executes. Define this clearly — who sends the notification, who receives it, and who is accountable if it does not happen.
Step 2: Agree on Lead Times
Define minimum lead times in writing:
- New hire notification: 5 business days before start date
- Departure notification: As soon as resignation or termination is confirmed
- Role change notification: 3 business days before effective date
These times should be in your HR procedures, not just verbal agreement.
Step 3: Create the Notification Mechanism
Choose a consistent method for HR to notify IT:
- Microsoft Forms form (sends data to a shared IT mailbox and logs to SharePoint)
- Shared email to a specific IT mailbox (e.g., hr-to-it@company.com.au)
- Ticketing system integration (if your IT provider uses a ticketing system)
Whatever method you choose: it must be a defined process, not “email someone in IT.”
Step 4: Confirm Completion
IT should confirm to HR when each change has been completed — account created, access revoked, or access reconfigured. This closes the loop and creates an audit trail.
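One way to check that Steps 2 to 4 are being followed, as an added example that is not part of the original guide: it audits a log of HR notifications against a directory export for late notice, leaver accounts that are still enabled, and missing completion confirmations. The record fields, staff names, and dates are constructed, and public holidays are ignored.

```python
from datetime import date, timedelta

LEAD_TIMES = {"new_hire": 5, "role_change": 3}  # minimum notice in business days (Step 2)

def business_days_between(start, end):
    """Count Mon-Fri days after `start` up to and including `end` (public holidays ignored)."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count

def audit(notifications, accounts, today):
    """Return (staff, finding) pairs where the handover process was not followed."""
    findings = []
    for n in notifications:
        required = LEAD_TIMES.get(n["type"])
        if required is not None:
            given = business_days_between(n["submitted"], n["effective"])
            if given < required:
                findings.append((n["staff"], f"late notice: {given} of {required} business days"))
        if n["type"] == "departure":
            elevated = n.get("risk") == "elevated"
            # Elevated-risk leavers: suspend on the day of notice. Others: by the last working day.
            overdue = today >= n["submitted"] if elevated else today > n["effective"]
            if overdue and accounts.get(n["staff"], {}).get("enabled"):
                findings.append((n["staff"], "account still enabled"))
        # Step 4: every change that has taken effect needs IT's completion confirmation.
        if today >= n["effective"] and not n.get("it_confirmed"):
            findings.append((n["staff"], "no IT completion confirmation"))
    return findings

# Constructed sample data (hypothetical field names and staff; 2024-03-04 is a Monday).
SAMPLE_NOTIFICATIONS = [
    {"staff": "a.nguyen", "type": "new_hire", "submitted": date(2024, 3, 4),
     "effective": date(2024, 3, 11), "it_confirmed": True},
    {"staff": "b.patel", "type": "new_hire", "submitted": date(2024, 3, 8),
     "effective": date(2024, 3, 11), "it_confirmed": True},
    {"staff": "c.jones", "type": "departure", "risk": "standard", "submitted": date(2024, 3, 1),
     "effective": date(2024, 3, 8), "it_confirmed": False},
    {"staff": "d.smith", "type": "departure", "risk": "elevated", "submitted": date(2024, 3, 12),
     "effective": date(2024, 3, 26), "it_confirmed": False},
]
# Constructed directory export: all four accounts are still enabled.
SAMPLE_ACCOUNTS = {n["staff"]: {"enabled": True} for n in SAMPLE_NOTIFICATIONS}

if __name__ == "__main__":
    for staff, finding in audit(SAMPLE_NOTIFICATIONS, SAMPLE_ACCOUNTS, date(2024, 3, 12)):
        print(f"{staff}: {finding}")
```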
Extended Leave Considerations
Extended leave (parental leave, long service leave, medical leave) is often missed in IT-HR interface processes. When a staff member goes on extended leave, consider:
- Licences: The business keeps paying for a Microsoft 365 licence that a staff member on 12 months of parental leave is not using. Depending on your HR policy, consider whether to suspend the licence (reducing cost) and what this means for their data access on return.
- Account security: Accounts that are not used for months are at higher risk. Regular automated sign-in may be the only expected activity, so anything else is a security signal that the account may be compromised. Consider whether to disable the account during the leave period.
- MFA device: If the staff member’s MFA is tied to a company phone they return during leave, MFA re-setup is required on return.
- Return date notification: IT needs advance notice of a return from leave to re-enable accounts and ensure equipment is ready.
If you would like help implementing an IT-HR handover process as part of a managed IT service, or want to automate onboarding and offboarding workflows using Microsoft 365 Power Automate, book a Right Fit Call with CX IT Services.