Employee Offboarding Checklist for Small Business IT Teams

When someone leaves, access should end on schedule, not "whenever we get to it." Small businesses usually handle pay, keys, and desk cleanup first. Then, a few days later, someone realizes the former employee still has email, Teams, the CRM, or a saved password vault.

That's why a solid employee offboarding checklist matters. It protects customer data, keeps work moving, and gives lean IT or admin teams a repeatable process. The goal is simple: remove access fast, keep needed data, and hand off work without breaking daily operations.

Offboarding looks simple until you list every system a person touched. There's the identity account, email, MFA, chat, cloud storage, phone system, VPN, finance apps, and maybe a few shared passwords. Miss one item, and you leave a window open.

The safest mindset is least privilege . If a person no longer needs access, remove it. Don't wait for the next billing cycle, the next IT visit, or a slow afternoon. Access should end at the agreed separation time, especially if the departure is involuntary.

Cloud tools also spread risk. A user may sign in through Microsoft 365 and still have direct logins to payroll, marketing tools, or a password manager. If your company relies on secure Microsoft 365 management , start offboarding with that identity first, then work outward to every connected app.

Small teams need one owner for the process. That might be the office manager, your IT provider, or a department lead. The owner doesn't have to do every task, but they do need to confirm every task gets done. Think of it like locking up a building at night. One unlocked side door defeats all the other locks.

Use the same order every time, because the sequence matters.

1. Before the last day, map everything they can reach.
   Start with identity, then email, file storage, chat, CRM, finance apps, phone system, VPN, remote desktop, and any apps bought on a company card. Also list physical assets, such as laptops, phones, badges, and USB drives. If the employee worked remotely, send a return box and prepaid tracked label before the final day.
2. At separation time, disable the main account and sign-ins.
   Turn off Microsoft 365 or Google Workspace access first. Then revoke SSO, VPN, remote desktop, and active app sessions. Remove the user from groups, shared mailboxes, and email lists. In 2026, MFA matters just as much as the password, so remove the old MFA device and re-register any shared admin methods.

3. Remove admin rights, shared credentials, and password-vault access.
   Take them out of 1Password, LastPass, or any other vault right away. Change every shared password they knew, especially admin accounts, vendor portals, and social media logins. If they had elevated rights, review each system for leftovers, such as delegated mailbox access, billing permissions, or local admin rights on a laptop.
4. Secure devices, especially for remote and hybrid staff.
   Collect company laptops, phones, tablets, access cards, and security keys. Use MDM tools, such as Intune, Jamf, or Kandji, to lock or wipe devices if return is delayed. Keep a few clean spare devices ready so the next employee can step in fast.
5. Preserve data before deleting anything.
   Back up email, files, and key folders. Transfer ownership of calendars, OneDrive or shared-drive content, client contacts, and active projects to a manager. Set email forwarding and update voicemail so customers don't hit a dead end. If you want a safer handoff, business backup protection helps keep files recoverable during the transition.
6. Reassign work and document the handoff.
   Who owns the client inbox now? Who approves quotes? Who receives alerts from their SaaS tools? Write it down. A short handoff note often saves more time than any complicated workflow.
7. Close the loop with proof.
   Mark each task complete, note the date and time, and save the record. Then review license counts, because unused seats keep costing money long after the person is gone.

Store this template in your HR folder, help desk system, or shared admin checklist.

| Timing | Task | Owner | Status | | | | | | | Before last day | List all apps, devices, shared accounts, and admin rights | Manager + IT | Open | | Separation time | Disable identity, email, SSO, VPN, MFA, and group access | IT/Admin | Open | | Same day | Rotate shared passwords and remove password manager access | IT/Admin | Open | | Same day | Collect or lock devices, then confirm return tracking | Manager + IT | Open | | Within 24 hours | Back up data, transfer ownership, set forwarding, document completion | Manager + IT | Open |

The point isn't paperwork. It's consistency. On a five-person team, one owner may handle every step. On a 25-person team, HR may trigger the process, the manager may handle the work handoff, and IT may remove access. The list stays the same.

A quick example helps. If a sales rep leaves, transfer the CRM record owner, booking links, mailbox alias, call routing, and proposal templates before deleting the account. If a bookkeeper leaves, lock banking access and rotate MFA before you pack the desk.

Common misses still trip up small teams:

• Saved browser passwords on a returned laptop
• Old MFA prompts still tied to the employee's phone
• Shared social media or vendor logins that never got rotated
• Calendar invites and forwarding rules still sending business data out

A good offboarding process isn't about distrust. It's about control , continuity, and clean handoffs. If your current process lives in someone's memory, put it into writing before the next departure. The best time to build a repeatable employee offboarding checklist is before you need it in a hurry.