A 60-minute runbook, and the four steps everyone gets in the wrong order.
A 60-minute runbook, and the four steps everyone gets in the wrong order.
Standard IT offboarding assumes a departing employee is indifferent. They hand in the laptop, you disable the account, you reclaim the license, everyone moves on.
That assumption does not hold when the person leaving carries the firm's research in their head and, potentially, in their OneDrive. It especially does not hold when they are leaving for a competitor, and it collapses entirely when they know they are leaving before you do.
The technical steps are not complicated. The sequence is where firms lose. Below is the runbook, in order, with the reasoning for the order.
If the departure is contentious or the employee had access to material non-public information, legal hold goes on before anything else touches the account. Not after. Not the same afternoon.
Apply a Litigation Hold or a Purview retention policy to the mailbox and the OneDrive while both are still live and intact. Once you start deleting, wiping, or converting, you are working against a clock you do not control, and a deleted OneDrive has a default retention window that is far shorter than most people assume.
This is the step that generates a phone call from counsel eight months later. Get it right on day zero and there is no phone call.
Second, and while the account is still live: audit before you disable. Once you kill the account, some of this gets meaningfully harder to reconstruct. Look at:
Do this quietly, do it first, and do it before the person suspects.
Once the conversation has happened, the order below matters.
Everyone disables the account first. It feels decisive and it is insufficient.
Disabling the account in Entra stops new sign-ins. It does not immediately invalidate the access token already sitting in Outlook on their phone, which has a default lifetime of roughly an hour. That is an hour of continued mailbox access after you thought you had cut them off.
Use Revoke Sessions, which invalidates refresh tokens. Where Continuous Access Evaluation is supported (Exchange Online, SharePoint Online, Teams), the app is signaled in near-real time and access dies in seconds rather than at the next token refresh. CAE is one of the highest-value and least-discussed features in the stack, and this is exactly the scenario it exists for.
Sequence: revoke sessions, reset the password to something random, then disable the account.
A registered authenticator on a phone you do not control is a live re-entry path if the account is ever re-enabled for a data-recovery reason. Remove the methods.
Two options in Intune, and the choice depends on ownership.
Also block the device in Entra so it cannot re-register.
Reverse of intuition, and this is the step most commonly missed. Remove:
Convert the mailbox to a shared mailbox and it stays accessible without consuming a license (under the size threshold). Transfer OneDrive ownership to the manager, or extend retention explicitly. Do this before you delete the account, because deletion starts a retention countdown, and "we'll get to it" is how firms discover the countdown expired.
Only then reclaim the license.
The M365 tenant is the part you control. It is rarely the part that hurts.
Bloomberg, the OMS, the research platforms, GitHub, the VPN, the password manager, physical building access, the shared credentials in a spreadsheet that predates the password manager. If these are federated through Entra with SCIM provisioning, disabling the account handles most of them, which is the entire argument for federating them in the first place.
If they are not federated, you are working from a list, and the quality of that list is the actual quality of your offboarding.
Come back the next day and check:
An offboarding is a compressed audit of everything you did or did not build in the preceding two years.
If your SaaS is federated, if your privileged access runs through PIM, if your devices are enrolled and your sharing is governed, then a hostile departure is a 60-minute procedure that you can execute calmly while the person is still in the room.
If it is not, then the offboarding is where you find out, at the exact moment you can least afford to.
Hostile offboardings a concern?
KYA Consulting builds identity, device, and access architecture for firms where a departing employee's access is a material risk. If your offboarding runbook lives in someone's head, get in touch.
Get in Touch