A 60-minute runbook, and the four steps everyone gets in the wrong order.

Standard IT offboarding assumes a departing employee is indifferent. They hand in the laptop, you disable the account, you reclaim the license, everyone moves on.

That assumption does not hold when the person leaving carries the firm's research in their head and, potentially, in their OneDrive. It especially does not hold when they are leaving for a competitor, and it collapses entirely when they know they are leaving before you do.

The technical steps are not complicated. The sequence is where firms lose. Below is the runbook, in order, with the reasoning for the order.


Before the conversation happens

If the departure is contentious or the employee had access to material non-public information, legal hold goes on before anything else touches the account. Not after. Not the same afternoon.

Apply a Litigation Hold or a Purview retention policy to the mailbox and the OneDrive while both are still live and intact. Once you start deleting, wiping, or converting, you are working against a clock you do not control, and a deleted OneDrive has a default retention window that is far shorter than most people assume.

This is the step that generates a phone call from counsel eight months later. Get it right on day zero and there is no phone call.

Second, and while the account is still live: audit before you disable. Once you kill the account, some of this gets meaningfully harder to reconstruct. Look at:

  • Recent file activity in the unified audit log. Bulk downloads, bulk sharing, sync client activity on a device you do not manage
  • Sharing links the user created, particularly anonymous ones and anything shared to a personal address
  • Inbox rules and mail forwarding, both the obvious ones and the SMTP forwarding on the mailbox object
  • OAuth application consents they granted. A third-party app with mail.read permission survives a password reset and is invisible to most offboarding checklists
  • Any personal device registered in Entra
  • External and shared channel memberships in Teams

Do this quietly, do it first, and do it before the person suspects.


The 60 minutes

Once the conversation has happened, the order below matters.

1. Revoke sessions, then disable

Everyone disables the account first. It feels decisive and it is insufficient.

Disabling the account in Entra stops new sign-ins. It does not immediately invalidate the access token already sitting in Outlook on their phone, which has a default lifetime of roughly an hour. That is an hour of continued mailbox access after you thought you had cut them off.

Use Revoke Sessions, which invalidates refresh tokens. Where Continuous Access Evaluation is supported (Exchange Online, SharePoint Online, Teams), the app is signaled in near-real time and access dies in seconds rather than at the next token refresh. CAE is one of the highest-value and least-discussed features in the stack, and this is exactly the scenario it exists for.

Sequence: revoke sessions, reset the password to something random, then disable the account.

2. Reset MFA methods

A registered authenticator on a phone you do not control is a live re-entry path if the account is ever re-enabled for a data-recovery reason. Remove the methods.

3. Kill the device

Two options in Intune, and the choice depends on ownership.

  • Corporate device: remote wipe if it is not coming back physically, or block and retire if it is being returned and you want the disk intact. If there is any chance of a dispute, image the machine before you wipe it. You cannot un-wipe.
  • Personal device under MAM: selective wipe. This removes corporate data from the managed apps and leaves their personal content alone. This distinction is not merely courteous, it is the thing that keeps you out of a separate legal problem.

Also block the device in Entra so it cannot re-register.

4. Strip privilege before you strip access

Reverse of intuition, and this is the step most commonly missed. Remove:

  • Azure RBAC role assignments
  • PIM eligible assignments, not just active ones. An eligible assignment is a dormant path back to privilege and it does not appear in a standard role review
  • Group memberships that carry access, including dynamic group criteria that might silently re-add them
  • Ownership of service principals, applications, and enterprise apps. This is a big one. A departed engineer who still owns an app registration owns a credential you do not know about
  • Ownership of Teams, SharePoint sites, and distribution groups. Orphaned sites are how the previous article's problem starts

5. Preserve the data, then reclaim the license

Convert the mailbox to a shared mailbox and it stays accessible without consuming a license (under the size threshold). Transfer OneDrive ownership to the manager, or extend retention explicitly. Do this before you delete the account, because deletion starts a retention countdown, and "we'll get to it" is how firms discover the countdown expired.

Only then reclaim the license.

6. Everything that is not Microsoft

The M365 tenant is the part you control. It is rarely the part that hurts.

Bloomberg, the OMS, the research platforms, GitHub, the VPN, the password manager, physical building access, the shared credentials in a spreadsheet that predates the password manager. If these are federated through Entra with SCIM provisioning, disabling the account handles most of them, which is the entire argument for federating them in the first place.

If they are not federated, you are working from a list, and the quality of that list is the actual quality of your offboarding.


The 24-hour follow-up

Come back the next day and check:

  • Did any new inbox rule or forwarding rule appear in the hours before the account was disabled
  • Do the audit logs show any sign-in attempt after revocation, and from where
  • Did any sharing link created by the user survive the account deletion. Some do
  • Is there a personal device still showing as registered

What this really tests

An offboarding is a compressed audit of everything you did or did not build in the preceding two years.

If your SaaS is federated, if your privileged access runs through PIM, if your devices are enrolled and your sharing is governed, then a hostile departure is a 60-minute procedure that you can execute calmly while the person is still in the room.

If it is not, then the offboarding is where you find out, at the exact moment you can least afford to.


Hostile offboardings a concern?

KYA Consulting builds identity, device, and access architecture for firms where a departing employee's access is a material risk. If your offboarding runbook lives in someone's head, get in touch.

Get in Touch