Most small businesses don't have a consistent IT offboarding process. That means former employees often retain access to email, cloud storage, business software, and sensitive data long after they've left. Here's what to do instead.
The access problem that's easy to ignore
When an employee leaves your business, the priority is the handoff — knowledge transfer, client communication, final paperwork. IT access tends to get handled informally: someone disables the email account when they remember, the password to shared accounts gets changed eventually, their laptop gets wiped before the next hire.
This informal approach leaves gaps. A former employee who left on bad terms may still have access to your Google Drive or Dropbox. A past contractor may still have login credentials for your accounting software. An ex-employee's Microsoft 365 account may still exist — and the data in it isn't being monitored.
The risk isn't only malicious. A former employee who still has access to business email may respond to client inquiries. Files in their OneDrive may become inaccessible when the account is deleted. A shared password that wasn't changed means their device can still log in.
What access needs to be revoked on day one
For any departure — voluntary or otherwise — the following should happen on the last day of employment, ideally before the employee leaves the building:
Microsoft 365 / Google Workspace account disabled. The primary email and productivity account should be disabled (not deleted yet) immediately. Disabling preserves mailbox data and files while preventing login.
MFA devices removed. Any authenticator apps, phone numbers, or hardware tokens registered to the account should be removed. If the account is re-enabled for data migration purposes, it shouldn't be accessible with the former employee's personal device.
All active sessions terminated. Microsoft 365 and most identity platforms allow you to revoke all active sessions — signing out all devices immediately. Do this at the same time as disabling the account.
Password reset for shared accounts. Any shared credentials the employee had access to — social media accounts, shared email addresses, vendor portals — should be rotated immediately.
Physical access revoked. Building key cards, alarm codes, and any physical access credentials should be deactivated.
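The Microsoft 365 part of the day-one steps above (disable, terminate sessions, remove MFA devices) can be scripted so it runs the same way every time. This is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell module is installed and that the person running it has an admin role permitted to manage users and authentication methods.

```powershell
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # departing user's sign-in name
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All'
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# 1. Disable, do not delete: blocks new sign-ins, keeps mailbox and OneDrive data.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens so every signed-in device has to re-authenticate (and fails).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove registered MFA methods so a later re-enable for data migration cannot be
#    completed from the former employee's own phone or hardware token.
#    Map: Graph method type -> removal cmdlet and the name of its id parameter.
$removers = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' =
        'Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod', 'MicrosoftAuthenticatorAuthenticationMethodId'
    '#microsoft.graph.phoneAuthenticationMethod' =
        'Remove-MgUserAuthenticationPhoneMethod', 'PhoneAuthenticationMethodId'
    '#microsoft.graph.fido2AuthenticationMethod' =
        'Remove-MgUserAuthenticationFido2Method', 'Fido2AuthenticationMethodId'
    '#microsoft.graph.softwareOathAuthenticationMethod' =
        'Remove-MgUserAuthenticationSoftwareOathMethod', 'SoftwareOathAuthenticationMethodId'
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.passwordAuthenticationMethod') { continue }  # not removable
    if (-not $removers.ContainsKey($type)) { Write-Warning "Remove manually: $type"; continue }
    $cmd, $idParam = $removers[$type]
    $splat = @{ UserId = $user.Id; $idParam = $m.Id }
    # A default method can fail to delete while others remain; warn and keep going.
    try { & $cmd @splat -ErrorAction Stop } catch { Write-Warning "Could not remove ${type}: $_" }
}

# 4. Read the state back so the result can be pasted into the offboarding record.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled, SignInSessionsValidFromDateTime
[pscustomobject]@{
    User              = $user.UserPrincipalName
    AccountEnabled    = $after.AccountEnabled                    # expect False
    SessionsValidFrom = $after.SignInSessionsValidFromDateTime   # expect roughly "now"
    MethodsRemaining  = @(Get-MgUserAuthenticationMethod -UserId $user.Id).Count  # includes password
}
```

Revoking sessions invalidates refresh tokens; an access token that was already issued can keep working until it expires, so run the disable and the revocation together as the step above says and re-check the account later the same day.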
What to do with the data
Disabling an account preserves data — it doesn't delete it. You have time to review and migrate content before removing the account permanently.
For Microsoft 365: export the mailbox data if needed, assign someone to monitor the former employee's email for a transition period (typically 30–90 days), migrate OneDrive files to a shared location or the successor's account, and review any calendar items or contact lists that should be transferred.
For cloud storage (Dropbox, Google Drive, SharePoint): ensure business files are in shared folders or drives that the business owns — not in the former employee's personal folder where they control access.
A common mistake is deleting the Microsoft 365 account immediately, which takes the data with it. Microsoft retains deleted user data for 30 days, but after that it's unrecoverable without a backup. Disable first, then delete after a structured data migration.
The downstream access problem
The hardest part of offboarding isn't the primary accounts — it's all the downstream applications the employee had access to.
Most small businesses don't maintain a comprehensive list of what software their employees use. An employee may have signed up for tools using their work email that the business doesn't even know about — project management apps, file sharing services, customer portals, industry-specific software.
The practical approach: ask departing employees to list the software they use as part of the offboarding conversation. Review browser-saved passwords and any password manager accounts. Check your Microsoft 365 admin center for app permissions the user has granted to third-party applications. If you use a password manager like 1Password, audit shared vault access.
Long-term, the right solution is using Microsoft Entra ID (Azure AD) as a single identity provider for as many applications as possible. When you disable the Entra ID account, access to all connected apps is revoked automatically — no manual review required.
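The app-permission check described above can also be pulled as a report instead of clicked through in the admin center. This is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell module and an account with directory read access, and it only reads data.

```powershell
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # departing user's sign-in name
)

Connect-MgGraph -Scopes 'Directory.Read.All'
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Delegated OAuth permissions this user personally consented to (third-party apps
# that can act on their mailbox, files, calendar and so on).
$consents = foreach ($g in Get-MgOauth2PermissionGrant -All -Filter "principalId eq '$($user.Id)'") {
    $app = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    [pscustomobject]@{
        Kind    = 'User consent'
        App     = $app.DisplayName
        Detail  = $g.Scope.Trim()      # space-separated scopes, e.g. Mail.Read Files.Read
        Id      = $g.Id                # needed if the grant is removed later
    }
}

# Enterprise apps the user is assigned to and can sign in to through Entra ID.
$assignments = foreach ($a in Get-MgUserAppRoleAssignment -UserId $user.Id -All) {
    [pscustomobject]@{
        Kind    = 'App assignment'
        App     = $a.ResourceDisplayName
        Detail  = "assigned $($a.CreatedDateTime)"
        Id      = $a.Id
    }
}

# One table for the offboarding record; review each row and decide keep or remove.
# Removal of a consent is a separate, deliberate step (Remove-MgOauth2PermissionGrant),
# which needs a write scope and is intentionally not done here.
@($consents) + @($assignments) | Sort-Object Kind, App | Format-Table -AutoSize
```

The report lists only apps that sign in through Entra ID. Tools the employee registered for directly with a work email address and a separate password do not appear here, which is why the exit conversation and the password manager review still matter.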
Building a repeatable process
The goal is a written offboarding checklist that any manager or office administrator can execute consistently, regardless of whether there's an IT person available that day.
A basic IT offboarding checklist for small businesses should cover: disable Microsoft 365 / email account; revoke MFA devices and terminate active sessions; reset shared passwords; revoke physical access; notify key vendors and clients if needed; assign email monitoring responsibility; set calendar reminders for account deletion (30–90 days); and migrate OneDrive / mailbox data before deletion.
This process becomes especially important as businesses grow. A five-person business can track this informally. A twenty-person business needs a documented process — because a new office manager shouldn't have to figure out the right steps on the fly during an emotional or urgent departure.
Intragreat helps small businesses build IT offboarding processes as part of our managed IT services. We can also conduct a one-time access audit to identify former employees who still have active access in your environment — the results are often surprising.