It usually gets handled reactively
Most businesses handle IT onboarding and offboarding as an afterthought. A new starter arrives and spends their first day waiting for accounts to be set up. Someone hands in their notice and IT access gets cancelled — eventually — once someone remembers to ask. In between, things get missed.
This isn't a criticism of how businesses are run. It reflects the reality that IT access tends to be managed by whoever has time for it, without a proper process in place. That works when a business is small enough for one person to hold all the context. It stops working as soon as the business grows, people change roles, or staff turnover increases.
What good onboarding actually looks like
IT onboarding is more than creating an email address. A well-run joiner process covers:
- Accounts and licences — email, Microsoft 365 or Google Workspace, any line-of-business software the person needs. Licences allocated before day one.
- Device setup — a configured laptop or desktop ready to use from the start, with the right applications installed and access to internal systems.
- Access permissions — the right level of access to shared drives, project folders, and systems for that person's role. Not admin rights because it's easier, not access to everything because the template was set up that way.
- Multi-factor authentication — MFA enrolled before the first login, not added as an afterthought a week in.
- Communication and collaboration tools — added to the right Teams channels, distribution lists, and shared inboxes.
The goal is for a new starter to be productive on day one. Every hour of setup time during their first week is a cost — in their time, their manager's time, and the impression it creates of how the business operates.
Offboarding is where the bigger risks sit
Onboarding done badly is mostly an inconvenience. Offboarding done badly is a security problem.
When a member of staff leaves and their IT access isn't properly removed, several things can happen:
- Their email account continues to receive messages that no one is reading — or that someone inappropriate is forwarding.
- Their login credentials remain active in systems, including third-party tools, cloud services, and any personal devices that were used for work.
- If they held admin rights, those rights remain in place until someone notices.
- Files, emails, and customer data remain accessible through shared drives or personal accounts that were used for business purposes.
Most of the time, leavers don't do anything malicious. But the access is there, and the risk is real — particularly if the departure was acrimonious. The more sensitive your business data, the more this matters.
A former employee with active credentials is not a theoretical risk. It's an open door that most businesses don't know is still unlocked.
The Microsoft 365 offboarding problem
For businesses running Microsoft 365, offboarding has specific considerations that often get missed. Simply cancelling a licence doesn't remove access — it just puts the account in a state where it may still be accessible, depending on how the tenant is configured. A proper Microsoft 365 offboarding process includes:
- Blocking the user's sign-in before the licence is cancelled.
- Revoking all active sessions so any existing logins are terminated immediately.
- Converting the mailbox to a shared mailbox if the business needs to retain access to the email history.
- Removing the user from distribution lists, Teams, and shared calendars.
- Transferring ownership of any files or folders in OneDrive before the account is deleted — after 30 days, this data is gone.
- Reviewing and revoking any app permissions that were granted under that account.
This is a checklist of around a dozen steps for a single leaver. Skipping any of them creates a gap. Done without a process, things get missed every time.
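The Microsoft 365 steps above, in the order the checklist gives them, scripted as an added example (this is not code from the original article). It assumes the Microsoft Graph PowerShell SDK and the Exchange Online Management module are installed, that the operator holds the admin roles those cmdlets require, and that the user principal name passed in is a placeholder for the real leaver. The OneDrive ownership transfer is left as a reminder rather than automated, since that is normally done by an admin in the admin centre before the account is deleted.

```powershell
# Added example: Microsoft 365 leaver steps scripted with the Microsoft Graph PowerShell SDK
# and the Exchange Online Management module. Not from the original article.
# Assumes both modules are installed and the operator has the required admin roles.
# The UPN below is a placeholder, not a real account.
param(
    [string]$LeaverUpn = "leaver@example.com"   # placeholder, replace with the real leaver
)

# Connect with only the scopes these steps need.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $LeaverUpn -Property Id, UserPrincipalName, AccountEnabled

# Step 1: block sign-in first, before anything touches the licence.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Host "Sign-in blocked for $($user.UserPrincipalName)"

# Step 2: revoke refresh tokens so existing sessions stop working, not just new logins.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Active sessions revoked"

# Step 3: convert the mailbox to shared so the business keeps the email history.
# Do this before the licence is removed; a shared mailbox under the size limit needs no licence.
Set-Mailbox -Identity $LeaverUpn -Type Shared
Write-Host "Mailbox converted to shared"

# Step 4: remove the user from groups. Classic distribution lists are managed in Exchange,
# Microsoft 365 groups (including Teams) and security groups via Graph.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    $p = $g.AdditionalProperties
    $isUnified = ($p['groupTypes'] -contains 'Unified')
    try {
        if ($p['mailEnabled'] -and -not $p['securityEnabled'] -and -not $isUnified) {
            Remove-DistributionGroupMember -Identity $p['mail'] -Member $LeaverUpn -Confirm:$false
        } else {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
        }
        Write-Host "Removed from group: $($p['displayName'])"
    } catch {
        # Dynamic groups and some built-in groups reject direct removal; record it for follow-up.
        Write-Warning "Could not remove from $($p['displayName']): $($_.Exception.Message)"
    }
}

# Step 5: revoke delegated app permissions the user consented to under this account.
Get-MgUserOauth2PermissionGrant -UserId $user.Id -All | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    Write-Host "Revoked app grant $($_.Id)"
}

# Step 6: remove licences last, once sign-in is blocked and the mailbox is preserved.
$skus = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId
if ($skus) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
    Write-Host "Removed $($skus.Count) licence(s)"
}

# Step 7 is deliberately manual: transfer OneDrive ownership to the manager in the admin
# centre before the account is deleted, since the data is retained only for a limited period.
Write-Host "REMINDER: transfer OneDrive ownership for $LeaverUpn before deleting the account"

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The order is the point of the script: sign-in is blocked and sessions revoked before the licence is touched, the mailbox is converted while it still has a licence, and the licence comes off last. Running the steps in the other order is exactly how a cancelled licence ends up leaving a still-usable account behind. The account itself is left blocked rather than deleted so the data transfer can be confirmed first.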
The device question
Devices add another layer of complexity. A business-owned laptop handed back at the end of employment needs to be wiped and reset before it's reissued — not just have the user's profile deleted. A personal device that was used for work email or business apps needs those accounts removed and any cached data cleared.
Remote wipe capability matters here. If a device is lost, stolen, or held by a former employee who isn't returning it, the ability to wipe it remotely is the difference between a manageable incident and a data breach. This requires mobile device management (MDM) to be in place before the situation arises — it can't be retrofitted after the fact.
What a proper process looks like
The practical fix is a documented checklist for both joiners and leavers, with clear ownership of each step. The process doesn't need to be complex, but it does need to exist, be followed consistently, and be reviewed as the business changes.
For most small businesses, this means:
- A joiner checklist that HR or a line manager triggers when a start date is confirmed — not on the morning of day one.
- A leaver checklist that starts when notice is handed in, covering access removal, device recovery, data transfer, and licence cancellation.
- Clear ownership — someone specific is responsible for each step, not "IT" as a vague category.
- A review point, typically annually, to check that the process still reflects how the business actually works.
If your IT support provider isn't involved in this process today, that's worth addressing. Onboarding and offboarding should be part of the managed service, not an additional task that falls through the cracks between IT and HR.
Process work, not just IT work
IT onboarding and offboarding sit at the intersection of IT, HR, and operations. Getting it right requires those functions to communicate — and to have agreed, in advance, who does what and when. The IT part is straightforward once the process is in place. The harder part is making sure the process exists and gets followed, every time, regardless of how busy things are when someone joins or leaves.
Most businesses that have had a problem in this area trace it back to a moment when the process was bypassed because something more urgent came up. The way to avoid that is to make the process simple enough that bypassing it is never the path of least resistance.