
IT Onboarding and Offboarding: A Security-First Checklist

Poorly managed onboarding and offboarding are two of the most common sources of security incidents. Here's how to do both properly—without creating a bottleneck.

4 min read · MicroPro Team

Onboarding and offboarding are routine IT operations that carry outsized security risk when done carelessly. An employee who joins and gets too much access creates unnecessary exposure. An employee who leaves with active accounts and device access creates a potential incident.

Both are fixable with clear process and the right tooling.

Employee onboarding: the security-first model

The goal of IT onboarding is to give a new employee access to exactly what they need—and nothing more—from day one.

Pre-start tasks (before the employee arrives)

  • Create the user account in Azure AD / Active Directory
  • Assign role-based group memberships (group membership determines what the user can access)
  • Provision Microsoft 365 license and assign email address
  • Prepare and ship/stage the device (configured, encrypted, MDM-enrolled)
  • Create accounts in key applications (HRIS, CRM, project management tools)
  • Configure MFA for the account before the employee's first login

The worst onboarding experience—both from a user and a security perspective—is a new employee who can't access their email on day one, sets up MFA under pressure while being watched, and gets admin rights because no one had time to figure out what they actually need.

Day-one tasks

  • Complete MFA enrollment with the employee present
  • Walk through the IT policy (acceptable use, data handling, password manager setup)
  • Confirm device enrollment in MDM and verify compliance status
  • Verify application access is correct (not too much, not too little)
  • Provide the IT support contact information and ticket submission process

Access governance

New employees should never receive broad access "to be figured out later." At minimum, define:

  • What Microsoft 365 groups the role requires (determines SharePoint, Teams, and distribution list access)
  • What applications require individual account provisioning
  • Whether the role requires access to any financial, healthcare, or sensitive data systems (flag for additional review)

A simple role-based access matrix (a spreadsheet mapping job title to required access) speeds onboarding and makes access grants auditable.

Employee offboarding: the security-first model

Departures are higher-risk than arrivals. A disgruntled employee, a rushed handover, or a missed account deactivation can result in data loss, unauthorized access, or insider threats.

On the last day (or when departure is confirmed)

Immediately on confirmation of departure:

  • Disable the user account in Azure AD (disables access to all Microsoft 365 services simultaneously)
  • Revoke active sign-in sessions and invalidate refresh tokens
  • Remove from privileged access groups (admin roles, financial systems)
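The three immediate steps above, scripted against Azure AD / Entra ID with the Microsoft Graph PowerShell SDK, as an added example that is not MicroPro's own tooling. It assumes the Microsoft.Graph module is installed, that the operator holds the User.ReadWrite.All and Directory.ReadWrite.All scopes, and that the privileged group names are a constructed sample to be replaced with the organization's own list.

```powershell
# Added example (not MicroPro's code): first-hour offboarding in Azure AD / Entra ID.
# Assumes the Microsoft.Graph module is installed and the operator has the
# User.ReadWrite.All and Directory.ReadWrite.All scopes.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. leaver@contoso.example
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
if (-not $user) { throw "User $UserPrincipalName not found" }

# 1. Disable the account: this blocks every Microsoft 365 sign-in at once.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens so existing sessions cannot silently renew.
#    Caveat: access tokens already issued stay valid until they expire
#    (normally about an hour), so this step does not end open sessions instantly.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove privileged memberships: every directory role, plus any group on the
#    IT team's privileged list. The list below is a constructed sample.
$privilegedGroupNames = @("Finance Systems Admins", "Global Admin Approvers")

Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object {
    $type = $_.AdditionalProperties['@odata.type']
    $name = $_.AdditionalProperties['displayName']
    switch ($type) {
        '#microsoft.graph.directoryRole' {
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $_.Id -DirectoryObjectId $user.Id
            Write-Host "Removed directory role: $name"
        }
        '#microsoft.graph.group' {
            if ($privilegedGroupNames -contains $name) {
                Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id
                Write-Host "Removed privileged group: $name"
            }
        }
    }
}

# 4. Verify the end state rather than trusting the intent, and record it in the ticket.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($after.AccountEnabled) { throw "Account for $UserPrincipalName is still enabled; escalate" }
Write-Host "Immediate offboarding steps complete for $UserPrincipalName"
```

Run it as soon as HR confirms the departure; the last-day and 30-day items (device collection, mailbox redirection, SaaS audit) remain separate tasks.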

On the last working day:

  • Collect the corporate device; verify it will be remotely wiped if not physically returned
  • Redirect email to manager or designated recipient (time-limited—30–90 days)
  • Transfer ownership of key files and calendar events
  • Remove personal accounts from corporate devices before wiping

Within 30 days of departure:

  • Permanently disable (and after retention period, delete) the user account
  • Audit application access to ensure all third-party SaaS accounts are deactivated
  • Review the former employee's access history for any unusual activity in the days preceding departure
  • Return or wipe corporate devices

The third-party application problem

Every SaaS tool the employee used potentially has an active account. Your offboarding checklist needs to include the full application inventory, not just Microsoft 365.

Use a SaaS management tool (Okta, Torii, Productiv) or maintain a manual application registry. Organizations that don't track their SaaS applications routinely discover active accounts for departed employees months or years later.

MicroPro manages onboarding and offboarding IT workflows for Canadian businesses. A fast, consistent process reduces security risk and frees up time for IT staff. Get in touch to discuss how we support your team lifecycle.