itmystery.com

Employee Is Leaving: Lock Them Out Everywhere

Key takeaway: Microsoft 365 or Google Workspace first, VPN and remote access second, shared credentials third — in that order, on the last day of employment or before it for involuntary departures. Document what you revoked and when.

Most small business data breaches attributed to former employees weren’t attacks — they were access that simply never got revoked. The employee left, nobody changed the passwords, and a shared login or forgotten account sat open for months.

This checklist is meant to be run on the last day of employment, or before, when the departure isn’t on good terms. Work through it in order. The accounts at the top are the most critical.


Before you start: know what you’re revoking

Pull together the accounts this employee had access to. For most small businesses, this falls into four categories:

  1. Email and identity (Microsoft 365, Google Workspace)
  2. Business applications (accounting, CRM, project management, HR)
  3. Infrastructure and IT (VPN, remote access, network equipment, servers)
  4. Shared credentials (Wi-Fi passwords, shared admin accounts, vendor portals)

If you don’t have a list, your first task after this offboarding is to start one.


1. Microsoft 365 / Google Workspace (do this first)

These accounts are the keys to almost everything else. Revoking them also revokes SSO access to any app the employee signed into with “Sign in with Microsoft” or “Sign in with Google.”

Microsoft 365:

  1. Go to admin.microsoft.com → Users → Active users
  2. Select the user → Sign out of all sessions (under the account’s ellipsis menu or “Initiate sign-out”)
  3. Reset the password immediately to something long and random (this invalidates existing sessions on clients that don’t respond to the sign-out)
  4. Enable MFA on the account if it wasn’t already (prevents any recovery attempt using the old phone number)
  5. Remove the Microsoft 365 license if you’re paying per-seat — this saves money and prevents access
  6. Set up email forwarding or auto-reply if the business needs to receive messages sent to this address, then decide how long to keep the mailbox active
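The Microsoft 365 steps above, as an added scripted example using the Microsoft Graph PowerShell SDK (not code from the original article): it blocks sign-in as an extra first action, then revokes sessions, resets the password, sets forwarding, removes licenses, and appends each action to a CSV so the "document what you revoked" step happens automatically. The user principal name, forwarding mailbox and log path are placeholders; enabling MFA and the mailbox-retention decision stay in the admin portal.

```powershell
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $ForwardTo,                         # optional: mailbox that should receive their mail
    [string] $LogPath = ".\offboarding-log.csv"  # the "document what you revoked" record
)

# Scopes cover reading/writing users, changing licenses and revoking sessions
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All","User.RevokeSessions.All" -NoWelcome
$actor = (Get-MgContext).Account
$log = New-Object System.Collections.Generic.List[object]
function Record([string] $Action, [string] $Detail) {
    # every step is timestamped so the record answers "what was revoked, when, and by whom"
    $log.Add([pscustomobject]@{ Time = (Get-Date).ToString("o"); Actor = $actor
                                User = $UserPrincipalName; Action = $Action; Detail = $Detail })
}

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled

# Block sign-in before anything else so no step below races against a live session
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Record "BlockSignIn" "accountEnabled=false"

# Sign out everywhere: invalidates refresh tokens, so clients must re-authenticate (and fail)
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Record "RevokeSessions" "refresh tokens invalidated"

# Reset the password to 32 random bytes that nobody (including you) knows or retains
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }
Record "ResetPassword" "random 256-bit value, not retained"

# Forwarding goes before license removal: an unlicensed mailbox is kept only for a limited time
if ($ForwardTo) {
    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
    Record "ForwardMail" "to $ForwardTo"
}

# Remove every assigned license: frees the seat and cuts off the licensed services
$skus = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId
if ($skus) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
    Record "RemoveLicenses" ($skus -join ";")
}

# Append this run to the offboarding log and show what was done
$log | Export-Csv -Path $LogPath -Append -NoTypeInformation
$log | Format-Table Time, Action, Detail -AutoSize
```

Run it once per departing user; the CSV accumulates the record the "Document it" section asks for.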

Google Workspace:

  1. Go to admin.google.com → Directory → Users
  2. Select the user → Reset sign-in cookies (revokes all active sessions)
  3. Reset the password
  4. Suspend the account rather than deleting it immediately — suspended accounts can’t log in but their data remains accessible to admins while you sort out what to transfer
  5. Set up a vacation responder or forwarding as needed

2. VPN and remote access

If the employee had VPN access, remote desktop access, or any other remote entry point to your network, revoke it before the end of their last day.

VPN: Remove the user from your VPN user list (location varies by vendor — check your VPN admin console). If VPN access was via the same Microsoft 365 or Google credentials, revoking those handles this. If it’s a separate credential, it needs a separate revocation.

Remote Desktop / RDP: If the employee had direct RDP access to any machine, remove their account from the Remote Desktop Users group on each machine (Computer Management → Local Users and Groups → Groups → Remote Desktop Users).
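The RDP step above across more than one machine, as an added example (not from the original article): it removes the account from Remote Desktop Users on every listed host over PowerShell remoting, flags local Administrators membership (which grants RDP regardless of that group), and writes a per-machine record. The account name, host list and output path are placeholders; membership inherited through a domain group is not detected here.

```powershell
param(
    [Parameter(Mandatory)] [string]   $Account,     # e.g. "CORP\jdoe" or a local user name
    [Parameter(Mandatory)] [string[]] $Computers    # hosts the person could RDP into
)

# Assumes WinRM is enabled and the caller is a local administrator on each host
$results = Invoke-Command -ComputerName $Computers -ArgumentList $Account -ScriptBlock {
    param($Account)
    # Microsoft.PowerShell.LocalAccounts ships with Windows 10 / Server 2016 and later
    $members = Get-LocalGroupMember -Group "Remote Desktop Users" -ErrorAction Stop
    if ($members | Where-Object { $_.Name -ieq $Account }) {
        Remove-LocalGroupMember -Group "Remote Desktop Users" -Member $Account
        $status = "removed"
    } else {
        $status = "not a member"
    }
    # Direct local admin rights still allow RDP, so report them rather than silently passing
    $admin = Get-LocalGroupMember -Group "Administrators" | Where-Object { $_.Name -ieq $Account }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RdpGroup   = $status
        LocalAdmin = [bool]$admin
        Checked    = (Get-Date).ToString("o")
    }
}

# Keep the record alongside the rest of the offboarding documentation
$results | Select-Object Computer, RdpGroup, LocalAdmin, Checked |
    Export-Csv -Path .\rdp-revocation.csv -NoTypeInformation
$results | Format-Table Computer, RdpGroup, LocalAdmin -AutoSize
```

Any host reporting LocalAdmin = True needs the account removed from Administrators as well, or disabled at the directory level.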

Remote monitoring software: If your office uses RMM tools (ConnectWise, NinjaRMM, etc.) and the employee was a technician or manager with access, remove their login from the admin portal.


3. Business applications

Work through each application the employee used. Common ones:

  • QuickBooks / accounting software: Remove the user account or downgrade to read-only. Change any shared passwords.
  • CRM (HubSpot, Salesforce, etc.): Deactivate the user. Review recent exports — some CRMs let you see what data was downloaded and when.
  • Project management (Asana, Monday, ClickUp, etc.): Deactivate the user and reassign any open tasks.
  • HR/payroll software: Terminate access. This one often has direct deposit and payroll change capabilities.
  • E-commerce or point-of-sale: Remove the user and change the admin PIN or password.
  • Social media accounts: If the employee managed any business social accounts, change the passwords for those accounts now. Remove the employee’s personal account as an admin if the platform supports that (Facebook Pages, LinkedIn Company Pages).

4. Shared credentials (the ones most businesses forget)

Wi-Fi: If your office Wi-Fi password is something employees know, change it on departure for anyone with access to sensitive systems. This matters more for a small office where the Wi-Fi password is written on the wall than for larger offices with guest networks and per-device authentication.

Shared admin accounts: Any system where the team uses a shared login (one generic admin address with one shared password) needs that password changed when anyone with access leaves.

Vendor portals: Domain registrar, web hosting, DNS, SSL certificate accounts — if the employee touched these, log in and confirm you still have access, then change the password and remove any secondary contacts that were their personal email.

Password manager: If you use a business password manager (LastPass, 1Password, Bitwarden Teams), offboard the user from the admin console and check whether they had access to any shared vaults. Change any shared credentials they had access to that aren’t covered above.


5. Physical access

  • Collect the employee’s laptop, phone, badge, and any other company equipment
  • If the laptop had local data you need, image it before wiping
  • Wipe and reset the device before reissuing or disposing of it — don’t skip this step even for employees who left on good terms
  • Change any physical key codes or keypad PINs the employee knew

6. Device cleanup

If the employee used a personal device for work (BYOD), any work accounts pushed to that device may still be there. If you use mobile device management (MDM — Intune, Jamf, Google Endpoint Management), issue a selective wipe to remove work data from the personal device. If you don’t have MDM and they had company email on their phone, resetting the account password (section 1) forces the device to re-authenticate, which fails because it only has the old password.


Document it

Write down what you revoked, when, and who did it. If a former employee accesses something they shouldn’t, you’ll want a record of what you addressed and when.

The same documentation becomes your starting point for the next offboarding — and eventually, an onboarding checklist that tells you what access to provision in the first place.


The gap most small businesses have

The reason offboarding gets missed or done halfway is that there’s no list of what was provisioned. The fix isn’t a better offboarding process — it’s keeping a simple access log during onboarding. A spreadsheet with one row per employee and columns for each system they have access to takes 10 minutes to set up and turns a chaotic offboarding into a one-hour checklist.

Frequently Asked Questions

Do we need to do this even for employees who left on good terms?

Yes. Access that isn’t explicitly revoked stays open indefinitely. Most credential-related incidents involving former employees aren’t malicious — they’re accidental access through accounts nobody thought to close.

What if we don’t know everything the employee had access to?

Start with the accounts you know about, prioritizing email and remote access above everything else. Then use this offboarding as the starting point for maintaining an access log during onboarding so the next one is faster.

How quickly should we revoke access?

For involuntary departures, before the employee is notified if possible. For planned departures, before the person leaves on their last day. Same-day revocation on the last day is the minimum for any departure.