The complete IT offboarding checklist (with template)
When someone leaves the company, IT has 24 hours to revoke access, 14 days to reclaim assets, and 30 days to close the loop on every loose thread. Skip a step and you've created a security hole, a compliance finding, or a renewal surprise. Here's the checklist that closes them all.
IT offboarding is one of those processes everyone has, in some form, but few have written down. The result is uneven execution: power users get processed cleanly, the contractor in another time zone is forgotten, the manager who knew the most context didn't tell IT until day three.
The checklist below is the tested, sequenced version. Copy it as-is or adapt to your stack — but write it down somewhere your future self can find it.
Pre-departure preparation
For planned departures only. Skip if termination is immediate.
- HR notifies IT of departure date and final business day.
- IT pulls the user's asset and access summary from the inventory.
- Manager identifies critical knowledge / data the user owns; transition plan written.
- Manager identifies handover for owned vendor relationships and contracts.
- Decision: forward email to whom, autoreply text, calendar handover, Slack DM forwards.
- Asset return logistics confirmed (in-office vs. courier kit for remote employees).
Day-of access revocation
The 24-hour window where most damage happens or doesn't.
- Disable identity-provider account (Google, Microsoft, Okta) at end of working day. This must cascade to every connected SaaS automatically.
- Revoke MFA tokens, hardware keys (YubiKey), and authenticator app sessions.
- Force sign-out from active SaaS sessions (Slack, Notion, Salesforce, etc.).
- Reset shared-account passwords the user had access to.
- Revoke VPN, RDP, jump-box, and SSH key access.
- Remove from production access lists (AWS IAM, GCP IAM, Kubernetes RBAC, database accounts).
- Revoke admin access to Stripe, payment processors, hosting accounts, domain registrars.
- Set email autoreply with handover contact; configure forwarding to manager.
- Calendar transferred / meeting ownership reassigned.
- Asset return scheduled with confirmed pickup or shipping label sent.
The single most-missed step
SaaS apps not connected to your IdP. Tools that auth directly with email/password (or apps the user signed up to with their work email but pays for personally) don't deactivate when you disable the IdP account. List these explicitly per user.
Asset reclaim and license cleanup
The lever where most cost savings — and audit findings — live.
- Hardware return tracked: laptop, monitors, peripherals, mobile, security keys, badges. Each item ticked off the asset register.
- Returned hardware data-wiped to certified-erase standard. Wipe certificate stored against the asset record.
- Devices either marked "in pool / available for reassignment" or "queued for retirement" based on warranty status.
- Paid SaaS seats reclaimed across every license the user held. This should happen automatically via IdP cascade — verify it did.
- Tier-licensed products (Microsoft E5, Salesforce Enterprise, Adobe Creative Cloud) explicitly downgraded or reassigned.
- Standalone-billed SaaS (the ones not on the IdP) cancelled or reassigned manually.
- Owned contracts reassigned to a new internal owner. Do not let any contract default to "IT@company.com".
- Email forwarding kept active for 30 days for missed correspondence.
- Personal data exported per local employment law (often 30 days to provide on request).
Audit trail and final checks
The work that makes you defensible to an auditor a year from now.
- Cross-check every system that could have had the user. Run a "find by email" sweep across the SaaS portfolio. Anything missed gets cleaned up here.
- Verify the user's email no longer appears in any active access matrix or shared-folder permission list.
- Confirm hardware fully retired or reassigned; nothing in "pending return" past 30 days.
- Final access-revocation report generated and stored against the user's offboarding record.
- Email forwarding turned off; mailbox archived per retention policy.
- Personal-data deletion run if user requested under GDPR / CCPA, with proof retained.
- Offboarding ticket closed with the audit trail attached.
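The "find by email" sweep above, scripted as an added example (not part of the original checklist or of any vendor's tooling). It also flags the standalone accounts from "the single most-missed step" and hardware still in "pending return" past 30 days; the CSV column names, state values and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). Column names and state
# values are assumptions; map them to whatever your tools export.
IDP_CSV = """email,status,deactivated_on
ana@example.com,active,
bo@example.com,deactivated,2024-03-01
cy@example.com,deactivated,2024-04-20
"""
SAAS_CSV = """app,idp_connected,account_email,state
Slack,yes,bo@example.com,suspended
Salesforce,yes,Bo@Example.com,active
Figma,no,bo@example.com ,active
Notion,yes,ana@example.com,active
Figma,no,cy@example.com,active
"""
ASSET_CSV = """asset_tag,assigned_to,state
LT-001,bo@example.com,pending return
LT-002,cy@example.com,assigned
LT-004,cy@example.com,pending return
"""
TODAY = date(2024, 5, 1)  # constructed run date

def norm(email):
    return email.strip().lower()  # case or stray spaces must not hide an account

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def sweep(idp_csv, saas_csv, asset_csv, today):
    """Return sorted (finding, email, app_or_asset) tuples for departed users."""
    gone = {norm(r["email"]): date.fromisoformat(r["deactivated_on"])
            for r in load(idp_csv) if r["status"] == "deactivated"}
    findings = []
    for r in load(saas_csv):
        email = norm(r["account_email"])
        if email in gone and r["state"] == "active":
            kind = "cascade_failed" if r["idp_connected"] == "yes" else "standalone_account"
            findings.append((kind, email, r["app"]))
    for r in load(asset_csv):
        email = norm(r["assigned_to"])
        if email in gone and r["state"] == "assigned":
            findings.append(("ghost_asset", email, r["asset_tag"]))
        elif (email in gone and r["state"] == "pending return"
              and (today - gone[email]).days > 30):
            findings.append(("return_overdue", email, r["asset_tag"]))
    return sorted(findings)
```

Attach the returned list to the offboarding record; an empty list is the evidence that the sweep found nothing left behind.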
The 5 offboarding metrics worth tracking
- Same-day access revocation rate. Target: 100% of IdP-connected access revoked end-of-day.
- 14-day asset return rate. Target: 90%+ for in-office, 80%+ for remote.
- Mean time to license reclaim. Target: same day for IdP-connected, 7 days for standalone.
- Ghost asset count. Devices assigned to deactivated users. Target: 0.
- Audit findings on offboarding. Target: 0 per audit cycle.
Special cases
Contractors and agencies
Contractors often have shorter engagements but the same access. Mark contracts with end dates in the system, and auto-trigger the offboarding workflow at end-of-engagement, not just at termination.
Involuntary terminations
Access revocation runs before the meeting that delivers the news. Hardware retrieval planned in advance. Email autoreply set, but content reviewed by HR and legal.
Mergers / acquisitions / divestitures
Bulk offboarding requires the same playbook scaled up. Run pilot batches first; the corner cases at scale are the same as for a single departure, but they happen 100x in parallel.
Death of an employee
Treat with sensitivity. Most steps still apply but on a slower timeline. Coordinate closely with HR and family for personal-data handling.
Tooling that makes this work
The checklist can be run by people alone, without tooling, but the failure rate climbs at every step. The right setup:
- An IdP (Google / Microsoft / Okta) that cascades to every connected SaaS.
- An IT asset management platform that tracks hardware return SLAs.
- An offboarding ticket workflow that blocks closure until every step is checked.
- A monthly reconciliation that flags ghosts.
InventorIA covers steps 2 and 4 natively — the moment the IdP marks a user inactive, hardware reclaim, license reclaim, and contract reassignment workflows fire automatically. The audit trail writes itself.