The short version: when someone leaves, check their identity account and sessions, email rules and delegation, files they own, shares they created, group and admin memberships, SaaS seats, client and partner-granted access, OAuth grants and API keys, automations they own, AI tools they connected, MFA devices, and every shared credential they knew. Transfer ownership before removing anything, and write down what you did.
1. Identity account
- Disable sign-in in Google Workspace or Microsoft 365. Do not delete the account yet; deletion destroys files, mail, and audit history you may need.
- Revoke all active sessions, app passwords, and backup codes, then reset the password so nothing cached on a device can sign in again.
- Remove the account from admin roles and note which roles it held.
- Check for secondary or service accounts the person controlled.
2. Email
- Check forwarding rules, both mailbox-level forwarding and filters that forward. A departing user forwarding mail to a personal address is one of the most common findings in any audit.
- Remove delegate and send-as access they held on other mailboxes, and that others held on theirs.
- Set up mail handling: delegate, auto-reply, or forward to a manager, per your policy.
3. Files and drives
- Transfer ownership of their files and any shared drives they own before the account is removed.
- Review shares they created, especially anything shared externally or to anyone with the link.
- Check personal-account syncing: Drive for desktop, OneDrive, or Dropbox clients on personal devices.
4. Groups, chat, and internal tools
- Remove them from groups and distribution lists, and reassign any groups they owned.
- Deactivate Slack, Teams, Notion, ClickUp, Asana, and other collaboration seats. Reassign owned pages, boards, and integrations.
- Check project tools for tasks, docs, or automations only they could edit.
5. SaaS seats and billing
- Work from your SSO or password manager list, not from memory. Every SaaS tool they used needs a decision.
- Reassign seats where their account owns data; cancel where it does not.
- Check whether they are the billing owner or admin anywhere. Billing owners are found the hard way when a card expires.
6. Client and external access
- List every client system they could reach: ad accounts, stores, CMSs, CRMs, analytics, hosting, repos.
- Remove their access from client systems, and notify the client where your agreement requires it.
- Check partner-granted access: Meta Business Manager roles, Shopify collaborator accounts, GitHub org membership.
7. OAuth grants, API keys, and automations
- Review third-party apps authorized under their account; revoking sign-in does not always revoke tokens, so revoke grants explicitly.
- Rotate API keys they created or knew, especially any keys in scripts, automations, or shared docs.
- List Zapier, Make, and n8n workflows running under their account. Recreate them under a service account before disabling anything, or workflows fail silently.
8. AI tools
- Check which AI assistants, agents, or meeting bots they connected to company email, drives, or CRMs.
- Remove their seats in AI tools and revoke connectors they authorized.
- Check for personal AI accounts used with company data; you cannot revoke those, but you can record the exposure.
9. Devices, MFA, and shared credentials
- Collect or wipe company devices, and remove company accounts from personal devices where policy allows.
- Remove their MFA devices and phone numbers from any shared or system accounts.
- Rotate every shared credential they knew: wifi, root accounts, social media, registrar, hosting. If it was in the password vault, assume they saw it.
10. Write it down
- Record what was checked, what was found, what was removed, and what was deliberately kept, with dates.
- Keep the record. It answers client, insurance, and legal questions months later.
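Steps 2, 3, 7 and 10 above are the ones that reduce to a repeatable sweep over admin exports. The script below is an added example, not part of the original checklist: it takes constructed sample exports (forwarding rules, mailbox delegates, file shares, OAuth grants, shaped loosely like the CSV or JSON an admin console hands you), flags external forwards, delegation in both directions, link or external shares, and every authorized app for the departing user, then emits the dated record step 10 asks for. The company domain, the export field names, and the sample rows are all assumptions; in a real run you would load the exports from your Workspace or Microsoft 365 tenant instead.

```python
"""Offboarding sweep over admin exports for one departing user (added example).

Finds external mail forwards, delegation, risky file shares and OAuth grants,
then writes the dated record of what was checked, found, removed and kept.
"""
from datetime import date
import json

COMPANY_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
AREAS = ("email", "files", "oauth")  # areas this sweep covers

# Constructed sample exports (not real data); field names are assumptions.
FORWARDING = [  # mail forwarding rules, one row per rule
    {"user": "dana@example.com", "to": "dana.personal@gmail.com", "enabled": True},
    {"user": "dana@example.com", "to": "team-inbox@example.com", "enabled": True},
    {"user": "sam@example.com", "to": "sam.old@outlook.com", "enabled": False},
]
DELEGATES = [  # mailbox delegation, one row per (mailbox, delegate) pair
    {"mailbox": "ceo@example.com", "delegate": "dana@example.com"},
    {"mailbox": "dana@example.com", "delegate": "assistant@example.com"},
]
SHARES = [  # file shares, one row per (file, grantee); "anyoneWithLink" is a link share
    {"owner": "dana@example.com", "file": "Q3 pricing.xlsx", "with": "anyoneWithLink"},
    {"owner": "dana@example.com", "file": "roadmap.docx", "with": "vendor@partner.io"},
    {"owner": "dana@example.com", "file": "notes.txt", "with": "sam@example.com"},
]
OAUTH_GRANTS = [  # third-party apps authorised under a user account
    {"user": "dana@example.com", "app": "Zapier", "scopes": ["gmail.readonly", "drive"]},
    {"user": "dana@example.com", "app": "Meeting notetaker", "scopes": ["calendar"]},
]


def is_external(grantee):
    """True for a link share or any address outside the company's domains."""
    if grantee == "anyoneWithLink":
        return True
    return grantee.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS


def sweep(user):
    """Return findings for one user as (area, detail, action) tuples."""
    findings = []
    # Email: only enabled forwards matter; external destinations are removed outright.
    for rule in FORWARDING:
        if rule["user"] != user or not rule["enabled"]:
            continue
        if is_external(rule["to"]):
            findings.append(("email", f"active forward to external {rule['to']}", "remove"))
        else:
            findings.append(("email", f"active forward to {rule['to']}", "review per policy"))
    # Email: delegation they hold on other mailboxes, and delegation others hold on theirs.
    for d in DELEGATES:
        if d["delegate"] == user:
            findings.append(("email", f"delegate on {d['mailbox']}", "remove"))
        elif d["mailbox"] == user:
            findings.append(("email", f"{d['delegate']} is delegate on mailbox", "remove"))
    # Files: link and external shares are removed; internal shares survive transfer of ownership.
    for s in SHARES:
        if s["owner"] != user:
            continue
        if is_external(s["with"]):
            findings.append(("files", f"{s['file']} shared with {s['with']}", "remove share"))
        else:
            findings.append(("files", f"{s['file']} shared with {s['with']}", "transfer ownership"))
    # OAuth: every grant is revoked explicitly; note which ones hold mail or drive scopes.
    for g in OAUTH_GRANTS:
        if g["user"] == user:
            data = [sc for sc in g["scopes"] if sc.startswith(("gmail", "drive"))]
            note = f" (data scopes: {', '.join(data)})" if data else ""
            findings.append(("oauth", f"{g['app']}{note}", "revoke grant explicitly"))
    return findings


def build_record(user, findings, kept, ran_by, today=None):
    """Dated record of what was checked, found, removed and deliberately kept."""
    today = today or date.today()
    return {
        "user": user,
        "date": today.isoformat(),
        "ran_by": ran_by,
        "checked": list(AREAS),
        "found": [{"area": a, "detail": d, "action": act} for a, d, act in findings],
        "kept": kept,
    }


if __name__ == "__main__":
    found = sweep("dana@example.com")
    record = build_record("dana@example.com", found,
                          kept=["mailbox retained 90 days, delegated to manager"],
                          ran_by="it-admin")
    print(json.dumps(record, indent=2))
```

The record is the artefact to keep: each finding carries the action taken, and `kept` lists what was deliberately left in place, so the question "did anyone check the forwards?" has a dated answer months later.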
Why offboarding fails: not because teams do not care, but because the list above lives in nobody's job description. The fix is a written checklist owned by one person and run the same way every time. If you want your version built from your actual stack, that is part of every Access and Offboarding Audit.
Dealing with a departure that already happened?
A Departure Lockdown sweeps all of the above fast, documents what was found, and closes access in an order that will not break your operations.
See Departure Lockdown