← Back to blog
·8 min read

Employee Offboarding Checklist for Remote Teams

A complete IT offboarding checklist for remote teams. Revoke access in 15 minutes, not 15 days.

Someone leaves your company on Friday. On Monday, they can still read every message in your Slack, access your shared Google Drive, and log into your customer-facing tools. This happens at most remote companies and nobody notices until something goes wrong.

40% of ex-employees retain access to corporate apps after leaving. That's not a rounding error. That's a security risk sitting in plain sight.

Here's a complete offboarding checklist broken into three phases: what to do immediately, what to do the same day, and what to wrap up within a week.

Why this matters more for remote teams

In an office, there's a natural offboarding moment. Someone hands in their badge, returns their laptop, and walks out the door. The physical act of leaving triggers the process.

Remote teams don't have that. Someone's last day can feel like any other day. They close their laptop, and unless you have a process, all their access stays active indefinitely.

The risks are real. A disgruntled ex-employee with active access to your Notion, customer Slack channels, or shared credentials can do serious damage. Even without malicious intent, orphaned accounts are a compliance liability and a vector for credential stuffing attacks.

Phase 1: Immediate (within 15 minutes)

These actions should happen the moment the employee's departure is confirmed. Not at the end of the day. Not tomorrow morning. Right now.

Disable SSO / identity provider account

If you're using Google Workspace, Microsoft 365, Okta, or any other identity provider, suspend or disable the user's account immediately. This is the single most important step because it cuts off access to every app connected via SSO.

Google Workspace: Admin console > Directory > Users > Select user > Suspend user.

Okta: Admin > People > Select user > Deactivate.

Don't delete the account yet. You may need to transfer files and data. Suspension blocks login while preserving the account contents.

Revoke email access

If email isn't connected to SSO (it should be, but sometimes it isn't), disable the email account separately. Set up a forwarding rule to the employee's manager or a shared inbox so nothing falls through the cracks.

Remove from Slack and Teams

Remove the user from your Slack workspace or Teams tenant. In Slack, go to Settings > Manage Members > Deactivate. This removes them from all channels, including private ones and shared channels with external partners.

Suspend MDM-managed device

If the employee's device is enrolled in MDM, lock it remotely. Don't wipe it yet. You may need data from it. But locking it prevents further use while you sort out the rest.

Revoke VPN and remote access

If you use a VPN, remove the user's credentials or certificates. Same for any remote desktop or SSH access.

Phase 2: Same day

Once the immediate risks are contained, work through these items before end of business.

Rotate shared credentials

Check your password manager for any credentials the departing employee had access to. This includes shared team vaults, service accounts, API keys, and any credentials that were shared outside the password manager (which shouldn't happen, but often does).

Change these passwords. All of them. If the employee had access to admin credentials for any critical service, those need to rotate first.

Transfer file ownership

In Google Workspace, use the data transfer tool (Admin > Directory > Users > Select user > Transfer ownership) to move Drive files, Calendar events, and other data to their manager or a designated successor.

For other tools (Notion, Figma, Dropbox), transfer ownership of shared resources and remove the user as an owner or editor.

Recover software licenses

Check which paid tools the employee had seats for. Reclaim those licenses so you're not paying for unused seats. Common ones to check: Slack, Zoom, Figma, Adobe Creative Cloud, GitHub, Notion, Linear, and any industry-specific tools.

Remote wipe the device

Once you've confirmed there's no data that needs to be recovered, issue a remote wipe through your MDM platform. This restores the device to factory settings and removes all company data.

If the device belongs to the company, arrange for it to be shipped back. Include a prepaid shipping label with the offboarding communication.

If it's a BYOD situation, remove the managed profile instead of wiping the entire device. This removes company data and configurations while leaving personal data intact.

Disable MFA tokens

Remove the user's MFA tokens and authentication app registrations. If they were using hardware security keys (YubiKeys), arrange for those to be returned.

Remove from shared calendars and groups

Remove the user from distribution lists, shared calendars, email groups, and mailing lists. These are easy to forget and can leak information for months.

Phase 3: Within one week

These items aren't urgent but they need to happen to close out the offboarding completely.

Update internal documentation

Remove the employee from your org chart, team directory, and any internal wikis that reference them. Update documentation that listed them as a point of contact or process owner.

Remove from vendor and partner accounts

Check external tools and vendor portals where the employee had accounts. This includes AWS, cloud platforms, analytics tools, ad platforms, customer support tools, and any third-party services.

These are the hardest to catch because they often aren't connected to SSO. Keep a running list of all vendor accounts as part of your IT documentation so you know where to look.

Remove from customer-facing systems

If the employee had access to customer environments, CRM systems, or partner portals, revoke that access. Notify relevant customers or partners if required.

Confirm with the manager

Send the employee's manager a checklist summary. Ask them to confirm there are no other tools, accounts, or access points you might have missed. Managers often know about shadow IT that isn't officially documented.

Delete the account (after retention period)

After a reasonable retention period (typically 30-90 days depending on your policy and any legal requirements), delete the suspended account. Before deletion, make sure all necessary data has been transferred and backed up.

The template

Copy this and adapt it for your team. Every offboarding should follow the same process, regardless of whether the departure is voluntary or involuntary.

Immediate (within 15 minutes)

  • Suspend SSO / identity provider account
  • Disable email access and set up forwarding
  • Remove from Slack / Teams
  • Lock device via MDM
  • Revoke VPN and remote access

Same day

  • Rotate all shared credentials the employee had access to
  • Transfer file ownership (Drive, Notion, Figma, etc.)
  • Reclaim software licenses
  • Remote wipe company device (or remove managed profile for BYOD)
  • Disable MFA tokens and recover hardware keys
  • Remove from shared calendars and distribution groups

Within one week

  • Update internal documentation and org chart
  • Remove from vendor and partner accounts
  • Remove from customer-facing systems
  • Confirm completion with manager
  • Schedule account deletion after retention period

Building this into a repeatable process

A checklist only works if people actually use it. Here's how to make offboarding consistent:

Store the checklist where it can't be missed. Put it in your HR system's offboarding workflow, your Notion runbook, or wherever your team manages processes. Don't bury it in a Google Doc nobody opens.

Assign a single owner. One person should be responsible for executing the IT side of every offboarding. If you have a dedicated IT person or fractional IT contractor, that's them. If not, designate someone on the ops team.

Automate what you can. If your HR system (Rippling, BambooHR) integrates with your identity provider, set up automated triggers. When HR marks someone as terminated, IT gets notified automatically. Some platforms can even handle the SSO suspension and license reclamation without manual intervention.

Run quarterly access reviews. Even with a solid offboarding process, things slip through. Once a quarter, review who has access to your critical tools and compare against your current employee list. You'll almost always find orphaned accounts.

Time it right. For voluntary departures, coordinate the IT offboarding with the employee's last day and time. For involuntary departures, execute the immediate phase before or simultaneously with the termination conversation. Don't wait.

What most companies get wrong

The biggest mistake isn't missing a step. It's not having a process at all. When offboarding is ad hoc, things get forgotten every single time.

The second biggest mistake is only offboarding from the obvious tools. Slack and email are easy to remember. The customer Notion workspace, the shared Figma account, the Chrome extension with access to company data: those are what get missed.

If you want someone to handle this for you, including building the process, maintaining the checklist, and executing every offboarding, that's a core part of what I do for remote teams. Book a call and we can talk through your current setup.

Related posts

·3 min read

Employee Offboarding Checklist for Remote Teams

A step-by-step offboarding process that ensures no access is left behind, no devices go missing, and no licenses go to waste.

offboardingsecurityremote teamschecklist
·6 min read

Your Ex-Employees Probably Still Have Access to Everything

Most companies never fully revoke access when someone leaves. Here's why it happens and how to fix it before it costs you.

securityoffboardingaccess managementsaas
·8 min read

The IT Mistakes Every Remote Startup Makes

The 10 most common IT mistakes remote startups make, why they happen, and exactly how to fix each one.

startupsit mistakesremote teamssecurity