How Poor Employee Offboarding Creates Security Risks
Departures are the single most common source of unmanaged access and licensing leakage in SMBs. A practical look at what a real offboarding runbook covers.
Offboarding is the part of IT that most SMBs treat as administrative housekeeping. Someone leaves, HR sends a note, the office manager disables the email account a few days later, and life moves on. From a security and operations perspective this is one of the highest-risk processes in the business, and it is almost always under-engineered.
We routinely audit tenants where ex-employees still have active Microsoft 365 licenses 12 months after departure, where personal devices still sync corporate OneDrive, and where shared SaaS logins have not been rotated since the person who knew the password left. Every one of those is a slow-burning security risk - and a quiet drain on licensing spend.
What unmanaged offboarding actually looks like
In most SMBs without a documented runbook, offboarding consists of three steps: disable the email account, change the Wi-Fi password if leadership feels nervous, and move the laptop to the storage closet. Everything else - SaaS apps, shared mailboxes, personal device sync, license assignments, document ownership, Teams membership, vendor portals - is left in whatever state it was on the person's last day.
The compounding effect is severe. After a year or two of departures, a 60-person company can easily have 200 active accounts across its SaaS estate, 15 to 20 of which belong to people who no longer work there. Each is a potential credential-stuffing target, an audit finding, and a line on the monthly invoice.
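The stale accounts described above are easy to find once you look. The following script is an added example, not part of the original article or any tool it mentions: it lists accounts in a Microsoft 365 tenant that still carry a licence but are sign-in blocked, have never signed in, or have not signed in for a configurable number of days. It assumes the Microsoft.Graph PowerShell module is installed, that the operator can consent to the listed scopes, and that the tenant has Entra ID P1 (the signInActivity property is only populated with that licence). The 90-day threshold and the report path are choices made for this example, not figures from the article.

```powershell
<#
  Added example (not from the article): flag licensed accounts that look like unmanaged leavers.
  Assumptions: Microsoft.Graph module installed; signInActivity needs Entra ID P1 and the
  AuditLog.Read.All scope; the threshold and CSV path are example defaults, not the article's.
#>
param(
    [int]    $StaleDays  = 90,
    [string] $ReportPath = '.\stale-licensed-accounts.csv'
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Organization.Read.All' -NoWelcome

# Map SKU ids to part numbers so each line of the report can be matched against the invoice.
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

$cutoff = (Get-Date).AddDays(-$StaleDays)
$users  = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled,
                                    AssignedLicenses, SignInActivity

$findings = foreach ($u in $users) {
    if ($u.AssignedLicenses.Count -eq 0) { continue }     # unlicensed accounts cost nothing here
    $last = $u.SignInActivity.LastSignInDateTime           # $null when never signed in (or no P1)

    # Disabled-but-licensed is the classic "offboarded by the office manager" signature:
    # sign-in was blocked, but the licence (and everything it grants) was never removed.
    $reason = if (-not $u.AccountEnabled) { 'disabled-but-licensed' }
              elseif ($null -eq $last)    { 'never-signed-in' }
              elseif ($last -lt $cutoff)  { "no-sign-in-$StaleDays-days" }
              else                        { $null }

    if ($reason) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Name       = $u.DisplayName
            Enabled    = $u.AccountEnabled
            LastSignIn = $last
            Licenses   = ($u.AssignedLicenses | ForEach-Object { $skuNames[$_.SkuId] }) -join ';'
            Reason     = $reason
        }
    }
}

$findings | Sort-Object Reason, LastSignIn | Export-Csv -Path $ReportPath -NoTypeInformation
$licensed = @($users | Where-Object { $_.AssignedLicenses.Count -gt 0 }).Count
"{0} of {1} licensed accounts flagged; report written to {2}" -f @($findings).Count, $licensed, $ReportPath
```

Run it on a schedule and diff the CSV against the HR leaver list: every `disabled-but-licensed` row is a licence to reclaim, and every `no-sign-in` row on an enabled account is either a leaver nobody offboarded or a service account that should not hold a user licence in the first place.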
The real risk: persistent access after departure
An ex-employee who left on good terms is rarely the threat. The threat is the credentials they used - reused on personal accounts, captured in a third-party breach, or sitting in a password manager on a personal device that gets sold on a marketplace two years later. If those credentials still work against your Microsoft 365 tenant or your CRM, the attacker does not need to be sophisticated.
The other threat is the departure that does not go cleanly. A frustrated employee with two weeks of notice, full SharePoint access and an unmonitored OneDrive can quietly exfiltrate the customer list. We have investigated several of these. The technical trace is there in the audit logs - provided mailbox auditing was enabled, DLP was watching, and someone was actually reviewing the alerts.
What a real offboarding runbook covers
- Disable the user account in Entra ID within minutes of the agreed cutoff time - not the next day
- Revoke active sessions and refresh tokens (sign the user out of every session everywhere)
- Reset the password to a long random string before disabling, in case any service still authenticates as the user
- Convert the mailbox to shared and assign ownership to the manager - then remove the M365 license
- Transfer OneDrive contents to the manager or a defined inheritor before account deletion
- Remove the user from all Teams, SharePoint sites, distribution groups and security groups
- Wipe corporate data from personal devices via Intune mobile application management
- Retrieve and re-image the corporate laptop; document serial number, condition and disposition
- Rotate shared credentials in the password manager - and audit which shared logins the user could see
- Remove the user from every SaaS app: CRM, accounting, file sharing, project management, dev tools, vendor portals
- Disable physical access: door codes, alarm codes, building access cards, parking passes
- Log the offboarding in the ticket system with a checklist and a timestamped sign-off
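The first seven tenant-side items in the runbook can be driven from one script so that they happen in the right order and at the agreed cutoff, not when someone gets around to it. The script below is an added example written for this article, not the author's own runbook tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the User Administrator and Exchange Administrator roles, and that the user and manager UPNs are supplied by the ticket; the Intune cmdlet `Invoke-MgRetireDeviceManagementManagedDevice` is assumed to be the generated wrapper for the Graph `retire` action. The items that live outside the tenant (laptop retrieval, shared-credential rotation, third-party SaaS apps, physical access) are recorded in the log as open manual tasks rather than automated.

```powershell
<#
  Added example (not from the original article): tenant-side offboarding runbook for Microsoft 365,
  following the checklist order. Assumptions: Microsoft.Graph + ExchangeOnlineManagement modules,
  User Administrator and Exchange Administrator roles, placeholder UPNs replaced by the ticket values.
#>
param(
    [Parameter(Mandatory)] [string] $UserUpn,     # leaver, e.g. leaver@example.com (placeholder)
    [Parameter(Mandatory)] [string] $ManagerUpn,  # inherits the shared mailbox
    [string] $TicketId = 'TICKET-PLACEHOLDER',    # ticket that triggered the runbook
    [string] $LogPath  = ".\offboarding-$($UserUpn -replace '[^\w.-]', '_').json"
)

$log = [System.Collections.Generic.List[object]]::new()
function Step([string] $Name, [scriptblock] $Action) {
    # Every step is timestamped so the ticket closes on an auditable record (last checklist item).
    $entry = [ordered]@{ time = (Get-Date).ToString('o'); step = $Name; status = 'ok'; detail = '' }
    try   { $entry.detail = [string](& $Action) }
    catch { $entry.status = 'failed'; $entry.detail = $_.Exception.Message }
    $log.Add($entry)
    Write-Host ("[{0}] {1}: {2}" -f $entry.status, $Name, $entry.detail)
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All',
    'GroupMember.ReadWrite.All', 'DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserUpn -Property Id, DisplayName, UserPrincipalName

# 1. Reset to a long random password BEFORE disabling: anything still authenticating as the user
#    (scripts, mail clients, a password written in a shared spreadsheet) is cut off even if the
#    sign-in block is later lifted by mistake. The value is never stored or displayed.
Step 'Reset password' {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)      # 256 bits of entropy
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $false }
    'password rotated (not logged)'
}

# 2. Block sign-in at the cutoff time, not the next day.
Step 'Disable account' { Update-MgUser -UserId $user.Id -AccountEnabled:$false; 'accountEnabled=false' }

# 3. Invalidate refresh tokens so Outlook, Teams and browser sessions die at their next token refresh.
Step 'Revoke sessions' { Revoke-MgUserSignInSession -UserId $user.Id | Out-Null; 'refresh tokens revoked' }

# 4. Convert to a shared mailbox and hand it to the manager, THEN remove the licence. Doing it the
#    other way round schedules the mailbox for deletion once the licence grace period ends.
Step 'Convert mailbox to shared' {
    Set-Mailbox -Identity $UserUpn -Type Shared
    Add-MailboxPermission -Identity $UserUpn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null
    "shared; FullAccess granted to $ManagerUpn"
}
Step 'Remove licenses' {
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skus.Count -gt 0) { Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null }
    "removed $($skus.Count) SKU(s)"   # group-assigned licences must be handled in the licensing group
}

# 5. Strip group memberships: Teams and SharePoint-backed Microsoft 365 groups, security groups.
#    Dynamic and on-premises-synced groups cannot be edited here; failures stay in the log for follow-up.
Step 'Remove group memberships' {
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    $removed = 0
    foreach ($g in $groups) {
        try   { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id; $removed++ }
        catch { Write-Warning "Could not remove from $($g.AdditionalProperties['displayName']): $_" }
    }
    "removed from $removed of $(@($groups).Count) groups"
}

# 6. Retire Intune-managed devices: corporate data and the management profile go, personal data stays.
#    (Cmdlet name assumed to wrap the Graph managedDevice 'retire' action.)
Step 'Retire managed devices' {
    $devices = @(Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserUpn'")
    foreach ($d in $devices) { Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id }
    "retire issued for $($devices.Count) device(s)"
}

# 7. Steps this script cannot perform are logged as open so the ticket cannot be closed with them forgotten.
foreach ($manual in 'OneDrive transferred to inheritor', 'Laptop retrieved and re-imaged',
                    'Shared credentials rotated in password manager', 'SaaS app access removed',
                    'Physical access disabled') {
    $log.Add([ordered]@{ time = (Get-Date).ToString('o'); step = $manual; status = 'open'; detail = 'manual' })
}

$log | ConvertTo-Json -Depth 3 | Set-Content -Path $LogPath
Write-Host "Offboarding log for $UserUpn ($TicketId) written to $LogPath"
```

The JSON log is the artefact that gets attached to the ticket: any step with `status: failed` or `status: open` is a line the named owner still has to sign off before the ticket closes, which is exactly the loop the "Why this fails" section says most SMBs never close.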
Why this fails in most SMBs
The runbook above is not complicated. It fails because it is owned by no one. HR thinks IT is handling it, IT thinks the office manager is handling it, and the SaaS apps that finance, marketing and sales each spun up independently are not on any inventory. By the time someone notices, the institutional memory of what the departed person had access to is gone.
The fix is ownership and inventory. One person or one team owns offboarding end-to-end. There is a single document - kept current - that lists every SaaS app the company uses and who pays for it. HR triggers the runbook from a ticket, not from a Slack message. The runbook closes only when every line is signed off.
The licensing angle
Beyond the security risk, unmanaged offboarding quietly inflates IT spend. Microsoft 365 Business Premium licenses, Adobe Creative Cloud seats, Salesforce users, Atlassian seats, Zoom Pro accounts - each at $20 to $200 per month. A 40-person SMB that has not cleaned up in two years is typically paying for 15 to 25 percent more licenses than it actively uses.
A clean offboarding process pays for itself in software cost recovery within the first year, before any security benefit is counted. This is one of the easier wins to demonstrate to leadership when justifying a more disciplined IT process.
Bottom line
Offboarding is one of those processes that quietly determines how secure and how expensive your IT environment becomes over time. The companies that do it well have a documented runbook, a named owner, and a habit of closing the loop. The companies that do not find out the cost during an audit, an insurance renewal, or a breach investigation - none of which are good moments to discover the problem.