NavaSolutions logoNavaSolutions
All articlesCybersecurity

The Day an Employee Leaves: The Offboarding Checklist Most Businesses Get Wrong

NavaSolutions Team · July 1, 2026

When an employee or contractor leaves, most of the attention goes to the exit interview, the final paycheck, and collecting the laptop. The part that actually creates risk is quieter: the accounts, mailboxes, and file access that stay live long after the person is gone. Dormant accounts are one of an attacker's favorite ways in — still valid, still trusted, and no longer watched by anyone. Here's how offboarding goes wrong, and the checklist that closes the gaps.

Why a forgotten account is such a gift to attackers

An active account belonging to someone who no longer works for you is close to a perfect target. Nobody signs into it, so nobody notices when someone else does. Its password was often reused somewhere that has since been breached. And it usually still has access to email, files, and apps. Give an attacker a valid login that no one is watching, and they can read email, download files, and send convincing phishing from a trusted address for weeks before anyone connects the dots.

Three ways offboarding quietly goes wrong

The account that never got turned off. Picture a salesperson who leaves on good terms. HR processes the paperwork; IT is told to handle it "sometime next week." Three months later that account — still active, still licensed — is signed into from overseas using a password that leaked in an unrelated breach. Because no one was watching a mailbox no one used, the intruder quietly forwards a copy of every incoming email to themselves and starts reading. The first anyone hears of it is when a customer asks why "your former rep" just emailed them a fake invoice.

The contractor with keys nobody collected. A contractor wraps up a three-month project. Their main account gets disabled — but along the way they'd been added to a shared mailbox, two SharePoint sites, and a Teams channel, and given delegate access to a manager's calendar. None of that is tied to the disabled account, so it lingers untouched. Months later, that leftover access is exactly the foothold that turns a minor credential leak into a real incident.

The "clean" deletion that lost the data. Overcorrecting is a risk too. A well-meaning admin deletes a departing employee's account the same afternoon — and with it, the OneDrive files and mailbox that nobody had copied first. Now the company has lost a project's worth of documents and can't respond to a legal hold. Offboarding isn't only about cutting access fast; it's about preserving what matters before you do.

The offboarding checklist most businesses get wrong

Good offboarding is a repeatable checklist, run the moment someone's access should end — not an afterthought that happens whenever IT gets a chance. A complete one covers all of this:

  • Disable sign-in immediately — block the account the moment the person leaves. Don't wait, and don't delete it yet.
  • Kill active sessions — reset the password and revoke active sessions and tokens, so anyone already signed in is forced out. A disabled account with a live session is still a live session.
  • Remove MFA methods and app passwords — so old authentication methods can't be used to quietly get back in.
  • Hunt for forwarding rules and delegate access — the leftovers attackers hide behind. Check the mailbox for auto-forwarding and delegated permissions before you close it out.
  • Strip group, shared-mailbox, SharePoint, and Teams access — the access that isn't attached to the main account is exactly what gets forgotten.
  • Preserve the data first — convert the mailbox to shared or apply retention, and reassign OneDrive files, before you delete anything.
  • Reclaim and wipe the device — retire or wipe company data from laptops and phones, including personal (BYOD) devices.
  • Rotate shared secrets — any shared logins, Wi-Fi passwords, or service-account credentials the person knew.
  • Verify, then document — confirm the access is actually gone and keep a record. "Disabled" and "verified disabled" are not the same thing.

Dormant access is exactly what we look for

Lingering accounts, forgotten delegations, and stale device access are some of the most common things we find when we review a Microsoft 365 tenant — and they're precisely the gaps attackers exploit. Our free Microsoft 365 security review surfaces dormant accounts, risky mailbox delegations, and hidden forwarding rules in your environment — read-only, up to 25 users. If you'd like offboarding handled consistently every single time, that's part of what our managed cybersecurity service does. And if you want to see what an attacker actually does once they're inside one of those forgotten accounts, we broke it down in nine Microsoft 365 warning signs.

Already dreading your next support ticket?

Get a free IT second opinion. We will review your current setup and show you — no obligation — exactly where your provider is leaving you exposed, overcharged, or waiting too long.