What to Do When an Employee Leaves — Secure Offboarding for 365 & Workspace
When an employee resigns or is terminated, the focus is often on knowledge transfer and finding a replacement. However, one of the most critical tasks is the digital offboarding process. In an era where business operations live in the cloud, failing to properly revoke access from platforms like Microsoft 365 and Google Workspace can expose your organization to significant data security risks. A former employee retaining access, even unintentionally, can lead to data breaches, compliance violations, and loss of intellectual property. A structured offboarding checklist is not just good IT hygiene; it’s a fundamental security measure.
Step 1: Immediately Revoke Access to Primary Accounts
The moment an employee’s departure is confirmed, their primary account access should be terminated. This is the single most important step in preventing unauthorized activity.
- For Microsoft 365: The first action should be to block the user’s sign-in. This immediately cuts off access to all services, including Outlook, Teams, and OneDrive. You can do this from the Microsoft 365 admin center. Do not delete the account yet; just block it.
- For Google Workspace: From the Admin console, suspend the user. Similar to blocking a sign-in, this prevents the user from accessing Gmail, Drive, and other Google services.
This initial step acts as a digital gate, locking the door while you sort out the contents inside.
Step 2: Secure and Transfer Data
With access revoked, the next priority is to secure and manage the data associated with the account. The departed employee’s mailbox and cloud storage contain valuable information, from client communications to project files.
- Email Forwarding: Set up email forwarding from the former employee’s mailbox to their manager or a designated replacement. This ensures that incoming client or vendor emails are not missed. In Microsoft 365, you can convert the mailbox to a shared mailbox, which doesn’t require a license but preserves the data. In Google Workspace, you can set up email routing.
- File Ownership Transfer: Transfer ownership of all files and folders in the user’s OneDrive (for M365) or Google Drive (for Workspace). This prevents critical documents from being orphaned or deleted. Assign ownership to the employee’s direct manager to ensure continuity.
Step 3: Manage App Integrations and Device Access
An employee’s primary account is often used to sign into dozens of third-party applications (e.g., Salesforce, Slack, Asana). You must sever these connections as well.
- Review Connected Apps: In both Microsoft 365 and Google Workspace, you can review the third-party apps that have been granted access via the user’s account. Revoke permissions for all of them.
- Wipe Company Devices: If the employee used a company-issued laptop or mobile phone, use your mobile device management (MDM) solution (like Microsoft Intune or Google Endpoint Management) to remotely wipe all company data from those devices. This ensures that no sensitive information remains on hardware that is no longer under your control.
Step 4: Reassign Licenses and Delete the Account
After a designated period—typically 30 to 90 days—and once you have confirmed that all necessary data has been transferred, you can proceed with deleting the account.
- Reclaim the License: Before deleting the user, reassign their Microsoft 365 or Google Workspace license to a new employee or return it to your available license pool. This is a crucial cost-management step.
- Final Deletion: Once the license is unassigned and you are confident no further data is needed, you can permanently delete the user account. Both platforms have a grace period (usually 30 days) during which you can restore the account if necessary, but after that, the deletion is permanent.
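The four steps above can be checked mechanically for every departed user. The following audit is an added example, not part of the original article: the record fields, user names and device name are constructed, and in practice each field would be filled in from your own Microsoft 365 or Google Workspace admin exports.

```python
from dataclasses import dataclass, field
from datetime import date

RETENTION_DAYS = (30, 90)  # the article's "typically 30 to 90 days"

@dataclass
class Leaver:
    user: str
    departed: date
    blocked: bool = False            # Step 1: sign-in blocked / user suspended
    mail_handled: bool = False       # Step 2: forwarding or shared mailbox
    files_transferred: bool = False  # Step 2: OneDrive / Drive ownership moved
    app_grants: list = field(default_factory=list)       # Step 3: still active
    unwiped_devices: list = field(default_factory=list)  # Step 3: still hold data
    licensed: bool = True            # Step 4: license not yet reclaimed
    deleted: bool = False            # Step 4: account deleted

def audit(r: Leaver, today: date) -> list:
    """Return the checklist steps that are incomplete or done out of order."""
    out, age = [], (today - r.departed).days
    data_safe = r.mail_handled and r.files_transferred
    if not (r.blocked or r.deleted):
        out.append("step1: sign-in still enabled")
    if not r.mail_handled:
        out.append("step2: mailbox not forwarded or shared")
    if not r.files_transferred:
        out.append("step2: file ownership not transferred")
    if r.app_grants:
        out.append("step3: app grants active: " + ", ".join(r.app_grants))
    if r.unwiped_devices:
        out.append("step3: devices not wiped: " + ", ".join(r.unwiped_devices))
    if r.deleted and (not data_safe or age < RETENTION_DAYS[0]):
        out.append("step4: deleted before data transfer or retention window")
    if r.deleted and r.licensed:
        out.append("step4: deleted without reclaiming license")
    if not r.deleted and age > RETENTION_DAYS[1]:
        out.append("step4: account still present after retention window")
    return out

# Constructed sample records (not real users or exports).
TODAY = date(2024, 6, 30)
LEAVERS = [
    Leaver("alice@example.com", date(2024, 6, 28), blocked=True,
           app_grants=["Slack"], unwiped_devices=["laptop-0042"]),
    Leaver("bob@example.com", date(2024, 6, 20), blocked=True, mail_handled=True,
           deleted=True, licensed=False),
    Leaver("carol@example.com", date(2024, 2, 1)),
]

def report(leavers=LEAVERS, today=TODAY) -> dict:
    return {r.user: audit(r, today) for r in leavers}

if __name__ == "__main__":
    for user, findings in report().items():
        print(user, findings or "complete")
```

An empty findings list means the account has passed every step in order; anything else names the step to revisit.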
Conclusion: Make Offboarding a Repeatable Process
Secure offboarding should not be an ad-hoc scramble. Develop a formal, written checklist that is followed every single time an employee leaves. This process ensures consistency, minimizes the risk of human error, and protects your organization from lingering security threats. By treating digital offboarding with the same seriousness as collecting a keycard, you can maintain control over your digital assets and ensure that when an employee walks out the door, your data doesn’t go with them.
