The Complete IT Onboarding & Offboarding Checklist for SMBs
Every employee hire and departure is a security event. A missed step during onboarding creates productivity gaps on day one. A missed step during offboarding can leave active credentials, shared passwords, and data access in the hands of someone who no longer works for you. This checklist covers every IT task for both processes — and explains why each one matters.
Employee transitions are among the most common sources of both IT security incidents and productivity loss at small and mid-sized businesses. When a new hire starts without a properly configured workstation and the right access provisioned, they spend their first days waiting — a poor experience that costs real money. When an employee departs without a thorough IT offboarding, they may retain access to email, cloud applications, shared drives, and internal systems for weeks or months. Both scenarios are preventable with a documented, repeatable process.
Why IT Onboarding and Offboarding Are Security Events
Most businesses think of onboarding as an HR process and offboarding as an administrative task. IT sees them differently. Every new account created is attack surface: a credential that could be phished, a mailbox that could be compromised, an endpoint that needs to be secured and monitored. Every departure is a potential data exfiltration event and an access revocation race. The window between an employee's last day and the moment their access is fully revoked is when a departing employee's access is most likely to be misused, whether by them or by anyone who holds their credentials.
The Verizon Data Breach Investigations Report has for years ranked stolen or abused credentials among the leading ways attackers get in. The report does not break out how many of those credentials belonged to former employees, but an account that was never deprovisioned is the ideal target: nobody is using it, so nobody notices when someone else does, and its owner has no reason to report a suspicious sign-in. The fix is not sophisticated technology. It is a documented checklist executed consistently on every departure.
IT Onboarding Checklist
Start this process at least 3–5 business days before the employee's first day. Same-day provisioning leads to delays, errors, and a poor first impression.
- Hardware: Order or assign a workstation (laptop or desktop), monitor, keyboard, mouse, headset, and any role-specific peripherals. Confirm delivery date against start date.
- Workstation setup: Enroll the device in your MDM (Microsoft Intune, Jamf, or equivalent), apply security baseline policies, install required software, configure disk encryption (BitLocker or FileVault) and confirm the recovery key is escrowed to Microsoft Entra ID or your MDM, and join the device to the domain or to Entra ID (formerly Azure AD).
- Microsoft 365 account: Create the M365 account, assign the appropriate license tier, configure the mailbox, add to relevant distribution groups and shared mailboxes, and set up the email signature.
- Multi-factor authentication: Make MFA registration part of the very first sign-in, not something done after it. In Entra ID, issue the new hire a one-time Temporary Access Pass (or require registration through a Conditional Access policy) so that a password-only sign-in never exists. The period between account creation and MFA enrollment is the highest-risk window for account compromise.
- Application access: Provision access to all required business applications (CRM, ERP, project management, accounting, etc.) with the principle of least privilege — only the access the role requires.
- Network access: Create VPN credentials if applicable, configure Wi-Fi access, and assign appropriate network segment access based on role.
- Password manager: Add the user to the company password manager (1Password, Bitwarden, etc.) and share only the vaults relevant to their role.
- Security awareness training: Enroll the new hire in your security awareness training platform and require completion within the first 30 days.
- IT orientation: Walk the employee through IT policies, acceptable use, how to submit a helpdesk ticket, and what to do if they suspect a phishing email.
- Asset tracking: Record the assigned hardware (serial numbers, asset tags) in your IT asset management system, associated with the employee.
- Backup verification: Confirm the new workstation is enrolled in your endpoint backup solution.
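The account-side steps of the checklist above, collapsed into one Microsoft Graph PowerShell script. This is an added example written for this article, not code from the original page or from Microsoft. The SKU part number, group names, usage location and the eight-hour pass lifetime are placeholder assumptions, and the script assumes the Temporary Access Pass method is enabled in the tenant's authentication methods policy. It creates the account with a throwaway password the new hire never sees, assigns the license, adds only the role's groups, and issues a single-use Temporary Access Pass so the first sign-in registers MFA rather than bypassing it.

```powershell
# Added example (not from the original article): provision a new M365 user so
# that the first sign-in itself goes through MFA registration.
# Assumptions (hypothetical, adjust for your tenant):
#   - Microsoft Graph PowerShell SDK installed (Install-Module Microsoft.Graph)
#   - The role's least-privilege groups and the license SKU already exist
#   - Temporary Access Pass is enabled in the authentication methods policy
param(
    [Parameter(Mandatory)] [string] $DisplayName,          # e.g. "Jane Doe"
    [Parameter(Mandatory)] [string] $Upn,                  # e.g. jane.doe@example.com
    [Parameter(Mandatory)] [string] $Department,
    [string]   $SkuPartNumber = "SPB",                     # hypothetical: Business Premium
    [string[]] $RoleGroups    = @("All-Staff", "Sales-Team"), # hypothetical group names
    [string]   $UsageLocation = "US"
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All",
    "Organization.Read.All", "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# 1. Create the account. The password is a throwaway: the user never learns it,
#    and the Temporary Access Pass below is what they sign in with the first time.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$throwaway = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $Upn `
    -MailNickname ($Upn.Split('@')[0]) -Department $Department `
    -AccountEnabled:$true -UsageLocation $UsageLocation `
    -PasswordProfile @{ Password = $throwaway; ForceChangePasswordNextSignIn = $true }

# 2. Assign the license. License assignment is what provisions the mailbox.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# 3. Least privilege: add only the role's groups. Application, SharePoint and
#    shared-mailbox access should be granted to these groups, not per user, so
#    that offboarding is a group removal rather than a hunt.
foreach ($name in $RoleGroups) {
    $group = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $group) { Write-Warning "Group '$name' not found, skipping"; continue }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# 4. Issue a single-use Temporary Access Pass. The new hire signs in with the
#    pass instead of a password; because the pass satisfies strong authentication,
#    Entra takes them straight into MFA registration. A password-only sign-in
#    never happens.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -BodyParameter @{ lifetimeInMinutes = 480; isUsableOnce = $true }

Write-Host "Created $Upn. Hand this pass to the employee in person or by phone (valid 8h, single use):"
Write-Host $tap.TemporaryAccessPass
```

Deliver the pass out of band (in person, or by phone to a number HR already has on file), never by email to the new mailbox it unlocks. Device enrollment, the password manager and training enrollment live in other systems and stay separate steps in the runbook.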
IT Offboarding Checklist
Offboarding tasks should be completed on the employee's last day, ideally within an hour of their departure. For involuntary terminations, access revocation should happen simultaneously with or before the conversation.
- Block sign-in on the M365 account immediately and reset its password: Disable, do not delete (in Entra ID this is "Block sign in"). Disabling preserves the mailbox and data while preventing new logins; the password reset closes off any cached or directory-synced copy of the old credential. A deleted user is only soft-deleted and can be restored for 30 days, after which the deletion is permanent, so deletion should wait until the 30-day review below is done.
- Remove MFA methods: Remove every registered authentication method (authenticator apps, phone numbers, FIDO2 keys, alternate email) from the account. A disabled account can be re-enabled, deliberately or by mistake, and if the former employee's phone is still the registered factor then they, not you, control it. The same methods also drive self-service password reset.
- Revoke all active sessions: Use the M365 admin center ("Sign out of all sessions") or Revoke-MgUserSignInSession to invalidate the account's refresh tokens. Blocking sign-in stops new authentications but does not recall tokens already issued: an access token obtained before the block keeps working until it expires, typically up to an hour, and only an explicit revocation (or, for clients that support Continuous Access Evaluation, near-real-time enforcement) cuts it short.
- Convert the mailbox to a shared mailbox: First remove any mailbox forwarding address and any inbox rules that forward or redirect mail outside the company, then convert and grant the manager or a delegate full access so business-critical email is not lost. Keep sign-in blocked on the underlying account; a shared mailbox must never be an interactive login. Then remove the M365 license to stop billing, with one caveat: a shared mailbox larger than 50 GB, with an online archive, or under litigation hold still requires a license.
- Transfer OneDrive data: Grant the manager access to the departing employee's OneDrive for 30 days to retrieve any business files before the account is deleted.
- Revoke application access: Systematically remove the user from every business application: CRM, ERP, accounting, project management, cloud storage, and any SaaS tools. Where an application signs users in through Entra ID (SSO), blocking the Entra account revokes it in one place; the per-employee application list exists for everything else, especially tools with their own local logins. Maintain that list for exactly this purpose.
- Remove from password manager: Remove the user from the company password manager and rotate any shared credentials they had access to.
- Revoke VPN and network access: Disable VPN credentials, remove Wi-Fi certificates, and revoke any remote access.
- Retrieve hardware: Collect the assigned laptop, phone, access cards, and any other company equipment. Wipe and re-image the device before reassignment. If a device is not returned, issue a remote wipe (or at minimum a retire/unenroll) from MDM and record it as unrecovered in asset tracking.
- Check for data exfiltration: Review the unified audit log for the 30 days prior to departure for bulk file downloads and sync activity, anonymous or external sharing links, newly created inbox forwarding rules, and changes to mailbox forwarding settings. Do this before the account is deleted; once the account is gone, the audit log is most of what you have left.
- Update asset tracking: Mark hardware as returned and available for reassignment in your asset management system.
- Schedule account deletion: Set a calendar reminder to permanently delete the M365 account and associated data after 30 days (or longer if the employee is subject to a legal hold).
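The account-side revocation steps above, in the order that closes the access window fastest, as one Microsoft Graph PowerShell and Exchange Online script. This is an added example written for this article, not code from the original page or from Microsoft. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules are installed, that the operator holds User Administrator, Authentication Administrator and Exchange Administrator rights, and that unified audit logging is on with at least 30 days of retention; the manager UPN and the 30-day review window are placeholder inputs. It blocks sign-in and rotates the password in one call, revokes sessions, strips every removable authentication method, kills outbound forwarding before handing the mailbox over, converts the mailbox, removes licenses, and finishes with the exfiltration review.

```powershell
# Added example (not from the original article): M365 offboarding in the order
# that closes the access window fastest. Assumptions (hypothetical, adjust for
# your tenant): Microsoft.Graph and ExchangeOnlineManagement modules installed;
# operator has User, Authentication and Exchange Administrator rights.
param(
    [Parameter(Mandatory)] [string] $Upn,          # e.g. jane.doe@example.com
    [Parameter(Mandatory)] [string] $ManagerUpn,   # receives mailbox access
    [int] $AuditDays = 30
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, AccountEnabled

# 1. Block sign-in and rotate the password in the same call. The block stops new
#    logins; the reset closes off any cached or directory-synced credential.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -AccountEnabled:$false `
    -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }

# 2. Revoke refresh tokens and sessions. Disabling does not recall tokens already
#    issued; an access token stays valid until it expires (typically up to an hour).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Strip every registered authentication method, so the former employee's phone
#    or authenticator can never satisfy MFA or self-service password reset if the
#    account is ever re-enabled. The password method itself cannot be removed.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id
        }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $m.Id
        }
        default { Write-Verbose "Leaving $type in place" }
    }
}

# 4. Kill outbound forwarding before the mailbox changes hands. A forwarding
#    rule is the cheapest persistence a departing employee can plant.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        Write-Warning "Removing forwarding rule '$($_.Name)'"
        Remove-InboxRule -Identity $_.Identity -Confirm:$false
    }

# 5. Convert to a shared mailbox and give the manager full access. The account
#    stays sign-in blocked; a shared mailbox is never an interactive login.
Set-Mailbox -Identity $Upn -Type Shared
Add-MailboxPermission -Identity $Upn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null

# 6. Remove licenses to stop billing. Caveat: a shared mailbox over 50 GB, with an
#    online archive, or under litigation hold still needs a license; check first.
$skus = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId
if ($skus) { Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null }

# 7. Exfiltration review: the user's downloads, sharing and rule changes over the
#    last N days, summarised by operation. Read this before the account is deleted.
$ops = "FileDownloaded", "FileSyncDownloadedFull", "AnonymousLinkCreated", "SharingSet",
       "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$AuditDays) -EndDate (Get-Date) `
    -UserIds $Upn -Operations $ops -ResultSize 5000 |
    Group-Object Operations | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

Write-Host "Offboarding of $($user.DisplayName) complete. Schedule deletion for $((Get-Date).AddDays(30).ToShortDateString())."
```

Steps 1 through 3 are the ones that must run in the first minutes; everything after them can wait for the mailbox handover. The audit summary is a starting point, not a verdict: a spike in FileDownloaded or a New-InboxRule in the final week is the cue to pull the underlying AuditData records and look at what was touched. Group removals, VPN, the password manager and SaaS tools without SSO are still separate steps in the runbook.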
The Shared Password Problem
One of the most overlooked offboarding risks is shared credentials. Many SMBs have a culture of sharing passwords for convenience — a shared admin account, a shared social media login, a shared vendor portal. When an employee with access to shared credentials departs, every one of those passwords needs to be rotated. If you do not have a complete inventory of which shared credentials each employee had access to, you cannot be confident your offboarding is complete.
The solution is a company password manager with vault-based access control. Each employee is granted access only to the vaults relevant to their role. When they depart, you remove them from those vaults and rotate the credentials in any vault they had access to. This turns a manual, error-prone process into a systematic, auditable one.
Automating the Process with an IT Runbook
The most effective onboarding and offboarding programs are documented as runbooks — step-by-step procedures that any IT team member can execute consistently, regardless of who is available that day. A good runbook includes the checklist items above, the systems used to complete each step, the person responsible, and a sign-off field for audit purposes. When integrated with your HR system (so IT is notified automatically of new hires and departures), the process becomes reliable and auditable.
Infinity Network Support Team
Managed IT & Cybersecurity Specialists
Serving small and mid-sized businesses in Miami & South Florida with managed IT support, cybersecurity, and compliance services.