Protect Your Data When Employees Leave: The 2026 IT Checklist
Key Takeaways
- When someone leaves, your data can walk out with them — unless access is revoked fast and completely.
- The risk is not just malice; it is lingering access: old logins, personal-device copies, and forgotten app permissions.
- A clean offboarding revokes access in under an hour and accounts for every place company data lived.
- Do it the same way every time with a written checklist — memory is not a control.
When an employee leaves, you should be able to revoke every bit of their access in under an hour and know exactly what data they could still reach. Most small businesses cannot, and that gap is where departing-employee data loss happens — rarely through dramatic theft, usually through access nobody remembered to turn off.
The offboarding checklist
- Disable the identity first. In Microsoft 365, block sign-in immediately — this cascades to email, files, and most connected apps.
- Revoke active sessions and tokens. Disabling a password is not enough; sign them out of existing sessions and revoke app tokens that survive a password change.
- Reclaim and forward email. Convert the mailbox, set a forward or auto-reply, and preserve it for records.
- Recover and transfer files. Reassign OneDrive/SharePoint ownership so nothing is lost when the account is removed.
- Collect devices and check personal ones. Wipe company data from any personal phones or laptops that held it.
- Rotate shared credentials the person knew, and remove them from third-party apps and vendor portals.
Why “we’ll get to it” fails
The accounts that cause breaches are the ones left half-disabled for months. An old login with lingering access is an open door an attacker can use long after the person is gone — and you would never notice. Speed and completeness are the whole game.
Make it repeatable
The only reliable offboarding is the one that happens identically every time, from a written checklist, regardless of who runs it. For our managed clients, offboarding is a standard, logged procedure — access is gone the day someone leaves, and we can show exactly what was revoked.
Get a repeatable offboarding process for your business →
Frequently Asked Questions
What is the most important step when an employee leaves?
Disable their identity (sign-in) first and revoke active sessions and tokens. In Microsoft 365 this immediately cuts access to email, files, and most connected apps.
Is changing the password enough when someone leaves?
No. Existing sessions and OAuth app tokens can survive a password change. You must revoke sessions and tokens and block sign-in to fully cut access.
How fast should offboarding happen?
Access should be revoked the day the person leaves, ideally within an hour of their departure. Lingering access is the main cause of departing-employee data loss.
Related reading
- The complete M365 employee offboarding checklist
- The OAuth token that survived a password reset for 46 months





