Most small businesses think of employee onboarding as an HR process and offboarding as an administrative task. IT sees them very differently. Every new account created is a potential attack surface — a credential that could be phished, a mailbox that could be compromised, an endpoint that needs to be secured and enrolled. Every departure is a race to revoke access before a former employee, a disgruntled ex-contractor, or a threat actor with a stolen password can use it.
The window between an employee's last day and the moment their access is fully revoked is one of the highest-risk periods a small business regularly faces. And according to multiple data breach reports, credential abuse involving former employee accounts is among the most common and preventable causes of incidents at organizations under 200 employees.
The fix is not sophisticated technology. It is a documented, repeatable checklist — executed consistently, every time.
Why informal processes fail (even at small companies)
At a 10-person company, it is tempting to assume that everyone knows what to do when someone joins or leaves. In practice, that assumption fails regularly. The person who remembers to disable the email account may not know about the shared Google Drive folder. The manager who submits the HR paperwork may not think to notify IT about the third-party vendor portal the departing employee had access to. And in a fast-moving small business, these gaps persist for days or weeks before anyone notices.
The consequences range from minor to severe. A new hire who cannot access the tools they need on day one loses trust in the organization before they have even started. A former employee who retains active Slack credentials and cloud storage access is a liability that cyber insurance underwriters specifically ask about on renewal applications. Neither outcome is acceptable, and both are easily prevented with a written process that someone owns.
The IT onboarding checklist: what to do before day one
Effective IT onboarding starts before the new hire's first day, not on it. The goal is to eliminate the "waiting for IT" experience entirely. Here is what a complete onboarding process covers:
Account provisioning (complete 24–48 hours before start date):
- Create Microsoft 365 / Google Workspace account with role-appropriate license
- Assign to correct groups, distribution lists, and shared mailboxes
- Provision access to core business applications (CRM, project management, accounting, HR platform)
- Set up multi-factor authentication enrollment — enforce on first login, not optionally, and steer the new hire to an authenticator app or FIDO2 security key rather than SMS or voice codes, which are the easiest second factor to phish or intercept
- Create accounts in third-party SaaS tools the role requires (document every platform in your access log)
Endpoint setup:
- Configure and enroll the device in your MDM (Microsoft Intune, Jamf, or equivalent)
- Apply security baseline policies: full-disk encryption with the recovery key escrowed to the MDM, screen lock, automatic OS updates, and an EDR agent that is installed and reporting in
- Install role-required software and configure VPN or Zero Trust Network Access if applicable
- Confirm device compliance status before handing off
Day-one walkthrough:
- Walk the new hire through MFA setup in person or via guided session
- Confirm access to all required systems — do not assume provisioning worked until verified
- Share your acceptable use policy and security awareness expectations
- Provide IT contact information and the process for submitting support requests
Documenting each step as completed — with a timestamp and the name of who completed it — creates the audit trail that compliance frameworks require and that your future self will thank you for.
The IT offboarding checklist: what to do the moment you know someone is leaving
Offboarding timelines vary. A planned departure gives you two weeks of runway; an involuntary termination may require action within the hour. Your process needs to work in both scenarios. The critical constraint is this: for involuntary terminations, identity revocation (disable the account, end its sessions) should begin within minutes of the decision, ideally while the termination conversation is still taking place; for planned departures, all account and application access should be gone by the end of the last day, with the remaining cleanup (data transfer, hardware, archiving) completed on the schedule below.
Immediate actions (within 1 hour for terminations, same-day for resignations):
- Disable the Microsoft 365 / Google Workspace account. This blocks new sign-ins to email, Teams, SharePoint and OneDrive at once, but it does not end sessions that already hold a valid token
- Revoke the user's sign-in sessions and refresh tokens in the identity provider (Revoke sessions in Microsoft Entra ID, Reset sign-in cookies in Google Admin) so open browser and mobile sessions stop working, and reset the password. Use the MDM to lock, retire or wipe the device itself; the MDM cannot end cloud sessions
- Change shared passwords the employee had access to (Wi-Fi, shared accounts, admin panels)
- Remove from any distribution groups or shared mailboxes where their visibility would be inappropriate
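The identity-side immediate actions above as one script, added here as an example; it is not code from the original article or from Perez Technology Group. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an operator holding the User Administrator and Groups Administrator roles or equivalent. The user principal name, audit log path and operator name are hypothetical parameters, and the audit row format is an assumption about what your access log looks like.

```powershell
<#
  Added example (not from the original article): immediate offboarding
  actions for a Microsoft 365 user via the Microsoft Graph PowerShell SDK.
  Assumes Install-Module Microsoft.Graph has been run and the operator can
  disable users, reset passwords and edit group/role membership. The user
  principal name, audit log path and operator name are hypothetical inputs.
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $AuditLog = '.\offboarding-audit.csv',
    [string] $Operator = $env:USERNAME
)

$ErrorActionPreference = 'Stop'

# Scopes needed to disable the user, revoke sessions, and edit groups and roles
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, UserPrincipalName, AccountEnabled

# One audit row per step, written as the step runs rather than reconstructed later.
function Write-Audit([string] $Step, [string] $Result) {
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        User      = $user.UserPrincipalName
        Step      = $Step
        Result    = $Result
        Operator  = $Operator
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
}

# 1. Block new sign-ins.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Audit 'Disable account' 'ok'

# 2. Invalidate refresh tokens. Disabling the account alone leaves already
#    issued tokens valid until they expire, so this is the step that actually
#    ends open browser and mobile sessions.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Audit 'Revoke sign-in sessions' 'ok'

# 3. Rotate the password so a known or cached credential cannot be reused if
#    the account is later re-enabled for a mailbox handover.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}
Write-Audit 'Reset password' 'ok'

# 4. Remove group memberships and privileged directory roles. Group removal
#    drops access granted through group-based licensing, Teams, SharePoint
#    and app assignments. Dynamic groups and Exchange distribution groups
#    cannot be edited through Graph, so failures are logged for follow-up
#    rather than silently skipped.
$memberships = Get-MgUserMemberOf -UserId $user.Id -All
foreach ($m in $memberships) {
    $type = $m.AdditionalProperties['@odata.type']
    $name = $m.AdditionalProperties['displayName']
    try {
        switch ($type) {
            '#microsoft.graph.group' {
                Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id
                Write-Audit "Remove from group: $name" 'ok'
            }
            '#microsoft.graph.directoryRole' {
                Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $m.Id -DirectoryObjectId $user.Id
                Write-Audit "Remove from admin role: $name" 'ok'
            }
        }
    } catch {
        Write-Audit "Remove from ${type}: $name" "FAILED - $($_.Exception.Message)"
    }
}

Write-Host "Immediate offboarding steps complete for $($user.UserPrincipalName); review $AuditLog"
```

Run it as `.\Offboard-Immediate.ps1 -UserPrincipalName 'jdoe@contoso.com'` and keep the CSV it writes with the rest of the offboarding record. Distribution groups and shared mailbox permissions live in Exchange Online and need Exchange Online PowerShell (Remove-DistributionGroupMember, Remove-MailboxPermission), and device lock, retire and wipe are Intune actions, so those remain separate checklist items. Any row marked FAILED is the input to the 24-hour follow-up.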
Within 24 hours:
- Revoke access to all third-party SaaS applications — work from your access log, not from memory
- Transfer ownership of files, projects, and data to their manager or successor
- Set up email forwarding or an out-of-office message as appropriate
- Collect and wipe the company-issued device, or perform a remote wipe if not returned
- Remove from physical access systems (key fobs, door codes, parking permits)
- Notify any vendors or clients who interacted directly with the employee, as appropriate
Within 1 week:
- Archive the departing employee's mailbox and files per your data retention policy
- Review their access log and confirm all systems are deprovisioned — no exceptions
- Update your IT asset inventory to reflect any returned hardware
- Document the completed offboarding with date, systems deprovisioned, and who confirmed each step
The access log: the one document every small business needs
The single biggest enabler of clean onboarding and offboarding is a current, accurate access log — a simple record of every system, application, and credential each employee or contractor has been granted. Without it, offboarding becomes a guessing game. With it, offboarding becomes a checklist you can complete in under an hour.
Your access log does not need to be sophisticated. A shared spreadsheet with columns for employee name, system name, access level, provisioning date, and deprovisioning date is sufficient for most small businesses. What matters is that it is maintained in real time — updated when access is granted, not reconstructed after the fact when someone leaves.
Organizations that go through SOC 2, HIPAA, or cyber insurance audits are routinely asked to produce access review records. The businesses that struggle most in those processes are the ones trying to reconstruct access history from email threads and memory.
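A reconciliation of the access log against the HR roster, added here as an example that serves both the "review their access log and confirm all systems are deprovisioned" step of the one-week checklist and the spreadsheet described in this section; it is not code from the original article. The column names, the seven-day review deadline, the fixed review date and every row of sample data are constructed for illustration.

```powershell
<#
  Added example (not from the original article): reconcile a spreadsheet-
  style access log against the HR roster to find access that should already
  be gone. Column names, the 7-day deadline, the review date and the sample
  rows are all constructed; in practice replace the here-strings with
  Import-Csv .\access-log.csv and Import-Csv .\hr-roster.csv.
#>

# Constructed access log: one row per person per system, Deprovisioned blank
# while the access is still live.
$accessLog = @'
Employee,System,AccessLevel,Provisioned,Deprovisioned
alice@example.com,Microsoft 365,User,2023-02-01,
alice@example.com,QuickBooks Online,Admin,2023-02-01,
bob@example.com,Microsoft 365,User,2022-06-15,2024-05-31
bob@example.com,Vendor portal (Acme),User,2022-07-01,
bob@example.com,Building key fob,Door 1,2022-06-15,
carol@example.com,Microsoft 365,Global Admin,2021-01-10,
'@ | ConvertFrom-Csv

# Constructed HR roster export. Carol is deliberately missing from it.
$roster = @'
Employee,Status,LastDay
alice@example.com,Active,
bob@example.com,Terminated,2024-05-31
'@ | ConvertFrom-Csv

$today = Get-Date '2024-06-20'   # fixed so the example output is reproducible
$reviewDeadlineDays = 7          # the "within 1 week" full review in the checklist

$active  = @{}
$lastDay = @{}
foreach ($p in $roster) {
    $active[$p.Employee] = ($p.Status -eq 'Active')
    if ($p.LastDay) { $lastDay[$p.Employee] = [datetime]$p.LastDay }
}

$findings = foreach ($row in $accessLog) {
    # A blank Deprovisioned column means the log still considers this access live.
    if ($row.Deprovisioned) { continue }

    if (-not $active.ContainsKey($row.Employee)) {
        # Access recorded for someone HR has no record of: typically a
        # contractor or service account that never made it onto the roster.
        [pscustomobject]@{
            Employee    = $row.Employee
            System      = $row.System
            Issue       = 'Not on HR roster'
            DaysOverdue = $null
        }
    }
    elseif (-not $active[$row.Employee]) {
        # Departed employee with open access: how far past the review deadline.
        $overdue = ($today - $lastDay[$row.Employee]).Days - $reviewDeadlineDays
        [pscustomobject]@{
            Employee    = $row.Employee
            System      = $row.System
            Issue       = 'Departed, access still open'
            DaysOverdue = [Math]::Max(0, $overdue)
        }
    }
}

$findings | Sort-Object DaysOverdue -Descending | Format-Table -AutoSize
```

With the constructed rows this reports Bob's vendor portal and key fob as 13 days overdue (his Microsoft 365 account was closed on time and is not listed) and flags Carol's Global Admin access as belonging to someone not on the roster, which is exactly the kind of entry that goes unnoticed when the log is rebuilt from memory. Running this weekly, and before any insurance or compliance review, turns the access log from a static record into a control.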
Automating what you can, standardizing what you cannot
For businesses on Microsoft 365, a meaningful portion of this process can be automated. Lifecycle Workflows in Microsoft Entra ID Governance (a paid add-on to Microsoft Entra ID, formerly Azure AD) run a defined set of tasks a chosen number of days before or after a user's hire date or leave date, with those dates fed from an HR system or set on the user record by hand: issue a temporary access pass, add the user to groups, disable the account, remove group memberships, and so on, without manual intervention. Confirm the licensing before planning around it. If your organization is large enough that manual provisioning is error-prone, this is worth the configuration investment.
For smaller organizations, the priority is standardization, not automation. A written runbook that any team member can execute — not just the person who set up the process originally — is more resilient than an automation that breaks when the person who built it is unavailable.
The goal is consistency. Every new hire gets the same secure configuration. Every departing employee leaves with zero residual access. Neither outcome requires enterprise-grade tooling — it requires a documented process that someone owns and that gets followed every time.
If your business does not yet have a written IT onboarding and offboarding process, that is one of the highest-value gaps a managed IT provider can help you close quickly. At Perez Technology Group, we work with Central Florida businesses to build repeatable IT processes that protect operations and reduce security risk at every stage of the employee lifecycle. Reach out if you would like to talk through where your current process has gaps.