Recipe

Employee offboarding checklist

A repeatable workflow to revoke access, preserve data, and close the loop when someone leaves.

Phase 1 — Immediate lockout

  • Disable IdP account (Okta / Entra / Google Workspace)
  • Revoke all active sessions and OAuth tokens
  • Remove from emergency-access break-glass group
  • Suspend company email (convert to shared mailbox)

Phase 2 — Asset & data recovery

  • Collect laptop, YubiKey, and any hardware tokens
  • Transfer ownership of critical docs and repos
  • Export and archive mailbox for legal hold
  • Wipe device via MDM, retain inventory record

Phase 3 — Close the loop

  • Notify payroll and set final paycheck date
  • Remove from all SaaS tools via SCIM or manual audit
  • Update team roster, Slack channels, and on-call rotations
  • File offboarding ticket as closed with timestamp

Tip: Automate Phase 1 with a deprovisioning playbook triggered by your HRIS. Manual steps should be the exception, not the rule.
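Automation still needs verification. The following is an added example, not part of the original recipe: it compares HRIS termination records against IdP account state and reports any Phase 1 step left undone. The record fields, the group name, and the 15-minute grace window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not a vendor schema.
HRIS_TERMINATIONS = [
    {"user": "avery", "terminated_at": "2024-05-01T17:00:00+00:00"},
    {"user": "blake", "terminated_at": "2024-05-01T17:00:00+00:00"},
    {"user": "casey", "terminated_at": "2024-05-02T09:00:00+00:00"},
]
IDP_STATE = {
    "avery": {"status": "disabled", "active_sessions": 0, "oauth_tokens": 0,
              "groups": ["engineering"], "mailbox": "shared"},
    "blake": {"status": "disabled", "active_sessions": 2, "oauth_tokens": 1,
              "groups": ["engineering", "break-glass"], "mailbox": "shared"},
    "casey": {"status": "active", "active_sessions": 1, "oauth_tokens": 0,
              "groups": [], "mailbox": "user"},
}
BREAK_GLASS_GROUP = "break-glass"  # hypothetical group name


def phase1_gaps(account):
    """Return the Phase 1 checklist items this account still fails."""
    gaps = []
    if account["status"] != "disabled":
        gaps.append("idp_account_enabled")
    if account["active_sessions"] or account["oauth_tokens"]:
        gaps.append("live_sessions_or_tokens")
    if BREAK_GLASS_GROUP in account["groups"]:
        gaps.append("in_break_glass_group")
    if account["mailbox"] != "shared":
        gaps.append("mailbox_not_converted")
    return gaps


def audit(terminations, idp_state, now, grace=timedelta(minutes=15)):
    """Map each terminated user past the grace window to their open gaps."""
    findings = {}
    for rec in terminations:
        if now - datetime.fromisoformat(rec["terminated_at"]) < grace:
            continue  # the lockout playbook may still be running
        account = idp_state.get(rec["user"])
        # A missing IdP record is flagged for manual review, not assumed clean.
        gaps = ["no_idp_record"] if account is None else phase1_gaps(account)
        if gaps:
            findings[rec["user"]] = gaps
    return findings


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-02T09:05:00+00:00")
    for user, gaps in audit(HRIS_TERMINATIONS, IDP_STATE, now).items():
        print(f"{user}: {', '.join(gaps)}")
```

Run on a schedule, a non-empty result is the signal that a lockout step needs the manual path.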