When Someone Leaves

Employee departures are one of your highest-risk moments. Here's the checklist most firms don't have.

People leave jobs. It happens at every firm, and it's usually fine. A professional transition, a two-week notice, a farewell lunch. The IT side of that departure, though, is one of the highest-risk moments in the lifecycle of a small professional services firm, and most firms handle it with something between a checklist on a Post-it note and nothing at all.

Here's what I see when I come into a firm that's never had a formal offboarding process: email accounts still active weeks after a departure. Shared passwords that the former employee knows and that nobody has changed. Personal devices with client data on them that were never wiped. The client portal, the billing system, and the e-signature platform all still live for that person, because those vendor portals aren't connected to your M365 offboarding flow and someone forgot to log in and remove the account manually.

None of that is malicious, usually. Most former employees aren't trying to do anything with that lingering access. But "not malicious" and "not a risk" are different things.

The M365 side is the part most firms at least attempt. Disable the account, set up an out-of-office, maybe convert to a shared mailbox so a colleague can monitor it. That's the right instinct, but the execution often has gaps.

The complete M365 offboarding sequence is straightforward, but it needs to be executed deliberately: block sign-in in Entra ID, revoke sign-in sessions, review and revoke any app permissions the account had granted to third-party applications, remove from distribution lists and shared mailboxes, handle mailbox continuity, and make a plan for the user's OneDrive before the account is deleted. Missing one of those steps is how access lingers.

The session revocation step gets skipped more than it should. Blocking sign-in does not necessarily invalidate every existing token immediately. Revoking sessions is the part that forces reauthentication more aggressively across the Microsoft side of the house. They're two separate actions in Entra ID, and both matter.

On OneDrive specifically: admins can grant access to a former employee's files, but that access window is time-bound once the account is deleted. Don't assume the data is safe to ignore until you get to it.
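The sequence above, written out as one script. This is an added example, not the article's or Microsoft's own offboarding script: it assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account running it holds the admin roles those cmdlets require, and that `$UserPrincipalName`, `$ManagerUpn` and `$TenantName` are filled in per departure. The cmdlets are the real ones; the ordering and the auto-reply wording are choices made here.

```powershell
# Added example, not the article's or Microsoft's own script: the Entra ID / Exchange Online
# offboarding steps from the article, executed in order. Assumes the Microsoft.Graph,
# ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed
# and that the caller holds the admin roles the cmdlets require. The three parameters are
# placeholders you fill in per departure.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # departing user
    [Parameter(Mandatory)] [string] $ManagerUpn,          # colleague taking over mailbox and files
    [Parameter(Mandatory)] [string] $TenantName           # "contoso" for contoso-admin.sharepoint.com
)

Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All','GroupMember.ReadWrite.All','Files.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,DisplayName

# 1. Block sign-in. New authentications fail, but tokens already issued are untouched.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke sessions. Invalidates refresh tokens and session cookies, so every client must
#    re-authenticate, which the blocked account can no longer do. A separate action from step 1.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Revoke delegated permission grants the user consented to for third-party apps.
Get-MgUserOauth2PermissionGrant -UserId $user.Id -All | ForEach-Object {
    Write-Host "Revoking app grant to client $($_.ClientId) with scope '$($_.Scope)'"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

# 4a. Remove from Entra security and Microsoft 365 groups (dynamic groups will refuse; that is fine).
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object {
        Write-Host "Removing from group $($_.AdditionalProperties['displayName'])"
        Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id -ErrorAction Continue
    }

# 4b. Remove from Exchange distribution lists, which the Graph group calls above do not cover.
$mbx = Get-Mailbox -Identity $UserPrincipalName
$dn  = $mbx.DistinguishedName -replace "'", "''"
Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'" | ForEach-Object {
    Write-Host "Removing from distribution list $($_.Name)"
    Remove-DistributionGroupMember -Identity $_.Identity -Member $UserPrincipalName -Confirm:$false
}

# 4c. Remove any delegated access the user held on shared mailboxes.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $shared = $_
    Get-MailboxPermission -Identity $shared.Identity |
        Where-Object { [string]$_.User -eq $UserPrincipalName } |
        ForEach-Object {
            Write-Host "Removing $($_.AccessRights -join ',') on shared mailbox $($shared.Name)"
            Remove-MailboxPermission -Identity $shared.Identity -User $UserPrincipalName `
                -AccessRights $_.AccessRights -Confirm:$false
        }
}

# 5. Mailbox continuity: convert to shared, delegate to the manager, set an auto-reply.
$notice = "$($user.DisplayName) is no longer with the firm. Please contact $ManagerUpn."
Set-Mailbox -Identity $UserPrincipalName -Type Shared
Add-MailboxPermission -Identity $UserPrincipalName -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null
Set-MailboxAutoReplyConfiguration -Identity $UserPrincipalName -AutoReplyState Enabled `
    -ExternalAudience All -InternalMessage $notice -ExternalMessage $notice

# 6. OneDrive: make the manager a site collection admin of the user's OneDrive so the files
#    are moved out before the account is deleted and the retention window starts counting.
$siteUrl = (Get-MgUserDefaultDrive -UserId $user.Id).WebUrl -replace '/Documents/?$', ''
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOUser -Site $siteUrl -LoginName $ManagerUpn -IsSiteCollectionAdmin $true | Out-Null
Write-Host "Manager $ManagerUpn now has admin access to $siteUrl"
```

Steps 1 and 2 are both needed and neither is instant: blocking sign-in only stops new authentications, revoking sessions kills the refresh tokens that would otherwise keep silently renewing access, and access tokens already in hand keep working until they expire, typically within the hour. The removals in steps 3 and 4 are safe to re-run if a single step errors partway through.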

The vendor portals are where most firms have the largest exposure, and the hardest problem.

Your practice management system, billing platform, e-signature tool, document storage, client portal: unless you have Single Sign-On (SSO) enabled, it's likely that none of these automatically knows someone has left your firm. They only know what you tell them. If you don't log into each one and remove the account, access persists indefinitely.

This is exactly why the vendor inventory from the vendor attack surface article matters in a different way here. You can't offboard someone from a tool you forgot you have. The same list you build to assess vendor risk is the list you work through on every departure.

The standard I recommend: treat vendor offboarding as a checklist that gets completed within 24 hours of a departure, not within the same week, and not "when someone gets to it." For the highest-sensitivity platforms — anything with client financial data, executed agreements, or communications — it needs to happen the same day.
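One way to make the vendor inventory do double duty as the departure checklist, with the same-day and 24-hour deadlines above built in. This is an added example, not a tool from the article or from Athencia: the column names (`Vendor`, `Sensitivity`, `Sso`, `Owner`, `AdminUrl`) and the sample inventory are constructed here, and a real run would `Import-Csv` the firm's own list.

```powershell
# Added example, not the article's own tool: turn the vendor inventory into a per-departure
# task list with deadlines, and flag what is overdue. Column names are assumptions.
function New-VendorOffboardingChecklist {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,        # rows: Vendor, Sensitivity, Sso, Owner, AdminUrl
        [Parameter(Mandatory)] [datetime] $DepartureTime,
        [Parameter(Mandatory)] [string]   $UserPrincipalName
    )
    foreach ($v in $Inventory) {
        # Same day for anything holding client financial data, executed agreements or
        # communications (Sensitivity = High); 24 hours for everything else.
        $deadline = if ($v.Sensitivity -eq 'High') { $DepartureTime.Date.AddDays(1).AddSeconds(-1) }
                    else                           { $DepartureTime.AddHours(24) }
        # An SSO-backed portal loses access when the Entra account is blocked, but the local
        # user record in the vendor may still exist, so it is verified rather than assumed.
        $action = if ([bool]::Parse($v.Sso)) { 'Verify SSO deprovisioning removed the account' }
                  else                       { 'Log in and remove the account manually' }
        [pscustomobject]@{
            Vendor   = $v.Vendor
            User     = $UserPrincipalName
            Action   = $action
            Owner    = $v.Owner
            AdminUrl = $v.AdminUrl
            Deadline = $deadline
            Done     = $false
        }
    }
}

function Get-OverdueVendorTasks {
    param([Parameter(Mandatory)] [object[]] $Checklist, [datetime] $Now = (Get-Date))
    $Checklist | Where-Object { -not $_.Done -and $_.Deadline -lt $Now }
}

# Constructed sample inventory; replace with: $inventory = Import-Csv .\vendor-inventory.csv
$sampleInventory = @'
Vendor,Sensitivity,Sso,Owner,AdminUrl
Practice management,High,false,ops@firm.example,https://pm.example/admin
Billing platform,High,true,finance@firm.example,https://billing.example/users
E-signature,High,false,ops@firm.example,https://esign.example/admin
Document storage,Standard,true,it@firm.example,https://docs.example/admin
Client portal,High,false,it@firm.example,https://portal.example/users
'@ | ConvertFrom-Csv

$checklist = New-VendorOffboardingChecklist -Inventory $sampleInventory `
    -DepartureTime (Get-Date '2024-03-15 10:00') -UserPrincipalName 'jdoe@firm.example'
$checklist | Format-Table Vendor, Action, Owner, Deadline -AutoSize

# Run the morning after: the four High vendors were due by end of day on the 15th.
Get-OverdueVendorTasks -Checklist $checklist -Now (Get-Date '2024-03-16 09:00') |
    Format-Table Vendor, Owner, Deadline -AutoSize
```

Marking a row `Done` is whatever suits the firm, a column in a shared sheet or a ticket closed by the named owner; the point is that the deadline and the owner are computed from the inventory on the day of the departure rather than remembered.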

The device question is awkward but necessary.

If the departing employee had a company-managed device, that's straightforward: wipe it through Intune before or during their last day. If they were using a personal device under a real BYOD policy, you can usually remove corporate data from managed apps without touching their personal content. What Intune cannot do is claw back files that were saved outside the managed environment.

The harder conversation is the personal device that was never enrolled at all. If someone was accessing client email or documents on their personal phone without any MDM enrollment, you have no remote wipe capability. The Microsoft 365 data those apps cached lives on a device you don't control. This is the BYOD policy gap in practical terms, and it's one of the reasons the "we'll deal with device management later" conversation has a real cost.
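The two device cases above in one script, plus the check that shows the third case you cannot act on. This is an added example, not the article's own script: it assumes the Microsoft.Graph module and a Microsoft Entra ID P1 or P2 license for the sign-in log lookback; the cmdlets and property names are real, the lookback window is a choice made here.

```powershell
# Added example, not the article's own script: wipe company-owned Intune devices, retire
# personal (BYOD-enrolled) ones so only corporate data is removed, then list recent sign-ins
# from devices Intune never managed, which no remote command can reach.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LookbackDays = 30                     # assumption; sign-in log retention depends on licence
)
Connect-MgGraph -NoWelcome -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'DeviceManagementManagedDevices.Read.All','AuditLog.Read.All','Directory.Read.All','User.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

foreach ($device in Get-MgUserManagedDevice -UserId $user.Id -All) {
    switch ($device.ManagedDeviceOwnerType) {
        'company'  {
            # Full wipe: the firm owns the hardware, so everything on it goes.
            Write-Host "Wiping company device $($device.DeviceName) ($($device.OperatingSystem))"
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $device.Id
        }
        'personal' {
            # Retire: removes managed apps, profiles and company data; personal content stays.
            Write-Host "Retiring personal device $($device.DeviceName) ($($device.OperatingSystem))"
            Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $device.Id
        }
        default    { Write-Warning "Unknown ownership for $($device.DeviceName); review manually" }
    }
}

# Devices that authenticated recently but were never enrolled: nothing above reached them,
# and whatever Outlook or OneDrive cached there is outside your control.
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$unmanaged = Get-MgAuditLogSignIn -All -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" |
    Where-Object { -not $_.DeviceDetail.IsManaged } |
    Group-Object { "$($_.DeviceDetail.OperatingSystem)|$($_.DeviceDetail.Browser)|$($_.ClientAppUsed)" } |
    ForEach-Object {
        [pscustomobject]@{
            OperatingSystem = $_.Group[0].DeviceDetail.OperatingSystem
            Client          = $_.Group[0].ClientAppUsed
            Browser         = $_.Group[0].DeviceDetail.Browser
            SignIns         = $_.Count
            LastSeen        = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    }

if ($unmanaged) {
    Write-Warning "Sign-ins from unmanaged devices in the last $LookbackDays days (no remote wipe possible):"
    $unmanaged | Format-Table -AutoSize
} else {
    Write-Host "No sign-ins from unmanaged devices in the last $LookbackDays days."
}
```

The last table is the practical shape of the BYOD gap: it tells you which unmanaged devices were in use, which is what you need for the conversation with the departing employee, but it cannot do anything about them. That is what the earlier decision to defer device management costs you at this point.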

The data question is the one firms are most reluctant to address directly, because it feels adversarial.

Microsoft Purview audit logs can help you review what was accessed, downloaded, shared, or otherwise acted on around the time of a departure. Running that review isn't accusing anyone of anything. It's basic due diligence, and most of the time you'll find nothing notable and move on. For the ones where you don't, you'll be glad you looked.
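A way to run that review so it is a short read rather than a raw export. This is an added example, not the article's own script: it assumes the ExchangeOnlineManagement module and that unified audit logging was already on before the departure (the search only returns what was being retained). The operation names are real audit log operations; the 30-day window and the groupings are choices made here.

```powershell
# Added example, not the article's own script: query the unified audit log for the departing
# user over the weeks before departure and summarise the events a reviewer actually reads.
# Operation names are real audit log operations; the window and grouping are assumptions.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [datetime] $DepartureDate = (Get-Date),
    [int]      $DaysBefore    = 30
)
Connect-ExchangeOnline -ShowBanner:$false

$downloadOps = 'FileDownloaded','FileSyncDownloadedFull','FileCopied'
$sharingOps  = 'SharingSet','SharingInvitationCreated','AnonymousLinkCreated','SecureLinkCreated'
$ruleOps     = 'New-InboxRule','Set-InboxRule'
$ops         = $downloadOps + $sharingOps + $ruleOps + 'FileDeleted'

$start = $DepartureDate.AddDays(-$DaysBefore)
$end   = $DepartureDate.AddDays(1)

# Search-UnifiedAuditLog hands back at most 5000 rows per call; ReturnLargeSet pages through.
$session = "offboard-review-$([guid]::NewGuid())"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $UserPrincipalName `
        -Operations $ops -ResultSize 5000 -SessionId $session -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON blob; pull out only the fields the review needs.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $r.CreationDate
        Operation  = $r.Operations
        Object     = $d.ObjectId
        ClientIP   = $d.ClientIP
        Target     = $d.TargetUserOrGroupName   # only present on sharing events
        TargetType = $d.TargetUserOrGroupType   # Member, Guest, Partner, SharePointGroup, ...
    }
}

"Events by operation:"
$events | Group-Object Operation | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

"Downloads per day (a spike just before the departure date is what you are looking for):"
$events | Where-Object { $_.Operation -in $downloadOps } |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Format-Table Name, Count -AutoSize

"Sharing to guests, partners or anonymous links:"
$events | Where-Object { $_.Operation -in $sharingOps } |
    Where-Object { $_.Operation -eq 'AnonymousLinkCreated' -or $_.TargetType -in @('Guest','Partner') } |
    Format-Table Time, Operation, Object, Target -AutoSize

"Inbox rules created or changed (forwarding rules belong in this review):"
$events | Where-Object { $_.Operation -in $ruleOps } | Format-Table Time, Operation, ClientIP -AutoSize
```

Most runs produce a flat download curve and an empty sharing table, and that is the result you file and move on from. The one time the curve spikes in the final week or a link was shared outside the tenant, you have the timestamps and object names to ask about.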

The firms that handle this well aren't doing anything exotic. They have a written offboarding checklist that covers M365, vendors, devices, and data review. They assign one person responsibility for completing it. They complete it within 24 hours of a departure, or same day for unplanned ones.

That's it. The gap between firms that handle departures cleanly and firms that discover access problems six months later usually isn't resources or technology. It's whether someone wrote down the steps and made them someone's job to execute.

If you're an Athencia One client, this checklist already exists for your firm; simply reach out and we'll review it with you. If you're not yet a client and want a starting point, visit our professional services page to learn more about how we can help you build one.