← Blog

When someone leaves: the 20-minute routine that prevents a breach

Tenant Strike3 min read

Disabling a laptop isn't enough when everything is in the cloud. Here's the complete access cleanup you should run every time someone leaves — whether it was their idea or yours.

When someone leaves your company — whether it's a resignation, a layoff, or a firing — there's a window where access cleanup matters and where most small businesses move too slowly.

The risk isn't dramatic. It usually isn't malicious either. But an active account belonging to someone who no longer works there is an open door. And in a cloud-based business, the account is the access.

Why 'taking the laptop' isn't enough anymore

Ten years ago, revoking a departing employee's access was mostly a physical problem. You took back their computer and their key card, and that was most of it.

Now, the things that matter are sitting in Microsoft 365. Email, files on SharePoint, Teams conversations, OneDrive — all of it is tied to an account that lives in the cloud. The laptop sitting in a drawer somewhere is irrelevant if the account is still active and the person still knows the password.

This is true even if the departure was friendly. Circumstances change, and an active account you forgot about is a liability you're carrying for no reason.

The routine — run it before the last day if you can

This doesn't require technical knowledge, but it does require someone to own it. The steps below work for Microsoft 365, which is where most small businesses have their access concentrated.

  1. Disable the account — don't just delete it. Deleting an account immediately can cause you to lose email, files, and calendar data. Disable it first. This blocks sign-in immediately while preserving access to the person's content.
  1. Revoke active sessions. Disabling an account stops future logins, but it doesn't always kill sessions that are already open. In the Microsoft 365 admin center, you can explicitly sign out all active sessions for an account. Do this right after disabling it.
  1. Revoke app passwords and MFA methods. If the person had set up app-specific passwords or registered personal devices for MFA (multi-factor authentication — the extra code or prompt after a password), clear those out. Otherwise they may still work.
  1. Transfer their email and files. Before the account is eventually deleted, make sure a manager or the owner can access their mailbox and their OneDrive. Microsoft 365 makes this straightforward. A departing employee's email often has contracts, vendor conversations, and client history that the business needs.
  1. Remove them from shared sites and distribution lists. SharePoint sites, team channels, email distribution lists — membership here often persists after an account is disabled. Clean it up so there's no confusion about who should be receiving what.
  1. Reclaim devices. Laptops, phones with company email configured, any hardware the company owns. If the device had company apps installed on a personal phone, those should be wiped remotely if your setup allows it.
  1. Rotate any shared passwords they knew. This one gets skipped most often. If the person had access to any shared accounts — a company social media login, a vendor portal, a shared admin account — change those passwords. You can't be sure what they remember.

Make it a checklist, not a scramble

The biggest offboarding mistakes happen when the departure is sudden — a firing, an unexpected resignation — and the cleanup is done in a hurry or not at all. The best way to avoid that is to have a written checklist before you need it, with a named person responsible for working through it.

A 20-minute routine applied consistently is worth far more than a thorough cleanup you get around to two weeks later.

One thing that's easy to miss

Offboarding someone from the company is the obvious trigger. Harder to catch: the contractor who wrapped up a project six months ago and still has an active guest account in your Teams. Or the vendor who got added to a SharePoint site temporarily and never got removed.

Tenant Strike scans your Microsoft 365 environment in read-only mode and surfaces active accounts, guest access, and permission grants — including ones that may have been forgotten. A five-minute scan is usually enough to find accounts worth reviewing.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.