
IT offboarding checklist: what you can automate

Ruben van der Graaf · 5 min read

The 15 steps of a complete IT offboarding in Microsoft Entra ID. Which you should automate, which you keep manual, and why the order matters.

Offboarding is where most IT departments lose money and security. This is the checklist we use with customers, split between what you automate straight away and what stays manual.

TL;DR

  • Most of the 15 standard offboarding steps can be automated, though not all by one tool.
  • Order matters: in Microsoft, OneDrive cleanup only starts when the account is deleted, so plan the timing around that retention window.
  • Don't forget: SSO sessions, refresh tokens, shared mailboxes, distribution lists.
  • The access part is where ServiceChanger fits: when the account is disabled or an attribute changes, attribute-driven group and role memberships fall away with it.
  • A few steps stay with native Microsoft tooling or your service desk on purpose.

The full 15-step checklist

  1. Disable account in Entra ID
  2. Revoke all active sessions (sign-in tokens)
  3. Invalidate refresh tokens
  4. Reset password (not for the user, for the audit)
  5. Remove MFA methods
  6. Revoke app access (conditional access policies)
  7. Keep the M365 license assigned for now, do not remove it yet (grace period)
  8. Review Teams, SharePoint, OneDrive access
  9. Shared mailboxes: transfer owner role
  10. Distribution lists: phase out
  11. Device enrollment: unenroll in Intune
  12. Certificates: revoke
  13. External apps (SaaS): SCIM deprovisioning
  14. Write audit log entry
  15. After 30 days: remove the license and permanently delete the account

What can be automated, and by what

Many of these steps can be automated, but it helps to be precise about which tool does what.

Native Entra ID and Microsoft 365 already cover disabling an account, revoking sessions and refresh tokens, removing MFA methods, applying Conditional Access, and retiring a device in Intune. These are platform actions, driven through the Graph API, the Graph PowerShell SDK, or your own scripts and policies. One caveat on steps 2 and 3: revoking sign-in sessions invalidates refresh tokens and browser session cookies, but access tokens that were already issued stay valid until they expire (by default up to about an hour; shorter for apps that support Continuous Access Evaluation). That residual window is why step 1 comes first.
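As an added example (not code from this article and not ServiceChanger's own tooling), here is the day-0 part of the checklist that Microsoft's tooling covers (steps 1, 2/3, 5, 11 and 14), written against the Microsoft Graph PowerShell SDK. The UPN, the audit-log path and its one-JSON-object-per-line format, and the scopes requested are assumptions for the example; step 7 is deliberately a no-op because the license stays assigned until the cleanup run.

```powershell
# Added example: day-0 offboarding through the Microsoft Graph PowerShell SDK.
# Not the article's or ServiceChanger's code. Assumes the Microsoft.Graph modules below
# are installed and the caller can consent to the listed scopes. UPN and log path are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Actions
param(
    [Parameter(Mandatory)] [string] $Upn,                                  # e.g. leaver@contoso.example (placeholder)
    [string] $AuditLog = "$PSScriptRoot\offboarding-audit.jsonl"           # assumed format: one JSON object per line
)

$scopes = @(
    'User.ReadWrite.All',                                     # disable account, reset attributes
    'Directory.Read.All',                                     # enumerate group/role memberships
    'UserAuthenticationMethod.ReadWrite.All',                 # remove MFA methods
    'DeviceManagementManagedDevices.Read.All',                # list Intune devices
    'DeviceManagementManagedDevices.PrivilegedOperations.All' # retire Intune devices
)
Connect-MgGraph -Scopes $scopes -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses

# Capture what the account holds while the object still exists, so the audit record (step 14)
# does not depend on a user that step 15 will later delete.
$memberships = Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
$record = [ordered]@{
    timestamp = (Get-Date).ToUniversalTime().ToString('o')
    actor     = (Get-MgContext).Account
    target    = $user.UserPrincipalName
    licenses  = @($user.AssignedLicenses.SkuId)
    groups    = @($memberships)
    actions   = [System.Collections.Generic.List[string]]::new()
}

# Step 1: disable the account. If this throws, nothing else should run.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$record.actions.Add('accountDisabled')

# Steps 2 and 3: revokeSignInSessions invalidates refresh tokens and browser session cookies.
# Access tokens already issued keep working until they expire, which is why step 1 came first.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$record.actions.Add('sessionsRevoked')

# Step 5: remove every registered authentication method except the password method, which
# Graph does not allow you to delete. The @odata.type of each method maps to its REST collection.
$methodPaths = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    if (-not $methodPaths.ContainsKey($type)) { continue }   # password method, or a type not handled here
    $uri = "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication/$($methodPaths[$type])/$($m.Id)"
    Invoke-MgGraphRequest -Method DELETE -Uri $uri
    $record.actions.Add("mfaRemoved:$($methodPaths[$type])")
}

# Step 7: the license stays assigned on purpose; it is only recorded above.

# Step 11: retire the user's Intune devices (company data removed, device unenrolled).
foreach ($d in Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'") {
    Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    $record.actions.Add("intuneRetired:$($d.DeviceName)")
}

# Step 14: append-only JSON line per offboarding, written before any deletion happens.
($record | ConvertTo-Json -Compress -Depth 4) | Add-Content -Path $AuditLog -Encoding utf8
Write-Host "Offboarded $Upn; $($record.actions.Count) actions logged to $AuditLog"
```

Steps 8 through 10, 12 and 13 are left to the service desk and the SaaS connectors as the article describes. The method deletion goes through `Invoke-MgGraphRequest` rather than the per-type `Remove-MgUserAuthentication*Method` cmdlets so that one loop handles every registered type; the password method is skipped because Graph refuses to delete it.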

Where ServiceChanger fits is the access layer (steps 8 and 10 in particular, and the access side of the others): it manages group and role memberships in Entra ID and on-prem AD based on rules. When the account is disabled or the relevant attribute changes, the attribute-driven memberships fall away with it, so the person loses the access that hung on those rules without anyone opening a ticket.

What ServiceChanger does not do: it does not orchestrate the full HR-driven offboarding, does not assign or revoke license SKUs, and does not deprovision external SaaS over SCIM. The Intune-based device side is on the roadmap, not in production today. It keeps access in line with the attributes in your Entra ID; the rest of the checklist runs through Microsoft's own tooling and your service desk.

What to keep manual

Some steps you don't want to automate because they need a human decision:

  • Step 4: password reset for audit is standard, but the specific password is sometimes requested by legal.
  • Step 8: review SharePoint content access. You want to know which documents the person had before you hand them to someone else.
  • Step 9: transfer shared mailbox owner. Which colleague inherits it?
  • Step 12: revoke certificates. Customer-facing certificates sometimes need extra confirmation.

Those stay in the service desk workflow.

Why order matters

Order decides whether you lose data or leave security gaps.

Disable account first. Every second the account stays active after leaving is a risk.

Mind what actually triggers OneDrive cleanup. Removing the license does not start the clock; Microsoft begins the OneDrive retention countdown only when the account is deleted. The default retention is 30 days (configurable from 30 to 3650 days in the SharePoint admin center). So keep the account in place while you still need its data, then delete it once you are sure, knowing the retention window runs from that deletion.

Write the audit log before the permanent cleanup. Once the account object is gone, you can no longer enumerate its group memberships and licenses to record what was removed, so capture that while the account still exists.
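The day-30 half of the ordering rule, as an added example (not the article's or ServiceChanger's code): before removing the license and deleting the account, the script refuses to proceed unless the account is disabled and the day-0 audit record is older than the retention you configured. The audit-log path and its JSON-lines format are assumptions for the example, as is the default of 30 days, which should match the OneDrive retention set in the SharePoint admin center.

```powershell
# Added example: step 15 (remove license, delete account) with guards for the order described above.
# Not the article's or ServiceChanger's code. Assumes a day-0 audit log with one JSON object per line
# carrying 'target', 'timestamp' (ISO 8601, UTC) and 'actions'. UPN and log path are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
param(
    [Parameter(Mandatory)] [string] $Upn,                          # placeholder UPN
    [string] $AuditLog = "$PSScriptRoot\offboarding-audit.jsonl",  # assumed day-0 records
    [int]    $MinimumDisabledDays = 30                             # match your OneDrive retention setting
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses

# Guard 1: never delete an account that is still enabled; that is a different workflow.
if ($user.AccountEnabled) { throw "$Upn is still enabled; disable it first (step 1)." }

# Guard 2: the day-0 record is the only reliable timestamp for when the grace period started.
$day0 = Get-Content -Path $AuditLog |
    ForEach-Object { $_ | ConvertFrom-Json } |
    Where-Object { $_.target -eq $user.UserPrincipalName -and $_.actions -contains 'accountDisabled' } |
    Sort-Object timestamp | Select-Object -Last 1
if (-not $day0) { throw "No day-0 record for $Upn in $AuditLog; refusing to delete." }

$disabledAt = [datetimeoffset]::Parse($day0.timestamp).UtcDateTime
$age = (Get-Date).ToUniversalTime() - $disabledAt
if ($age.TotalDays -lt $MinimumDisabledDays) {
    throw "$Upn was disabled only $([int]$age.TotalDays) days ago; wait until day $MinimumDisabledDays."
}

# Step 15a: remove the license(s). Set-MgUserLicense needs both -AddLicenses and -RemoveLicenses.
$skus = @($user.AssignedLicenses.SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
}

# Step 15b: delete the account. This is what starts the OneDrive retention countdown. The user
# object itself sits in the Entra ID recycle bin for 30 days (Restore-MgDirectoryDeletedItem restores it).
Remove-MgUser -UserId $user.Id

# Close the trail: the deletion is logged against the UPN captured before the object was removed.
[ordered]@{
    timestamp = (Get-Date).ToUniversalTime().ToString('o')
    actor     = (Get-MgContext).Account
    target    = $user.UserPrincipalName
    actions   = @('licensesRemoved', 'accountDeleted')
    skus      = $skus
} | ConvertTo-Json -Compress | Add-Content -Path $AuditLog -Encoding utf8
```

The two guards encode the section's argument: the script will not delete an enabled account, and it will not delete before the grace period you chose has actually elapsed, measured from the disable event rather than from whenever the ticket happened to be picked up.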

Time saved

The figures below are an illustration of where manual offboarding time tends to go, not measured ServiceChanger benchmarks. Your own times depend on your tooling and how much is scripted already:

  Step                 Manual time   Automated time
  Disable + revoke     5 min         seconds
  License management   10 min        seconds
  Group cleanup        15 min        seconds
  Intune unenroll      5 min         seconds
  Audit log            10 min        automatic
  Total                ~45 min       a few minutes

At 5 offboardings per month, 45 minutes each adds up to almost four hours of manual work against a few minutes when automated. The access cleanup is the part that follows from rules automatically; the device and SaaS steps still run through their own tooling.

Pitfalls

  1. Respect the retention window. OneDrive cleanup starts at account deletion, and once retention lapses the data is gone. Know your configured retention (default 30 days) before you delete.
  2. Shared mailbox owner. If the leaver was the only person with access to it, nobody is left to answer that mailbox and customer mail goes unanswered.
  3. SCIM connections. External SaaS tools (Slack, Jira, GitHub) have their own deprovisioning. Don't forget them in your flow; ServiceChanger does not deprovision these for you.

FAQ

What happens if someone is offboarded by mistake? As long as the account is only disabled (not deleted), you re-enable it and re-assign the license, and access comes back. A deleted account can still be restored from the Entra ID recycle bin for 30 days after deletion; once that window and the OneDrive retention window lapse, the data is permanently gone.

Does this work for external contractors? Yes, for the access part. Disable the account or change the attribute in Entra ID, and the attribute-driven memberships fall away automatically. ServiceChanger responds to the attributes in Entra ID, not to an HR system.

Do you get an audit report of access changes? Yes, the group and role membership changes ServiceChanger makes are logged with user, actor, timestamp, and result, exportable for your records. Actions taken in Microsoft's own tooling are logged by Microsoft.

Offboarding is one side of access management. For how to run access on rules at the front end, read Automate service desk access requests.

Next step

Want to run this offboarding process on your own Entra ID? Book a demo or read the offboarding workflow docs.