By the time an employee hands in their notice, the decisions that will make their departure clean or messy have already been made. They were made in the first weeks of the person’s tenure, when nobody was paying close attention because the new hire had just arrived and there were a hundred other things to do. A shared login here, a quick SaaS sign-up there, a personal laptop used until the company hardware arrived. By month six, none of those feel like decisions at all. They feel like how things are.
This post covers what’s really going wrong when offboarding takes three weeks, the four onboarding shortcuts that guarantee a painful exit, how to retrofit hygiene on the team you already have, and what your IT provider should be doing at onboarding that probably isn’t happening.
What’s really going wrong when offboarding takes three weeks
A clean offboarding takes about 90 minutes of IT time. An account is disabled in your identity provider, which cascades access revocation across every tool connected via single sign-on. The device is remotely wiped or collected and wiped on-site. Email is forwarded to a manager or converted to a shared mailbox. The departing person’s accounts in your CRM and project tools are reassigned. A handover note, already templated because it was templated at onboarding, gets filled in and filed.
The messy version of the same process can take three weeks. It starts with a manual list of tools nobody can fully remember, which usually means asking the departing employee to help reconstruct it. You find a Figma account, a Loom workspace, a Notion instance, and an Airtable base, all set up independently, all with passwords sitting in the departing employee’s personal password manager. The laptop is at their house and they’re not in any rush. A client emails to say they received a strange message from a personal address. Six weeks later, a vendor charges the company card for a seat you thought you cancelled.
Whether your offboarding is clean or chaotic depends on what was set up during onboarding.
In the identity management world, this is called the “joiner, mover, leaver” lifecycle. Microsoft and most identity vendors use the same three-phase model. A rushed joiner phase compresses months of identity cleanup into the two weeks after the resignation lands.
Four onboarding shortcuts that guarantee a messy exit
Letting new hires sign up for SaaS tools on their own
When a staff member signs up for a tool independently, using their work email and a password only they know, that account is functionally theirs. You can’t reset it without triggering a notification to them. You may not even know the account exists until a vendor invoice shows up, or until the account goes dark after they leave and a client project breaks.
This is the most common source of the “we can’t find half the logins when someone leaves” problem. The fix is provisioning every tool through a central identity system, where any new SaaS application gets connected to your single sign-on before the first user logs in.
Tolerating personal devices “just until we get them sorted”
Personal devices that get used for work don’t stay temporary. The employee installs apps, connects to client systems, downloads files, and what was a temporary fix becomes how they work permanently. When they leave, you have no ability to wipe company data from a device you don’t own and never enrolled in a management system. You’re relying on their goodwill, which is usually fine, but it is not a security control.
The fix is to issue company-owned devices on day one and enroll them in mobile device management. When you do allow a personal device, require managed app access for company email and files. Browser-saved credentials are not a substitute.
Shared logins for tools you didn’t want to pay per-seat for
Shared credentials are the worst offender at offboarding. When five people use the same login for a tool, you can’t remove one person’s access without changing the password for everyone. You usually find this out at the worst possible time, when the person leaving is the one who set up the account and nobody else remembers the password at all.
Per-seat is the cost of doing this properly. The savings from shared logins reappear during offboarding as wasted hours and exposed access.
Letting client relationships live in one person’s inbox
This one is specific to agencies and professional services. When a senior account manager or consultant leaves, their client relationships often leave with them. The context, the email history, the preferences, and the half-finished threads lived in one person’s inbox. With the person gone, all of that becomes inaccessible or awkward to retrieve.
From the client’s side, your business just doesn’t know who they are anymore.
The fix is a shared inbox or CRM where client communication is logged. Even a Microsoft 365 shared mailbox with a clear expectation that client threads are CC’d to it is a meaningful improvement over what most small businesses have today.
How to retrofit hygiene on the team you already have
The cleanup most businesses need is for the team they already have, before the next hire arrives. You can’t go back and re-onboard your existing staff, but you can audit what’s there and close the gaps before the next departure.
The SaaS audit
Pull three months of credit card statements (every card that gets used for business expenses) and list every recurring SaaS charge. For each one, find out who set it up, who has the login, whether the account uses a personal or company email, and whether anyone else can access it if that person left tomorrow.
You’ll find tools nobody remembers signing up for, tools used by one person with no backup access, and accounts where the original owner has already left while you’re still paying for the seat. None of this is a technical exercise. All it takes is a spreadsheet and an afternoon.
The device register
Build a simple list: who has what, when each device was issued, whether it’s enrolled in a management system, and what company data each device can access. If you don’t have one, build it now. Ask every staff member to confirm the devices they use for work, including personal ones. The goal is to map what you’re working with. Most employees are happy to confirm what device they use once they know nothing punitive will come of it.
For any personal device that has been used to access company systems, the minimum is making sure company email and file access happens through managed apps that can be remotely disconnected.
Client communication in shared places
Move client communication into shared places so the relationship belongs to the business when an individual moves on. Continuity is the goal. Set up a shared inbox or alias for client-facing communication, and use a CRM where contact history and notes are logged. Even a shared Microsoft 365 mailbox with a clear expectation that client threads are CC’d to it is a meaningful improvement over what most small businesses do today.
What your IT provider should be doing at onboarding
Most IT providers get called when someone resigns. They show up, disable the account, collect the laptop if they can find it, and do their best with whatever documentation exists. That’s the wrong end of the lifecycle to be involved in. If that’s the only time your IT provider is involved in staff transitions, you’re not getting much value from the relationship.
The model that works puts your IT provider at onboarding too. They set up the new account in your identity provider, enroll the device in your mobile device management system, and provision access through single sign-on so every tool the new hire uses is connected to a central identity that can be switched off in one action. They should also maintain a handover document for each staff member, updated periodically, listing every system the person accesses, every client relationship they own, and every credential tied to their identity.
When that’s in place, offboarding becomes a checklist and an hour rather than a three-week excavation. Ask your IT provider what they do at onboarding. If the answer is “not much” or “we usually just get called when someone leaves,” that’s worth a conversation.
A 60-day plan before your next round of departures
You don’t need to know the exact date of the next resignation to start. The work is more manageable when nothing is urgent.
Weeks 1 and 2: Run the credit card SaaS audit. Build a list of every tool, every account owner, and every login that only one person controls. Flag the ones where access would be lost or complicated if that person left this week.
Weeks 3 and 4: Build the device register. Confirm what every staff member uses for work. For personal devices with company access, implement managed app access at minimum. Enroll company-owned devices in a management system if they aren’t already.
Weeks 5 and 6: Audit client-facing communication. Identify any client relationships that exist primarily in one person’s inbox or on someone’s mobile phone. Set up shared mailboxes or CRM logging for the highest-risk accounts first.
Weeks 7 and 8: Write the onboarding process you wish you’d had. Use everything you found in the previous six weeks as the input. Apply it to your next hire from day one, and use it as the template for a handover document for every existing staff member.
Most of this is an operational task rather than a technology project. A spreadsheet, some honest conversations with your team, and a few hours of your IT provider’s time will cover the bulk of it.
Frequently asked questions
How long should offboarding take in a small business?
With proper onboarding hygiene and centralized identity, the IT side of offboarding takes about 60 to 90 minutes. Take that foundation away and the same task can stretch to two or three weeks of scattered cleanup.
How do I find SaaS tools my team signed up for without telling me?
The fastest way is a three-month review of every credit card statement used for business expenses. Most shadow SaaS shows up as a recurring charge somewhere on the card.
Can I wipe a personal device after someone leaves?
Only the company data, and only if you set that up while they were still employed. Mobile device management or managed app access lets you remove company email, files, and credentials from a personal device without touching the rest of it. If those tools weren’t in place during their employment, your options are limited.
What’s the role of single sign-on in offboarding?
Single sign-on means every tool a user accesses is tied to a central identity. Disabling that identity in one place revokes access everywhere. Without single sign-on, you have to manually log into each platform and remove the user.
Should I make my employees use only company devices?
Where practical, yes. For personal devices, enrolling them in a management system or requiring managed app access is the next best thing. A personal device with saved company credentials and no management is the highest-risk configuration for offboarding.
Sources and further reading
- Microsoft Learn: What are lifecycle workflows in Microsoft Entra? — Microsoft’s framing of the joiner / mover / leaver lifecycle and the workflows that automate it.
- Microsoft Learn: App Protection Policies overview (Intune) — how managed app access works for personal devices, including selective wipe of company data.
If your offboarding process feels harder than it should be, that’s a good signal that your onboarding needs attention. Your IT provider should be able to walk you through both ends of the lifecycle and help you tighten what’s loose. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.
—