Every New Starter and Every Leaver Is a Security Event
When a new employee joins your business, they need access to email, files, applications, and devices. When someone leaves, all that access must be revoked — completely and immediately. Get this wrong, and you expose your business to data breaches, unauthorised access, and compliance failures.
For Australian SMEs, onboarding and offboarding are often informal. A manager sends a request to IT, accounts are created ad hoc, and when someone leaves, their access lingers for days or weeks. This is a significant security risk that grows with every employee transition.
The Cost of Getting It Wrong
Former employees with active accounts are a documented threat vector. Whether through malice or negligence, ex-staff with access to business systems can download client data, delete files, access financial information, or send emails on behalf of the company. Even without malicious intent, an orphaned account is a target for attackers — nobody monitors it, and the credentials may have been compromised without anyone noticing.
On the onboarding side, delays in provisioning mean new staff cannot work effectively on day one. They borrow colleagues’ credentials, use personal email for work communication, and create workarounds that bypass security controls.
IT Onboarding Checklist
A standardised onboarding process ensures every new starter is set up consistently and securely.
Before day one: Create user accounts in Microsoft 365 (or your identity platform). Assign appropriate licences based on role. Set up email with correct signature template. Configure group memberships and access permissions based on role. Enrol in MFA. Prepare and configure device (laptop, phone) with required software and security policies. Add to relevant Teams channels and SharePoint sites.
Day one: Hand over device with login credentials (temporary password requiring immediate change). Walk through MFA setup. Provide access to key systems (job management, accounting, CRM). Deliver security awareness briefing — cover phishing, password policy, and reporting procedures. Document all access granted.
First week: Verify all systems are working correctly. Address any access gaps. Confirm the new starter can work effectively from all required locations (office, home, field).
IT Offboarding Checklist
Offboarding must happen quickly — ideally within hours of the departure being confirmed.
Immediately on departure: Disable the user account (do not delete — you may need it for legal or compliance reasons). Reset the password. Revoke all active sessions and tokens. Disable MFA enrolment. Redirect email to a designated colleague or shared mailbox. Revoke VPN and remote access. Remotely wipe company data from personal devices (if using BYOD with MDM). Collect physical devices, access cards, and keys.
Within 24 hours: Review and reassign any shared resources or permissions the departing employee managed. Transfer ownership of files, Teams channels, and shared mailboxes. Remove from all group memberships and distribution lists. Revoke access to third-party SaaS applications (accounting software, CRM, job management).
Within 30 days: Archive the user’s mailbox and OneDrive for retention purposes. Review access logs for any unusual activity in the period leading up to departure. Document the offboarding for compliance records.
Role-Based Access Control
The onboarding and offboarding process is simpler and more secure when you use role-based access control (RBAC). Instead of configuring access individually for each person, define standard access profiles for each role in your business.
For example, an “Accounts Payable” role might include access to Xero, the finance SharePoint site, and the AP shared mailbox. When a new AP staff member joins, you assign the role — all access is configured automatically. When they leave, revoking the role removes all access in one action.
Microsoft 365 and Azure AD support dynamic groups and access packages that automate much of this process.
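The role-based model described above, as an added example that is not from the original article or any vendor's code. The role names, access labels and function names are constructed for illustration; the point it shows is that removing one role must not revoke access that a remaining role still justifies, and that ad hoc grants show up as access no role explains.

```python
# Constructed role profiles: each role maps to the access it should carry.
ROLE_PROFILES = {
    "accounts_payable": {"xero", "sharepoint:finance", "mailbox:ap"},
    "payroll": {"xero", "sharepoint:finance", "mailbox:payroll"},
    "site_supervisor": {"job_management", "sharepoint:projects"},
}


def entitlements(roles):
    """Union of every access item granted by the given roles."""
    unknown = set(roles) - set(ROLE_PROFILES)
    if unknown:
        # Refuse to guess: an undefined role means the profile register is stale.
        raise KeyError(f"undefined role(s): {sorted(unknown)}")
    return set().union(*(ROLE_PROFILES[r] for r in roles))


def plan_change(old_roles, new_roles):
    """Return (grant, revoke) sets for a joiner, mover or leaver.

    Access still justified by a remaining role is never revoked.
    """
    before, after = entitlements(old_roles), entitlements(new_roles)
    return after - before, before - after


def out_of_role(roles, actual_access):
    """Access a person holds that no assigned role explains (ad hoc grants)."""
    return set(actual_access) - entitlements(roles)
```

A joiner is `plan_change([], roles)` and a leaver is `plan_change(roles, [])`; anything `out_of_role` returns has to be revoked by hand at offboarding because no role removal will cover it.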
Third-Party Application Access
Do not overlook SaaS applications. Staff often have accounts in tools beyond your core IT systems — project management platforms, design tools, social media accounts, industry-specific software. Maintain a register of all third-party applications and which staff have access. Include these in your onboarding and offboarding checklists.
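One way to check the access register against the offboarding windows in the checklist above, as an added example that is not from the original article. The register rows, leaver feed, names and the mapping of each system to a window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Windows taken from the offboarding checklist; which category of system
# falls into which window is an assumption of this example.
DEADLINES = {
    "identity": timedelta(hours=0),   # disable the account immediately
    "vpn": timedelta(hours=0),        # revoke remote access immediately
    "saas": timedelta(hours=24),      # third-party applications within 24 hours
}

# Constructed access register: (person, system, category, still_enabled)
REGISTER = [
    ("j.nguyen", "Microsoft 365", "identity", False),
    ("j.nguyen", "VPN", "vpn", True),
    ("j.nguyen", "Xero", "saas", True),
    ("m.rossi", "Microsoft 365", "identity", True),
    ("m.rossi", "CRM", "saas", True),
    ("a.patel", "Microsoft 365", "identity", True),  # current employee
]

# Constructed HR leaver feed: person -> time the departure was confirmed
LEAVERS = {
    "j.nguyen": datetime(2024, 3, 1, 9, 0),
    "m.rossi": datetime(2024, 3, 4, 16, 0),
}


def overdue_access(register, leavers, now):
    """Return (person, system, hours_overdue) for leaver access still
    enabled past its window, worst first."""
    findings = []
    for person, system, category, enabled in register:
        left_at = leavers.get(person)
        if left_at is None or not enabled:
            continue  # still employed, or access already removed
        due = left_at + DEADLINES[category]
        if now > due:
            hours = (now - due).total_seconds() / 3600
            findings.append((person, system, round(hours, 1)))
    return sorted(findings, key=lambda f: -f[2])
```

Run on a schedule against exports from the identity platform and the SaaS register, the output is the list of orphaned accounts to close, ordered by how long each has been exposed.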
Automation
For businesses with frequent employee turnover — trades and construction businesses during busy seasons, for example — manual onboarding and offboarding is time-consuming and error-prone. Automation tools can create and disable accounts based on triggers from your HR system, assign access based on department and role, send automated notifications to IT, HR, and the departing employee’s manager, and generate compliance reports showing access changes.
Microsoft 365 lifecycle workflows and tools like JumpCloud provide this automation at an SME-appropriate scale and cost.
Get Your Process Right
A documented, consistent onboarding and offboarding process protects your business and improves the employee experience. Contact TechAssist to set up or review your IT onboarding and offboarding procedures.




