
Like it or not, this is the era of SaaS.

New SaaS applications are introduced every month, claiming to make work more productive and life more comfortable. They are easy to adopt and quick to put to work, so anyone can do it. We no longer have to wait for the expert IT guys to choose, evaluate and install the apps before giving us the green light to use them. We are independent and do what it takes to get the job done.

That’s all good… unless you are the IT guy and have to offboard those employees from those applications.

You then need to figure out which apps that employee signed up for and used. What access permissions do you revoke? What company data sits in those apps? What should be deleted? What should be returned to the safety of the corporate infrastructure?

Unfortunately, it feels like ease for the end user means a headache for IT.

That’s why we’ve put together this Employee Offboarding Checklist for IT. It is your simple guide to the must-have steps that need to get done when employees move on.


Employee Offboarding Checklist:

  1. Revoke system access from IdP and SSO 
  2. Close employee SaaS accounts 
  3. Terminate VPN and review any remote access methods 
  4. Change/revoke shared account passwords 
  5. Change system ownership 
  6. Forward employee email address 
  7. Recover company equipment and assets 
  8. Reclaim employee licenses 
  9. Update credit card payments 
  10. Schedule account deletion for suspended accounts 

Download the full guide here and cover all your bases. 

1. Revoke System Access From Your IdP and SSO

Your Identity Provider (IdP) is usually the first port of call. This is your single source of truth and, in many cases, the access point to many other internal and external systems.

Tip: Log in to your G-suite or Azure Active Directory admin console and suspend or disable the user.

If you have a Single Sign On (SSO) solution such as Okta, OneLogin, or others, then disabling the user account on your SSO is one of your most important steps since the mission-critical systems are protected behind it.

Pro Tip: Do not reuse an old email address for new employees. For example, if [email protected] has left the company and then another John joins, do not give him the [email protected] address. This may allow him access to unrestricted resources.

2. Close Employee SaaS Accounts

According to Torii’s internal data, most employees typically use at least 30 SaaS accounts. ALL of these accounts should be closed for security, compliance, and cost-saving reasons.

These include:

  • SaaS tools for which the employee has an active account
  • SaaS tools the employee has used in the past


Make sure you also close the accounts of SaaS tools that are behind the SSO login. SaaS vendors are unaware of the fact that you’ve disabled the account access from the SSO or G-suite, and that has many implications:

  • Employee account data still lies with the 3rd party provider. What happens if the vendor gets hacked? Will they notify you of the data breach of an employee who is no longer with the company?
  • Employee sessions might still be valid. While the employee may not be able to perform a new login, a long-running session may leave the account exposed.
  • A vendor license is probably allocated to the employee, and you may still be paying for it.
  • API access tokens might still be valid, leaving the backdoor open without you knowing about it. This is a bad security practice.


Tip: Remember that revoking G-suite/SSO access is not enough. While it may block the user from accessing the system, it doesn’t delete their data on that tool, and their account may still occupy a paid license seat.
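The four leftovers listed above (live accounts, sessions, API tokens, paid seats) can be checked mechanically once you have each vendor's account export. The sketch below is an added example, not part of the original checklist or any Torii tooling; the CSV column names, application names and addresses are constructed assumptions.

```python
import csv
import io

# Constructed sample: users already disabled in the IdP/SSO.
OFFBOARDED = {"dana@example.com", "lee@example.com"}

# Constructed per-application account export (hypothetical column names).
ACCOUNT_EXPORT = """app,email,status,active_sessions,api_tokens,paid_seat
crm,dana@example.com,active,2,1,yes
crm,sam@example.com,active,1,0,yes
storage,dana@example.com,suspended,0,0,yes
chat,lee@example.com,deleted,0,0,no
wiki,Lee@Example.com,active,0,3,no
"""

def residual_access(export_text, offboarded):
    """Return (app, email, issues) for departed users who still hold something at a vendor."""
    departed = {e.lower() for e in offboarded}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Vendors store addresses with inconsistent case; normalise before matching.
        email = row["email"].strip().lower()
        if email not in departed or row["status"] == "deleted":
            continue
        issues = []
        if row["status"] == "active":
            issues.append("account still active")
        if int(row["active_sessions"]) > 0:
            issues.append("live sessions")
        if int(row["api_tokens"]) > 0:
            issues.append("API tokens not revoked")
        if row["paid_seat"] == "yes":
            issues.append("paid license seat")
        if issues:
            findings.append((row["app"], email, issues))
    return findings

if __name__ == "__main__":
    for app, email, issues in residual_access(ACCOUNT_EXPORT, OFFBOARDED):
        print(f"{app:8} {email:20} {', '.join(issues)}")
```

Note that the suspended `storage` account is still reported: suspension stops logins but not the license charge.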

3. Terminate VPN and Review Any Remote Access Methods

It is common these days for employees to have remote access to internal or cloud services, whether they work from home or from a satellite office.

Make sure you revoke the employee’s access from all methods of logging into the VPN, remote desktop, or any other remote access forms.

Tip: It is good practice to review your VPN and remote access logs once in a while, making sure nothing has fallen between the cracks.
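One way to run that periodic log review is to compare every VPN authentication event against each departed user's offboarding time. This is an added example, not from the original article; the log line format, usernames and timestamps are constructed assumptions, so adapt the pattern to your VPN product's real log format.

```python
import re
from datetime import datetime, timezone

# Constructed: offboarding time per departed user (UTC).
OFFBOARDED_AT = {
    "dana": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "lee": datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc),
}

# Constructed log lines in a hypothetical "time user=... src=... result=..." format.
VPN_LOG = """\
2024-03-01T09:12:44Z user=dana src=198.51.100.7 result=success
2024-03-02T22:03:10Z user=dana src=203.0.113.45 result=success
2024-03-03T08:00:00Z user=sam src=198.51.100.9 result=success
2024-03-05T01:15:31Z user=LEE src=203.0.113.80 result=failure
this line is malformed and must be skipped
"""

LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

def post_offboarding_logins(log_text, offboarded_at):
    """Return (severity, user, source_ip, time) for auth events after a user's offboarding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # unparseable timestamp
        user = m.group(2).lower()
        cutoff = offboarded_at.get(user)
        if cutoff is None or ts <= cutoff:
            continue  # current employee, or activity before the departure
        # A success means access was never revoked; a failure is still worth a look.
        severity = "HIGH" if m.group(4) == "success" else "review"
        hits.append((severity, user, m.group(3), ts.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in post_offboarding_logins(VPN_LOG, OFFBOARDED_AT):
        print(*hit)
```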


4. Change/Revoke Shared Account Passwords

Having shared accounts is bad security practice. However, you may have some services where you’ve created a shared user for several employees. Whether that’s a database password, router access, or a SaaS shared account, this is an open backdoor.

In case the departing employee had access to a shared account, you should revoke all existing tokens and sessions and create a new password. This might also be a good time to revisit this shared account and create separate accounts where possible.


Tip: Shared accounts are a bad security practice and should be avoided. They pose both security and compliance risks. 

5. Change System Ownership

The departing employee might have acted as the system owner of one or more tools. Make sure you have someone else assigned to the role and have the proper system permission to do so.


Tip: Maintain a list of system owners in your SaaS System of Record (SOR). Every application should have a designated application owner. Additional roles, such as business owner and budget owner, are also recommended.

6. Forward Employee Email Address

To ensure business continuity, it is important to forward the emails of the departing employee to a colleague or a manager, at least temporarily. You should probably do this when you disable the employee’s G-suite/Office-365 email account.

It is good practice to create an automatic reply on behalf of the departing employee, letting the sender know his email will be addressed by a new employee.

This is especially important for employees who were the single point of contact with a customer or a supplier.

Tip: When thinking about single-point-of-contact employees, it is not only the emails of managers or sales executives that should be forwarded. Remember that in today’s SaaS era, many individual contributors in various departments might have signed up for a SaaS tool. An important email from a vendor might be lost unless you create a forwarding rule for those employees once they have left.

7. Recover Company Equipment and Assets

Stating the obvious, but without an updated and comprehensive company asset register, company property might get lost. Keeping an updated inventory of company assets used by each employee is good practice, and checking these assets when the employee leaves is a must.

Recover all company property from the departing employee, including laptop, cell phone, peripheral devices, office keys, access cards, etc. 


8. Reclaim Employee Licenses

Unfortunately, many SaaS applications hide the fact that you keep paying for inactive users, even former employees who are no longer with the company. Our observation is that the total cost of wasted licenses can sum up to around 30% of your total SaaS license cost.

To save costs, make sure you reclaim the SaaS licenses of departing employees. Pay attention to the different license models of the various providers. With many tools, you keep paying for disabled/suspended accounts as if they were active accounts. Often, the only way to stop the license charge is to remove the account.


9. Update Credit Card Payments

Charging your credit card is very common with SaaS applications. Your finance department will revoke the corporate card held by a departing employee, but how would you know for which SaaS applications this card has been paying?

Keeping an up-to-date list that matches the credit cards and their SaaS app’s billing records is critical if you would like to ensure business continuity. Once you have this list in place, you need to make sure you regularly update new cards and apps on the list. Failing to do so might result in the vendor blocking access to the service or limiting its functionality.


10. Schedule Account Deletion for Suspended Accounts

With many services, such as Salesforce, G-suite, Dropbox, and others, you have the ability to suspend/disable the user before deleting it. This allows you to disable the employee’s access to a certain account without losing important corporate data.

While this is good practice, we tend to forget to review those accounts and delete them once the data has been transferred.

Make sure you put a good process in place to revisit suspended accounts after a fixed period of time and delete them.


The Bottom Line:

A smooth employee exit is just as important as a great start for the employee and for the company. Formalizing the offboarding process not only mitigates legal and security threats but also ensures that employee departures cause minimal disruption. The proliferation of SaaS tools has made the employee’s offboarding task considerably more difficult.

Follow the checklist to keep your operation smooth and the organization secure and compliant, and keep employees’ SaaS licenses under control to make sure money is not wasted.

But what’s next? The truth is that offboarding is just one stage of the employee lifecycle. If you want to gain a better understanding of the way that your employees are using technology throughout their entire time at your organization, you should consider a SaaS Management Platform. This spans:

  • Onboarding via an Application Catalog
  • Shadow IT discovery
  • License optimization
  • Offboarding

Distributed SaaS Management empowers you to empower your whole organization.

Ready to learn how Torii can help? Request a demo today!