FREE TEMPLATE

Employee Offboarding Checklist

A complete checklist for revoking SaaS access when employees leave your company.

7 sections · 54 items

When an employee leaves your company, revoking their access to every SaaS tool is critical — but easily overlooked. This checklist covers every step of the access revocation process, from identity providers to individual SaaS apps. Use it as-is or customize it for your team's tool stack.

Pre-Offboarding (Before Last Day)

Complete these steps before the employee's final day to ensure a smooth transition.

Confirm departure date and last working day with HR

Identify all tools and systems the employee has access to

Document any shared accounts or credentials the employee manages

Transfer ownership of shared drives, documents, and repositories

Transfer ownership of Slack channels and Google Groups the employee owns

Back up any data in the employee's personal accounts that the company needs

Notify relevant team leads about the transition timeline

Identify and reassign any scheduled tasks, cron jobs, or automations owned by the employee

Identity Provider & SSO

Start with the identity provider to immediately cut off SSO access to downstream apps.

Disable the user account in your identity provider (Okta, Entra ID, Google Workspace)

Revoke all active SSO sessions

Remove the user from all identity provider groups

Disable or rotate any service account credentials the employee created

Revoke any SAML/OIDC tokens

Remove the user from any conditional access policies or MFA exemptions

Email & Communication

Prevent access to company communications and ensure no messages are lost.

Disable the employee's email account (Gmail / Outlook)

Set up email forwarding to their manager for a defined period

Remove the employee from email distribution lists and mailing groups

Deactivate Slack account and remove from all channels

Remove from Microsoft Teams and any team channels

Revoke access to any shared communication tools (Discord, WhatsApp Business)

Update any shared mailbox delegations

Code & Development Tools

Revoke access to source code, CI/CD pipelines, and development infrastructure.

Remove from GitHub organization and all repositories

Remove as outside collaborator from any private repos

Revoke any personal access tokens (PATs) the employee created

Remove SSH keys from GitHub, GitLab, or Bitbucket

Remove from CI/CD platforms (GitHub Actions, CircleCI, Jenkins)

Revoke access to container registries (Docker Hub, ECR, GCR)

Remove from package registries (npm, PyPI, RubyGems)

Revoke access to any staging or development environments

Cloud Infrastructure

Remove access to cloud platforms and infrastructure services.

Delete or disable AWS IAM user account

Rotate or delete any AWS access keys the employee created

Remove from AWS IAM groups and detach inline policies

Revoke access to GCP projects and service accounts

Remove from Azure subscriptions and resource groups

Revoke access to any databases (RDS, Cloud SQL, MongoDB Atlas)

Remove from Kubernetes cluster access (kubeconfig, RBAC)

Revoke VPN or bastion host access

Revoke access to monitoring tools (Datadog, New Relic, PagerDuty)

Business & Productivity Tools

Remove access to general business applications.

Deactivate account in project management tools (Jira, Asana, Linear, Monday)

Remove from Notion workspace and revoke guest access

Revoke access to design tools (Figma, Adobe Creative Cloud)

Remove from documentation platforms (Confluence, GitBook, Notion)

Deactivate CRM account (Salesforce, HubSpot)

Remove from financial tools (QuickBooks, Stripe Dashboard, Brex)

Revoke access to HR platforms (BambooHR, Gusto, Rippling)

Remove from analytics tools (Google Analytics, Mixpanel, Amplitude)

Post-Offboarding Verification

Verify that all access has been successfully revoked.

Verify the employee can no longer log in to any company tool

Check for any shared passwords in your password manager that need rotation

Rotate any API keys or secrets the employee had access to

Review recent activity logs for any unusual access in the final days

Confirm all hardware (laptop, phone, keys, badges) has been returned

Archive the employee's offboarding record for compliance

Generate an offboarding report with timestamps for audit purposes

Schedule a 30-day follow-up to check for any missed accounts

Pro tips

Start with the identity provider — disabling SSO cuts off access to most downstream apps immediately.

Don't delete accounts until you've transferred ownership of shared resources (drives, repos, channels).

Keep a running list of every new tool your company adopts and update this checklist accordingly.

Set calendar reminders for 30 and 90 days post-offboarding to catch any missed accounts.

Consider using ViglaFort to automate this entire process — connect your tools once, and offboard with one click.

Skip the manual checklist.

ViglaFort automates everything in this template. Connect your tools once, and manage access with one click.

Join the Beta — Free

More templates

Quarterly Access Review Template

A step-by-step template for conducting thorough SaaS access reviews.

View template

SaaS Security Audit Checklist

A comprehensive checklist for auditing security across your SaaS tool stack.

View template