"Offboarding: A Former Employee's Account Is an Open Door Into Your Company"
11 July 2026 · 6 min read
When an employee leaves, HR collects the equipment, the paperwork gets signed, and that is usually where it ends. The IT part of the story, shutting down access, gets postponed "until tomorrow", then until next week, and then it is forgotten. The result is an account that still receives mail, a VPN that still connects, and passwords the former colleague still knows. On audits of new clients we routinely find accounts of people who have not worked there in years, and that is not one company's negligence, it is the norm in smaller organizations without a formal process.
Why this is a bigger risk than it looks
A former employee's account is ideal for an attacker: it is legitimate, it has history, nobody watches it, and its password has often been sitting in a public breach database for years. A sign-in to such an account does not look like an intrusion, it looks like a Monday. Then there is the human factor: most departures are amicable, but it takes only one disputed dismissal for live access to become a means of revenge, from deleted files to a client database carried off to a competitor.
And it is not only employees. The same problem is created by the accounts of former contractors, freelancers, agencies, and, very often, the previous IT provider, who sometimes retains admin access to everything years after the engagement ended.
What stays active after someone leaves
Disabling an account is not one click, because access lives in many places:
- Account and sessions: the Entra ID account, plus active sign-ins on a phone and laptop that keep working even after a password change if sessions are not revoked.
- Mail: delegations to other mailboxes, auto-forwarding rules to a private address, shared mailboxes.
- Shared passwords: Wi-Fi, shared tool accounts, social media and website access, passwords that "everyone knew".
- External services: SaaS tools bought on a card outside IT, OAuth apps connected to the account, access at suppliers.
- Devices: a personal phone with a work profile and synced OneDrive folders.
What proper offboarding looks like
The process we set up for clients fits on one checklist and runs on the day of departure, not after it: the account is disabled, all active sessions revoked, MFA methods reset, mail and OneDrive handed over to the manager or successor, forwarding and delegations removed, shared passwords rotated, devices wiped through Intune, and access at external services and suppliers closed. On top of that comes prevention: a quarterly review of all accounts and access, because offboarding catches the people you know are leaving, and the review catches the ones the process missed.
The bottom line
A company that shuts down access properly is not paranoid, it simply knows a plain truth: every active account is an entrance, and an entrance nobody uses or watches is a gift to an attacker. An offboarding checklist is written once, takes half an hour per departure, and closes a risk that has brought down far bigger companies than yours.
INTO MSP sets up the offboarding process, quarterly access reviews, and shared password control through a central vault for its clients. If you do not know how many former people currently have live access to your systems, that is exactly the question our audit answers.
Want this handled, without the drama?
INTO MSP runs security, backup and IT for small and mid-size companies. Step one is a short, no-obligation review.
IT Security → Contact