Every business eventually loses an employee. They resign, they retire, they get let go. HR handles the exit interview and the final paycheck. But who handles the technology? In most small businesses, the answer is “nobody, at least not right away” — and that gap creates real security and data loss risks.
The Risks Most Businesses Don’t Think About
Active accounts after departure. If an employee’s Microsoft 365 account, VPN access, and application logins are not disabled on their last day, they still have access to your business systems. Most former employees would never misuse that access. But “most” is not “all” — and you are also exposed if their credentials are compromised by a third party after they leave.
Data walking out the door. In the days before a departure, employees sometimes download files, forward emails to personal accounts, or copy contacts. Sometimes this is innocent — they want copies of work they are proud of. Sometimes it is not. Without monitoring and access controls, you may never know what data left with them.
OneDrive and mailbox deletion. Here is the one that catches businesses off guard. When you delete a Microsoft 365 user account, Microsoft retains their OneDrive files for 30 days. After that, the files are permanently deleted. If that employee had critical documents, project files, or client records stored in their OneDrive — and many employees do — you have a 30-day window to recover them before they are gone forever.
Shared access gaps. Employees accumulate access over time. They get added to shared drives, SharePoint sites, Teams channels, third-party applications, and vendor portals. When they leave, all of those access points need to be audited and revoked. Miss one and you have an orphaned account sitting in a system that nobody is monitoring.
What a Proper IT Offboarding Process Looks Like
A structured offboarding process ensures nothing gets missed. Here is what should happen, ideally coordinated between HR and your IT team:
Before the last day:
- Notify your IT team as soon as the departure is confirmed. Do not wait until the last day.
- Identify all systems, applications, and shared resources the employee has access to.
- Determine whether any files or data in their OneDrive, email, or personal folders need to be transferred to a manager or colleague.
- If the departure is involuntary, coordinate with HR on timing — IT should be ready to disable access simultaneously with the notification.
On the last day:
- Disable the Microsoft 365 account (do not delete it yet — disabling blocks access while preserving data).
- Disable VPN and remote access.
- Revoke access to all third-party applications and vendor portals.
- Change any shared passwords the employee knew (WiFi, shared accounts, admin credentials).
- Collect company devices — laptop, phone, access badges, keys.
- Set up email forwarding or auto-reply on their mailbox so client communications are not lost.
After departure:
- Transfer ownership of their OneDrive files and relevant emails to their manager.
- Review and reassign any Teams channels, SharePoint sites, or shared mailboxes they owned.
- After data transfer is confirmed, convert the user's M365 mailbox to a shared mailbox (free, and it preserves email history without consuming a paid license) or delete the account.
- Wipe company data from personal devices if the employee was using BYOD.
- Document everything that was done for compliance and audit purposes.
The Microsoft 365 Retention Trap
This deserves its own section because it catches businesses constantly. When you delete a Microsoft 365 user account:
- Mailbox: Moves to an inactive state for 30 days (or per your retention policy), then is permanently deleted.
- OneDrive: Manager gets access for 30 days (if configured). After 30 days, files are permanently deleted.
- Teams data: Chat history is retained based on retention policies, but any files shared in chats may be lost with the OneDrive deletion.
- SharePoint: Files in shared SharePoint sites are not affected by the user deletion. But files in the user’s personal SharePoint space follow the same 30-day retention as OneDrive.
If you do not have a third-party M365 backup solution, that 30-day window is your only chance to recover departed employee data. Miss it and it is gone. This is one of the most common reasons businesses realize they need M365 backup — after they have already lost data they needed.
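To make the two recurring failures above concrete (accounts left enabled after the last day, and deleted accounts whose data was never transferred inside the 30-day window), here is an added example that is not part of the original article or of any Microsoft tooling. It assumes you can export an HR departure list and a merged account inventory; the tuple layout, the state names and all sample records are constructed for illustration.

```python
from datetime import date, timedelta

RETENTION_DAYS = 30  # window stated in the article; confirm your tenant's policy

# Constructed sample data (hypothetical layout): HR last days and a merged export.
DEPARTURES = {
    "alice@example.com": date(2024, 3, 1),
    "bob@example.com": date(2024, 3, 15),
    "carol@example.com": date(2024, 2, 1),
}
ACCOUNTS = [  # (user, system, state, deleted_on, data_transferred)
    ("alice@example.com", "m365", "disabled", None, False),
    ("alice@example.com", "vpn", "enabled", None, False),
    ("bob@example.com", "m365", "deleted", date(2024, 3, 15), False),
    ("bob@example.com", "vendor-portal", "enabled", None, False),
    ("carol@example.com", "m365", "deleted", date(2024, 2, 2), False),
    ("dave@example.com", "m365", "enabled", None, False),  # current employee
]

def audit(departures, accounts, today, warn_days=7):
    """Return (severity, user, system, message) findings, most urgent first."""
    findings = []
    for user, system, state, deleted_on, transferred in accounts:
        last_day = departures.get(user)
        if last_day is None or today <= last_day:
            continue  # still employed, or last day not yet over
        if state == "enabled":
            days = (today - last_day).days
            findings.append(("HIGH", user, system, f"still enabled {days}d after last day"))
        elif state == "deleted" and not transferred:
            purge_on = deleted_on + timedelta(days=RETENTION_DAYS)
            left = (purge_on - today).days
            if left < 0:
                findings.append(("LOST", user, system, f"retention expired {purge_on}"))
            elif left <= warn_days:
                findings.append(("HIGH", user, system, f"{left}d left to recover data"))
            else:
                findings.append(("INFO", user, system, f"recover data before {purge_on}"))
    order = {"HIGH": 0, "LOST": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for finding in audit(DEPARTURES, ACCOUNTS, today=date(2024, 3, 20)):
        print(*finding, sep=" | ")
```

Disabled accounts produce no finding because, as the checklist notes, disabling blocks access while preserving data; the clock only starts once the account is deleted.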
The Involuntary Departure: When Speed Matters
When an employee is terminated, the stakes are higher. There may be concerns about data theft, sabotage, or retaliation. In these situations, IT access should be disabled at the exact moment the employee is notified — not an hour later, not the next morning.
This requires coordination between HR and IT before the conversation happens. Your IT team should be standing by to disable the account the moment they receive the signal. If you use a managed IT provider, this should be part of your service agreement — a documented process for emergency access revocation that can be executed in minutes.
Why This Matters More Than You Think
Employee turnover is normal. Every business experiences it. But every departure is a security event — whether you treat it as one or not. The businesses that handle it well have a documented process, an IT team that is notified early, and backup systems that protect data regardless of what happens to user accounts.
The businesses that handle it poorly discover the gaps six months later when someone asks “where is that file?” and nobody can find it.
Does Your Business Have an Offboarding Process?
Brydan Solutions handles employee onboarding and offboarding as part of our managed IT services. We disable accounts, transfer data, revoke access, and document everything — coordinated with your HR team so nothing falls through the cracks. If you do not have a process in place, our free assessment includes a review of your current offboarding practices.