TECNICODESK

Onboarding and Offboarding Employees Securely in Microsoft 365 and Google Workspace

Employee transitions are high-risk moments for data security. A repeatable process keeps accounts, devices, and data under control.

Published June 2026 · 8 min read

Every time someone joins or leaves your company, your attack surface changes. New accounts get created, permissions get assigned, devices connect to your network, and data starts flowing. When someone departs, all of that needs to be reversed, quickly and completely.

For small businesses running Microsoft 365 or Google Workspace, these transitions are one of the most common sources of security gaps. Accounts left active after someone leaves, permissions granted too broadly on day one, devices never recovered, SaaS logins never revoked. None of these are dramatic failures on their own, but any one of them can lead to data leakage, account takeover, or a compliance problem down the road.

This guide covers what to do at each stage: onboarding, during employment, and offboarding. The goal is a repeatable checklist your team can follow every time, not just when someone remembers.

Secure onboarding checklist

Getting the first day right sets the tone for the entire employment period. These steps apply whether you are using Microsoft 365 or Google Workspace.

  • Create the account with MFA from day one. Do not let the employee "set it up later." Require multi-factor authentication as part of the initial login. In Microsoft 365, turn on Security Defaults or, with a Microsoft Entra ID P1 license, create a Conditional Access policy that requires MFA for all users (the two are mutually exclusive, so Security Defaults must be off before Conditional Access policies apply). In Google Workspace, enforce 2-Step Verification at the organizational unit level and keep the new-user enrollment period short, because until it ends a new account can sign in with a password alone.
  • Assign only the licenses and group memberships the role requires. It is tempting to copy permissions from a similar employee, but that often carries over access that has accumulated over time and is no longer appropriate. Start with the minimum and add as needed.
  • Provision devices with endpoint protection. Company laptops and phones should have endpoint detection and response software installed before they reach the employee. Consumer antivirus is not sufficient for business use: it gives no central visibility, alerting, or remote response when something is detected.
  • Set up email with proper authentication. Make sure your domain has SPF, DKIM, and DMARC configured so the new employee's outbound email is authenticated from the start. This protects both your reputation and your recipients.
  • Document what access was granted. Keep a record of every license, group, shared drive, and SaaS tool the employee receives. This record becomes your offboarding checklist later.
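The five onboarding steps above, carried out as one script against Microsoft 365 with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or from Microsoft. It assumes the Microsoft.Graph module is installed, an admin holds the scopes listed, an MFA policy (Security Defaults or Conditional Access) is already in force, and Temporary Access Pass is enabled in the tenant's authentication methods policy; the user, SKU, group names and output path are placeholders. It goes slightly beyond the text by using a one-time Temporary Access Pass for the first sign-in, so the new hire registers MFA before they ever hold a password.

```powershell
# Added example (not from the original article): day-one provisioning in Microsoft 365 with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module, an admin with the scopes below,
# an MFA policy (Security Defaults or Conditional Access) already in force, and Temporary Access Pass
# enabled in the tenant's authentication methods policy. Names, SKU and paths are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All', 'Group.Read.All',
                        'UserAuthenticationMethod.ReadWrite.All', 'Organization.Read.All'

$upn        = 'jane.doe@example.com'            # placeholder
$display    = 'Jane Doe'
$usageLoc   = 'US'                              # a usage location is required before licensing
$skuPart    = 'O365_BUSINESS_PREMIUM'           # placeholder; list yours with Get-MgSubscribedSku
$groupNames = @('All Staff', 'Finance Team')    # what the role needs, not a copy of a colleague
$recordDir  = '.\access-records'

# 1. Create the account with a random password the new hire never receives; the TAP below is the
#    credential for the first sign-in, and the MFA policy forces registration before anything else.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$tmpPassword = -join (Get-Random -InputObject $chars -Count 24)
$user = New-MgUser -DisplayName $display -UserPrincipalName $upn -MailNickname ($upn.Split('@')[0]) `
    -AccountEnabled -UsageLocation $usageLoc `
    -PasswordProfile @{ Password = $tmpPassword; ForceChangePasswordNextSignIn = $true }

# 2. One-time Temporary Access Pass, valid for an hour, handed over in person or by the manager.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -BodyParameter @{ lifetimeInMinutes = 60; isUsableOnce = $true }
Write-Host "TAP for $upn (share out of band, never by email): $($tap.TemporaryAccessPass)"

# 3. Exactly one license, by SKU part number.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPart
if (-not $sku) { throw "SKU $skuPart not found in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# 4. Only the groups the role requires.
$granted = foreach ($name in $groupNames) {
    $g = Get-MgGroup -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $g) { Write-Warning "Group '$name' not found; skipping"; continue }
    New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $user.Id
    [pscustomobject]@{ Name = $g.DisplayName; Id = $g.Id }
}

# 5. Write the access record; the offboarding run reads this file later.
New-Item -ItemType Directory -Path $recordDir -Force | Out-Null
[pscustomobject]@{
    UserPrincipalName = $upn
    ObjectId          = $user.Id
    GrantedOn         = (Get-Date).ToString('o')
    Licenses          = @($sku.SkuPartNumber)
    Groups            = @($granted)
    SaaSApps          = @()   # append by hand as third-party tools are granted (Slack, Zoom, ...)
} | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $recordDir "$upn.json")
```

The JSON record is the point of step 5: it is the only place where the SaaS tools outside the directory get written down, so it has to be kept current during employment, not reconstructed from memory on the last day. Google Workspace has no equivalent first-party shell; the same steps are done in the Admin console or through the Admin SDK Directory API.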

During employment: keep access current

Onboarding is not a one-time event. Access needs to be reviewed throughout the employment period.

  • Review access periodically. At least quarterly, check whether each employee still needs the access they have. Projects end, roles change, and permissions tend to accumulate if no one trims them.
  • Remove access to completed projects. When a project wraps up, remove the employee from the associated SharePoint site, shared drive, or team channel. Do not wait for the next review cycle.
  • Monitor for unusual sign-in patterns. Both Microsoft 365 and Google Workspace keep sign-in logs (the Microsoft Entra sign-in logs in Microsoft 365; the login audit events under Reporting in the Google Admin console). Watch for logins from unexpected countries, unmanaged or unfamiliar devices, or unusual hours. These can indicate a compromised account, though a travelling employee is the most common explanation, so confirm with the user before locking anyone out.
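The quarterly access review and the sign-in sweep described in this section, as an added example for Microsoft 365 that is not part of the original article. It assumes the Microsoft.Graph modules, a Microsoft Entra ID P1 license (sign-in logs through Graph need it), and an admin with AuditLog.Read.All; the expected countries, working hours and the 14-day window are placeholders to tune for your own staff.

```powershell
# Added example (not from the original article): quarterly access-review export plus a sign-in
# anomaly sweep for Microsoft 365. Assumes Microsoft.Graph, Entra ID P1 and AuditLog.Read.All.
# $expectedCountries, $workHours and the 14-day window are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'AuditLog.Read.All'

$expectedCountries = @('US')     # where your staff normally sign in from
$workHours         = 6..21       # local hours that count as normal
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Review sheet: every enabled user, their groups, and when they last signed in. A long group
#    list on an account that has been idle for 90 days is the first thing to trim.
$review = foreach ($u in Get-MgUser -All -Filter 'accountEnabled eq true' `
                             -Property 'id,displayName,userPrincipalName,signInActivity') {
    $groups = Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    $last = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        LastSignIn = $last
        DaysIdle   = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
        GroupCount = @($groups).Count
        Groups     = (@($groups) -join '; ')
    }
}
$review | Sort-Object GroupCount -Descending |
    Export-Csv -NoTypeInformation -Path ".\access-review-$(Get-Date -Format yyyy-MM-dd).csv"

# 2. Sign-in sweep: successful sign-ins from outside the expected countries, from unmanaged
#    devices, outside working hours, or flagged as risky. Each hit is a conversation, not a lockout.
$signins = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0"
$flagged = foreach ($s in $signins) {
    $why = @()
    $country = $s.Location.CountryOrRegion
    if ($country -and $country -notin $expectedCountries) { $why += "country=$country" }
    if ($s.DeviceDetail.IsManaged -ne $true)              { $why += 'unmanaged device' }  # noisy with BYOD
    $hour = $s.CreatedDateTime.ToLocalTime().Hour
    if ($hour -notin $workHours)                          { $why += "hour=$hour" }
    if ($s.RiskLevelDuringSignIn -in 'medium', 'high')    { $why += "risk=$($s.RiskLevelDuringSignIn)" }
    if ($why) {
        [pscustomobject]@{
            When = $s.CreatedDateTime; User = $s.UserPrincipalName; IP = $s.IPAddress
            App  = $s.AppDisplayName;  Why  = ($why -join ', ')
        }
    }
}
$flagged | Sort-Object User, When | Format-Table -AutoSize
```

The "unmanaged device" test fires on every BYOD sign-in, so in a company without device enrollment it should be dropped or limited to privileged accounts; the other three tests are cheap and rarely wrong.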

Secure offboarding checklist

Offboarding is where most small businesses have the biggest gaps. The checklist below covers the critical steps in both Microsoft 365 and Google Workspace. For a deeper look at the offboarding side specifically, see our employee offboarding security page.

  • Disable the account immediately. Do not just change the password. Disable or suspend the account entirely so no new sign-ins are possible. In Microsoft 365, block sign-in from the admin center. In Google Workspace, suspend the user.
  • Revoke active sessions and MFA tokens. Changing the password alone does not sign the user out of existing sessions, and blocking sign-in only stops new logins. In Microsoft 365, revoke the user's sessions (this invalidates refresh tokens; access tokens already issued keep working until they expire, typically within an hour) and delete every registered authentication method so previously enrolled devices can no longer generate valid codes. In Google Workspace, sign the user out, reset their sign-in cookies, and revoke app passwords and connected OAuth applications.
  • Convert or transfer the mailbox. In Microsoft 365, convert the mailbox to a shared mailbox so a manager or colleague can access it without a license; once converted, the license can be removed as long as the mailbox is under 50 GB and has no archive or hold that requires one. In Google Workspace, use the data transfer tool to move Drive files and calendar data to another user, and migrate or export mail (for example with the data migration service or Google Vault) before deleting the account.
  • Remove from all groups, teams, and shared drives. This includes Microsoft Teams channels, SharePoint sites, Google Groups, and shared Google Drives. Membership in these groups often grants access to sensitive files.
  • Wipe or recover company devices. If the employee had a company laptop or phone, recover it. If the device was enrolled in Intune (Microsoft) or Google endpoint management, issue a remote wipe and confirm the device reports back as wiped; the command sits pending until the device next comes online. For personal devices with company data, use the action that removes only company data and management (retire in Intune, account wipe in Google endpoint management) rather than a full factory reset.
  • Revoke SaaS access. Go through every third-party tool the employee used: Slack, Zoom, project management tools, accounting software, password managers. Revoke access or deactivate the account in each one.
  • Check for email forwarding rules. Mail keeps flowing into a mailbox after sign-in is blocked or the mailbox is converted to shared, and any forwarding set up during employment keeps working with it. Check mailbox-level forwarding, inbox rules that forward or redirect, and delegates, and remove anything that points outside the organization. A forwarding rule to a personal email address can quietly send company data outside your control even after the account is disabled.
  • Document everything. Record what was disabled, transferred, wiped, and revoked, along with the date. This documentation matters for compliance, for cyber insurance, and for your own peace of mind.
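The offboarding checklist above as one script for Microsoft 365, in the order the steps need to happen. This is an added example, not code from the original article or from Microsoft. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an admin holding the scopes listed, and Intune for device management; the parameters are placeholders, and the device wipe is behind an opt-in switch because it is destructive. The SaaS step (Slack, Zoom and so on) cannot be scripted from here and stays on the written checklist.

```powershell
# Added example (not from the original article): same-day offboarding in Microsoft 365. Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules, an admin with the scopes below, and Intune.
# -Upn and -Manager are placeholders; -WipeDevices is opt-in because it is destructive.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Actions, ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $Upn,      # e.g. jane.doe@example.com
    [Parameter(Mandatory)] [string] $Manager,  # gets FullAccess to the shared mailbox
    [switch] $WipeDevices
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'UserAuthenticationMethod.ReadWrite.All',
                        'GroupMember.ReadWrite.All', 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn
$log  = [System.Collections.Generic.List[string]]::new()
function Note([string] $m) { $log.Add("$((Get-Date).ToString('o')) $m"); Write-Host $m }

# 1. Block sign-in, then revoke refresh tokens. Access tokens already issued keep working until
#    they expire (roughly an hour), so the window is short but not zero.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Note "Sign-in blocked and sessions revoked for $Upn"

# 2. Remove every registered MFA method so an enrolled phone or key stops producing valid codes.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id; Note "Removed Authenticator $($m.Id)" }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id; Note "Removed phone $($m.Id)" }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id; Note "Removed FIDO2 key $($m.Id)" }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id; Note "Removed OATH token $($m.Id)" }
        '#microsoft.graph.passwordAuthenticationMethod' { }   # cannot be deleted; sign-in is already blocked
        default { Note "Unhandled method $type ($($m.Id)); remove it in the Entra admin center" }
    }
}

# 3. Forwarding keeps working on a blocked or shared mailbox, so find and clear it now.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Note "Mailbox-level forwarding to '$($mbx.ForwardingAddress)$($mbx.ForwardingSmtpAddress)' found; clearing"
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}
foreach ($r in Get-InboxRule -Mailbox $Upn | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }) {
    Note "Inbox rule '$($r.Name)' forwarded to $((@($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)) -join ', '); removing"
    Remove-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
}
Get-MailboxPermission -Identity $Upn | Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    ForEach-Object { Note "Delegate $($_.User) holds $($_.AccessRights -join ',') on the mailbox; review" }

# 4. Convert to shared so the manager can read it without a license.
Set-Mailbox -Identity $Upn -Type Shared
Add-MailboxPermission -Identity $Upn -User $Manager -AccessRights FullAccess -AutoMapping $true | Out-Null
Note "Mailbox converted to shared; FullAccess granted to $Manager"

# 5. Groups. Exchange distribution groups and dynamic groups fail here; handle those in Exchange.
foreach ($g in Get-MgUserMemberOf -UserId $user.Id -All | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }) {
    try   { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id; Note "Removed from group '$($g.AdditionalProperties['displayName'])'" }
    catch { Note "Could not remove from group $($g.Id): $($_.Exception.Message)" }
}

# 6. Devices: wipe company-owned devices, retire (company data and management only) personal ones.
foreach ($d in Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'") {
    Note "Managed device $($d.DeviceName) ($($d.OperatingSystem), owner: $($d.ManagedDeviceOwnerType))"
    if (-not $WipeDevices) { continue }
    if ($d.ManagedDeviceOwnerType -eq 'company') { Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id; Note "Wipe issued" }
    else { Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id; Note "Retire issued" }
}

# 7. The timestamped record is the evidence for audits and insurance.
$log | Set-Content -Path ".\offboarding-${Upn}-$(Get-Date -Format yyyyMMdd).log"
Disconnect-ExchangeOnline -Confirm:$false
```

Two things the script leaves deliberately manual: removing the license after the shared-mailbox conversion (check the 50 GB and hold conditions first), and the SaaS tools outside the directory, which come from the access record kept during employment. Run it without -WipeDevices first to see which devices are enrolled and who owns them, then decide.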

Common mistakes

Even companies with good intentions make these errors regularly.

  • Leaving accounts active "just in case." The most common mistake. An active account for someone who no longer works at your company is an open door. If you need access to their email or files, convert the mailbox or transfer the data. Do not keep the account alive.
  • Not revoking MFA tokens. Disabling the account is not enough if the departing employee still has an authenticator app enrolled. Revoke MFA registrations and clear trusted devices.
  • Forgetting SaaS apps outside the directory. Microsoft 365 and Google Workspace admin consoles only manage what they know about. Employees often sign up for tools on their own using their work email. Without a list, these accounts get missed during offboarding.
  • No documentation. If you cannot show what you did during offboarding, it is difficult to prove due diligence later. This matters for audits, insurance claims, and internal investigations.

Why this matters for compliance

Onboarding and offboarding procedures are not just operational best practices. They are increasingly required by the frameworks and vendors that small businesses interact with.

Cyber insurance applications routinely ask whether your organization has a documented process for provisioning and revoking user access. If you cannot demonstrate a consistent process, it can affect your eligibility or your premium. For more on what insurers look for, see our cyber insurance readiness guide.

Client audits, especially in legal and accounting, often check whether your firm controls who has access to client data and whether that access is revoked promptly when someone leaves. A documented onboarding and offboarding process is one of the simplest ways to satisfy these questions.

Building a repeatable process

The checklists above are a starting point, but the real goal is to make this process repeatable and consistent. That means assigning ownership (usually IT or operations), using a shared checklist for every transition, and reviewing the process at least once a year to account for new tools and changing roles.

If you are running Microsoft 365 or Google Workspace, the admin tools for managing users, groups, and devices are already built in. The challenge is not the tooling. It is having a clear process that gets followed every time.

Key takeaways

  • Require MFA from day one and assign only the access each role needs.
  • Disable accounts immediately when someone departs. Do not just change the password.
  • Revoke MFA tokens, check for forwarding rules, and recover company devices.
  • Do not forget SaaS apps outside Microsoft 365 or Google Workspace.
  • Document every onboarding and offboarding action for compliance and insurance.

FAQ

Onboarding and offboarding security questions

Should I delete or disable a departing employee's account?

Disable the account first. In Microsoft 365, convert the mailbox to a shared mailbox and keep the account disabled for at least 30 days so you can retrieve email and files. In Google Workspace, suspend the account and transfer data before deleting. Deleting immediately risks losing data you may need later.

How quickly should I revoke access when an employee leaves?

Access should be revoked the same day the employee departs, ideally within hours. Disable the account, revoke active sessions and MFA tokens, and recover any company devices. The longer an account stays active after separation, the greater the risk of unauthorized access or data exfiltration.

What is the most commonly missed step during employee offboarding?

SaaS applications outside the main directory. Employees often sign up for tools like Slack, Zoom, Trello, or Dropbox using their work email. These accounts are easy to overlook during offboarding because they are not managed through Microsoft 365 or Google Workspace admin consoles.

Do cyber insurance policies require a formal offboarding process?

Many cyber insurance applications and renewals ask whether your organization has a documented process for revoking access when employees leave. A lack of formal offboarding procedures can affect your eligibility, your premium, or your ability to file a claim after an incident.

Need help building a secure onboarding and offboarding process?

Book a Security Fit Call and we will walk through your current process, identify gaps, and help you build a repeatable checklist for your team.