Sequentur Blog
Remote employee IT offboarding checklist
An employee has left, and their company laptop is sitting on a desk in another city. Their VPN client is still connected. Their phone still has Outlook installed. The OneDrive folder on their personal machine is still syncing. You have never met them in person, and the only leverage you have over what happens to that hardware is the management tools you set up when they were hired.
Remote offboarding is not just regular offboarding done over email. It introduces risks that on-site offboarding simply does not have, and the timing window for handling them cleanly is narrower. This checklist covers what to do, in what order, and which remote-specific gaps most businesses forget.
What makes remote offboarding different
On-site offboarding has a natural forcing function: the employee hands back their laptop, their badge stops working, they physically leave the building. That visibility is gone when the employee is remote. Specifically, you have to think about:
- Device retrieval. The laptop is in the employee’s home. If they do not return it, you have a hardware problem and a data problem.
- VPN and remote access credentials. Unlike physical door access, VPN accounts do not stop working when someone leaves the office. If you do not revoke them explicitly, they keep working.
- Personal cloud sync. Remote workers are more likely than on-site workers to have copied files to personal Dropbox, Google Drive, or iCloud accounts, either deliberately or through sync clients they installed themselves.
- Shared credentials. Remote teams use shared passwords for SaaS tools more often than on-site teams, because adoption of password managers and SSO is inconsistent in SMBs. Every shared password the departed employee knew needs to be rotated.
- Physical witnesses. There is nobody to confirm the employee did not walk out with a USB drive full of files. You have to rely on audit logs.
All of these are solvable, but only if you have the checklist and the tools in place before you need them.
Before you start
Gather this information before you begin. For involuntary terminations, gather it without alerting the employee.
- Full name, sign-in address, and employee ID
- Every company-owned device assigned to them (laptop, phone, tablet, security keys, external monitors, anything else)
- Whether they use any personal devices for work under a BYOD policy
- Their home shipping address (for device return)
- Manager or teammate who needs access to their email and files
- Any applications they are the sole admin of, or the sole owner of in Microsoft 365
- Shared credentials or accounts they had access to
- Any active client-facing projects where their absence needs to be communicated
Much of this should already be in your onboarding records from when they were hired. If it is not, the offboarding is going to be harder than it needs to be, and the next onboarding should fix the documentation gap.
Step 1: Revoke Microsoft 365 access
The first wave of actions should happen within minutes of the termination decision, especially for involuntary departures. Every minute a terminated employee retains access is a minute they could be downloading files, sending email, or deleting records.
The full M365 offboarding sequence is covered in detail in our Microsoft 365 user offboarding checklist. At minimum, within the first few minutes you need to:
- Block sign-in in the M365 admin center
- Revoke all active sessions in Entra (this kills tokens on every device they are signed in on, including their personal phone)
- Reset the password to a random string
- Remove all registered MFA methods
Do these four things first, before anything else in this checklist. Everything else can wait an hour if it needs to. These cannot.
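The four Step 1 actions in the order given, as an added example that is not code from the Sequentur post, using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and the operator holds a role allowed to change the target's sign-in state and authentication methods; $Upn and $LogPath are placeholders.

```powershell
# Added example, not code from the Sequentur post: the four Step 1 actions in order,
# via the Microsoft Graph PowerShell SDK. Assumes the SDK is installed and the
# operator holds a role allowed to edit the target's sign-in state and
# authentication methods. $Upn and $LogPath are placeholders.
param(
    [Parameter(Mandatory)][string]$Upn,
    [string]$LogPath = ".\offboarding-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# Step 9 wants a timestamp per revoked system, so every action writes one as it lands.
function Write-Step([string]$Message) {
    $line = "{0:o} {1} {2}" -f (Get-Date).ToUniversalTime(), $env:USERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# 1. Block sign-in: no new tokens are issued from this point.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Step "Blocked sign-in for $($user.UserPrincipalName)"

# 2. Revoke refresh tokens. Existing sessions on every device, personal phone
#    included, fail the next time they renew; already-issued access tokens
#    still live out their lifetime, which is why step 1 comes first.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Step "Revoked sign-in sessions"

# 3. Reset the password to a random value that is never recorded anywhere.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true
}
Remove-Variable bytes
Write-Step "Reset password to a random value"

# 4. Remove every registered MFA method. Each method type has its own Remove-*
#    cmdlet; the password method cannot be removed and is skipped.
$removers = @{
    '#microsoft.graph.phoneAuthenticationMethod'                  = { Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $args[0] }
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = { Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $args[0] }
    '#microsoft.graph.fido2AuthenticationMethod'                  = { Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $args[0] }
    '#microsoft.graph.softwareOathAuthenticationMethod'           = { Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $args[0] }
    '#microsoft.graph.emailAuthenticationMethod'                  = { Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $args[0] }
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($removers.ContainsKey($type)) {
        & $removers[$type] $m.Id
        Write-Step "Removed MFA method $type"
    } elseif ($type -ne '#microsoft.graph.passwordAuthenticationMethod') {
        Write-Step "WARNING: $type not handled here; remove it in the Entra admin center"
    }
}
```

Any method type the table does not cover is logged rather than silently left behind, so the log from Step 9 shows exactly what still needs a manual removal.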
Step 2: Cut off VPN and remote access
This is the step most commonly missed during remote offboarding, because VPN is managed separately from Microsoft 365 and there is no single dashboard that shows “this person’s access to everything.”
Go through every remote access channel and disable the departing employee’s credentials:
- VPN. Disable the account on the VPN appliance or service. If you use a VPN that supports RADIUS or AD authentication, blocking sign-in in Entra may cover this, but verify. Do not assume.
- Zero trust network access. If you use a ZTNA product, remove the user from all access policies.
- Remote desktop. If the employee used RDP, Windows Virtual Desktop, or Azure Virtual Desktop, revoke access to the session hosts.
- Jump hosts or bastion servers. If the employee had SSH access to any servers, remove their keys and disable their account.
- RMM or remote support tools. If the employee was part of an IT team using a remote monitoring and management tool, remove their login and any device access they had.
- Firewall exceptions. If any firewall rules allowed their home IP address, remove those rules.
For businesses that have moved to identity-based access (ZTNA, conditional access requiring compliant devices), blocking the M365 identity handles most of this automatically. For businesses still running traditional VPN as a separate system, each item needs to be handled on its own.
Step 3: Remotely wipe or lock the device
The company laptop is sitting in the employee’s home. Until it is returned and confirmed wiped, you cannot be certain what is on it or who has access to it.
If the device is enrolled in Microsoft Intune or another MDM, go to the admin console and take one of these actions:
- Selective wipe (for personal BYOD devices). Removes company data, email, and apps while preserving the user’s personal content. This is the only appropriate option for devices the employee owns.
- Remote wipe (for company-owned devices). Resets the device to factory defaults. Use this when the device has been returned, or when you do not expect it to be returned (a termination where return is uncertain, or a device you have already written off).
- Remote lock (temporary holding action). Some MDM platforms support remote lock, which locks the screen and requires a PIN to unlock. This is useful when the device is being returned and you want it secured in transit without wiping it yet.
For phones, the same options apply. If the employee had company email on their personal phone under a BYOD policy, use selective wipe so only the work profile or work apps are removed.
If the device is not enrolled in MDM, your options are far more limited. You can remove the M365 account from the device remotely (which handles email and Teams), but anything downloaded locally is out of your reach. This is exactly the scenario that makes MDM enrollment worth the cost, and it is worth noting as a gap to fix before the next departure.
Document every wipe with a timestamp and who initiated it. If the employee later disputes that data was deleted, or if an auditor asks, you need the record.
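The Step 3 decision applied per enrolled device, as an added example that is not the post's or Microsoft's code, using the Microsoft Graph PowerShell Intune cmdlets. It assumes the Microsoft.Graph.DeviceManagement modules and an Intune administration role; $Upn and the -ReturnExpected switch are placeholders, and the remote-lock cmdlet name should be checked against the installed Microsoft.Graph.DeviceManagement.Actions version.

```powershell
# Added example, not from the post: choose retire, lock or wipe per device from
# its Intune ownership flag, and log each action with a timestamp (Step 9).
# Assumes Microsoft.Graph.DeviceManagement* modules and an Intune admin role.
# $Upn and -ReturnExpected are placeholders; verify the remote-lock cmdlet name
# against your installed Microsoft.Graph.DeviceManagement.Actions module.
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$ReturnExpected   # company device is coming back: lock now, wipe on arrival
)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All" -NoWelcome

$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'" -All
if (-not $devices) {
    # No MDM enrollment: anything stored locally is out of reach (the gap the post describes).
    Write-Warning "No Intune-enrolled devices for $Upn; only the account-level controls apply"
    return
}

$log = foreach ($d in $devices) {
    $when = (Get-Date).ToUniversalTime().ToString('o')
    switch ($d.ManagedDeviceOwnerType) {
        'personal' {
            # BYOD: retire removes company data, accounts and managed apps, not personal content.
            Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
            $action = 'retire (selective wipe)'
        }
        'company' {
            if ($ReturnExpected) {
                # Holding action while in transit; the full wipe follows the serial-number check.
                Lock-MgDeviceManagementManagedDeviceRemote -ManagedDeviceId $d.Id
                $action = 'remote lock'
            } else {
                Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id `
                    -KeepEnrollmentData:$false -KeepUserData:$false
                $action = 'factory wipe'
            }
        }
        default {
            # Ownership unknown: never wipe blindly, it may be the employee's own hardware.
            $action = 'SKIPPED: ownership unknown, confirm before acting'
        }
    }
    [pscustomobject]@{
        Timestamp = $when; Operator = $env:USERNAME; Device = $d.DeviceName
        Serial    = $d.SerialNumber; Owner = $d.ManagedDeviceOwnerType; Action = $action
    }
}
$log | Export-Csv -Path ".\device-actions-$Upn.csv" -NoTypeInformation -Append
$log | Format-Table -AutoSize
```

The CSV carries the serial numbers, so the same file serves the Step 4 check when the hardware arrives.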
Step 4: Arrange device return
Wiping the device remotely does not get the hardware back. You still need the laptop, phone, security keys, and any other equipment returned.
Send a return kit with prepaid shipping:
- A box sized for the laptop with protective packaging
- A prepaid return shipping label (UPS, FedEx, or USPS, depending on your carrier relationship)
- A simple list of items to include (laptop, charger, security key, any other hardware)
- Clear instructions and a deadline
Require the employee to drop it off at a carrier location rather than a personal mailbox drop, so there is a scan record.
Track the shipment. When the device arrives, verify the contents against the list and confirm the serial number matches what was assigned to the employee. Log the return date and condition.
For terminations where the employee is uncooperative, the recovery process gets harder. Document everything in writing (the request, the deadline, the response or lack of response), withhold any final paycheck items that are legally allowed to be withheld for unreturned equipment (check with HR/legal for your jurisdiction), and understand that some hardware may simply not come back. The remote wipe you did in Step 3 is your insurance against the data on it being accessible.
If the device does not return, write it off as a loss, note it in the asset register, and flag it for follow-up with your insurance provider if applicable. Do not leave it in a state of “maybe they will send it eventually” for months – close the book on it so it does not distort your asset inventory.
Step 5: Audit personal cloud sync and shadow IT
Remote employees use more personal cloud services for work than on-site employees, because there is nobody watching what they install on their laptop and no IT walk-by to catch it. Part of offboarding is figuring out where company data may have ended up outside the systems you manage.
Review the M365 audit log for the departing employee’s activity over the past 30 to 90 days:
- Large downloads from OneDrive or SharePoint
- Bulk email forwarding rules
- Messages to external email addresses with attachments
- OAuth consent grants to third-party apps
- Sign-ins from unexpected IP addresses or locations
If the employee had admin access to any systems, widen the audit window and check for configuration changes, permission grants, and account creations.
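A triage pass over a Unified Audit Log export for the signals listed above, as an added example that is not code from the post. The records below are constructed so the script runs offline; with Exchange Online PowerShell connected, the commented Search-UnifiedAuditLog call supplies real ones. $KnownIps (the office and VPN egress addresses) and the download threshold are placeholders.

```powershell
# Added example, not from the post: flag the Step 5 signals in Unified Audit Log
# records. Sample records are constructed; swap in the commented
# Search-UnifiedAuditLog call when connected to Exchange Online.
# $KnownIps and $DownloadThreshold are placeholders to tune per tenant.
$Upn      = 'departing.user@example.com'
$KnownIps = @('198.51.100.10', '198.51.100.11')   # constructed office/VPN egress IPs

# $records = Search-UnifiedAuditLog -UserIds $Upn -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000
$records = @(
    @{ CreationDate = '2024-05-02T09:12:00Z'; Operations = 'UserLoggedIn';  AuditData = '{"ClientIP":"198.51.100.10"}' }
    @{ CreationDate = '2024-05-03T22:41:00Z'; Operations = 'UserLoggedIn';  AuditData = '{"ClientIP":"203.0.113.77"}' }
    @{ CreationDate = '2024-05-03T22:50:00Z'; Operations = 'New-InboxRule'
       AuditData = '{"Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"personal.address@example.net"}]}' }
    @{ CreationDate = '2024-05-03T23:05:00Z'; Operations = 'Consent to application.'; AuditData = '{"ObjectId":"CloudBackupSync"}' }
) + (1..60 | ForEach-Object {
    # 60 downloads in one evening from the unexpected address
    @{ CreationDate = ('2024-05-03T23:{0:d2}:00Z' -f ($_ % 60)); Operations = 'FileDownloaded'
       AuditData = ('{{"ClientIP":"203.0.113.77","SourceFileName":"client-{0}.xlsx"}}' -f $_) }
})

function Get-OffboardingFindings([object[]]$Records, [string[]]$KnownIps, [int]$DownloadThreshold = 50) {
    $findings = [System.Collections.Generic.List[string]]::new()
    $downloadsPerDay = @{}
    foreach ($r in $Records) {
        $data = $r.AuditData | ConvertFrom-Json
        $day  = ([datetime]$r.CreationDate).ToUniversalTime().ToString('yyyy-MM-dd')
        switch -Regex ($r.Operations) {
            '^FileDownloaded$' { $downloadsPerDay[$day] = 1 + [int]$downloadsPerDay[$day] }
            '^(New|Set)-InboxRule$' {
                # Only rules that move mail somewhere else matter here
                $fwd = $data.Parameters | Where-Object Name -in @('ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo')
                if ($fwd) { $findings.Add("$day forwarding rule -> $($fwd.Value -join ', ')") }
            }
            '^Consent to application\.$' { $findings.Add("$day OAuth consent granted to '$($data.ObjectId)'") }
            '^UserLoggedIn$' {
                if ($data.ClientIP -and $data.ClientIP -notin $KnownIps) {
                    $findings.Add("$day sign-in from unexpected IP $($data.ClientIP)")
                }
            }
        }
    }
    foreach ($d in ($downloadsPerDay.Keys | Sort-Object)) {
        if ($downloadsPerDay[$d] -ge $DownloadThreshold) { $findings.Add("$d bulk download: $($downloadsPerDay[$d]) files") }
    }
    return $findings
}

Get-OffboardingFindings -Records $records -KnownIps $KnownIps | ForEach-Object { Write-Host "FINDING: $_" }
```

External messages with attachments are not in the Unified Audit Log as such; a message trace over the same window covers that item.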
If you find that company data was synced to a personal cloud account (for example, a personal Dropbox installation on the company laptop showing recent sync activity), document what was found and escalate through HR. The device wipe removes the local copy, but data that was synced to a personal account remains under the former employee’s control. This is not a problem IT can solve alone, and it typically needs HR and legal input.
The best defense against this is preventative: block personal cloud sync clients from installing via Intune policy, and train employees during onboarding that company data stays in company systems. Catching it during offboarding is too late to stop it, but at least you know what happened.
Step 6: Rotate shared credentials
Anywhere the employee had access to a shared account, the password needs to be rotated. Common examples:
- Shared social media accounts (the company Twitter, LinkedIn page admin, etc.)
- Shared SaaS tool accounts that did not support individual logins
- Service account passwords they knew (line-of-business apps, FTP accounts, database logins)
- API keys they had access to
- Password manager vaults they were members of (revoke access, then rotate the credentials stored in those vaults)
- Wi-Fi passwords for the office (if they were ever onsite), especially the password for any network the employee’s devices knew
- Any “in case of emergency” passwords stored in a shared document
This is tedious, and it is the step most commonly skipped. The result is that former employees often retain indefinite access to shared accounts because nobody rotated the passwords when they left. This becomes a real problem when the departure was not amicable, or years later when a business discovers that a shared account has been accessed by someone who should not have access.
A password manager with team vaults makes this significantly easier, because you can see exactly which shared credentials the user had access to and rotate them systematically. Without a password manager, you have to rely on memory and institutional knowledge, which inevitably misses things.
Step 7: Handle mailbox, OneDrive, and M365 cleanup
Follow the full sequence in the M365 offboarding checklist: convert the mailbox to shared if anyone needs the historical email, set up forwarding if appropriate, handle OneDrive files (copy critical ones to SharePoint or a manager’s account before the retention period expires), remove from distribution lists and Teams, revoke third-party app consents, and remove or reassign the license.
For remote workers specifically, pay extra attention to:
- OneDrive content. Remote workers tend to store more in OneDrive than on-site workers, because they do not have access to office file shares. Check for critical files that need to move to SharePoint before the account is deleted.
- Teams channel membership. Remote workers often have deeper Teams presence. Transfer ownership of any Teams or channels they owned, and back up any channel conversations that contain decisions or institutional knowledge.
- Shared calendars. If they maintained a team calendar, transfer ownership.
- Group and site permissions across SharePoint. Audit permissions on SharePoint sites where the user was an owner or admin.
Step 8: Update internal and client-facing communications
For remote workers, especially those in client-facing roles, the departure needs to be communicated in a way that does not leave clients emailing a dead address.
- Configure the mailbox auto-reply or forwarding to direct new messages to the replacement or team inbox
- Update any company directory, About page, or team listing that references the employee
- If the employee was listed on public-facing bios, case studies, or marketing materials, queue updates for the next content review
- Notify any clients they directly managed about the change in point of contact
- Update call routing and any shared helpdesk/support routing rules
- Remove them from Slack, Teams guest access, and any other external-facing channels
This part often falls to a mix of IT, HR, and marketing. Coordinating it is usually an operational task, not a pure IT one, but IT is the team that makes sure the mailbox and accounts are actually in the right state to support the changes.
Step 9: Document everything
Record the offboarding in enough detail that you can answer three questions six months from now:
- When exactly was access revoked to each system?
- What happened to the device, and what was wiped when?
- What data disposition decisions were made (mailbox converted or forwarded, OneDrive files migrated or retained, etc.)?
At a minimum, the documentation should include the employee name, termination date and time, a list of systems where access was revoked with timestamps, device return tracking and wipe logs, mailbox and OneDrive decisions, any anomalies found in the audit review, and the name of the person who performed the offboarding.
For businesses subject to HIPAA, SOC 2, or other compliance frameworks, this documentation is often required as part of access control and termination procedures. Even without formal compliance obligations, the documentation protects the business against later disputes about what was done and when.
Timing: involuntary vs voluntary
The sequence above is the same either way, but the compression of the timeline differs enormously.
Voluntary departure with notice: You have days or weeks to coordinate. You can plan the device return in advance, schedule the M365 account transitions, transfer Teams and project ownership gradually, and arrive at the last day with most of the work already done. The final day is mostly just pulling the trigger on the access revocations at the agreed-upon time.
Involuntary termination: Steps 1, 2, and 3 must happen within minutes of the termination conversation, ideally while it is still happening. HR or the manager signals IT when the conversation is about to begin, and IT executes the M365 revocation and remote device wipe or lock the moment the termination is delivered. Everything else follows over the next few hours and days.
Termination where you suspect data exfiltration risk: Even tighter. Preserve evidence before revoking access. Snapshot the mailbox, preserve audit logs, and coordinate with legal before wiping devices, because a wipe that happens before evidence is preserved can compromise an investigation. This is not a scenario to handle off the cuff – it is worth having a separate documented procedure for.
For remote workers, the geographic distance means there is no way to “keep them in the room” while IT executes the offboarding. The termination conversation happens over video, IT executes the revocations during the conversation, and the employee’s access is gone before they close their laptop. Coordinate the timing explicitly between HR and IT so there is no gap.
Common remote offboarding mistakes
- Forgetting the VPN. Blocking M365 sign-in does not automatically disable a separate VPN account. The former employee keeps working access until someone manually removes it.
- Waiting for the device to come back before wiping. Wipe first, return second. The device does not need to be in your hands to be reset via MDM.
- Not rotating shared credentials. “They were a good employee, they would never” is not a security control. Rotate every shared password they knew, every time.
- Assuming the employee will return the hardware. Most do. Some do not. Plan for both.
- Treating remote offboarding as an email exercise. The device, the VPN, the third-party SaaS accounts, the personal cloud sync check – none of these happen by sending the employee a polite email asking them to sign out of things.
- No documentation. Six months later, nobody remembers what was done. An auditor, an unhappy ex-employee, or a manager asking “who has access to this” will expose the gap.
How Sequentur handles remote offboarding
For managed IT clients, we handle the technical side of remote offboarding end-to-end: M365 access revocation in the required sequence, Intune device wipe, VPN and remote access termination, audit log review, and documentation of every step for compliance purposes. When the business coordinates the timing with HR, our team executes the technical revocations during the termination window so there is no access gap.
The bigger value is not the offboarding itself – it is that remote offboarding is only clean when the onboarding was done correctly. Devices have to be enrolled in MDM, accounts have to be created with proper policies, shared credentials have to be tracked, and access has to be granted with an eye toward eventual revocation. Handling both sides of the employee lifecycle with the same provider is what makes each individual departure a process rather than a scramble. This is one of the core reasons businesses with distributed workforces look at managed IT support for remote and hybrid teams.
If your remote workforce has grown to the point where offboarding feels like a risk every time, schedule a call and we will talk through your current process.