
Offboarding Done Wrong: 7 Identity Gaps That Haunt Organizations After Employees Leave

When an employee leaves, the clock starts ticking on your security exposure. 48% of organizations admit ex-employees still have access to corporate networks, and 20% of data breaches involve former employees. Here are the seven identity gaps that create lasting vulnerabilities—and how to close them.

TrueConfig Team (Security Engineering) · January 20, 2026

The Friday Afternoon Scramble

It's 4:47 PM on a Friday. Sarah from HR just informed you that Marcus, your senior financial analyst, accepted a position at a competitor. His last day is today. Right now.

You scramble to disable his account, but then the questions start piling up: Does he have admin access to any SharePoint sites? What about that Power BI dashboard connected to your CRM? Which Teams channels contain sensitive client data he could still access from his phone? And what's the password to that shared departmental mailbox he set up three years ago?

If this scenario makes your stomach tighten, you're not alone. Research shows 76% of IT leaders agree that employee offboarding represents a significant security threat. Yet only 44% of companies manage to revoke all access within 24 hours of departure.

For mid-market IT teams managing Microsoft 365 tenants—often with limited staff and no dedicated identity management tools—proper offboarding feels like defusing a bomb while blindfolded. The average employee now uses 29 different SaaS applications, and each one represents a potential access point that outlives their employment.

Let's examine the seven identity gaps that continue to haunt organizations long after employees have cleaned out their desks—and the specific steps you can take to close them.


Gap 1: The Orphaned Admin Account

Here's a stat that should concern every IT leader: most mid-market Microsoft 365 tenants have approximately three times more admin accounts than they actually need.

When Marcus joined four years ago, someone gave him Global Admin rights "temporarily" to troubleshoot an Exchange issue. That temporary privilege became permanent through simple neglect. Now Marcus has left, but that elevated access creates two problems: his account with admin rights might remain active longer than it should, and you may not even know it existed.

Orphaned admin accounts are particularly dangerous because they often have permissions that bypass normal security controls. These accounts can be easily overlooked and forgotten, making them attractive targets for attackers.

How to close this gap:

  1. Run this PowerShell command monthly to identify all admin role assignments:
# Members come back as generic directoryObjects, so the display name has to be read from AdditionalProperties
Get-MgDirectoryRoleMember -DirectoryRoleId (Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'").Id |
    Select-Object Id, @{ Name = 'DisplayName'; Expression = { $_.AdditionalProperties['displayName'] } }
  2. Audit every admin role—Global Admin, Exchange Admin, SharePoint Admin, Teams Admin—and document business justification for each assignment.

  3. Implement a quarterly access review where managers must re-certify that each admin account is still necessary.

  4. Use Privileged Identity Management (PIM) if you have Entra ID P2 licensing to make admin access just-in-time rather than permanent.
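The single-role query above generalizes to the full quarterly review: the script below walks every activated directory role, resolves whether each user member is still enabled, and exports a CSV. It is an added example, not code from the original post or from TrueConfig, and assumes the Microsoft.Graph PowerShell module with consent to the listed scopes.

```powershell
# Added example (not from the original post): list every member of every
# activated directory role, resolve whether user members are still enabled,
# and export the result for the quarterly access review. Assumes the
# Microsoft.Graph PowerShell module and consent to the listed scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

# Get-MgDirectoryRole only returns roles that have been activated in the tenant
# and only permanent assignments; PIM-eligible assignments are not included here.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members are generic directoryObjects: type and displayName sit in AdditionalProperties.
        $type = $m.AdditionalProperties['@odata.type']
        $upn = $null; $enabled = $null
        if ($type -eq '#microsoft.graph.user') {
            $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled
            $upn = $u.UserPrincipalName; $enabled = $u.AccountEnabled
        }
        [pscustomobject]@{
            Role           = $role.DisplayName
            MemberName     = $m.AdditionalProperties['displayName']
            MemberUpn      = $upn
            MemberType     = $type -replace '^#microsoft\.graph\.', ''
            AccountEnabled = $enabled
            MemberId       = $m.Id
        }
    }
}

$report | Sort-Object Role, MemberName |
    Export-Csv -Path ".\admin-role-review.csv" -NoTypeInformation

# Disabled accounts that still hold a role are offboarding leftovers: the role
# assignment should have been removed, not just the sign-in blocked.
$report | Where-Object { $_.AccountEnabled -eq $false } | Format-Table Role, MemberName, MemberUpn
```

Service principals holding roles appear in the CSV with MemberType "servicePrincipal" and an empty AccountEnabled column, so review those rows separately.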


Gap 2: The Lingering Session Token

Blocking sign-in is step one. But here's what many IT teams miss: existing session tokens can remain valid for hours or even days after you disable an account.

When you block Marcus's sign-in at 5:00 PM, his Outlook mobile app, Teams desktop client, and browser sessions don't immediately disconnect. Those refresh tokens continue working until they expire—giving a departing employee continued access to email, files, and conversations.

How to close this gap:

After disabling sign-in, explicitly revoke all sessions using the Entra ID portal or PowerShell:

Revoke-MgUserSignInSession -UserId "marcus@contoso.com"

This forces immediate re-authentication across all devices and applications. Combine this with an immediate password reset to a complex, random value—this serves as a backup in case token revocation doesn't propagate immediately to all services.

For high-risk departures (like employees joining competitors), Microsoft Entra's real-time leaver workflows can trigger these actions instantly rather than waiting for scheduled processes.


Gap 3: The Shadow Group Membership

You removed Marcus from the Finance Team, the Monthly Reports channel, and the Executive Briefings SharePoint site. But what about the M365 Group he created two years ago for "Q3 Project Planning" that was never decommissioned?

Shadow IT extends to identity. Employees create Teams, SharePoint sites, Power Automate flows, and Power Apps that accumulate permissions over time. When they leave, these orphaned resources remain—often with the departed employee still listed as an owner or member.

How to close this gap:

  1. Before removing the user, export their group memberships and owned objects:
# Both cmdlets return generic directoryObjects; the display name lives in AdditionalProperties
Get-MgUserMemberOf -UserId "marcus@contoso.com" -All | Select-Object Id, @{ Name = 'DisplayName'; Expression = { $_.AdditionalProperties['displayName'] } }
Get-MgUserOwnedObject -UserId "marcus@contoso.com" -All | Select-Object Id, @{ Name = 'DisplayName'; Expression = { $_.AdditionalProperties['displayName'] } }
  2. For each owned resource, either transfer ownership to another user or document it for decommissioning.

  3. Review shared mailboxes, distribution lists, and security groups that might reference the departing employee.

  4. Check Power Platform environments for flows and apps created by the user that may have connections to sensitive data sources.


Gap 4: The Delegated Permission Time Bomb

Here's a scenario that plays out constantly: An employee grants their personal Gmail account access to their work calendar "for convenience." Or they authorize a third-party productivity app to read their email. Or they share their OneDrive with an external collaborator who still has access.

These delegated permissions don't disappear when the employee account is disabled. The connections persist, creating backdoors that can be exploited long after departure.

Password-based attacks constitute over 99% of the 600 million daily identity attacks Microsoft observes. Delegated permissions that survive offboarding extend your attack surface in ways that are easy to miss.

How to close this gap:

  1. Review OAuth application consents before disabling the account:
Get-MgUserOAuth2PermissionGrant -UserId "marcus@contoso.com"
  2. Revoke any suspicious or unnecessary application permissions.

  3. Check external sharing settings in OneDrive and SharePoint—remove external collaborator access or transfer file ownership first.

  4. Review calendar delegates and mailbox permissions that might grant ongoing access to sensitive information.

  5. Implement consent policies that prevent users from granting permissions to unverified applications in the first place.


Gap 5: The Compliance Evidence Void

Your next SOC 2 audit is in three months. The auditor asks: "Can you demonstrate that terminated employee access was revoked within 24 hours?" You check your records and find... nothing. No timestamp of when Marcus's access was removed. No documentation of what permissions existed. No evidence that you followed your own offboarding policy.

This gap doesn't create direct security exposure, but it creates compliance exposure that can be equally damaging. Organizations in regulated industries face strict requirements around access control documentation, and audit findings related to inadequate offboarding controls can impact regulatory standing and even cyber insurance qualification.

How to close this gap:

  1. Enable Entra ID audit logs and configure retention appropriate for your compliance requirements (minimum 90 days, ideally 1 year+).

  2. Document your offboarding procedure as a formal policy, including specific steps and responsible parties.

  3. Create an offboarding checklist that must be completed and signed for each departure—store these as compliance evidence.

  4. For each offboarding action, capture:

    • Timestamp of action
    • Who performed the action
    • What permissions were revoked
    • What data was transferred or preserved
  5. Consider implementing automated workflows that generate compliance-ready reports for each offboarding event.
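The immediate revocation steps from Gaps 2 through 4, run as one script that also writes the per-action evidence record this gap asks for. This is an added example, not a script from the original post or from TrueConfig; it assumes the Microsoft.Graph PowerShell module, an operator who holds the listed scopes plus a role that is allowed to reset passwords, and the article's sample user marcus@contoso.com.

```powershell
# Added example (not from the original post): run the immediate revocation
# steps from Gaps 2-4 against one user and write a timestamped evidence row
# for each step (Gap 5). Assumes the Microsoft.Graph module and an operator
# holding the listed scopes plus a role that may reset passwords.
param([Parameter(Mandatory)][string]$UserId)   # e.g. marcus@contoso.com (sample value)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.Read.All",
    "User.RevokeSessions.All", "DelegatedPermissionGrant.ReadWrite.All" -NoWelcome
$operator = (Get-MgContext).Account
$evidence = [System.Collections.Generic.List[object]]::new()

function Record([string]$Action, [string]$Detail) {
    $evidence.Add([pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Operator  = $operator; User = $UserId; Action = $Action; Detail = $Detail })
}

# 1. Snapshot memberships and owned objects before anything changes (Gap 3).
$groups = Get-MgUserMemberOf -UserId $UserId -All
$owned  = Get-MgUserOwnedObject -UserId $UserId -All
$name   = { $_.AdditionalProperties['displayName'] }
Record 'Snapshot' ("memberOf=" + (($groups | ForEach-Object $name) -join ';') +
                   " owns=" + (($owned | ForEach-Object $name) -join ';'))

# 2. Block sign-in, then invalidate the refresh tokens already issued (Gap 2).
Update-MgUser -UserId $UserId -AccountEnabled:$false
Record 'BlockSignIn' 'accountEnabled=false'
Revoke-MgUserSignInSession -UserId $UserId | Out-Null
Record 'RevokeSessions' 'refresh tokens invalidated'

# 3. Reset the password to a random value that is never stored, as a backstop (Gap 2).
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $UserId -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes) }
Record 'ResetPassword' 'random 24-byte value, not retained'

# 4. Remove every delegated OAuth2 grant the user consented to (Gap 4).
foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $UserId -All) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    Record 'RevokeOAuthGrant' "client=$($g.ClientId) scope=$($g.Scope)"
}

# 5. Persist the evidence as the audit artifact for the offboarding ticket.
$evidence | Export-Csv -Path ".\offboarding-$UserId-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Attach the CSV to the offboarding ticket; the Timestamp column is what answers the auditor's "within 24 hours" question.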


Gap 6: The Device That Walked Away

Marcus used his personal iPhone for work email through the Outlook app. He also has a company laptop that IT will collect next week. But between now and then, both devices have cached credentials, downloaded files, and potentially saved passwords.

Microsoft Intune's selective wipe capabilities can remove corporate data from enrolled devices while leaving personal data intact—essential for BYOD scenarios. But this requires that devices were enrolled in the first place and that you actually trigger the wipe.

How to close this gap:

  1. Ensure all devices accessing corporate resources are enrolled in Intune or your MDM solution before an offboarding situation arises.

  2. For enrolled devices, initiate a selective wipe immediately upon departure notification:

    • For company-owned devices: Full wipe
    • For BYOD devices: Selective wipe (removes only corporate data)
  3. Implement Conditional Access policies that block access from non-compliant or non-enrolled devices—this limits exposure even if you can't wipe a personal device.

  4. Revoke app-specific passwords and application passwords that might be cached on devices.

  5. Disable or remove the user from any VPN or remote access systems.
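Step 2's wipe-versus-retire rule applied to a departing user's Intune devices, as an added example that is not from the original post or from TrueConfig. It assumes the Microsoft.Graph PowerShell module, the listed scopes, and that the ownership type recorded in Intune is accurate; marcus@contoso.com is the article's sample user, and without -Execute the script only prints the plan.

```powershell
# Added example (not from the original post): find every Intune-enrolled device
# belonging to a departing user and apply the rule above: full wipe for
# company-owned devices, retire (selective wipe) for personal/BYOD devices.
# Assumes the Microsoft.Graph module; without -Execute it only prints the plan.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. marcus@contoso.com (sample value)
    [switch]$Execute
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.Read.All" -NoWelcome

$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'" -All
if (-not $devices) {
    # Nothing enrolled means nothing you can wipe remotely; a Conditional Access
    # policy that blocks unmanaged devices is the only control left for those endpoints.
    Write-Warning "No Intune-enrolled devices found for $UserPrincipalName"
    return
}

foreach ($d in $devices) {
    # ManagedDeviceOwnerType is 'company', 'personal' or 'unknown'. Treat unknown as
    # personal so a full wipe is never sent to a device you cannot prove you own.
    $action = if ($d.ManagedDeviceOwnerType -eq 'company') { 'Wipe' } else { 'Retire' }
    Write-Host ("{0,-30} {1,-10} {2,-6} lastSync={3:u}" -f $d.DeviceName, $d.OperatingSystem,
        $action, $d.LastSyncDateTime)
    if (-not $Execute) { continue }
    if ($action -eq 'Wipe') {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    } else {
        # Retire removes corporate data, app protection policies and the MDM
        # enrollment while leaving personal data on the device.
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }
}
```

A device that has not synced recently will not receive the action until it next checks in, so keep the Conditional Access block in place regardless.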


Gap 7: The Knowledge Transfer Black Hole

Two weeks after Marcus left, someone needs access to the quarterly financial model he maintained. It's in his OneDrive. His OneDrive that was deleted when you removed his license. His license that you reclaimed immediately because, well, licenses are expensive.

The tension between security (remove access quickly) and operations (preserve business-critical data) creates a gap that many organizations fall into. Microsoft 365 retains deleted users for 30 days, but if you don't transfer data before removing the license, you may lose access to critical business information.

How to close this gap:

  1. Before disabling the account, identify and transfer critical data:

    • OneDrive files: Transfer ownership to the manager or department shared location
    • Mailbox: Convert to shared mailbox (no license required) or export to PST
    • Teams chat history: Preserved in compliance center if needed for legal hold
  2. Implement a standard holding period (30-90 days) where the account is disabled but not deleted, allowing time for data transfer requests.

  3. Convert the mailbox to a shared mailbox before removing the license:

Set-Mailbox -Identity "marcus@contoso.com" -Type Shared
  4. Set up OneDrive retention policies that preserve departed employee files for a defined period.

  5. Use the manager delegation feature in Entra ID to automatically grant the departing employee's manager access to their OneDrive.


Building a Sustainable Offboarding Practice

Closing these seven gaps isn't a one-time fix—it requires building sustainable processes that scale with your organization. For mid-market IT teams, this means:

Standardize: Create a documented offboarding checklist that covers all seven gaps. Assign clear ownership for each step.

Automate: Microsoft Entra ID Governance's Lifecycle Workflows can automate many offboarding tasks based on HR system triggers. If you integrate with Workday, SuccessFactors, or similar systems, departures can automatically initiate access revocation.

Monitor: Schedule monthly reviews of your identity hygiene—orphaned accounts, stale admin privileges, and unresolved offboarding tasks.

Measure: Track metrics like time-to-revocation and incomplete offboarding tickets. Companies with automated offboarding processes reduce security incidents by 34%.


The Cost of Getting It Wrong

The stakes are higher than many organizations realize. Research indicates that 20% of data breaches involve former employees within six months of their departure. Organizations lose an average of $23,000 per improperly offboarded employee due to data recovery costs, security incidents, and compliance penalties.

For MSPs managing multiple client tenants, these risks multiply. Each client represents a separate identity boundary where offboarding gaps can occur—and a single incident can damage relationships across your entire portfolio.


Moving from Reactive to Proactive

The fundamental challenge with offboarding is that it's inherently reactive. Someone leaves, and you scramble to close the gaps. But the organizations that handle this well flip the script—they maintain continuous visibility into their identity posture so that offboarding becomes a predictable process rather than an emergency response.

This means knowing, at any moment:

  • Which users have elevated privileges and why
  • What external sharing and delegated permissions exist
  • Which accounts haven't been used in 90 days
  • Whether your actual state matches your intended security baseline

This is where continuous configuration monitoring makes a difference. Tools like TrueConfig help mid-market IT teams and MSPs maintain visibility into their Microsoft 365 identity configuration—detecting drift from your desired state before it becomes a security gap. When you know your current state matches your baseline, offboarding becomes a matter of following your checklist rather than discovering surprises.

The goal isn't perfection—it's predictability. When Marcus from Finance gives notice, you should be able to execute a clean, documented offboarding within hours, not days. Your audit evidence should be automatic, not assembled after the fact. And your security posture should be validated, not assumed.

Because in identity management, the gaps you don't know about are the ones that come back to haunt you.