IT Employee Onboarding and Offboarding Checklist for Berlin SMBs
Onboarding and offboarding are two of the highest-leverage processes an SMB IT team can systematise. Every new hire is an access provisioning event. Every departure is an access revocation event. When these happen ad hoc — through scattered requests, forgotten accounts, and manual password resets — the result is credential sprawl, lingering access, wasted licences, and GDPR exposure.
This checklist covers the IT side of both processes for a Berlin SMB using Microsoft 365, with notes on where automation is practical and where manual steps are unavoidable.
Why this matters beyond convenience
The business case for a documented IT onboarding/offboarding process is not primarily efficiency — it is risk management:
- Offboarding is a GDPR obligation. When an employee leaves, you are required to prevent unauthorised access to personal data. An active Microsoft 365 account belonging to a departed employee is an open access point to customer data, internal communications, and potentially payroll or HR records. GDPR Article 32 requires appropriate technical measures — account deactivation is the baseline.
- Lingering access is a common path to data exfiltration. The riskiest window for insider incidents, intentional or accidental, is between the moment someone decides to leave and the moment their access is actually revoked. The shorter that window, the lower the risk.
- Licence costs accumulate. A Microsoft 365 Business Premium licence costs approximately €22/user/month. Forgetting to reclaim licences from departed staff is a common, invisible cost leak in SMBs with regular turnover.
- New hire productivity starts at login. A structured onboarding process that has accounts, devices, and access ready on day one makes a material difference to how quickly someone becomes effective.
IT Onboarding Checklist
This checklist assumes Microsoft 365 as the primary platform, with Intune for device management.
Before start date (T-3 to T-1 business days)
- ☐ Create Microsoft 365 user account with correct display name, UPN, and job title
- ☐ Assign Microsoft 365 licence appropriate to role (Business Basic / Standard / Premium)
- ☐ Add to relevant Microsoft 365 groups and Teams channels
- ☐ Set up shared mailbox access if required (e.g., team inbox)
- ☐ Add to relevant SharePoint sites and document libraries
- ☐ Create VPN / remote access credentials if applicable
- ☐ Order and configure device: OS install, encryption enabled (BitLocker), Intune enrolment, baseline compliance policy applied
- ☐ Set a temporary password and require a reset at first sign-in. If Conditional Access requires MFA from the very first sign-in, issue a Temporary Access Pass instead, so the user can register Microsoft Authenticator without already having an MFA method
- ☐ Prepare MFA setup instructions (or schedule guided setup on day one)
- ☐ Confirm line manager has been briefed on the access the new hire will have
Day one
- ☐ Complete Microsoft Authenticator / MFA setup
- ☐ Confirm Microsoft 365 apps are accessible and licensed correctly
- ☐ Walk through IT security basics: phishing awareness, password manager setup, how to report suspicious email
- ☐ Confirm device is enrolled in Intune and shows as compliant
- ☐ Provide IT contact information and escalation path
- ☐ Confirm access to all systems required for the role
First week
- ☐ Verify OneDrive Known Folder Move is syncing correctly (Documents, Desktop, Pictures)
- ☐ Confirm shared drives / SharePoint access is functional
- ☐ Add to any additional tools or SaaS platforms used by the team (document these for offboarding)
- ☐ Record all systems and access levels granted — this becomes the offboarding checklist
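The before-start-date and first-week steps above, as an added example in Microsoft Graph PowerShell (this is not code from the original page): it creates the account with a random temporary password, sets the usage location that licence assignment requires, assigns a licence only if a seat is free, adds the Microsoft 365 groups, and appends every grant to a JSON-lines access log that later becomes the offboarding checklist. The tenant domain, group names, SKU part number and log path are assumptions for illustration; the Microsoft.Graph PowerShell SDK must be installed and the caller needs User Administrator and Groups Administrator rights.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph SDK is installed.
# Domain, group names, SKU part number and log path are illustrative placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

function New-TemporaryPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded: 32 characters mixing upper, lower, digits and
    # symbols, which meets Entra ID complexity without the patterns of a hand-made password.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function New-StarterAccount {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$JobTitle,
        [Parameter(Mandatory)][string]$Department,
        [string]$Domain = 'contoso-berlin.de',            # placeholder tenant domain
        [string]$SkuPartNumber = 'SPB',                   # SPB = Microsoft 365 Business Premium; verify with Get-MgSubscribedSku
        [string[]]$Groups = @('All Staff', "$Department"), # Microsoft 365 groups to join, illustrative
        [string]$AccessLog = '.\access-grants.jsonl'      # one JSON record per onboarding; feeds offboarding
    )

    # Scopes: create/update users, manage group membership, read licence SKUs.
    Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Organization.Read.All' -NoWelcome

    $mailNickname = ("$GivenName.$Surname").ToLowerInvariant() -replace '[^a-z0-9.]', ''
    $upn          = "$mailNickname@$Domain"
    $tempPassword = New-TemporaryPassword

    # UsageLocation is mandatory before a licence can be assigned; 'DE' for a Berlin tenant.
    $user = New-MgUser -AccountEnabled -DisplayName "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -UserPrincipalName $upn -MailNickname $mailNickname -JobTitle $JobTitle -Department $Department `
        -UsageLocation 'DE' -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

    $grants = @()

    # Assign the licence only if the tenant actually has a free seat, instead of failing half-way.
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' not found in tenant" }
    if (($sku.PrepaidUnits.Enabled - $sku.ConsumedUnits) -lt 1) { throw "No free seats for $SkuPartNumber" }
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    $grants += @{ type = 'licence'; target = $SkuPartNumber }

    foreach ($name in $Groups) {
        $group = Get-MgGroup -Filter "displayName eq '$name'" | Select-Object -First 1
        if (-not $group) { Write-Warning "Group '$name' not found; skipping"; continue }
        if ($group.GroupTypes -contains 'DynamicMembership') {
            Write-Warning "Group '$name' is dynamic; membership follows attributes, not this script"; continue
        }
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        $grants += @{ type = 'group'; target = $name; id = $group.Id }
    }

    # Record what was granted, by whom and when. This record is the offboarding checklist later.
    $record = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        actor     = (Get-MgContext).Account
        user      = $upn
        userId    = $user.Id
        grants    = $grants
    }
    $record | ConvertTo-Json -Compress -Depth 4 | Add-Content -Path $AccessLog

    # Hand the temporary password over out of band (never by email to the new mailbox).
    return [pscustomobject]@{ UserPrincipalName = $upn; TemporaryPassword = $tempPassword; Grants = $grants.Count }
}

# Usage: New-StarterAccount -GivenName 'Erika' -Surname 'Mustermann' -JobTitle 'Sales Manager' -Department 'Sales'
```

The access log is deliberately append-only JSON lines: the offboarding run reads the record for the UPN and knows exactly which licence and groups to reverse, which is the cross-reference the 30-day checklist asks for.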
IT Offboarding Checklist
Offboarding should begin the moment a resignation or termination is confirmed — not on the last day. For involuntary terminations, IT actions should happen simultaneously with or immediately after the notification conversation.
Immediate actions (within the hour for terminations; scheduled for planned departures)
- ☐ Block sign-in on the Microsoft 365 account (disable, not delete: the mailbox and OneDrive are kept for hand-over and retention). For hybrid identities, disable the on-premises AD account as well; it is the source of authority and the next sync cycle reapplies its state to the cloud account
- ☐ Revoke active sessions (Entra ID → User → Revoke sessions). This invalidates refresh tokens and browser sessions, but access tokens already issued keep working until they expire (by default roughly an hour) unless Continuous Access Evaluation is in effect, so do not treat revocation as instantaneous
- ☐ Reset the password to a random value that nobody records. Blocking sign-in stops the account itself, but a password the leaver knows may have been reused on other services and should not outlive the employment
- ☐ Remove from distribution lists and shared mailboxes as appropriate
- ☐ Revoke VPN / remote access credentials
- ☐ Disable any other active accounts: line-of-business apps, CRM, accounting software, etc. Rotate any shared secrets the leaver knew (shared mailbox or service-account passwords, Wi-Fi passphrases, API keys); revoking the personal account does nothing for those
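The immediate actions above, as an added example in Microsoft Graph PowerShell (not code from the original page). It blocks sign-in, revokes refresh tokens, resets the password to a random value, strips assignable group memberships and active directory roles, reports objects the leaver still owns, and writes a timestamped evidence record. Note what it deliberately does not do: it warns rather than acts on hybrid (AD-synced) accounts, on dynamic groups (membership follows attributes) and on Exchange distribution lists (which Graph cannot modify), and the revocation only invalidates refresh tokens, so access tokens already issued stay valid until they expire unless Continuous Access Evaluation cuts them short. The evidence path is a placeholder; the caller needs at least User Administrator rights (Privileged Authentication Administrator to reset an administrator's password).

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph SDK is installed.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

function New-RandomPassword {
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)   # never shown to anyone; it exists only to invalidate the old one
}

function Invoke-LeaverRevocation {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$EvidencePath = '.\offboarding-evidence.jsonl'   # placeholder; store where auditors can find it
    )
    Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','RoleManagement.ReadWrite.Directory','Directory.Read.All' -NoWelcome

    $user    = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled
    $actions = @()

    if ($user.OnPremisesSyncEnabled) {
        # The on-premises AD object is the source of authority: disable it there too, or the next
        # sync cycle re-applies the on-premises state to the cloud account.
        Write-Warning "$UserPrincipalName is synced from on-premises AD; disable the AD account as well"
    }

    # 1. Block sign-in. Account, mailbox and OneDrive stay intact for hand-over and retention.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    $actions += 'sign-in blocked'

    # 2. Revoke refresh tokens and browser sessions. Issued access tokens still run to expiry.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $actions += 'sessions revoked'

    # 3. Reset the password so the value the leaver knows cannot be reused anywhere.
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = (New-RandomPassword); ForceChangePasswordNextSignIn = $true }
    $actions += 'password reset'

    # 4. Strip memberships and roles. Get-MgUserMemberOf returns groups and directory roles together;
    #    the @odata.type in AdditionalProperties tells them apart.
    foreach ($m in (Get-MgUserMemberOf -UserId $user.Id -All)) {
        $p = $m.AdditionalProperties
        switch ($p['@odata.type']) {
            '#microsoft.graph.directoryRole' {
                # Active assignments only; PIM eligible assignments are not listed here.
                Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $m.Id -DirectoryObjectId $user.Id
                $actions += "role removed: $($p['displayName'])"
            }
            '#microsoft.graph.group' {
                if ($p['groupTypes'] -contains 'DynamicMembership') {
                    $actions += "dynamic group left to rule processing: $($p['displayName'])"
                } elseif ($p['mailEnabled'] -and -not $p['securityEnabled'] -and -not ($p['groupTypes'] -contains 'Unified')) {
                    # Exchange distribution list: not writable through Graph; use Remove-DistributionGroupMember.
                    Write-Warning "Distribution list '$($p['displayName'])' needs Exchange Online cmdlets"
                } else {
                    Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id
                    $actions += "group removed: $($p['displayName'])"
                }
            }
        }
    }

    # 5. Report what the leaver still owns (app registrations, groups): ownership must be reassigned
    #    and any application secrets they created should be rotated.
    $owned = Get-MgUserOwnedObject -UserId $user.Id -All |
        ForEach-Object { "$($_.AdditionalProperties['@odata.type']) $($_.AdditionalProperties['displayName'])" }

    $record = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        actor     = (Get-MgContext).Account
        user      = $user.UserPrincipalName
        hybrid    = [bool]$user.OnPremisesSyncEnabled
        actions   = $actions
        stillOwns = @($owned)
    }
    $record | ConvertTo-Json -Compress -Depth 4 | Add-Content -Path $EvidencePath
    return $record
}

# Usage: Invoke-LeaverRevocation -UserPrincipalName 'erika.mustermann@contoso-berlin.de'
```

The returned record doubles as the timestamped completion evidence the 30-day checklist asks for; the `stillOwns` list is the follow-up work that a simple "disable account" click never surfaces.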
Within 24–48 hours
- ☐ Set up mailbox auto-reply pointing to the appropriate colleague
- ☐ Configure mail forwarding to the line manager or designated successor, time-limited (typically 30–90 days) and with the end date recorded so that it is actually removed. Check with HR or legal first: if private use of the business mailbox was permitted, German telecommunications-secrecy rules may restrict reading or forwarding its contents
- ☐ Transfer OneDrive data to the manager or successor (Microsoft 365 admin → User → OneDrive). Do this before the account is deleted: a deleted user's OneDrive is retained for 30 days by default (configurable in the SharePoint admin centre) and is then gone
- ☐ Transfer ownership of Teams, SharePoint sites, and shared files owned by the departing employee
- ☐ Audit for admin roles and other elevated permissions held by the account and remove them; ideally this is part of the immediate actions, but confirm it here. Also check for app registrations, enterprise apps and groups the account owns, reassign ownership, and rotate any application secrets the leaver created
- ☐ Retrieve company device: wipe and reset, return to inventory. For terminations, trigger the Intune remote wipe as soon as the account is blocked rather than waiting for the hardware to come back
Within 30 days
- ☐ Reclaim Microsoft 365 licence (assign to new hire or remove). If the mailbox must stay readable, convert it to a shared mailbox first: shared mailboxes under 50 GB without a litigation hold or archive need no licence
- ☐ Review and remove access from all SaaS tools (cross-reference the onboarding access log)
- ☐ Formally delete or archive the Microsoft 365 account per your data retention policy. Deleting the user soft-deletes the mailbox and OneDrive for 30 days only; if the data must be kept longer, place a hold or convert the mailbox before deleting
- ☐ Document the offboarding completion with timestamp — relevant for GDPR and NIS2 audit readiness
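The mailbox steps from the 24–48 hour and 30-day lists above, as an added example using the ExchangeOnlineManagement module (not code from the original page). The first function enables the auto-reply, configures forwarding to the successor while writing the expiry date into CustomAttribute1, and optionally converts the mailbox to a shared mailbox so the successor can read the historical mail through their own identity; the second is meant for a scheduled run and removes forwarding once the recorded expiry has passed, which is the step that is usually forgotten; the third places a litigation hold before the account is deleted, so that deletion leaves an inactive mailbox instead of losing the data after the 30-day soft-delete window. Litigation hold needs a plan that includes it (Exchange Online Plan 2 or the Exchange Online Archiving add-on) and must be applied while the licence is still assigned. Mailbox identities, messages and durations are placeholders.

```powershell
# Added example, not from the original page. Assumes the ExchangeOnlineManagement module and an
# Exchange Administrator account. Identities, messages and durations are placeholders.
#Requires -Modules ExchangeOnlineManagement

$expiryTag = 'FWD-EXPIRES:'   # prefix used in CustomAttribute1 to record when forwarding must end

function Set-LeaverMailbox {
    param(
        [Parameter(Mandatory)][string]$Mailbox,      # leaver's mailbox (UPN or primary SMTP address)
        [Parameter(Mandatory)][string]$Successor,    # internal recipient who receives forwarded mail
        [int]$ForwardDays = 60,                      # time-limited: 30-90 days is typical
        [switch]$ConvertToShared                     # successor needs the historical mail, not only new mail
    )
    Connect-ExchangeOnline -ShowBanner:$false

    $expiry = (Get-Date).AddDays($ForwardDays).ToString('yyyy-MM-dd')
    $reply  = "This mailbox is no longer monitored. Please contact $Successor."

    Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Enabled `
        -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

    # -ForwardingAddress takes an internal recipient; -DeliverToMailboxAndForward keeps a copy in the
    # leaver's mailbox so nothing is lost if the successor changes. The expiry is recorded for the sweep.
    Set-Mailbox -Identity $Mailbox -ForwardingAddress $Successor -DeliverToMailboxAndForward $true `
        -CustomAttribute1 "$expiryTag$expiry"

    if ($ConvertToShared) {
        # The underlying user account stays sign-in blocked: a shared mailbox is opened through the
        # successor's own MFA-protected identity, never by signing in as the leaver.
        Set-Mailbox -Identity $Mailbox -Type Shared
        Add-MailboxPermission -Identity $Mailbox -User $Successor -AccessRights FullAccess -AutoMapping $true | Out-Null
    }
    return Get-Mailbox -Identity $Mailbox |
        Select-Object PrimarySmtpAddress, ForwardingAddress, RecipientTypeDetails, CustomAttribute1
}

function Remove-ExpiredForwarding {
    # Run on a schedule: clears forwarding on every mailbox whose recorded expiry has passed.
    Connect-ExchangeOnline -ShowBanner:$false
    $today = Get-Date
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -like '$expiryTag*'" | ForEach-Object {
        $expiry = [datetime]::ParseExact($_.CustomAttribute1.Substring($expiryTag.Length), 'yyyy-MM-dd', $null)
        if ($expiry -lt $today) {
            Set-Mailbox -Identity $_.Identity -ForwardingAddress $null -DeliverToMailboxAndForward $false -CustomAttribute1 $null
            "$($_.PrimarySmtpAddress): forwarding removed (expired $($expiry.ToString('yyyy-MM-dd')))"
        }
    }
}

function Protect-LeaverMailbox {
    param([Parameter(Mandatory)][string]$Mailbox, [int]$HoldDays = 3650)
    # Apply the hold while the account and licence still exist. Deleting the user afterwards leaves an
    # inactive mailbox that eDiscovery can search for the hold duration.
    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDays
    return (Get-Mailbox -Identity $Mailbox).LitigationHoldEnabled
}

# Usage:
# Set-LeaverMailbox -Mailbox 'erika.mustermann@contoso-berlin.de' -Successor 'max.beispiel@contoso-berlin.de' -ConvertToShared
# Protect-LeaverMailbox -Mailbox 'erika.mustermann@contoso-berlin.de'
# Remove-ExpiredForwarding
```

Writing the expiry into a mailbox attribute rather than into a ticket keeps the deadline with the object it governs: a scheduled `Remove-ExpiredForwarding` finds every overdue forward with a single filtered query, whatever happened to the ticket.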
Automating the process with Microsoft 365
For businesses that regularly onboard and offboard staff, manual checklists work but carry execution risk. Microsoft 365 and Intune provide several automation options:
- Entra ID Lifecycle Workflows (Microsoft Entra ID Governance). Automate pre-hire account creation, day-one tasks, and leaver account deactivation based on HR system data or scheduled triggers. Requires the Microsoft Entra ID Governance add-on licence on top of the Entra ID P1 that Business Premium, E3 and F3 already include.
- Dynamic Microsoft 365 Groups. Assign users to groups (and therefore SharePoint/Teams access) based on attributes like department, location, or job title. New hires whose attributes match get the access automatically; departures drop out when the attributes change. This only works as well as the attributes are maintained, so include an accountEnabled condition in the rule: blocking sign-in is the one attribute change that offboarding always makes.
- Windows Autopilot (managed through Intune). Pre-configure device deployment so that new hardware self-provisions to a ready state without manual imaging, cutting per-device setup from hours of hands-on work to a largely unattended process.
- Microsoft Purview eDiscovery. When a leaver's data needs to be preserved for legal or compliance reasons, Litigation Hold and eDiscovery tools allow you to place the mailbox on hold before deleting the account; the deleted account then leaves an inactive mailbox that remains searchable for the duration of the hold.
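As an added example (not from the original page) of the dynamic-group approach in the list above, the functions below create a dynamic Microsoft 365 group whose rule keys on department and, deliberately, on user.accountEnabled, so that blocking a leaver's sign-in removes them from the group and from the Teams and SharePoint access it carries without anyone editing memberships. A preview function runs the equivalent Graph filter first, so the membership can be checked before the rule is switched on. Dynamic membership needs Entra ID P1, which Business Premium includes. Department and group names are placeholders, and rule processing typically takes minutes rather than seconds after an attribute change.

```powershell
# Added example, not from the original page. Microsoft.Graph SDK assumed; Entra ID P1 required for dynamic groups.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users

function Get-DepartmentRule {
    param([Parameter(Mandatory)][string]$Department)
    # Entra dynamic membership rule syntax. The accountEnabled clause ties the group to offboarding:
    # the immediate "block sign-in" step drops the leaver from the group with no membership edit.
    return "(user.department -eq `"$Department`") -and (user.accountEnabled -eq true)"
}

function Test-DepartmentRule {
    param([Parameter(Mandatory)][string]$Department)
    # Preview with the equivalent OData filter before enabling the rule, so an inconsistent department
    # value in HR data (trailing space, different spelling) is caught before access is granted.
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    Get-MgUser -All -Filter "department eq '$Department' and accountEnabled eq true" `
        -Property DisplayName,UserPrincipalName,Department,AccountEnabled |
        Select-Object DisplayName, UserPrincipalName
}

function New-DepartmentAccessGroup {
    param(
        [Parameter(Mandatory)][string]$Department,
        [string]$DisplayName  = "$Department Team",                                                   # placeholder naming scheme
        [string]$MailNickname = ($Department.ToLowerInvariant() -replace '[^a-z0-9]', '') + '-team'
    )
    Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome
    # A Microsoft 365 ("Unified") group is mail-enabled and not security-enabled, which is what Teams and
    # SharePoint attach to. MembershipRuleProcessingState 'On' starts evaluation straight away; use
    # 'Paused' to stage the group and review the rule first.
    $group = New-MgGroup -DisplayName $DisplayName -MailNickname $MailNickname -MailEnabled:$true -SecurityEnabled:$false `
        -GroupTypes @('Unified','DynamicMembership') -MembershipRule (Get-DepartmentRule $Department) `
        -MembershipRuleProcessingState 'On' -Description "Dynamic: department '$Department', enabled accounts only"
    return $group | Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
}

# Usage:
# Test-DepartmentRule -Department 'Sales'        # who would land in the group?
# New-DepartmentAccessGroup -Department 'Sales'  # create it
```

Because the rule excludes disabled accounts, the first offboarding action (block sign-in) is also the one that removes SharePoint and Teams access granted through the group; the remaining manual work is limited to groups that are not dynamic.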
GDPR considerations for employee data
When an employee leaves, their data does not automatically become yours to keep indefinitely. GDPR requires a documented retention policy for employee personal data, including email, HR records, and access logs, and the periods in it should trace back to a legal basis. German commercial and tax law (HGB §257, AO §147) sets 10 years for books, annual accounts and accounting records and 6 years for commercial correspondence, which includes email that functions as a business letter; payroll records are commonly kept for 10 years on the same basis, and some employment records are subject to similar statutory periods. Email with no statutory retention requirement is governed by policy alone, and the short windows some organisations use for it (up to 6 months for non-business-critical correspondence) are a choice to be documented, not a legal minimum.
The practical implication: before deleting a departed employee’s account, ensure data has been reviewed against your retention policy, business-relevant content has been transferred, and the deletion is documented. An undocumented deletion of employee data following a dispute creates more GDPR risk than a structured, policy-driven deletion.
Free for Berlin SMBs
Find Out Where Your IT Actually Stands
We review your security posture, Microsoft 365 setup, network resilience, and compliance gaps — and give you a written report at no cost.
Book Your Free IT Assessment →
No obligation. Written report included. ~45 minutes of your time.
Getting the process right
The onboarding/offboarding process is one of the first things we review in an IT assessment — because it is a reliable indicator of how rigorously access control is managed across the rest of the environment. Businesses with documented, tested onboarding and offboarding processes consistently have lower exposure from credential-based attacks and insider risk.
If you want a structured review of how your current access management and offboarding process holds up — alongside security posture, Microsoft 365 configuration, and compliance readiness — our free IT assessment covers this as part of the operational resilience review.
