Article Summary: 
Offboarding problems usually start long before someone resigns. Shared logins, forgotten SaaS tools, personal devices, and client relationships stuck in one person’s inbox often come from small onboarding shortcuts that were never cleaned up. When onboarding is done right, future offboarding becomes a clear 90-minute checklist instead of a stressful three-week cleanup. 

By the time an employee gives notice, the decisions that make their departure simple or messy have already been made. They were made during their first few weeks, when everyone was moving fast. A shared login here. A quick SaaS sign-up there. A personal laptop used “just for now” until the company device arrived. 

At the time, these things feel temporary. But months later, they become normal. Nobody remembers who created the account, where the password lives, or which device has access to what. Then someone leaves, and your team has to untangle it all under pressure.  That is why messy offboarding is usually not just an offboarding problem. It is an onboarding problem that was never fixed. 

This article explains where offboarding usually breaks down, which onboarding shortcuts create the biggest problems, how to clean up what your team already uses, and what your IT provider should be doing before someone resigns. 

Why offboarding problems start long before someone leaves 

When the right setup is in place, IT disables the employee’s account in your identity provider. That removes access across the tools connected through single sign-on. The device is wiped remotely or collected and wiped on-site. Email is forwarded to a manager or converted to a shared mailbox. CRM and project tool ownership is reassigned. A handover note gets filled in because the template already exists. 

That kind of offboarding can take about 90 minutes of IT time. 

The messy version looks very different. It starts with a list of tools nobody can fully remember. Someone has to ask the departing employee what they used. Then the team finds a Figma account, a Loom workspace, a Notion instance, and an Airtable base that were all set up separately. The passwords are in the employee’s personal password manager. The laptop is at their house. A client emails because they received a strange message from a personal address. Six weeks later, a vendor charges the company card for a seat everyone thought was cancelled. 

That is not just annoying. It slows down your team, leaves access open longer than it should be, and creates risk your business does not need. Whether offboarding is clean or chaotic depends on what happened during onboarding. 

In identity management, this is often called the “joiner, mover, leaver” lifecycle. Microsoft and most identity vendors use the same three-phase model. When the joiner phase is rushed, the cleanup gets pushed into the leaver phase, when everything is more urgent and harder to fix. 

The onboarding shortcuts that make offboarding harder 

New hires create their own SaaS accounts 

When an employee signs up for a tool on their own, using their work email and a password only they know, that account becomes difficult for the business to manage. You may not be able to reset the password without notifying them. You may not even know the account exists until an invoice shows up, or until a project breaks after they leave. 

This is one of the most common reasons businesses struggle to find all the logins during offboarding. The fix is to provision tools through a central identity system. Any new SaaS application should be connected to single sign-on before the first user logs in. 

That way, access belongs to the business, not to one employee. 

Personal devices become part of the Wworkflow 

Personal devices rarely stay temporary. An employee uses their own laptop for a few days. Then they install apps, connect to client systems, download files, and save credentials. What started as a short-term fix becomes their everyday setup. 

When they leave, you cannot easily remove company data from a device you do not own and never enrolled in a management system. At that point, you are relying on goodwill. And while most people will try to do the right thing, goodwill is not a security control. 

The better approach is to issue company-owned devices on day one and enroll them in mobile device management. If personal devices are allowed, company email and files should be accessed through managed apps that can be disconnected when needed. Browser-saved credentials are not enough. 

Shared logins turn into access problems 

Shared logins are one of the fastest ways to make offboarding harder. 

When five people use the same login, you cannot remove one person’s access without changing the password for everyone. And you usually discover the problem at the worst time, when the person leaving is the one who created the account and nobody else remembers the password. 

Shared credentials may feel like a small cost-saving shortcut in the moment. But the cost comes back later as wasted time, confusion, and exposed access. Per-seat access is the cost of doing this properly. It gives each person their own login, makes ownership clear, and makes access removal much easier when someone leaves. 

Client history gets trapped in one inbox 

This is especially common for agencies and professional services businesses. When a senior account manager or consultant leaves, the client relationship can leave with them. The history, preferences, open questions, and half-finished conversations are all buried in one person’s inbox. 

From the client’s side, it can feel like your business suddenly forgot who they are. The fix is to keep client communication in shared places. That might be a CRM, a shared inbox, or a Microsoft 365 shared mailbox where client threads are copied and easy to find. 

It does not need to be complicated. The goal is continuity. The relationship should belong to the business, not just one person’s inbox. 

How to clean up the gaps you already have 

Most businesses do not need to wait for the next new hire to fix this. The better place to start is with the team you already have. You cannot go back and redo everyone’s onboarding, but you can find the gaps now before the next departure turns them into a problem. 

Start with a SaaS audit 

Start with three months of credit card statements for every card used for business expenses. List every recurring SaaS charge. For each tool, answer these questions: 

  • Who set it up? 
  • Who has the login? 
  • Is it tied to a company email or personal email? 
  • Could someone else access it if that person left tomorrow? 

You will probably find tools nobody remembers signing up for. You may find accounts with only one owner. You may also find subscriptions still being paid for after the original user has already left. 

This does not need to be a big technical project. A spreadsheet and a careful look at your statements can show you where the risk is hiding. 

Build a simple device register 

Build a simple list of who has what. Include each device, when it was issued, whether it is enrolled in a management system, and what company data it can access. If you do not have this list today, create it now. Ask each employee to confirm which devices they use for work, including personal ones. The goal is not to punish anyone. The goal is to understand what your business depends on. 

For any personal device that has accessed company systems, the minimum should be managed access for company email and files. That gives you a way to disconnect company data without touching the rest of the device. 

Move client communication into shared places 

Client communication should not disappear when one person leaves. 

Move important client conversations into places the business can access. Set up a shared inbox, alias, or CRM process for client-facing communication. If a full CRM process feels like too much right now, even a Microsoft 365 shared mailbox with a clear expectation that client threads are copied there is a big improvement. 

This is about protecting the client experience. When someone leaves, the next person should be able to step in without making the client repeat everything. 

What your IT provider should handle during onboarding 

Many IT providers only get called when someone resigns. They disable the account, try to collect the laptop, and work with whatever documentation exists. That helps, but it is the wrong end of the process. If your IT provider is only involved when someone leaves, you are missing the best chance to prevent the mess in the first place. A better model brings IT into onboarding from the start. 

Your IT provider should help set up the new account in your identity provider, enroll the device in mobile device management, and provision access through single sign-on. That way, every tool the employee uses is connected to a central identity that can be turned off when needed. 

They should also help maintain a handover document for each employee. That document should list the systems they access, the client relationships they manage, and the credentials tied to their role. When that structure exists, offboarding becomes a checklist instead of an excavation. 

Ask your IT provider what they do during onboarding. If the answer is “not much” or “we usually get called when someone leaves,” that is worth a conversation. 

A 60-day plan to prevent the next offboarding mess 

You do not need to know when the next resignation will happen to prepare for it. This work is much easier when nothing is urgent. 

Weeks 1 and 2: Run the SaaS audit.
Review business credit card statements and list every recurring SaaS tool. Identify who owns each account, who has access, and which logins would be difficult to recover if that person left this week. 

Weeks 3 and 4: Build the device register.
Confirm what every team member uses for work. Include company-owned and personal devices. For personal devices with company access, require managed app access at minimum. Enroll company-owned devices in a management system if they are not already covered. 

Weeks 5 and 6: Audit client-facing communication.
Find client relationships that mostly live in one person’s inbox or on one person’s phone. Move the highest-risk relationships into shared mailboxes or CRM logging first. 

Weeks 7 and 8: Write the onboarding process you wish you had.
Use what you found in the first six weeks to build a better onboarding process. Apply it to the next hire from day one, and use the same structure to create handover documents for your current team. 

Most of this is operational, not complicated. A spreadsheet, honest conversations with your team, and a few hours with your IT provider can remove a lot of future stress. 

Conclusion  

Messy offboarding does not usually happen because one person forgot a step. It happens because access, devices, tools, and client communication were never clearly set up in the first place. 

The good news is that you do not have to wait for the next resignation to fix it. A simple review of your SaaS accounts, devices, shared logins, and client handoffs can reveal where the gaps are before they turn into a stressful cleanup. 

If you are not sure what would happen if someone left tomorrow, now is the time to find out. 

Atekro can help you review your onboarding and offboarding process, identify hidden access risks, and build a cleaner system for future employee transitions. Contact us today to start with a practical access and device review.

FAQs

How do I find SaaS tools my team signed up for without telling me? 

Start with a three-month review of every credit card statement used for business expenses. Most shadow SaaS tools show up as recurring charges somewhere on the card. 

Can I wipe a personal device after someone leaves? 

Only company data, and only if the right controls were set up while the person was still employed. Mobile device management or managed app access can remove company email, files, and credentials from a personal device without touching personal data. If those controls were not in place, your options are limited. 

What’s the role of single sign-on in offboarding? 

Single sign-on ties a user’s access to a central identity. When that identity is disabled, access to connected tools can be removed from one place. Without single sign-on, each platform has to be reviewed and updated manually. 

Should I make employees use only company devices? 

Where practical, yes. Company-owned devices are easier to manage, secure, and wipe when needed. If personal devices are allowed, managed app access or device management should be required. A personal device with saved company credentials and no management is one of the highest-risk setups during offboarding. 

Not sure if your IT is truly supporting your growth?

Let’s have a conversation and see if we’re the right partner for you.

  • Talk through your current challenges and goals
  • Get an outside perspective on what’s working, and what’s not
  • Understand how we typically help businesses like yours

Love This Article? Share It!

Related Posts

STAY IN THE LOOP

Subscribe to our free newsletter.

By selecting "Get the Atekro news", I agree that Atekro will process my personal information in accordance with the Atekro Privacy Policy.