
SaaS Offboarding Checklist: Secure Access in 24 Hours

Departing employees retain access to an average of 7 SaaS apps after leaving. Get a complete checklist for revoking SaaS access in 24 hours or less.

Coax Team | February 20, 2026 | 9 min read

The Hidden Risk of Incomplete Offboarding

When an employee leaves your organization, IT follows a standard offboarding checklist: disable Active Directory or Google Workspace account, collect the laptop, revoke VPN access. Done.

Except it's not done. Not even close.

The average departing employee retains active accounts in 7 or more SaaS applications after their corporate identity is deprovisioned. These are accounts IT doesn't know about — classic shadow IT — tools the employee signed up for independently, connected via OAuth, or accessed with a personal email and a corporate-adjacent password.

Every one of these orphaned accounts is a security vulnerability. A disgruntled former employee, a credential-stuffing attack, or a vendor breach at any of these services could expose your company data months or years after the employee left.

The numbers tell the story:

  • 49% of organizations have experienced a security incident caused by a former employee's retained access
  • The average time to discover a former employee still has access: 6 months
  • Former employees with access to sensitive data are involved in one in four data breaches at mid-market companies

Why Manual Offboarding Fails

Most mid-market companies rely on a manual offboarding process that looks something like this:

  1. HR notifies IT that an employee is leaving
  2. IT disables the employee's corporate email and identity provider account
  3. IT manually revokes access to known, sanctioned applications
  4. Someone checks a spreadsheet (if one exists) for any other accounts

This process fails for several predictable reasons.

The Spreadsheet Is Wrong

If your SaaS inventory is maintained in a spreadsheet, it's out of date. New applications are adopted weekly. People forget to update the sheet. Entire categories of tools — free tiers, trials, department-purchased apps — were never on it to begin with.

Spreadsheet accuracy for SaaS inventory averages 30-40%. That means 60-70% of a departing employee's SaaS accounts are invisible to the offboarding process.

IdP Deprovisioning Has Limits

Disabling an employee's Google Workspace or Azure AD account is necessary, but it's not sufficient. Here's why:

  • Direct accounts: Many SaaS apps allow signup with email + password, bypassing SSO entirely. Disabling the IdP account doesn't touch these.
  • OAuth tokens: Some OAuth tokens remain valid even after the parent IdP account is disabled, depending on the SaaS vendor's implementation.
  • Personal email signups: Employees sometimes sign up for work-related tools with personal email addresses. These accounts are completely invisible to IdP-based offboarding.
  • Cached sessions: Some applications maintain active sessions for days or weeks after authentication is revoked at the IdP level.

Nobody Owns Shadow IT Offboarding

Most offboarding processes are designed around the applications IT knows about. There is no process for revoking access to shadow IT — because, by definition, nobody knows these applications exist until someone goes looking.

Even in organizations with mature offboarding procedures, shadow IT accounts are almost always missed.

The Complete SaaS Offboarding Checklist

Use this checklist to ensure comprehensive access revocation when an employee departs. The goal is to complete all steps within 24 hours of the employee's last day.

Phase 1: Immediate Actions (Within 2 Hours)

Corporate Identity

  • Disable primary email account (Google Workspace / Microsoft 365)
  • Disable identity provider account (Azure AD / Okta / Google)
  • Revoke all active SSO sessions
  • Change shared account passwords the employee had access to
  • Revoke VPN and remote access credentials

Critical Systems

  • Revoke access to production systems (cloud consoles, databases, servers)
  • Remove from admin groups and privileged access roles
  • Disable access to financial systems (banking, accounting, payment processors)
  • Revoke access to source code repositories (GitHub, GitLab, Bitbucket)
  • Remove from customer-facing systems (CRM, support desk, client portals)

Phase 2: SaaS Application Sweep (Within 8 Hours)

Sanctioned Applications

  • Remove from all IT-managed SaaS applications (check your software catalog)
  • Transfer ownership of files, documents, and shared resources to a designated colleague
  • Reassign application admin roles held by the departing employee
  • Cancel any individual licenses or seats assigned to the employee
  • Export or transfer any data the employee created that the organization needs

OAuth and Connected Applications

  • Review all OAuth grants issued by the employee in Google Workspace / Microsoft 365
  • Revoke OAuth tokens for all third-party applications
  • Check for API keys or tokens the employee may have created
  • Review service account permissions the employee managed

Communication and Collaboration

  • Remove from all Slack / Teams channels and workspaces
  • Remove from shared email groups and distribution lists
  • Revoke access to shared drives, folders, and documents
  • Remove from project management tools (Asana, Jira, Monday, etc.)
  • Disable calendar sharing and meeting organizer access

Phase 3: Shadow IT Discovery (Within 24 Hours)

Automated Discovery

  • Run a SaaS discovery scan focused on the departing employee's email address
  • Identify all SaaS applications the employee signed up for using their corporate email
  • Cross-reference discovery results against your sanctioned application list
  • Flag any previously unknown applications for security assessment

Account Remediation

For each discovered shadow IT application:

  • Determine if the account contains company data
  • If possible, log in via admin access or a password reset sent to the corporate mailbox (before email forwarding expires)
  • Export any company data stored in the application
  • Delete or deactivate the account
  • Add the application to your shadow IT registry for future reference

Phase 4: Verification (Within 48 Hours)

  • Re-run SaaS discovery scan to confirm all accounts are deprovisioned
  • Verify no active sessions remain across discovered applications
  • Confirm email forwarding is set up for business-critical communications (time-limited)
  • Document all actions taken for audit trail
  • Report completion to security team and manager

GDPR Considerations for SaaS Offboarding

For European companies, employee offboarding has specific GDPR implications that go beyond access revocation. Organizations subject to NIS2 face even stricter requirements for access control and incident handling.

Right to Erasure (Article 17)

Departing employees may exercise their right to erasure for personal data processed in SaaS applications. This includes:

  • Personal data stored in HR systems beyond what's required for legal retention
  • Personal data in collaboration tools (messages, profiles, activity logs)
  • Data in shadow IT applications where the employee was both the data subject and the user

The challenge: You cannot comply with an erasure request for applications you don't know about. SaaS discovery during offboarding ensures you can identify all locations where an employee's personal data may be stored.

Data Processing Records (Article 30)

GDPR requires organizations to maintain records of processing activities, including the categories of personal data processed and the recipients (including SaaS vendors). When an employee departs, review:

  • Which SaaS applications processed the employee's personal data?
  • Are data processing agreements (DPAs) in place with each vendor?
  • Is there a legal basis for continued processing of the employee's data after departure?

Data Minimization (Article 5(1)(c))

After an employee departs, continue processing their personal data only where necessary:

  • Legal requirements: Tax records, employment history, contractual obligations
  • Business continuity: Transfer of files and responsibilities (time-limited)
  • Security: Audit logs retained for incident investigation (defined retention period)

Delete personal data from SaaS applications where there is no ongoing legal basis for processing. This includes profile data, activity logs, and personal files in tools the employee used.

Cross-Border Data Transfers

If an employee's data resides in SaaS applications hosted outside the EEA, ensure that:

  • Appropriate transfer safeguards are in place (Standard Contractual Clauses, adequacy decisions)
  • The data transfer was documented in your Article 30 records
  • Data deletion requests can be fulfilled across all geographic locations where data is stored

Offboarding Shadow IT: The Missing Step

Shadow IT offboarding is the step that most organizations miss entirely. Here's a focused approach:

Discovery During Offboarding

Use email metadata analysis to identify every SaaS application associated with the departing employee's corporate email address. This catches:

  • Applications the employee signed up for directly
  • Applications that send notifications, invoices, or confirmations to the corporate email
  • Free tiers and trials that left no financial trace
  • Applications signed up months or years ago that are still active

Prioritization

Not all shadow IT accounts need the same level of attention. Prioritize by risk:

Priority | Criteria | Action | Timeline
Critical | Accesses sensitive data (customer PII, financial, IP) | Immediate account deletion or lockdown | Within 2 hours
High | Has OAuth access to corporate systems | Revoke OAuth tokens, then delete account | Within 8 hours
Medium | Contains company data but limited access | Export data, delete account | Within 24 hours
Low | No company data, no corporate system access | Delete account when possible | Within 1 week
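As an added example (not Coax's code or product), here is how the email-metadata discovery described under "Discovery During Offboarding" can be implemented and its results mapped onto the priority table: the sample mail headers, vendor domains, sanctioned-app list and subject patterns are all constructed for illustration, and the data-content flags passed to prioritize() stand in for the human assessment step.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample mailbox metadata: (sender, subject, received date); vendors illustrative.
SAMPLE_HEADERS = [
    ("no-reply@notion.so", "Welcome to Notion! Confirm your email", date(2023, 3, 2)),
    ("billing@notion.so", "Your Notion invoice for February", date(2026, 2, 1)),
    ("noreply@github.com", "[GitHub] A third-party OAuth application has been added", date(2024, 6, 11)),
    ("team@zapier.com", "Your Zap connected Google Sheets to Slack", date(2025, 9, 30)),
    ("hello@figma.com", "Confirm your Figma account", date(2022, 1, 5)),
    ("news@example-shop.com", "Weekly deals just for you", date(2026, 1, 15)),
]
SANCTIONED = {"github.com", "slack.com"}  # IT-managed apps (constructed catalog)

# Subject patterns that indicate an account exists; pure marketing mail matches none.
SIGNALS = {
    "signup": re.compile(r"welcome|confirm your|verify your|activate", re.I),
    "billing": re.compile(r"invoice|receipt|payment|subscription", re.I),
    "oauth": re.compile(r"oauth|connected|authorized|integration", re.I),
}

def base_domain(sender):
    """Sender address -> last two labels of its domain (simple heuristic, no PSL)."""
    return ".".join(sender.rsplit("@", 1)[-1].lower().split(".")[-2:])

def discover(headers, sanctioned=SANCTIONED):
    """Group mail by vendor domain, keep domains with an account signal, and drop
    anything in the sanctioned catalog: what remains is the employee's shadow IT."""
    apps = defaultdict(lambda: {"signals": set(), "first_seen": None, "last_seen": None})
    for sender, subject, received in headers:
        hits = {name for name, rx in SIGNALS.items() if rx.search(subject)}
        if not hits:
            continue
        rec = apps[base_domain(sender)]
        rec["signals"] |= hits
        rec["first_seen"] = min(d for d in (rec["first_seen"], received) if d)
        rec["last_seen"] = max(d for d in (rec["last_seen"], received) if d)
    return {dom: rec for dom, rec in apps.items() if dom not in sanctioned}

def prioritize(rec, contains_sensitive=False, contains_company_data=True):
    """Map a discovered account onto the Critical/High/Medium/Low table. The data
    flags come from the human assessment step; the OAuth signal from the mail itself."""
    if contains_sensitive:
        return "Critical"  # immediate deletion or lockdown, within 2 hours
    if "oauth" in rec["signals"]:
        return "High"      # revoke OAuth tokens, then delete, within 8 hours
    if contains_company_data:
        return "Medium"    # export data, then delete, within 24 hours
    return "Low"           # delete when possible, within 1 week
```

The first_seen date is what surfaces accounts "signed up months or years ago"; in practice the headers come from an IMAP or Graph API export of the departing mailbox rather than an inline list.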

Systematic Approach

For each discovered shadow IT application:

  1. Assess: What data does this application have access to?
  2. Contain: Revoke OAuth tokens and change any shared credentials
  3. Recover: Export company data if present
  4. Remove: Delete or deactivate the account
  5. Document: Record the application for future offboarding processes and SaaS inventory

Automating SaaS Offboarding

Manual offboarding at scale is unsustainable. A 200-person company with 10% annual turnover offboards 20 employees per year. If each employee has accounts in 15-25 SaaS applications (including shadow IT), that's 300-500 account revocations per year — most of them invisible to current processes.

What to Automate

  • SaaS discovery: Automated scanning of email and IdP data to identify all accounts associated with a departing employee
  • OAuth revocation: Automatic revocation of all third-party OAuth grants when an IdP account is disabled
  • Alerting: Automatic notification to IT when an employee is flagged for departure in HR systems
  • Verification: Automated re-scanning to confirm all accounts have been deprovisioned

What Requires Human Judgment

  • Data recovery decisions: Should company data in shadow IT accounts be exported or deleted?
  • Application assessment: Is this shadow IT application used by other employees? Should it be formally evaluated?
  • Exception handling: Some accounts may need to remain active temporarily (e.g., shared service accounts)

Measuring Offboarding Effectiveness

Track these KPIs to assess and improve your SaaS offboarding process:

Process Metrics

  • Time to full deprovisioning: Hours from departure trigger to complete access revocation (target: <24 hours)
  • Coverage rate: Percentage of total SaaS accounts successfully deprovisioned (target: >95%)
  • Shadow IT discovery rate: Number of previously unknown accounts found during offboarding

Security Metrics

  • Orphaned account count: Number of active accounts belonging to former employees (target: 0)
  • Post-departure access events: Logins or API calls from former employee accounts after departure (target: 0)
  • Time to discovery: Average time between an employee's departure and discovery of their retained access
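Post-departure access events are the security metric most worth automating. As an added example (not Coax's code or product), the following detection runs over constructed authentication log lines and a constructed offboarding record, flags any event after the departure timestamp, and distinguishes a fresh login (direct credentials still valid) from activity with no new login (a token or cached session that outlived the IdP disable, the cases described under "IdP Deprovisioning Has Limits"); the log layout and app names are assumptions.

```python
from datetime import datetime, timezone

# Constructed offboarding record: former employee -> departure time (UTC).
DEPARTED = {
    "alice@example.com": datetime(2026, 2, 10, 17, 0, tzinfo=timezone.utc),
}

# Constructed auth log in a simple "timestamp app user event" layout; real sources
# would be IdP system logs plus each SaaS vendor's audit log export.
SAMPLE_LOG = """\
2026-02-10T09:12:00Z okta alice@example.com login
2026-02-10T16:59:00Z notion alice@example.com login
2026-02-11T03:40:00Z notion alice@example.com api_call
2026-02-13T08:05:00Z figma alice@example.com login
2026-02-13T08:06:00Z figma bob@example.com login
"""

def parse_line(line):
    """Split one log line into (aware datetime, app, user, event)."""
    ts, app, user, event = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), app, user, event

def post_departure_events(log_text, departed=DEPARTED):
    """Return, per app, the events by a departed user after their departure,
    how many hours after departure the first one occurred, and what it indicates."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, app, user, event = parse_line(line)
        left = departed.get(user)
        if left is None or ts <= left:
            continue                      # current staff or pre-departure activity
        rec = findings.setdefault(app, {"user": user, "events": [], "first": ts})
        rec["events"].append(event)
        rec["first"] = min(rec["first"], ts)
    for app, rec in findings.items():
        hours = (rec["first"] - departed[rec["user"]]).total_seconds() / 3600
        rec["hours_after_departure"] = round(hours, 1)
        # A new login means the app still accepts the identity outright (direct
        # account or missed deprovisioning); activity without any login points to
        # an OAuth token or cached session that survived the IdP disable.
        rec["kind"] = ("direct_credentials_valid" if "login" in rec["events"]
                       else "residual_token_or_session")
        rec["first"] = rec["first"].isoformat()
    return findings

def orphaned_account_count(findings):
    """The 'target: 0' KPI: apps where a former employee's identity still works."""
    return len(findings)
```

Each finding maps straight back to the checklist: a residual token is a Phase 2 OAuth revocation that was missed, a working login is a Phase 3 shadow IT account to remediate, and hours_after_departure feeds the "time to discovery" metric.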

Compliance Metrics

  • GDPR erasure compliance: Percentage of departing employees whose data erasure requests are fully fulfilled
  • Audit completeness: Percentage of offboardings with complete documentation and audit trail
  • DPA coverage: Percentage of discovered SaaS vendors with valid data processing agreements

The Bottom Line

SaaS offboarding is a security imperative, not an administrative afterthought. Every departing employee who retains access to company data through unknown SaaS accounts is a breach waiting to happen.

The fix starts with visibility. If you can discover every SaaS account an employee has before their last day, you can revoke access comprehensively. Without that visibility, you're deprovisioning the accounts you know about and hoping for the best on the rest.

Hope is not a security strategy.


Want to see what a complete offboarding looks like? Book a demo and discover every SaaS account across your organization in 15 minutes.
