A new employee starts on Monday. His laptop is still with the supplier. The e-mail account does not exist. Nobody knows which software licenses he needs. Or vice versa: an employee resigns. Three weeks after her last day, she still has access to all systems because no one has thought to block the accounts.
Both scenarios are not uncommon. According to recent studies, 71% of all companies have no formal offboarding process. The result: security gaps, wasted licenses, frustrated employees and, in the worst case, data loss or cyberattacks.
In this article, you will learn how to set up structured onboarding and offboarding – with clear checklists, responsibilities and processes that really work. You don’t need to be an IT expert to implement this. All you need is a system.
The goal: Everything is ready on the first day. On the last day, everything is secured. And everything runs smoothly in between.
What often goes wrong (and what it costs you)
Before we get into the solutions, let’s be honest: What happens if onboarding and offboarding don’t run smoothly?
Onboarding chaos: first impressions count
Scenario 1: The lost first day
Lisa starts as the new Marketing Manager. She comes into the office, full of motivation. Then:
- Your laptop is not there (forgotten order)
- The e-mail account has not been created
- Access to Canva, HubSpot, Asana?
- Nobody knows who is responsible for what
Result: Lisa sits around for 3 days, feels unwelcome and wonders whether she has made the right decision. Studies show: Good onboarding increases employee loyalty and reduces staff turnover. Poor onboarding has the opposite effect.
Costs:
- Lost productivity: 3 days at €500 each = €1,500
- Frustration and a bad impression: priceless
- Additional IT emergency assignments: 2-4 hours
Scenario 2: Lack of access = security risk
New employee gets admin rights because “it’s quicker”. He inadvertently downloads malware. All systems are affected.
Costs of a malware attack: on average €50,000-200,000 for SMEs (downtime, data recovery, image damage).
Offboarding disaster: the underestimated danger
Scenario 1: The ex-employee with full access
Thomas resigns in a dispute. His last day is March 15. On March 30 – two weeks later – he still has:
- Access to his e-mail account
- Admin rights in the cloud storage
- Passwords for social media accounts
- VPN access to the company network
What can happen:
- Data theft (customer lists, business secrets)
- Sabotage (deleting files, manipulating systems)
- Reputational damage (misuse of social media)
Insider threats are responsible for 60% of all data breaches. And: a third of companies need more than 24 hours to log out ex-employees – a huge security risk.
Real-life example: A retail company from Baden-Württemberg dismissed a sales employee in 2024. He still had access to the CRM for 6 weeks and copied the entire customer database – 12,000 contacts – onto his private USB stick. The customer list ended up with the competition. Damage: Over €200,000 due to lost orders.
Scenario 2: Zombie accounts and wasted licenses
Ex-employees are gone, but their accounts remain. The result:
- Zombie accounts that can be taken over by cybercriminals
- Ongoing costs for unused software licenses (Microsoft 365, Adobe, CRM, etc.)
- Compliance violations (GDPR: accounts without authorization)
Cost example:
- Microsoft 365 Business: 12€/month
- Adobe Creative Cloud: 60€/month
- HubSpot CRM: 50€/month
- Asana: 12€/month
Per forgotten account = 134€/month = 1,608€/year wasted.
With 5 forgotten accounts over 2 years: €16,080 burned.
The most common errors at a glance
| Error | Onboarding | Offboarding |
|---|---|---|
| No checklist | Forgotten entrances, chaotic start | Accounts remain active |
| Unclear responsibility | “Who does what?” | Nobody feels responsible |
| Shared accounts | Passwords are passed on | Ex-employee knows all passwords |
| Lack of automation | Manual effort, errors | Delay, security gaps |
| No documentation | Who has which accesses? | Which accounts were there at all? |
Conclusion: Bad onboarding/offboarding costs you money, security and employee motivation. The good news: it can be solved.
Roles & responsibilities: Who does what?
A process only works if it is clear who is responsible for what. Here is your framework:
The three main players
1. HR / Management
- Onboarding: Trigger the process (set hiring date)
- Offboarding: Trigger the process (set termination date)
- Responsible for:
- Employment contracts, non-disclosure agreements
- Exit interviews (for offboarding)
- Communication with the team
2. IT manager / external IT service provider
- Onboarding: Technical setup (devices, accounts, access)
- Offboarding: Technical deprovisioning (blocking accounts, backing up data)
- Responsible for:
- Hardware provision
- Account creation/deletion
- Data backup and transfer
- Security audits
3. direct manager / team lead
- Onboarding: Professional induction
- Offboarding: knowledge transfer, handover
- Responsible for:
- Define access rights (Which folders? Which tools?)
- Software requirements (Does the person need CAD? Accounting software?)
- Data transfer (who takes over projects?)
RACI matrix: Who is responsible for what?
Explanation:
- R (Responsible): Performs the task
- A (Accountable): Ultimately responsible, must approve
- C (Consulted): Is consulted, provides input
- I (Informed): Will be informed
| Task | HR | IT | Manager |
|---|---|---|---|
| Start the onboarding process | A,R | I | I |
| Order hardware | I | R,A | C |
| Create e-mail account | I | R,A | – |
| Define software accesses | I | R | A,C |
| Set up password manager | I | R,A | – |
| Activate MFA | I | R,A | – |
| Professional training | I | – | A,R |
| Start the offboarding process | A,R | I | I |
| Deactivate accounts | I | R,A | – |
| Transfer data | I | C | A,R |
| Collect hardware | C | R,A | I |
| Exit interview | A,R | – | C |
Important: In small companies (< 10 employees), one person often takes on several roles. This is OK as long as the tasks are documented.
System owner: Who is responsible for which tool?
There should be an “owner” for each tool/system – someone who knows how it works and who has access to it.
Example:
| System | Owner | Backup owner |
|---|---|---|
| Microsoft 365 | IT Admin | Management |
| CRM (HubSpot) | Sales Manager | IT Admin |
| Accounting (Lexoffice) | Accounting | Management |
| Password manager (1Password) | IT Admin | – |
| Cloud storage (Nextcloud) | IT Admin | – |
| Social Media | Marketing | Management |
Why is it important?
- For onboarding: Who sets up the access?
- For offboarding: Who removes access?
- In case of problems: Who is the contact person?
Onboarding check: The first day is ready
Good onboarding starts BEFORE the first day. Here is your step-by-step plan:
Phase 1: Preparation (1-2 weeks before start)
Week 2 before the start:
- [ ] HR informs IT: name, start date, position, department
- [ ] Manager defines requirements:
- What software is required? (Office, CAD, accounting etc.)
- Which access rights? (Folders, databases, admin rights?)
- Mobile devices necessary? (Company cell phone, tablet?)
- [ ] Order/prepare hardware:
- Laptop/desktop (note delivery time!)
- Monitor, keyboard, mouse
- Headset (for remote work)
- Docking station
- Company cell phone (if required)
Week 1 before the start:
- [ ] Create e-mail account:
- Format:
vorname.nachname@firma.de - Prepare e-mail signature
- Add to distribution list (e.g.
team@firma.de)
- Format:
- [ ] Create accounts:
- Microsoft 365 / Google Workspace
- VPN access (if remote)
- Cloud storage (Nextcloud, OneDrive etc.)
- Communication (Slack, Teams, Zoom)
- Project management (Asana, Monday etc.)
- CRM (if required)
- Industry software
- [ ] Password manager access:
- Create account in 1Password/Bitwarden
- Access to Team Vault
- Set initial master password
- [ ] Set up hardware:
- Install/update operating system (Windows 11, macOS)
- Install antivirus
- Install VPN client
- Install standard software (Office, browser, PDF reader)
- Activate BitLocker/FileVault (hard disk encryption)
- Include device in MDM (Mobile Device Management) (if available)
Day before start:
- [ ] Send welcome e-mail:
- Start time, location, contact person
- What to bring?
- First steps guide
- [ ] Prepare workstation:
- Hardware set up and tested
- Desk, chair
- Welcome package (notebook, pens, company merchandise)
Phase 2: First day
In the morning (first 2 hours):
- [ ] Personal reception:
- Welcome by the manager
- Tour of the office/introduce the team
- Handover of hardware (laptop, cell phone, access card)
- [ ] IT facility with employees:
- Initial registration on the device
- Set up e-mail account (set password)
- Activate MFA (multi-factor authentication):
- Install Microsoft Authenticator / Google Authenticator
- Scan QR code
- Store backup codes securely
- Set up a password manager:
- Set master password
- Install browser extension
- Save first passwords
- [ ] Test important accesses:
- Send/receive e-mail
- Open cloud storage
- Test VPN connection (if remote)
- Communication tools (Teams/Slack)
Midday/afternoon:
- [ ] IT security briefing (15-30 min.):
- Recognize phishing emails
- Password guidelines (no reuse!)
- Handling sensitive data
- What to do with suspicious emails?
- GDPR basics (only work on company devices, etc.)
- [ ] Access to specific tools:
- CRM training (if required)
- Set up industry software
- Project management tools
- Access to relevant folders/drives
- [ ] Standard user account:
- Employee does NOT work with admin rights
- Admin password only for IT
- Installation requests via IT ticket system
Phase 3: First week
- [ ] Software training:
- Office tips (if necessary)
- CRM system
- Project management
- Time recording
- [ ] Professional training:
- Clarify responsibilities
- First tasks
- Contact for questions
- [ ] Feedback meeting (end of week 1):
- Is everything working technically?
- Is access/software still missing?
- Questions about the IT infrastructure?
Onboarding checklist: Overview
Hardware:
- [ ] Laptop/desktop provided
- [ ] Monitor, keyboard, mouse
- [ ] Headset
- [ ] Company cell phone (if required)
- [ ] Access card/key
Accounts & accesses:
- [ ] E-mail account
- [ ] Microsoft 365 / Google Workspace
- [ ] VPN access
- [ ] Cloud storage
- [ ] Communication tools (Teams, Slack)
- [ ] Password manager
- [CRM (if required)
- [ ] Project management
- [ ] Industry software
Security:
- [ ] MFA activated (e-mail, cloud, VPN)
- [ ] Password manager set up
- [ ] Hard disk encryption active
- [ ] Antivirus installed
- [ ] Standard user account (no admin rights)
- [ ] IT security briefing conducted
Documentation:
- [ ] Access data in the password manager
- [ ] Emergency contacts stored
- [ ] Hardware handover documented (serial number etc.)
Offboarding check: separate cleanly, stay safe
Offboarding is just as important as onboarding – only more time-critical. Every hour counts here.
Phase 1: Preparation (as soon as notice of termination is known)
Immediately (day 1 after notification of termination):
- [ ] HR informs IT & management:
- Name of the employee
- Last working day
- Reason for termination (amicable/dispute → higher risk)
- [ ] Risk assessment:
- Did the person have admin rights?
- Access to sensitive data? (customer lists, finances, code)
- What was the mood like? (Termination in a dispute = higher risk)
- Remote employee? (Hardware return more complicated)
- [ ] Create an offboarding plan:
- Which accounts need to be deactivated?
- What data must be transferred?
- Who takes on which tasks?
1-2 weeks before the last day:
- [ ] Organize knowledge transfer:
- Manager plans handover sessions
- Documentation of ongoing projects
- Transfer customer contacts
- Transfer passwords for shared accounts (if available → should be changed afterwards!)
- [ ] Data inventory:
- Which files are stored locally on the device?
- Which cloud folders are private?
- Back up your e-mail archive?
- Identify licenses (which ones can be terminated?)
Phase 2: Last working day
In the morning:
- [ ] Exit interview (HR/executive):
- Obtain feedback
- Assessing the mood (risk assessment)
- Hardware return agreement
- [ ] Data transfer:
- Transfer local files to server/cloud
- Set up e-mail forwarding (to successor/manager)
- Project documentation complete?
- Transfer customer contacts
Midday/afternoon:
- Collect [ ] hardware:
- Laptop/desktop
- Monitor, keyboard, mouse
- Company cell phone
- Access cards/keys
- USB sticks, external hard disks
- Create a log: Document serial numbers
- Change [ ] Shared Credentials:
- Social media accounts
- Shared drive passwords
- Admin passwords
- WLAN password (if the person knew it)
After work / in the evening of the last day:
- Deactivate [ ] accounts (DO NOT delete!):
- E-mail account: Deactivate, set up forwarding
- Microsoft 365 / Google Workspace: Withdraw license
- VPN access: Blocking
- Cloud storage: revoke access
- Communication tools: Remove from teams/channels
- CRM: Deactivate
- Project management: Deactivate
- Industry software: Deactivate
- Password manager: Revoke access
- Remove [ ] MFA devices:
- Remove from Microsoft Authenticator/Google Authenticator
- Invalidate backup codes
- [ ] Groups/distributors:
- Remove from e-mail distribution lists
- Remove from Slack channels/teams groups
- Remove from Google Drive/OneDrive shares
Phase 3: Follow-up (days/weeks afterwards)
Day 1-3 after last day:
- [ ] Set up e-mail auto-responder:
- “Person XY is no longer with the company. Please contact…”
- For external contacts (customers, suppliers)
- [ ] Data transfer:
- Archive e-mail inbox (if required by law)
- Ex-employee’s OneDrive/Google Drive: transfer ownership to manager
- Local files: Create backup, then delete device
- [ ] Hardware check:
- Reset device to factory settings
- Decrypt BitLocker/FileVault
- New installation for next employee
Week 1-2 after last day:
- [ ] Cancel/redistribute licenses:
- Microsoft 365: Remove license (saves 12€/month)
- Adobe Creative Cloud: Cancel (60€/month)
- CRM: Release license
- Check software subscriptions
- [ ] Perform audit:
- All accounts really deactivated?
- Check Shadow IT (has the person created their own accounts?)
- Check vendor access (did the person have access to external tools?)
- Delete [ ] accounts (after 30-90 days):
- Only after the retention period
- Archive emails (GDPR/observe retention obligations!)
- Then complete deletion
Offboarding checklist: Overview
Preparation:
- [ ] IT & Executive informs
- [ ] Risk assessment carried out
- [ ] Knowledge transfer organized
- [ ] Data inventory created
Last day:
- [ ] Exit interview
- [ ] Transfer data
- [ ] Hardware collected
- [ ] Shared credentials changed
- [ ] All accounts deactivated
- [ ] MFA removed
- [ ] Removed from groups/distributors
Follow-up:
- [ ] E-mail forwarding/auto-responder
- [ ] Data archived
- [ ] Hardware reset
- [ ] Licenses terminated
- [ ] Audit performed
- [ ] Accounts deleted after deadline
Special cases: Remote, working students, admin accounts
Remote employees
Onboarding:
- Send hardware (allow 2-3 days delivery time!)
- Video call for IT setup
- Use remote maintenance software (TeamViewer, AnyDesk)
- More detailed documentation (no personal support on site)
Offboarding:
- Send the return label
- Set a deadline (e.g. 5 days after the last day)
- In the event of non-return: costs withheld from the last salary (regulate in the contract beforehand!)
Working students / interns
Onboarding:
- Often shorter duration → simplified process
- Restricted access rights (only what is necessary)
- Temporary accounts (set automatic expiration date)
Offboarding:
- Mostly planned (end of internship/working student contract)
- Communicate early
- Offer testimonials/references (maintain a good relationship)
Admin accounts / IT staff
Take special care:
- IT staff often have several accounts with increased rights
- Comprehensive audit of all accounts
- Change all passwords (especially critical systems)
- Consider an external IT audit
Checklist for IT offboarding:
- [ ] Identify all admin accounts (often hidden/test accounts)
- [ ] Change root passwords
- [ ] Revoke VPN certificates
- [ ] Remove SSH keys
- [ ] Check firewall rules (backdoors?)
- [ ] Access to hosting/cloud providers (AWS, Azure etc.)
- [ ] Domain registrar access
- [ ] Code repositories (GitHub, GitLab)
Templates & proofs: Order is a must
Documentation sounds annoying, but saves you in an emergency (audit, legal dispute, GDPR audit).
1st template: Onboarding protocol
2nd template: Offboarding protocol
3rd template: Account overview (master list)
4th template: Hardware handover protocol
Where to save?
- Protected folder (HR & IT access only)
- Password manager (1Password: Secure Notes)
- HR software (if available)
Automation: less effort, fewer errors
Manual checklists work for small teams (< 10 people). But as soon as you do onboarding/offboarding more often, automation pays off.
Tools for automated onboarding/offboarding
1. Microsoft 365 / Google Workspace (integrated)
Automation:
- New employee is created in the HR system
- Automatic: e-mail account, OneDrive, Teams access
- Assign group memberships automatically
- When leaving: Deactivate account automatically
Setup:
- Power Automate (Microsoft) / Google Apps Script
- Azure AD Lifecycle Management
2. zapier / make (no-code automation)
Example workflow:
- New entry in HR table (Google Sheets / Airtable)
- Automatic: Slack message to IT
- Automatic: Create accounts (Zapier integrations)
- Automatic: Onboarding e-mail to employees
Costs: From 20€/month (Zapier), from 9€/month (Make)
3. specialized tools
- BambooHR: HR software with IT onboarding workflows
- Rippling: Combines HR, Payroll, IT (USA-focused)
- Workday: Enterprise solution (for larger companies)
- JumpCloud: Directory-as-a-Service (similar to Active Directory, cloud-based)
4. scripting (for technical teams)
PowerShell script for onboarding (Microsoft 365):
# Neuen Benutzer erstellen
New-MsolUser -UserPrincipalName "max.mustermann@firma.de" `
-DisplayName "Max Mustermann" `
-FirstName "Max" `
-LastName "Mustermann" `
-UsageLocation "DE" `
-LicenseAssignment "firma:ENTERPRISEPACK"
# Zu Gruppen hinzufügen
Add-MsolGroupMember -GroupObjectId "abc123" -GroupMemberType "User" `
-GroupMemberObjectId (Get-MsolUser -UserPrincipalName "max.mustermann@firma.de").ObjectId
Advantage: Repeatable, no manual errors.
What you should NOT automate
- Personal greeting: people appreciate personal contact
- Exit interviews: Important feedback
- Risk assessment: human judgment is important when offboarding in a dispute
- Data transfer: Needs context and understanding
Compliance & legal matters: GDPR, retention obligations, employment law
GDPR for offboarding
The dilemma: You have to delete data (data minimization), but also retain it (legal obligations).
What MUST be deleted:
- Personal data without business reference (private e-mails, photos)
- Accounts in systems (after retention period)
- Access logs (after fulfillment of purpose)
What MUST be kept:
- Emails with a business reference (e.g. contracts, offers): 6-10 years
- Financial documents: 10 years (Commercial Code)
- Employment contract, payslips: 10 years (social insurance)
- Time recording data: 2 years (Working Hours Act)
Best Practice:
- Archive e-mail inbox (extract business e-mails)
- Delete personal data
- Store archive in encrypted form (only HR/management access)
- After retention period: Final deletion
Retention periods (Germany)
| Document | Deadline | Legal basis |
|---|---|---|
| Employment contract | 10 years | Social insurance |
| Payroll accounting | 10 years | Social insurance |
| Business e-mails | 6 years | HGB §257 |
| Invoices | 10 years | AO §147 |
| Time recording | 2 years | Working Hours Act |
| Application documents | 6 months (rejected) | AGG |
Employment law pitfalls
Termination without notice:
- Immediate offboarding process
- Block access IMMEDIATELY (risk of sabotage)
- Consult a lawyer (proceed correctly under labor law)
Exemption:
- Employee no longer has to work, but is still employed
- Do NOT block access completely (problematic under labor law)
- E-mail access may be restricted (read only, no sending)
Action for unfair dismissal:
- Retain all data (possible evidence)
- Documentation of the offboarding process is important
Tip: For legally sensitive terminations, ALWAYS consult a lawyer before blocking accounts.
Frequently asked questions (FAQ)
How much time do I need for onboarding/offboarding?
Onboarding:
- Preparation: 2-4 hours
- First day: 1-2 hours (together with employee)
- First week: 30-60 min. aftercare
Offboarding:
- Preparation: 1-2 hours
- Last day: 2-3 hours
- Follow-up: 1-2 hours
What is the cost of bad onboarding/offboarding?
Onboarding:
- Lost productivity: 1,000-3,000€ (first days without access)
- Security risks: Potentially €50,000-200,000 (in the event of a malware attack)
- Fluctuation: 30.000-80.000€ (recruitment + training of new person)
Offboarding:
- Unused licenses: 1.600€/year per forgotten account
- Data loss: Priceless (customer data, business secrets)
- Security incident: €50,000-500,000 (insider threat)
Do I need onboarding/offboarding for mini-jobbers?
Yes, mini-jobbers also have:
- E-mail access (often)
- Access to customer data
- Hardware (sometimes)
Simplified process is OK, but don’t leave it out completely.
What do I do with very small teams (2-5 people)?
- Automation mostly overkill
- Simple checklist (Word/Excel) is sufficient
- Important: Document anyway!
- For growth: scaling processes
Can I outsource onboarding/offboarding?
Partially:
- Hardware setup: Yes (IT service provider)
- Account creation: Yes (Managed IT Services)
- Professional training: No (internal)
- Exit interviews: No (HR task)
How do I deal with shared accounts?
In the short term:
- Save passwords in the team password manager
- For offboarding: change ALL shared passwords
Long-term (best practice):
- Avoid shared accounts
- Everyone has their own account with defined rights
- For unavoidable shared accounts (e.g. social media): Role-based access (multiple admins instead of one password)
What about cloud services that are not directly linked?
Example: Employee has created Canva account with company e-mail.
Solution:
- For onboarding: list of ALL cloud services used
- For offboarding: go through it systematically
- Tools such as “Google Password Manager” show saved logins
Shadow IT problem: Regularly audit which services are used.
Summary: Your next steps
Onboarding and offboarding are not optional “nice-to-haves” – they are business-critical. Poor processes cost you money, security and employee satisfaction.
The good news is that with clear checklists, defined responsibilities and a little automation, it is absolutely feasible.
Your 4-week plan
- Week: Stocktaking
- [ ] List ALL systems that you use (email, cloud, CRM, etc.)
- [ ] For each system: Who is the owner?
- [ ] Current process: How is onboarding/offboarding going today? (evaluate honestly!)
Week 2 : Create checklists
- [ ] Adapt onboarding checklist (to your tools)
- [ ] Customize offboarding checklist
- [ ] Create templates (protocols, hardware handover)
Week 3 : Clarify roles
- [ ] Fill in the RACI matrix (who does what?)
- [ ] Coordinate with HR/executives
- [ ] Document process (Confluence, SharePoint, Wiki)
Week 4 : Testing & optimization
- [ ] At the next onboarding: Test the checklist
- [ ] Obtain feedback (employees, IT, HR)
- [ ] Customize process
After that: Continuous improvement. Review the process every 6 months.
Conclusion: Invest 4 hours, save thousands of euros
A structured onboarding/offboarding process is not rocket science. It needs:
- Clear checklists
- Defined responsibilities
- Consistent implementation
The investment: 4-8 hours setup, 2-4 hours per employee.
The return: Satisfied employees, secure systems, no wasted licenses, zero insider threats.
2026 is the year in which you professionalize your IT processes. Start with onboarding/offboarding – it’s the quick win that is immediately noticeable.
Do you need support?
Setting up onboarding/offboarding is doable, but sometimes you just need someone to lend a hand. We are happy to help you – flexibly and without fixed contracts:
- Process setup: We create your individual checklists together with you (2-3 hours)
- Automation: We set up workflows for you (e.g. Zapier, Power Automate)
- Managed onboarding: We take care of the entire IT setup for new employees
- Offboarding support: We block accounts, back up data, document everything
🗓️ Book a flexible appointment now
About itsupport.online: We are your partner for reliable IT support – online, throughout Germany and without a contract. From onboarding processes and cloud solutions to complete IT setups: you book exactly the help you need, when you need it.
