Identity Governance

Why offboarding is the riskiest part of the identity lifecycle

A customer called me last summer. A former employee still had access to their Azure billing console four months after leaving. Nobody had noticed because the account was still inside a security group that nobody owned anymore.

May 14, 2026 | 4 min read | Fredrik Schöld

Nobody got hacked. Nothing bad happened. They just got lucky.

Offboarding is the riskiest part of the identity lifecycle and most teams treat it like a checkbox. Disable the account, change the password, done. Then six months later you find an old contractor still receiving Teams notifications.

Why offboarding gets missed

Onboarding has urgency. The new hire is starting on Monday. The manager is asking. HR is asking. The new person needs a laptop and a login or they cannot do their job.

Offboarding has the opposite problem. The person is already gone. They are not waiting for anything. Nobody is in your DMs asking when their access will be revoked. So it slides.

The other thing is that offboarding is mostly cleanup work. Onboarding adds. Offboarding has to subtract from a list nobody really wrote down. The project sites, the shared mailboxes, the Entra ID groups picked up during a leave cover three years ago. None of it lives in one place.

What it actually costs you

Three things, in order of how badly they hurt.

First, the breach you have not had yet. A former employee with active credentials is one phishing email away. From there, an attacker is inside your tenant with whatever access the leaver had. Even if you trust the person, you do not control their next employer or their device hygiene.

Second, the audit finding. Any auditor pulling a sample of leavers will check whether their access was revoked. ISO 27001, SOC 2 and NIS2 all require it. A leaver from eight months ago with active group memberships is a control gap. You get to write a corrective action plan and explain it to the certification body.

Third, the licenses. A 200-person company with steady turnover usually has 10 to 30 stale licenses on disabled or forgotten accounts. At E3 prices, that is a real number on a real invoice every month.

The bit that breaks most offboarding processes

The Entra ID account disable is the easy bit. Most teams nail that on day one.

What breaks is everything attached to the account.

Group memberships. The user was in 47 groups. Some of those grant access to SharePoint sites, Teams channels, shared mailboxes and application roles. Disabling the account does not always cut those connections cleanly.

License assignments. Licenses do not detach automatically. They have to be removed manually or by a script. Otherwise you pay for them.

Mailbox conversion. Sometimes you want the mailbox kept as a shared mailbox so a colleague can pick up the in-flight conversations. Sometimes you want it deleted after 30 days. Neither happens by default in a sensible way.

Device sign-outs. The last device still holds cached tokens, and those tokens stay valid for hours after the disable. Unless your Conditional Access policies handle the disabled state correctly, the device can keep working past the point you expect.

External shares. Files the user shared with vendors. Anonymous links to OneDrive folders. Those keep working until somebody walks through Sharing settings and revokes them.
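To see how much of this is already sitting in your tenant, here is an added example (not from the post or from Adcyma) that lists disabled Entra ID accounts still carrying licenses or group memberships. It assumes the Microsoft.Graph PowerShell SDK and an account consented for User.Read.All and GroupMember.Read.All.

```powershell
# Added example: find disabled accounts that were never fully cleaned up.
# Assumes the Microsoft.Graph PowerShell SDK is installed and consented.
Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All" -NoWelcome

# Every disabled account, with its license assignments pulled in one call
$disabled = Get-MgUser -Filter "accountEnabled eq false" -All `
    -Property Id,UserPrincipalName,AssignedLicenses

$findings = foreach ($u in $disabled) {
    # memberOf also returns directory roles and admin units; keep groups only
    $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $licenses = @($u.AssignedLicenses).Count

    if ($licenses -gt 0 -or $groups.Count -gt 0) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Licenses   = $licenses
            Groups     = $groups.Count
            # Group names so the owner of each one can be chased down
            GroupNames = ($groups | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join '; '
        }
    }
}

# Worst offenders first, plus a CSV to hand to whoever owns the cleanup
$findings | Sort-Object Licenses, Groups -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\stale-leaver-access.csv -NoTypeInformation
```

Anything with a non-zero license count is money out the door every month; anything with group memberships is the access that survives a disable.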

How to actually do it

You need three things.

A trigger. Something that fires the moment HR marks the person as a leaver. Not a Slack message to IT. An actual event your tooling can listen for. If you do not have an HR system that exposes that, the last working day in the calendar is acceptable.

A checklist that runs against the trigger. Disable, remove from groups, strip licenses, handle the mailbox, expire sessions, audit external shares. Same steps every time. No improvisation.

A delayed cleanup pass. Thirty days later, hard-delete or convert per your retention policy. Sixty days later, confirm there is nothing in OneDrive that should be kept. This part almost always gets skipped, which is why stale mailboxes pile up.
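The checklist above as a script, added here as an example and not the post's or Adcyma's own code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an admin consented for User.ReadWrite.All and Group.ReadWrite.All with Exchange recipient rights, and it leaves the external-share review to SharePoint tooling.

```powershell
# Added example: the revoke sequence for one leaver, in checklist order.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules and admin consent.
param([Parameter(Mandatory)][string]$Upn)

Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All" -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,LicenseAssignmentStates

# 1. Disable the account, then revoke refresh tokens so cached sessions on the
#    last device stop renewing instead of running on until they expire.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Convert the mailbox to shared before the license goes, so a colleague
#    can still pick up the in-flight conversations.
Connect-ExchangeOnline -ShowBanner:$false
try   { Set-Mailbox -Identity $Upn -Type Shared -ErrorAction Stop }
catch { Write-Warning "Mailbox not converted: $($_.Exception.Message)" }

# 3. Remove every cloud group membership. Dynamic and on-prem synced groups
#    refuse cloud-side removal, so log them for follow-up rather than aborting.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    $name = $g.AdditionalProperties['displayName']
    try   { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop }
    catch { Write-Warning "Still in '$name': $($_.Exception.Message)" }
}

# 4. Strip directly assigned licenses. Group-inherited ones drop off with step 3
#    and cannot be removed here, so filter them out to avoid a Graph error.
$direct = $user.LicenseAssignmentStates |
    Where-Object { -not $_.AssignedByGroup -and $_.State -eq 'Active' } |
    Select-Object -ExpandProperty SkuId -Unique
if ($direct) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses @($direct) | Out-Null
}

Write-Host "Revoke sequence finished for $Upn. External shares still need a separate SharePoint review."
```

Hook it to the HR trigger and the warnings it emits become the list for the 30 and 60 day cleanup pass.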

If you want the worked example of the full sequence, the Entra ID offboarding checklist walks through every step.

The quiet part

Most offboarding pain comes from the fact that nobody owns it end to end. HR thinks IT does it. IT does the easy half and assumes the manager handles the rest. The manager assumes someone else did. So access creep builds on the live side, and stale access piles up on the leaver side.

Full transparency, this is our product. Adcyma watches the HR trigger and runs the full revoke sequence against Entra ID. It also handles the 30 and 60 day cleanup so the slow parts do not get forgotten. If you want a look, see how it deploys in a day instead of six months.
