IT Onboarding and Offboarding Checklist for Small Business

Every new hire and every departure is a small operational test of how well your business runs. When the process is rushed or improvised, you end up with new employees waiting days for accounts they need, ex-employees with lingering access to email and SaaS apps for weeks after they leave, and a steady drip of security and productivity costs that most owners never quite trace back to the source. For small and mid-size businesses across Chicagoland, IT onboarding and offboarding is one of the highest-leverage processes to document and run consistently — the payoff shows up in faster ramp times, fewer security incidents, and far less time spent firefighting after the fact.

This guide gives you a complete, practical IT onboarding and offboarding checklist designed for Chicago small businesses with 5 to 200 employees. It covers what to do before a new hire's first day, what to set up on day one, what to revoke when someone leaves, and how to handle the operational and compliance details that get missed when companies wing it. The framework works whether you are a 12-person law firm in the Loop, a 40-person SaaS startup in Fulton Market, or a 90-person manufacturer in the northwest suburbs.

Why a Documented IT Onboarding and Offboarding Process Matters

Most Chicago small businesses we work with have a process that looks something like this: when someone is hired, the owner emails IT a few notes, IT scrambles to set up a laptop and accounts, the new hire shows up and waits half a day for something to work, and a few weeks later everyone forgets they did it that way. When someone leaves, accounts may or may not get disabled depending on who remembers, the laptop comes back at some point, and shared passwords stay shared.

The hidden costs are real. Industry surveys of SMB IT operations consistently find that the average new hire loses 4 to 6 hours of productive time in their first week to IT setup issues — at a fully-loaded cost of $250 to $500 per onboarding. On the offboarding side, the average small business takes more than a week to fully revoke a departing employee's access to every SaaS app, and roughly one in four offboardings leaves at least one credential active for more than a month. For Chicagoland businesses in healthcare, finance, legal services, or any field handling protected client data, those lingering credentials are not just productivity issues — they are direct compliance and breach exposure.

The IT Onboarding Checklist: Before Day One

The fastest small-business IT teams treat onboarding as a process that begins the moment a candidate accepts an offer, not the morning they walk through the door. The goal is to have everything provisioned and tested 24 to 48 hours before the start date.

Trigger the workflow. Use a single intake form — a short HR or hiring-manager kickoff — that captures the new hire's full name, start date, role, department, manager, location (remote, in-office, hybrid), and the application access their role requires. This form is the source of truth that triggers every downstream IT task. Even a Google Form, Notion page, or shared spreadsheet works if it is consistently used.

Create core identity. Provision the user in your identity platform first — Microsoft Entra ID, Google Workspace, or Okta — because every other system will inherit identity from there if you have single sign-on configured. Set a strong initial password, require a reset on first login, and enroll the user in multi-factor authentication during setup.

Provision applications by role. Use predefined access templates for each role — sales, accounting, operations, executive — so the hiring manager does not have to remember every individual app. A sales hire gets CRM, email, calendar, Zoom or Teams, the proposal tool, the marketing automation viewer, the BI dashboard, and the shared sales drive. An accounting hire gets QuickBooks or NetSuite, the bank portal, expense management, and the finance share. Documenting these role packages once saves hours on every subsequent hire.

Prepare the device. Order or pull a laptop from inventory, image it through your MDM (Microsoft Intune for Windows, Jamf or Kandji for Mac), pre-install required software, enroll it in EDR, and label it with the asset tag. For remote employees, ship the device with enough lead time to arrive two to three days before the start date. For employees in the Chicago office, have it ready at their desk or in a sealed welcome kit.

Pre-build the welcome kit. A simple onboarding document — sent the day before start — covers Wi-Fi credentials, how to log in, where to find policies, who to contact for help, and a 15-minute first-day IT orientation booked on the calendar. This single document eliminates the bulk of first-day support tickets.

The IT Onboarding Checklist: Day One and Week One

On day one, the goal is for the new hire to log in, complete identity verification, and reach a productive state within the first 90 minutes. Run a brief IT orientation — in person or over video — that walks them through password manager setup, MFA enrollment, mailbox configuration, and an overview of acceptable use, data handling, and reporting suspicious activity. This 15-to-30-minute session is the single highest-ROI security investment small businesses can make.

During week one, validate access. Have the new hire and their manager confirm that every application and shared resource they need is working. Capture missing access through your help desk system rather than ad-hoc requests so the gaps become visible in your onboarding metrics over time. Schedule a 30-day check-in to catch anything that surfaces once the employee is fully operational.

The IT Offboarding Checklist: Immediate Actions

Offboarding has a sharper time pressure than onboarding. The window between an employee being informed of their departure and their access being cut should be minutes for involuntary terminations and the same business day for voluntary ones. Coordinate with HR so IT is in the loop before, not after, the termination meeting.

Disable identity. The fastest single action that closes the most exposure is disabling the user account in your identity platform. In Microsoft Entra ID or Google Workspace, this immediately blocks new logins to every SSO-connected application, kills active sessions across most services, and invalidates refresh tokens.

Revoke MFA and reset sessions. Disabling the account does not always log out active sessions in every app. Force a session revocation in your identity provider, remove the user's MFA tokens, and sign them out of all devices.

Wipe the mobile work container. For employees with phones enrolled in MDM, issue a selective wipe that removes the work container — email, work apps, work data — while leaving personal content intact. For company-owned phones, issue a full device wipe.

Cut SaaS apps not behind SSO. Every business has SaaS apps that fall outside SSO — niche tools, free-tier accounts, vendor portals — and these are the most common offboarding misses. Maintain a SaaS inventory and review it on every departure. Removing the user from a Slack workspace, an Asana account, a Mailchimp seat, or a vendor extranet has to happen by hand if it is not SSO-connected.

Reset shared credentials. Any password the departing employee knew that was shared — service accounts, social media logins, vendor portals, building keypad codes — needs to be rotated. A password manager with team vaults makes this dramatically easier; without one, this step is where most small businesses fail silently.

Recover physical assets. Laptops, monitors, keyboards, headsets, building badges, parking passes, company credit cards, and any other physical company property. For Chicago employees in WeWork, Industrious, or coworking arrangements, also remove their access from the building management platform.

Forward email and preserve data. Set up an email forward or shared mailbox so customer messages do not bounce, and preserve the departing employee's mailbox and OneDrive or Google Drive content according to your retention policy. For regulated industries or contested departures, take a forensic export before deletion.

Special Cases: Involuntary Terminations and Sensitive Roles

Involuntary terminations require tighter coordination. Plan with HR so IT is staged and ready to execute account disablement at the precise moment the employee is informed — not before, which can tip them off through unexpected logouts, and not after, which gives a window for data exfiltration. For sensitive roles like executives, finance leadership, IT administrators, or anyone with access to customer data at scale, take a forensic snapshot of their email, files, and admin activity logs before deletion. This protects the business if there is later litigation, an insurance claim, or a regulatory inquiry.

For IT administrators and anyone with elevated access, the offboarding scope expands significantly. Rotate every shared admin credential, audit every system the person had privileged access to, review service principal and API key usage for anything they could have created, and check for any backdoor accounts or scheduled tasks that could provide post-departure access. Chicagoland businesses in financial services, legal, or healthcare should have written offboarding procedures for privileged users specifically — generic offboarding workflows miss too much.

Automation: When It's Worth It

For small Chicago businesses with under 25 employees and a stable SaaS stack, a well-maintained checklist run by the same person each time is often the right answer — automation adds complexity without enough return at that scale. Once you cross roughly 25 employees, 15 SaaS apps, or two to three hires per quarter, automated provisioning starts paying for itself quickly.

The leading options for SMB lifecycle automation: Rippling combines HR, payroll, and IT provisioning in one platform and is popular with Chicago-area startups. BambooHR with its IT integrations gives a similar workflow at a slightly lower price point. Microsoft Entra ID with HR-driven provisioning — pulling user lifecycle from Workday, BambooHR, SAP SuccessFactors, or a custom HR feed — is the right answer for businesses already centered on Microsoft 365. Okta Lifecycle Management is the best fit for businesses with a heterogeneous SaaS stack and an existing Okta deployment.

Whatever you choose, the foundation has to be a clean source of truth for who works at the company. If your HR system is incomplete, every automation built on top of it will produce noisy, error-prone results.

Frequently Asked Questions

Why does IT onboarding and offboarding matter for a small business?

IT onboarding and offboarding directly affects security, productivity, and cost. A new hire who waits two days for accounts, equipment, or system access loses roughly $400 to $800 in productive time, and a rough first day hurts retention. A departing employee whose accounts are not revoked promptly is one of the most common sources of data breaches at small businesses. For Chicago businesses in regulated industries — healthcare, legal, financial services — gaps in offboarding can trigger compliance violations under HIPAA, Illinois PIPA, or cyber insurance policy terms. A documented checklist run consistently turns a chaotic, error-prone process into a predictable workflow that protects the business.

How long should IT onboarding take for a new employee?

A well-run IT onboarding process should have the new hire fully equipped and productive on day one — laptop ready, accounts provisioned, software installed, and access granted. For Chicago small businesses, the practical target is 24 to 48 hours of IT prep time before the start date, front-loaded the moment the hire is confirmed. Companies that wait until the start date routinely lose the entire first week of new-employee productivity. The fastest small-business IT teams use a kickoff form completed by the hiring manager to trigger account creation, device imaging, and software assignment, often through Microsoft Intune, Jamf, or a tool like Rippling or BambooHR's IT integrations.

What should be revoked immediately when an employee leaves?

Within minutes of departure — especially for involuntary terminations — every credential that grants access to business systems should be revoked. The minimum list: email and Microsoft 365 or Google Workspace account, VPN, all SaaS applications, shared file storage, cloud admin consoles, password manager vault, and any customer-facing portals or social media accounts. Mobile devices enrolled in MDM should have their work container or full device wiped. Physical access — keys, badges, parking passes — should be collected. Shared service accounts and API keys the person knew should be rotated. The highest-risk gap is usually SaaS access for shadow apps that were never inventoried.

Should we use automation tools for IT onboarding and offboarding?

For most Chicago small businesses, automation pays for itself once you have more than about 25 employees or 15 to 20 SaaS applications. Tools like Rippling, BambooHR with IT integrations, Microsoft Entra ID with HR-driven provisioning, or Okta Lifecycle Management can automatically create accounts in connected apps when a new hire is added to HR, and deprovision them on the termination date. For smaller teams, a well-maintained checklist paired with single sign-on gives most of the benefit at a fraction of the cost. The decision usually comes down to how many SaaS apps you need to provision and how often you onboard or offboard.

How do we handle offboarding when an employee is terminated unexpectedly?

Coordinate the termination meeting with IT in advance so access is cut at the exact moment the employee is informed. Have the IT lead ready to disable accounts, revoke MFA tokens, wipe the mobile work container, sign the user out of all sessions, and reset shared credentials the moment the meeting begins. Collect company equipment in the termination meeting when possible. For sensitive roles — executives, finance, IT admins — preserve a forensic snapshot of the mailbox, files, and activity logs before deletion in case of legal disputes. Chicago employers should coordinate with HR and legal on Illinois-specific notification and final-pay requirements that interact with the timing of system access cutoff.