Offboarding of a Contractor Procedure

This sets out the steps to offboard a contractor from Vaxa.

Purpose

The purpose of this procedure is to outline the steps to be followed when offboarding a contractor from Vaxa’s systems and applications. It ensures that the offboarding process is conducted securely, efficiently, and in compliance with Vaxa’s policies and legal requirements.

Scope

This procedure applies to all contractors engaged by Vaxa, including temporary staff, consultants, and third-party vendors. It covers the steps to be taken by the IT team and the Onboarding Lead (or designated manager) to remove access to Vaxa’s systems and applications when a contractor’s engagement ends.

Roles & Responsibilities

| Role | Responsibility |
| --- | --- |
| Contractor | Cooperate with the offboarding process and return any Vaxa-owned assets. |
| HR or Legal | Inform the IT team and Onboarding Lead of the contractor’s end date and provide any necessary documentation. |
| Onboarding Lead | Initiate the offboarding process and ensure all steps are completed. |
| IT | Disable access to M365, revoke session tokens, and remove access from other systems. |

Procedure

Important: Offboarding must be initiated as soon as the contractor’s engagement ends, or as directed by HR or Legal. The Onboarding Lead (or designated manager) is responsible for initiating this process and ensuring all offboarding steps are completed, but will be supported by the IT team.

1. Initiation of Offboarding Process

  • Trigger: Offboarding should begin immediately once the contractor’s term is concluded, or upon receipt of a termination request from HR or Legal.
  • Responsibility: HR or Legal to inform the IT team and Onboarding Lead of the end date.
  • Documentation: Capture the final date of access and reason for offboarding in the contractor’s personnel record.

2. Disable and Remove Access from Microsoft Entra / M365

  • Action: Disable the contractor’s M365 account as soon as possible (preferably within 24 hours of termination notice).
    • Log in to the Microsoft 365 Admin Center using an admin account (admin.microsoft.com).
    • Navigate to Users > Active Users.
    • Locate the contractor’s account and select Block sign-in. This will prevent any further access to M365 services.
  • Remove from Groups:
    • Open the user’s profile in the Admin portal.
    • Under Groups, select Manage groups.
    • Remove the contractor from OS_x_Contractors and any other groups granting access to resources.
  • Licence Removal:
    • While still in the user’s profile, navigate to Licences and Apps.
    • Unassign all Microsoft 365 licences, including Business Basic, Business Premium, or any other assigned licence.
    • Navigate to Licenses and reduce the number of purchased licences to reduce costs.

3. Revoke Session Tokens and Invalidate Access

  • Action:
    • Visit entra.microsoft.com and log in with an admin account.
    • In the Entra/Azure AD portal, under the user’s profile, select Authentication methods and ensure no active sessions remain.
    • Use the “Revoke Sessions” option to invalidate all existing refresh tokens, blocking any chance of re-entry.
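
Sections 2 and 3 can also be carried out as one script, which leaves a repeatable record of what was done. The following is an added example, not part of Vaxa's own tooling: it assumes the Microsoft Graph PowerShell module is installed and an admin account that can consent to the listed scopes, and the `UserPrincipalName` parameter is a placeholder for the contractor's sign-in name.

```powershell
# Added example (not Vaxa's own tooling): scripted equivalent of sections 2 and 3.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. contractor@example.com
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All' | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,licenseAssignmentStates'

# Section 2: block sign-in.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Section 3: revoke refresh tokens and session cookies. Run straight after the
# block so existing sessions cannot be renewed while the clean-up below runs.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Section 2: remove the user from every group (OS_x_Contractors included).
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
$notRemoved = @()
foreach ($g in $groups) {
    try {
        $uri = "https://graph.microsoft.com/v1.0/groups/$($g.Id)/members/$($user.Id)/`$ref"
        Invoke-MgGraphRequest -Method DELETE -Uri $uri | Out-Null
    } catch {
        # Dynamic, directory-synced and mail-enabled groups cannot be edited via Graph;
        # report them so they are handled at their source.
        $notRemoved += $g.AdditionalProperties['displayName']
    }
}

# Section 2: unassign directly assigned licences. Licences inherited from a group
# are released by the group removal above, once group licensing has reprocessed.
$direct = @($user.LicenseAssignmentStates |
    Where-Object { $_ -and -not $_.AssignedByGroup } |
    ForEach-Object { $_.SkuId } | Select-Object -Unique)
if ($direct.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null
}

# Read the account back and emit a summary for the offboarding record (section 7).
$after = Get-MgUser -UserId $user.Id -Property 'accountEnabled,assignedLicenses,signInSessionsValidFromDateTime'
[pscustomobject]@{
    User              = $user.UserPrincipalName
    AccountEnabled    = $after.AccountEnabled                  # expected: False
    SessionsValidFrom = $after.SignInSessionsValidFromDateTime # expected: time of this run
    LicencesRemaining = @($after.AssignedLicenses).Count
    GroupsNotRemoved  = $notRemoved -join '; '
}
```

Revoking sessions invalidates refresh tokens, but an access token already issued stays usable until it expires (around an hour by default) unless the service enforces Continuous Access Evaluation. Any entry in `GroupsNotRemoved` needs manual follow-up before the step is recorded as complete.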

4. Removal of Access from Other Systems

  • Cloudflare Access Portal:

  • Productive (Project Management Tool):

    • The contractor’s account in Productive is tied to their M365 identity.
    • With M365 access removed, they will no longer be able to log in.
    • Confirm that no direct, non-SSO logins exist.
    • Reassign any of the contractor’s tasks, projects, or responsibilities to internal staff. This step is usually performed by the Project Manager or Onboarding Lead.
    • Remove the licence from the contractor’s account to reduce costs, if required.
  • Client Sites and Third-Party Services:

    • Remove the contractor from any client SharePoint sites, Teams channels, or external portals.
    • Revoke permissions from BitWarden, production IT environments (e.g. Google Cloud, AWS), scheduling software (e.g. Cal.com), LMS platforms, or any other services the contractor was granted access to.
    • Ensure no residual accounts or API keys tied to the contractor’s identity remain active.

5. Data Retrieval and Handover

  • Mailbox and Data:
    • If required, preserve the contractor’s mailbox content by placing it on eDiscovery hold (if applicable) or exporting mailbox data for legal and compliance purposes.
    • Transfer ownership of any SharePoint documents, Teams files, or OneDrive data to a designated internal staff member. This is usually best done by converting to a Shared Mailbox and assigning access to the relevant person.
  • Productive Project Handover:
    • Verify that all time entries and expense records are finalised.
    • Ensure that any non-completed tasks are reassigned to another user.

6. Hardware and Physical Asset Recovery

  • Action:
    • If the contractor was issued any Vaxa-owned devices (e.g. laptops, phones, security tokens), arrange for their immediate return.
    • Perform a factory reset or secure wipe of returned hardware to remove any residual data.

7. Notification and Confirmation

  • Communications:
    • HR or Legal to confirm with IT once all steps have been completed.
    • Notify the Onboarding Lead that the contractor’s offboarding is finalised.
  • Record Keeping:
    • Document the completion of offboarding steps in the contractor’s personnel file.
    • Retain any necessary access logs or audit reports in line with compliance requirements.

The contractor may be notified with an email to their personal email, similar to the following:


Subject: Vaxa Offboarding Notification

Dear [Contractor Name],

This email is to confirm that your access to Vaxa’s systems and applications has been disabled in line with the conclusion of your engagement. If you have any questions or require further information, please contact [Onboarding Lead’s Name] at [Onboarding Lead’s Email Address].

Thank you for your cooperation.

Best regards, [Onboarding Lead’s Name]


Compliance and Monitoring

The Onboarding Lead or IT Manager should periodically review the offboarding process to ensure all steps are followed consistently. Identify any gaps or risks and update this procedure as needed.

Exceptions

If a contractor requires partial offboarding (e.g. retaining access to certain systems for a defined period), ensure it is documented by the Onboarding Lead. Any deviation from this process must be approved by HR or Legal and recorded for audit purposes.