Hospitality turnover sits at around 75% a year in some segments - front of house in casual dining is the worst of it, but kitchen brigades and duty management are not far behind. If you run a 30-site group, that is roughly a leaver every working day, and probably more in the run-up to summer when students drift back to university. Every single one of those leavers is a potential security gap if your offboarding process is informal, and in most of the restaurant groups we audit at CloudMatters, it is very informal indeed.
This is the post I wish someone had handed me the first time I sat down with a hospitality finance director who could not explain why their former general manager was still receiving copies of the daily takings email three months after walking out the door. Here is how to do offboarding properly, what gets missed, and why the whole thing has to be automated if you have more than a handful of sites.
The gaps most restaurant groups leave behind
Before the checklist, it is worth being honest about what an “informal” offboarding process actually leaves on the table. When we run a leavers audit for a new client, this is the list we almost always come back with:
- The Microsoft 365 account is still active and the password still works. Sometimes the phone is still receiving meeting invites.
- Email forwarding is set up to a personal Gmail or iCloud address and has been for months. Every internal thread the account is copied on is being mirrored outside the business.
- A shared rota or stock account password - the one the leaver knew - has never been changed. Six other people still use it daily.
- Access to cloud apps is still live: rota software, EPOS back-office, reservations, the supplier ordering portal, the marketing email tool.
- A company iPad or Surface is still in their possession, still syncing OneDrive, and nobody has asked for it back because it was issued before the current ops director started.
- OneDrive and SharePoint files they had access to are still shared with their personal email, because they sent themselves a link six months ago for “working from home.”
- The fob, the alarm code and the back-door key are still in their pocket. Physical access is part of identity, and we will come back to that.
Any one of these is a problem. Together, they are how a disgruntled assistant manager ends up with a copy of the entire weekly P&L, or how a former chef walks an allergen database to a competitor.
The 14-step offboarding checklist
This is the checklist we run for our managed clients. It is deliberately tactical - print it, laminate it, stick it on the wall of the IT cupboard. If you cannot tick every box on the day someone leaves, you have a gap.
- HR notifies IT on the day of departure, ideally the hour of. Not the Monday after. Not when payroll runs. The hour. This is the single biggest cultural change most groups need to make and it is free.
- Disable the account, do not delete it. Disabling preserves the data for compliance, e-discovery and the inevitable “can you check what was in their inbox” request from finance two weeks later. Deletion is the final step, not the first.
- Block sign-in and revoke all active sessions. In Entra ID this is two actions - block sign-in, then revoke sessions - and the second one matters. Blocking sign-in stops new sign-ins; revoking sessions invalidates the refresh tokens already held by the leaver's phone and laptop, so they cannot silently renew. Either way, an access token already issued keeps working until it expires, roughly an hour by default, unless Continuous Access Evaluation is enforcing the change in near real time. Do both, and do them before anything else on the list.
- Remove from distribution lists and security groups. Otherwise they keep receiving forwarded mail through the DL even after their own mailbox is locked.
- Convert the mailbox to shared and reassign if needed. A shared mailbox under 50 GB with no archive or litigation hold does not need a licence, and it lets the manager who picks up their work see the history without the ex-employee being able to log in. Keep the account disabled after the conversion: a shared mailbox with a live account and a known password is just a mailbox someone else can sign into.
- Remove from EPOS, PMS, rota, payroll and any admin portals. This is the step that gets missed most often because each of these is a separate tool with a separate admin. Keep a single system inventory and walk it top to bottom.
- Rotate any shared account credentials they knew. Every shared rota login, every shared supplier portal, every shared Canva seat. If they could log in yesterday, the password changes today. A business password manager makes this a five-minute job; a spreadsheet of passwords makes it an afternoon.
- Wipe and retrieve company devices. Intune or your MDM can issue a remote wipe before the device comes back, and should - assume the device will not be returned and act accordingly.
- Revoke OAuth tokens and third-party app consent. Users grant apps access to their mailbox and OneDrive all the time, and those delegated grants survive a password change. Revoke them from the user's Applications page in Entra ID (or the app's Permissions tab under Enterprise applications), or in bulk through Microsoft Graph.
- Document handover for their OneDrive content. Reassign ownership to their line manager so nothing important disappears when the licence is reclaimed. By default a deleted user's OneDrive is kept for 30 days and then purged; the retention period and automatic manager access are both settings in the SharePoint admin centre, and if neither has been configured the first you hear of the loss is a panicked call from finance.
- Review and revoke conditional access policies specific to them. Most policies are group-based, but the exceptions - the “allow this user from this IP” rules that always creep in - need to be audited and removed.
- Audit what they accessed in the last 30 days. Microsoft Purview audit logs will tell you which files they downloaded, which mailboxes they touched and which admin actions they ran. If anything looks out of pattern - a sudden bulk download, access to folders outside their remit - you want to know before they walk, not after.
- Check email forwarding at the mailbox level. This is the one that catches everyone. Forwarding lives in two places: the mailbox's own forwarding address (the setting Outlook's options page writes) and inbox rules that forward or redirect. Both survive password changes, both can be set up in seconds, and both belong to the mailbox rather than the session, so blocking sign-in does nothing to them. Run a tenant-wide report on external forwarding at least monthly and always at offboarding, and set automatic external forwarding to Off in the Exchange Online outbound spam policy so a fresh rule to a personal address fails at the boundary instead of quietly working.
- Final account deletion after the retention period. Six months is a sensible default for most hospitality groups, longer if your sector regulator says so. Set a calendar reminder when you disable the account so it actually happens.
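The account-side steps above (2, 3, 4, 5, 9, 12 and 13) as a single PowerShell run whose log can go straight onto the leaver ticket. This is an added example written for this page, not CloudMatters' managed workflow: it uses the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module, and the user principal name, the chosen audit operations and the log format are assumptions. Steps that need a human (EPOS and rota portals, devices, shared credentials, OneDrive handover) are deliberately left out.

```powershell
<#
  Invoke-LeaverOffboarding.ps1  (added example, not CloudMatters' tooling)
  Runs the account-side checklist steps for one leaver: 2 disable, 3 revoke
  sessions, 4 groups, 5 shared mailbox, 9 app consents, 12 audit, 13 forwarding.
  Assumes: Microsoft.Graph and ExchangeOnlineManagement modules, an admin holding
  User Administrator + Exchange Administrator, and that step 10 (OneDrive
  handover) and licence reclaim happen afterwards, not here.
#>
function Invoke-LeaverOffboarding {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $log = [System.Collections.Generic.List[string]]::new()
    function Note([int]$Step, [string]$Message) {
        $line = '{0:u}  step {1,-2} {2}' -f (Get-Date), $Step, $Message
        Write-Host $line
        $log.Add($line)
    }

    # Step 2: disable, never delete, so the mailbox and OneDrive survive for e-discovery
    $user = Get-MgUser -UserId $UserPrincipalName -Property 'id','displayName','accountEnabled'
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Note 2 "sign-in blocked for $($user.DisplayName)"

    # Step 3: invalidate refresh tokens. Access tokens already issued keep working
    # until they expire (about an hour) unless Continuous Access Evaluation cuts them.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Note 3 'refresh tokens revoked'

    # Step 4: leave every group. Dynamic groups re-evaluate on their own; distribution
    # lists are Exchange objects, so Graph refuses them and we fall back to Exchange.
    foreach ($obj in (Get-MgUserMemberOf -UserId $user.Id -All)) {
        $g = $obj.AdditionalProperties
        if ($g['@odata.type'] -ne '#microsoft.graph.group') { continue }
        if ($g['groupTypes'] -contains 'DynamicMembership') { Note 4 "skipped dynamic group $($g['displayName'])"; continue }
        try {
            Remove-MgGroupMemberByRef -GroupId $obj.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        } catch {
            Remove-DistributionGroupMember -Identity $g['mail'] -Member $UserPrincipalName -Confirm:$false -BypassSecurityGroupManagerCheck
        }
        Note 4 "removed from $($g['displayName'])"
    }

    # Step 5: a shared mailbox under 50 GB with no archive or hold needs no licence
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    Note 5 'mailbox converted to shared'

    # Step 9: delegated consents (OAuth grants) survive password resets; remove them all
    $grants = @(Get-MgUserOauth2PermissionGrant -UserId $user.Id -All)
    foreach ($grant in $grants) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id }
    Note 9 "removed $($grants.Count) app consents"

    # Step 12: what did they touch in the last 30 days? (operation names are Purview's own;
    # the selection here is an assumption - widen it for your own tenant)
    $activity = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -UserIds $UserPrincipalName -ResultSize 5000 `
        -Operations FileDownloaded,FileSyncDownloadedFull,AnonymousLinkCreated,SharingSet,New-InboxRule
    foreach ($grp in ($activity | Group-Object Operations)) { Note 12 "last 30 days: $($grp.Count) x $($grp.Name)" }

    # Step 13: mailbox-level forwarding, then inbox rules that forward or redirect
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    $rules = Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        # Disable rather than delete: the rule itself is evidence if this turns into an incident
        Disable-InboxRule -Identity $rule.Identity -Mailbox $UserPrincipalName -Confirm:$false
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
        Note 13 "disabled rule '$($rule.Name)' -> $($targets -join '; ')"
    }

    [pscustomobject]@{ User = $UserPrincipalName; CompletedAt = Get-Date; Log = $log }
}

# Usage (UPN is a placeholder): one leaver, log goes on the ticket
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
(Invoke-LeaverOffboarding -UserPrincipalName 'former.gm@example.com').Log
```

The order is not accidental: sign-in block and session revocation come first, because everything after them takes minutes and a leaver who is still signed in can watch their own offboarding happen. The forwarding rules are disabled rather than removed so they survive as evidence, and the audit query is scoped to a handful of high-signal operations; a raw 30-day pull of everything the user did is usually thousands of rows nobody reads.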
Fourteen steps is a lot. That is the point. Try to do it from memory under time pressure on a Friday afternoon and you will miss four of them.
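Step 13 also asks for a tenant-wide external forwarding report at least monthly, which is a different job from the per-leaver check. Here is one as an added example, written for this page rather than taken from CloudMatters' tooling; it assumes the ExchangeOnlineManagement module, an Exchange Administrator session, and that every domain in the tenant's accepted-domain list counts as internal.

```powershell
<#
  Get-ExternalForwardingReport.ps1  (added example, not the page's own tooling)
  Lists every mailbox that forwards or redirects mail out of the tenant, whether by
  the mailbox-level forwarding address or by an inbox rule the user created.
  Assumes: ExchangeOnlineManagement v3, Exchange Administrator rights, and that
  Get-AcceptedDomain is the complete list of internal domains.
#>
function Get-ExternalForwardingReport {
    [CmdletBinding()]
    param()

    $internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() }

    # External = any address whose domain is not one we own. Mailbox-level forwarding
    # comes back as 'smtp:user@domain', so strip that prefix first.
    function Test-External([string]$Address) {
        $domain = ($Address -replace '^smtp:', '').Split('@')[-1].ToLowerInvariant()
        return -not ($internalDomains -contains $domain)
    }

    # Inbox-rule recipients are strings such as '"Name" [SMTP:addr]' for external
    # targets and 'Name [EX:/o=...]' for directory objects; keep only SMTP targets.
    function Get-SmtpTargets($Recipients) {
        foreach ($r in @($Recipients)) {
            if ("$r" -match 'SMTP:([^\]\s]+)') { $Matches[1] }
        }
    }

    $report = [System.Collections.Generic.List[object]]::new()
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties 'ForwardingSmtpAddress','ForwardingAddress','DeliverToMailboxAndForward'

    foreach ($mbx in $mailboxes) {
        # Mailbox-level forwarding, set by an admin or from the user's own Outlook settings
        if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
            $report.Add([pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Source    = 'Mailbox'
                Rule      = ''
                Target    = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '')
                KeepsCopy = $mbx.DeliverToMailboxAndForward
            })
        }
        # ForwardingAddress points at a directory recipient; a mail contact there can still be external
        if ($mbx.ForwardingAddress) {
            $report.Add([pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'MailboxRecipient'; Rule = ''
                Target  = "$($mbx.ForwardingAddress) (resolve with Get-Recipient)"; KeepsCopy = $mbx.DeliverToMailboxAndForward
            })
        }
        # Inbox rules created in Outlook or OWA; these survive password resets and sign-in blocks
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
            $targets = Get-SmtpTargets (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
            foreach ($t in $targets) {
                if (Test-External $t) {
                    $report.Add([pscustomobject]@{
                        Mailbox   = $mbx.UserPrincipalName
                        Source    = 'InboxRule'
                        Rule      = $rule.Name
                        Target    = $t
                        KeepsCopy = (@($rule.RedirectTo).Count -eq 0)   # redirect moves the mail; forward leaves a copy
                    })
                }
            }
        }
    }
    return $report
}

# Usage: run monthly, diff against last month's CSV, and treat every new row as a question
Connect-ExchangeOnline -ShowBanner:$false
Get-ExternalForwardingReport | Export-Csv -Path '.\external-forwarding.csv' -NoTypeInformation
```

Enumerating inbox rules means one call per mailbox, so on a few thousand mailboxes this runs for a while; schedule it rather than running it by hand. The report finds forwarding that already exists. To stop new external forwarding from working at all, set the outbound spam policy's automatic forwarding mode to Off (`Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off`), which is the control the report then verifies.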
Why automation matters
You cannot run this process manually at scale. A 500-person restaurant group with 75% turnover is somewhere between one and two leavers a day on average, and it is never spread evenly - it spikes at month-end, after the Christmas shift, and any time a new GM takes over a site. If your offboarding lives in a Word checklist that the IT manager opens when HR remembers to email them, you will skip steps and you will skip people.
Automation does three things informal processes cannot. It triggers from a single source of truth - usually the HR system - so nothing depends on someone remembering to send an email. It runs the same way every time, so step 13 is never quietly dropped because the on-call engineer was firefighting an EPOS outage. And it produces an audit trail you can hand to your insurer, your auditor or the ICO if you ever need to prove that yes, the leaver’s access really was revoked at 14:32 on the day they left.
Tools that help
The good news is that most of what you need is already in the licences you are paying for, or sits a short hop away. Entra ID Lifecycle Workflows can automate joiner, mover and leaver actions directly from a HR feed, but note that they are part of Microsoft Entra ID Governance, which is an add-on rather than a component of Microsoft 365 E3, and that the built-in tasks cover the directory side (disable, groups, Teams, licences, deletion) and not Exchange or session revocation, which need a custom task extension or a flow. Power Automate stitches the gaps where Entra cannot reach - pinging Slack, raising tickets, kicking off the device wipe. A proper HR integration (BambooHR, HiBob, PeopleHR, SAP SuccessFactors all have connectors) means the trigger is a record change, not a human email. And if your stack is too sprawling for any of that, a dedicated joiner/mover/leaver platform like LemonadeHR or Lumos will sit on top and orchestrate everything.
The right combination depends on your size and your existing licensing. Most groups under 200 staff can do this within Microsoft 365 E3 plus a Power Automate per-user plan, driving the Graph and Exchange Online steps from a flow; add the Entra ID Governance licence if you want Lifecycle Workflows to own the directory side. Larger groups usually justify a dedicated JML tool within a year on the time saved alone.
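What a leaver Lifecycle Workflow looks like when created from PowerShell, as an added example that is not CloudMatters' workflow or Microsoft's sample. It assumes the Microsoft.Graph module, the Lifecycle Workflows Administrator role, Microsoft Entra ID Governance licensing, and an HR connector (Entra inbound provisioning or similar) that writes `employeeLeaveDateTime` on the user; the scope rule and the workflow name are placeholders. Task definitions are looked up by display name instead of hard-coding their GUIDs.

```powershell
<#
  New-LeaverWorkflow.ps1  (added example; not CloudMatters' or Microsoft's own code)
  Creates an Entra ID Lifecycle Workflow that fires when a user's
  employeeLeaveDateTime arrives and runs the directory-side checklist steps.
  Assumes: Microsoft.Graph module, Lifecycle Workflows Administrator, Entra ID
  Governance licensing, and an HR feed populating employeeLeaveDateTime.
  Deliberately omits 'Delete user account': deletion is the last step, months later.
#>
function New-LeaverWorkflow {
    param([string]$DisplayName = 'Leaver: same-day access removal')

    # Built-in task definitions, resolved by name so nothing here depends on a GUID
    $defs = (Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/taskDefinitions').value
    function Get-TaskId([string]$Name) {
        $d = $defs | Where-Object { $_.displayName -like $Name } | Select-Object -First 1
        if (-not $d) { throw "Task definition '$Name' not found; list them with Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition" }
        return $d.id
    }

    $body = @{
        category            = 'leaver'
        displayName         = $DisplayName
        description         = 'Checklist steps 2 and 4 on the leave date HR recorded'
        isEnabled           = $true
        isSchedulingEnabled = $true     # the tenant schedule evaluates triggers every 3 hours by default
        executionConditions = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
            scope = @{
                '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
                rule          = "(employeeType eq 'Employee')"     # placeholder scope; narrow it to your HR-fed users
            }
            trigger = @{
                '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
                timeBasedAttribute = 'employeeLeaveDateTime'
                offsetInDays       = 0                               # fire on the day itself, not after
            }
        }
        tasks = @(
            @{ displayName = 'Disable user account';        taskDefinitionId = (Get-TaskId 'Disable user account');        isEnabled = $true; continueOnError = $false; arguments = @() }
            @{ displayName = 'Remove user from all groups'; taskDefinitionId = (Get-TaskId 'Remove user from all groups'); isEnabled = $true; continueOnError = $true;  arguments = @() }
            @{ displayName = 'Remove user from all Teams';  taskDefinitionId = (Get-TaskId 'Remove user from all teams');  isEnabled = $true; continueOnError = $true;  arguments = @() }
        )
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows' `
        -Body $body -ContentType 'application/json'
}

# Usage
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All' -NoWelcome
$wf = New-LeaverWorkflow
"Created workflow $($wf.id): $($wf.displayName)"
```

Two caveats worth knowing before relying on this for same-hour offboarding. The time-based trigger is evaluated on the tenant's workflow schedule, which defaults to every three hours, so a leave date written at 09:00 may not be acted on until late morning; for a true same-hour run, have the flow that reacts to the HR record call the workflow's `activate` action for that user on demand instead of waiting for the schedule. And the built-in tasks stop at the directory: session revocation, the shared-mailbox conversion and the forwarding-rule check still need a custom task extension (a Logic App) or a Power Automate step that runs the Graph and Exchange Online commands.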
The CloudMatters approach
When we onboard a hospitality client onto our managed cloud service, the first thing we do is build the leaver workflow. HR posts the leaver into their system, the workflow fires the same hour, every step on the checklist above runs in sequence, and the IT manager gets a single confirmation email at the end with a list of what was done and what - if anything - needs human follow-up. Same-day offboarding becomes the default rather than the exception. The audit trail lives in our ticketing system and is available on demand.
It is not glamorous work, but it is the work that closes the gap between “we have a security policy” and “we have security.” If your offboarding currently lives in someone’s head, or in a checklist that gets opened on a good week, it is worth a conversation with our cyber security team. We will walk your current process, find the gaps, and quote you a fixed price to close them. Drop us a line - the leavers will keep coming, and every one of them is a chance to get this right.