IT Onboarding and Offboarding: A Service Desk Process Guide

IT onboarding and offboarding are two of the highest-volume, most error-prone request types a service desk handles. When the process is ad hoc, new employees wait days for access, and departing employees leave behind active accounts and unrecovered assets. This guide walks through how to design a repeatable, ITIL-aligned process that cuts provisioning time, closes security gaps, and keeps your asset records accurate.

Why IT Onboarding and Offboarding Break Down

Most organisations treat onboarding and offboarding as a series of informal tasks rather than a managed service. HR sends an email, IT scrambles, and critical steps get missed. The consequences stack up quickly.

Common failure points in onboarding:

• No standard checklist, so provisioning steps depend on whoever picks up the ticket
• Hardware is not pre-staged because IT only hears about the new hire the day before they start
• Software licences are assigned manually, often duplicating what another user already has
• Active Directory or identity provider accounts are created without a role template, leading to over-provisioned access

Common failure points in offboarding:

• Accounts are disabled days or weeks after the employee leaves
• Laptops, phones and access cards are not recovered before the final day
• Shared mailboxes and distribution lists still include the departed user
• The CMDB and asset register are never updated, leaving ghost records that inflate licence counts

Each of these failures is a process problem, not a people problem. The fix is to treat onboarding and offboarding as formal service request workflows with defined steps, owners, and SLAs.

Designing the Onboarding Workflow

A well-designed onboarding workflow starts before the employee's first day. The trigger should come from HR as soon as a start date is confirmed, not on the morning someone walks through the door.

The pre-arrival window

Most experts recommend a minimum five-business-day lead time between the HR trigger and the start date. This window allows IT to:

• Allocate and image a device from available stock
• Create the user account and apply the correct role-based access template
• Assign software licences appropriate to the job function
• Prepare any hardware peripherals, access cards or VPN tokens
• Stage the device so it is ready to hand over on day one

Building the request template

The onboarding request should be a structured form, not a free-text email. Capture the fields that drive every downstream task:

• Full name, job title and department
• Manager name (for approval routing and access inheritance)
• Start date and work location (on-site, remote or hybrid)
• Cost centre for asset and licence assignment
• Any role-specific application access required

With these fields captured at intake, the service desk can auto-route sub-tasks to the right teams: desktop support for hardware, the identity team for accounts, facilities for physical access, and so on.

Parallel task tracks

Onboarding involves multiple teams working simultaneously. Modelling this as a parent ticket with linked child tasks lets each team work independently while the service desk tracks overall completion. SLAs apply to the parent ticket, so nothing slips through because one team assumed another had finished.

Designing the Offboarding Workflow

Offboarding carries more risk than onboarding because the window is often shorter and the stakes are higher. A disgruntled or simply forgetful departing employee can leave access, data and hardware unaccounted for.

The trigger and lead time

Offboarding should trigger the moment a resignation is accepted or a termination decision is made, not on the last day. Where possible, aim for the same five-day minimum as onboarding. In involuntary separations, IT security may need to act within hours, so the workflow should support an expedited path that disables accounts immediately while the asset recovery steps follow.

Sequencing the steps correctly

The order of offboarding tasks matters. A sensible sequence is:

• Confirm last working day and return logistics with the manager
• Schedule account suspension for end of last working day, not before (to avoid disrupting work in progress)
• Transfer ownership of files, shared drives and email to the manager
• Revoke all application access and remove from distribution lists
• Recover hardware, peripherals and access cards on or before the last day
• Update the asset register to mark devices as available or send them to the disposal queue
• Run a licence reclamation check to free up any assigned seats

Preventing access creep

One of the most common audit findings is that former employees still have active accounts weeks after leaving. Automating the account suspension step, tied to the confirmed last-working-day field in the offboarding ticket, removes the human dependency. The service desk ticket becomes the authoritative record that the step was completed and when.

Connecting the Process to Asset Management

Onboarding and offboarding are the two events that most directly affect the accuracy of your asset register and CMDB. Every device issued or recovered, every licence assigned or reclaimed, should flow back into your asset data.

Asset assignment at onboarding

When a device is issued, the asset record should be updated to reflect:

• The assigned user and their department
• The issue date
• The cost centre responsible for the asset
• The software licences linked to that device or user

If this update is a manual step, it will be skipped under pressure. The best practice is to make asset assignment a required field in the onboarding ticket closure checklist, so the ticket cannot be closed until the record is updated.

Asset recovery at offboarding

Recovered devices should move through a defined state in the asset register: from assigned, to in-recovery, to available or awaiting disposal. This prevents the ghost-asset problem where a device that left the building two years ago still appears as assigned in your inventory.

Licence reclamation is equally important. Every software seat tied to a departing user that is not reclaimed is wasted spend. Running a reclamation check as a mandatory offboarding step, rather than a periodic audit, keeps licence counts accurate in real time.

The CMDB angle

For organisations running a CMDB, user-to-asset relationships are configuration items. An offboarded user whose device is not updated leaves a broken relationship in the CMDB that can mislead incident and change processes downstream. Treating the CMDB update as a closure gate on offboarding tickets is a straightforward way to maintain data quality without a separate audit cycle.

Building a Practical Checklist

The following checklist covers the minimum steps for both processes. Adapt it to your environment and encode it as task templates in your ITSM tool.

Onboarding checklist:

• HR trigger received with all required fields
• Start date confirmed and lead time verified
• Device allocated from stock and imaged
• User account created with role-based access template applied
• Software licences assigned and recorded in asset register
• Email, collaboration tools and VPN configured
• Physical access and any hardware peripherals prepared
• Manager notified that provisioning is complete
• Asset register updated with device-to-user assignment
• Welcome communication sent to new employee

Offboarding checklist:

• Offboarding trigger received with confirmed last working day
• Expedited path flagged if involuntary separation
• File and email ownership transferred to manager
• Account suspension scheduled for end of last working day
• All application access and group memberships reviewed and removed
• Distribution lists and shared mailboxes updated
• Hardware recovery confirmed with manager
• Device returned and asset record updated to available or disposal queue
• Licence reclamation check completed and seats freed
• CMDB relationships updated to reflect user departure
• Confirmation record attached to closed ticket for audit trail

Metrics to Track and Improve

Measuring the process is the only way to improve it. The metrics that matter most for onboarding and offboarding are:

• Time to provision: the elapsed time from HR trigger to a fully ready new employee, broken down by team to identify bottlenecks
• On-time completion rate: the percentage of onboardings completed before or on the start date
• Account suspension rate: the percentage of offboardings where account suspension happened on or before the last working day
• Asset recovery rate: the percentage of devices recovered within a defined window, typically five business days of the last day
• Licence reclamation cycle time: how quickly freed licences are available for reassignment

Reviewing these metrics monthly gives IT managers the data to justify process investment and identify which team or step is causing the most delays.

Key Takeaways

• Treat onboarding and offboarding as formal service request workflows, not informal tasks, with defined steps, owners, and SLAs
• Start both processes early: a minimum five-business-day lead time prevents last-minute scrambles
• Use structured request forms to capture the data that drives every downstream task automatically
• Make asset register and CMDB updates a closure gate on tickets, not an optional step
• Licence reclamation at offboarding is a direct cost saving that most teams leave on the table
• Track time-to-provision, on-time completion, account suspension rate and asset recovery rate to drive continuous improvement

The TIKTING service management platform supports onboarding and offboarding through structured service request templates, parent-child task routing, and closure checklists that enforce mandatory steps before a ticket can be resolved. Odysseus asset discovery keeps device records current by detecting when assets go offline or change ownership, feeding accurate data back into the asset register without manual intervention. Together they give service desk teams a single place to manage the full lifecycle of every employee transition.