centrexIT
Knowledge Center

CentrexIT User Offboarding

KB00010297
Work Instruction by Mike Hicks
Published, v2.0
Published Mar 7, 2025; expires Jan 9, 2027

This work instruction covers all tasks associated with offboarding a centrexIT employee.


All cIT employees tasked with completing a cIT user offboarding.


SOC Manager, Senior IT Manager, other senior engineers as required.


A fully offboarded user.


Simple Request Ticket to be created in Halo. All steps should be documented in the ticket.


  1. HR will notify the Security Team for initial lockdown.

  2. Security Lead will complete the following immediately:

    1. AD Domain Disable:
      1. Reset Password in AD
      2. Disable Account
      3. Get AD Group Membership and Document in ticket
      4. Command for the previous step: `Get-ADPrincipalGroupMembership -Identity (UserName) | Select-Object name`
      5. Remove all AD Group Membership
      6. Set AD Attribute msExchHideFromAddressLists = True
      7. Move Account to OU “centrexIT/Disabled Users/Disabled Users - Active Mailbox”
      8. Run PowerShell command for Azure AD sync
        1. `Start-ADSyncSyncCycle -PolicyType Delta`
    2. Verify the user did not have an admin account or CIPP account. If such accounts are present, note them in the ticket, disable them, and move the admin account to the disabled admins OU
    3. NOTE: Items Tied to M365 or AD that are locked automatically
      1. Masergy
      2. Openpath / Avigilon Alta (door access control for Poway office)
      3. PagerDuty
      4. Halo
      5. OneLogin Applications (see OneLogin applications for list) Lucid Chart
    4. Lock N-central RMM user from sign-in, delete RMM account
    5. M365 Account
      1. Block access in Exchange Mailbox (the command is under Manage Mobile Devices)
    6. Webex
      1. Disable User account
      2. Under User, Security “Reset Access”
      3. Remove Licenses
      4. Remove Elevated Privileges (if applicable, i.e., Admin Role)
    7. OneLogin
      1. Verify user account is not Active
      2. Document in Ticket all associated application group memberships, and remove them
    8. DUO
      1. Delete User’s associated mobile device
      2. Delete User
    9. Align (Josh, Mike, or Kellee have admin access)
    10. OpenDNS
    11. Pax8 Portal user account
    12. JumpCloud
    13. For client management roles (vITM, vCIO)
      1. Review clients managed by user and verify no additional accounts exist; if they do, clean them up as needed.
      2. My IT Process (Mike – to remove account)
    14. Datto portal (Mike H.)
    15. ADT (Poway alarm system) (Mike H. or Christie Z.)

  3. Assign the ticket to Mike Hicks (Senior IT Manager). He will complete the remaining items, which can be completed later.

  4. Post Initial Lockdown steps (to be done later):

    1. Work with the admins listed below to disable these other applications:
      1. TrueMethods (Sean)
    2. M365 Cleanup Items:
      1. Remove M365/Azure groups and Teams
      2. Move OneDrive files to Manager or SharePoint Site
      3. Hide from GAL
      4. If applicable, remove any Contacts associated with User (i.e., user’s personal Gmail account listed as a contact in GAL)
      5. Convert to shared mailbox
      6. Remove M365 Licenses
      7. Document in Ticket all assigned Licenses and remove all licenses
      8. Notify Dylan Quiros on which M365 Licenses to remove from cIT Subscription
    3. For Copilot licenses, do not clean up the license, as it is a yearly subscription; leave it unassigned or assign it to another user
    4. LucidChart – Remove Licenses
    5. G Suite (Google Workspace) – Remove Licenses
    6. Udemy - Remove License
    7. Halo – Clean up account and remove employee groups, ensure work items are reassigned
    8. vCIO toolbox – Clean up account
    9. JumpCloud - remove account
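
The "AD Domain Disable" steps from the immediate lockdown above, scripted in order as an added example (not centrexIT's own tooling). It assumes the ActiveDirectory module, a hypothetical `-DisabledOuDn` parameter through which the operator supplies the target OU's distinguished name, and a host where the ADSync module is available for the final delta sync.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $UserName,
    # Hypothetical parameter: distinguished name of the
    # "Disabled Users - Active Mailbox" OU, supplied by the operator.
    [Parameter(Mandatory)] [string] $DisabledOuDn
)
$ErrorActionPreference = 'Stop'   # abort on the first failed step

$user = Get-ADUser -Identity $UserName -Properties PrimaryGroup

# Reset the password to a random value that is never displayed or stored.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret

Disable-ADAccount -Identity $user

# Capture group membership for the ticket before anything is removed.
$groups = @(Get-ADPrincipalGroupMembership -Identity $user)
Write-Output "Group membership of $($user.SamAccountName) before removal:"
$groups | Sort-Object name | Select-Object -ExpandProperty name

# The primary group (normally Domain Users) cannot be removed this way;
# attempting it raises an error, so it is excluded.
$removable = @($groups | Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup })
if ($removable.Count -gt 0) {
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $removable -Confirm:$false
}

Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOuDn

# Read the account back by SID (its DN changed with the move) for the ticket.
Get-ADUser -Identity $user.SID -Properties MemberOf, msExchHideFromAddressLists |
    Select-Object SamAccountName, Enabled, DistinguishedName,
        msExchHideFromAddressLists, @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }

# Push the changes to Azure AD; needs the ADSync module (Azure AD Connect server).
Start-ADSyncSyncCycle -PolicyType Delta
```

The group list and the read-back record printed by the script can be pasted into the Halo ticket as the documentation the procedure asks for.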