IT Contractor Onboarding and Offboarding: The Security Checklist

The Scope of the Risk

A 2024 survey by CyberArk found that 63% of organisations had experienced a security incident caused by a third-party contractor in the previous 12 months. The most common causes: orphaned accounts after contract end, overly broad access granted during the engagement, and shared credentials that were never rotated after contractor departure.

Onboarding: Least Privilege from Day One

Contractor access should follow the principle of least privilege rigorously — more rigorously than for permanent employees, because the organisational relationship and trust baseline are different.

Onboarding checklist:

• Create a contractor-specific account (do not add contractors to existing shared accounts)
• Set an account expiry date aligned to the contract end date — in Azure AD this is a first-class attribute
• Grant access only to the specific systems, file shares, and applications needed for the stated work
• Require MFA for all contractor accounts — no exceptions
• Add contractor accounts to Privileged Identity Management (PIM) for any admin roles — just-in-time access rather than persistent elevation
• Ensure contractors sign an acceptable use policy and NDA before any access is granted
• Issue hardware (laptop) from your own fleet if possible rather than allowing BYOD for contractors handling sensitive data

During the Engagement

Review contractor access quarterly or on any scope change. Contractors whose project scope has changed often retain access from their previous assignment — clean this up proactively. Log and alert on contractor access to sensitive systems.

Offboarding: The Critical Window

Contractor offboarding is high-risk because it is less emotionally charged than permanent employee departures — it can feel routine and be given less attention. But a contractor with active access who has moved on to a competitor represents the same risk as any other departing employee.

Offboarding checklist:

• Disable the Azure AD / Active Directory account on the last day of contract — not the day after, the last day
• Revoke all active sessions (in Azure AD: Revoke sign-in sessions)
• Rotate any service account credentials the contractor had access to
• Retrieve all equipment (laptop, access cards, tokens) on the last day
• Conduct an access audit: list all systems the contractor had access to and confirm access is removed from each
• Review any service accounts or API keys created during the engagement — disable any that are no longer needed

Automation is the Answer

Manual offboarding fails because it depends on someone remembering to do it. Automate account expiry in Azure AD. Use ServiceNow or your ITSM platform to trigger an offboarding workflow when a contract end date is reached. Make the process systematic, not heroic.