Case Study — B2B SaaS

How We Standardised
Onboarding and Offboarding
for a Growing SaaS Team.

A 70-person B2B SaaS company moved from a 3-week offboarding lag to a 24-hour standard in five weeks — with day-1 access for new hires and audit evidence captured by default.

5
weeks
end-to-end JML rebuild
24h
standard
new offboarding rule (vs 3+ weeks)
Day 1
access
ready for new hires (vs week 2)
Industry B2B SaaS
Size ~70 employees
Platform Microsoft 365 + mixed SaaS estate
Engagement 5 weeks
Services used Assessment · The Security Baseline™
Goal Standardised JML + audit-ready access lifecycle

The company

A B2B SaaS company of roughly 70 people, growing fast. Headcount had increased by 30% in the previous twelve months. Multiple teams, multiple locations, a mixed cloud estate centred on Microsoft 365 with a long tail of best-of-breed SaaS tools.

Joiner-mover-leaver was being handled as a one-off every time. The People team would email IT with a name and a start date. IT would create accounts in the systems they remembered to create accounts in. The hiring manager would chase missing access on day three. Someone would forget to deactivate a leaver until they showed up in an access review weeks later.

The challenge

Every joiner and leaver was being handled as a one-off. The People team would email IT with a name and a start date. IT would create accounts in the systems they remembered to create accounts in. The hiring manager would chase missing access on day three. Someone would forget to deactivate a leaver until they showed up in an access review weeks later.

The process was visible only when it broke. Which was constantly.

"How did this go unnoticed for four months?"

The trigger for the project was a near-miss: a contractor whose engagement had ended four months earlier was discovered to still have active access to a customer support console with sensitive data visibility. No malicious activity had occurred. But the question "how did this go unnoticed for four months?" did not have a comfortable answer.

Why it mattered

Our approach

Process first, tooling second. Automation amplifies whatever process you have — if the process is broken, automation just makes the breakage faster.

Phase 01 · Weeks 1–2
Map
Document the current state. Identify every tool, every access path, every role pattern. Surface what's broken. The output: a clear, written joiner-mover-leaver process — not a finished tool, but a documented standard for what we'd build to.
Phase 02 · Weeks 3–4
Standardise
SSO footprint extended. Access groups defined by role, not by individual. A documented checklist for the long tail of tools outside SSO. Named owners for each phase of the lifecycle. Evidence capture built into the workflow so audit-readiness is a by-product, not a separate exercise.
Phase 03 · Week 5
Operate
Run the first joiner and leaver through the new process. Validate evidence capture. Handover to internal owners. Set the quarterly access review cadence. The process is now in operation — not just on paper.

The outcome

Five weeks of focused work. Joiner-mover-leaver became a documented, evidenced operation.

Offboarding moved from 3+ weeks to 24 hours Critical access is now revoked the day of, with full closure within a week. Evidence is captured as a by-product of the workflow.
New hires productive on day one Access provisioning is now triggered before the start date, not chased after it. The two-to-three day onboarding drag is gone.
Audit posture defensible The company can produce a record for any joiner, mover, or leaver in the past quarter — exactly what access was granted, modified, or revoked.
No more orphaned accounts The quarterly access review surfaces anomalies the same quarter they appear, not a year later. The contractor near-miss that triggered the project cannot recur.
Role-based access, not individual grants New hires inherit access from their role — not from whatever happens to be remembered on the day. Role changes update access automatically.
Leadership has a defensible answer "Who has access to what?" now has a documented, evidenced response. The CTO is no longer the bottleneck for access decisions.

Key takeaways

Services used in this engagement

Diagnose, implement, maintain.

Is this your situation? Joiners chasing access on day three. Leavers still in the system weeks later. Contractor accounts nobody can explain. We've done this before. The path is clear. Book a fit call →

Ready to do this?

Your security transformation
starts with one conversation.

Book a 30-minute fit call. No sales pitch. We'll tell you honestly where you stand, what it would take, and whether we're the right fit.

Book a Fit Call