The contract ended Friday. The laptop went home for the weekend. Your site superintendent promised to drop it off Monday morning. Standard stuff. It happens all the time in AEC work.
But over the weekend, OneDrive quietly synced project files to the personal laptop he’d signed into last month. His account still had access to three active SharePoint libraries.
The Intune device wipe? Never triggered.
The account disable? Scheduled for “next week when things slow down.”
By Wednesday, a reused password got compromised. Now someone’s downloading RFIs and bid documents while your team’s filing permits, completely unaware.
You had all the right tools. Microsoft 365, Intune, Conditional Access—everything was in place. What failed was the handoff. Who triggers what, when it happens, and how you prove it’s done.
In AEC environments, these gaps are everywhere. Teams scale up and down with projects. Devices live in trailers, trucks, and home offices. Subcontractors get temporary access. Field supervisors share tablets. The pace is relentless, and “we’ll handle that after the project wraps” becomes standard operating procedure.

You don’t need new tools. You need a process that actually gets followed.
In the next few minutes, we’ll show you why these gaps keep happening in construction and engineering firms, how they turn into serious security problems, and what “good” actually looks like for Microsoft 365 and Intune lifecycle management.
Why AEC Environments Amplify Intune Gaps
AEC work moves fast. Teams scale up for projects, then scatter when they wrap. Devices float between job trailers, service trucks, and home offices. That constant movement creates gaps in your device management. Gaps that turn into real access problems.
What It Looks Like on the Ground
Your project manager needs that subcontractor online today, so they skip the formal onboarding. A superintendent’s personal tablet becomes the unofficial RFI machine. Laptops ship straight to job sites and never check in for policy updates. That spare device from the last project? Nobody remembers who had it last.
Those realities do not break Intune by themselves. They break the process Intune relies on, and that opens the door to ransomware and credential theft.
You’re Not Too Small to Be Hit
The threat can’t be shrugged off as a “big-company problem.” Reported U.S. cyber losses hit $16.6B in 2024, and Verizon’s 2025 DBIR SMB snapshot shows ransomware was present in 88% of SMB breaches compared with 39% at large organizations. That puts smaller firms squarely in attackers’ sights, especially because attackers know you’re moving too fast to button everything up.

Most AEC firms can’t go five days without document access before schedules start slipping. One ransomware hit costs more than just money. It can cascade through every active job.
Intune Isn’t the Problem, Your Process Is
Most “Intune failed us” stories aren’t about Intune at all. They’re about what happens around it.
Intune can wipe a device clean. It can retire BYOD devices without touching personal data. It can enforce encryption, push updates, and lock down access. The technology works fine.
Here’s where it breaks down: People think clicking “Wipe” in Intune means offboarding is done. It’s not.
That wipe command only works if the device checks in. Meanwhile, the user’s account is still active. Their cached credentials still work. Their browser sessions are still valid. They can log into SharePoint from their home computer right now.
What Actually Needs to Happen
Real offboarding means three connected actions:
- Disable the account in Microsoft Entra (formerly Azure AD)
- Revoke all active sessions to kill existing tokens
- Then wipe or retire the device
Miss any of those steps, or do them out of order, and you’ve left a door open.
The fix isn’t complicated. You need a repeatable process that connects HR’s departure notice to IT’s action items. Clear ownership for each step. A way to prove it happened.
Access Hygiene Blocks Ransomware (and Limits Damage)
Ransomware doesn’t need sophisticated exploits. It just needs valid credentials or an unmanaged device. Usually, it gets both from employees who left weeks ago but still have active access.
Good access hygiene takes those entry points away.
The Three Essential Moves
- Cut access immediately: When someone leaves, their account gets disabled the same day. Not next week. Not after the project wraps. Same day. Revoke their sessions too—cached credentials on their home laptop won’t help if the tokens are dead.
- Lock down the devices: Company devices get wiped. Personal devices get corporate data removed. No exceptions, no delays. That SharePoint sync on their personal tablet? Gone.
- Document what happened: You need proof that these steps actually happened. Who disabled the account, when the device was wiped, which sessions were revoked. Without documentation, you’re just hoping it got done.
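The three ordered actions from “What Actually Needs to Happen” and the three moves above, scripted end to end as an added example (not code from the original post). It uses the Microsoft Graph PowerShell SDK and assumes it is installed, that the signed-in admin holds the requested scopes, and that the UPN and evidence file path are placeholders you replace.

```powershell
# Added example (not from the original post): disable, revoke, then wipe/retire,
# with a timestamped evidence record. Assumes the Microsoft Graph PowerShell SDK
# and an admin holding the scopes below. $Upn is a placeholder value.
param(
    [Parameter(Mandatory)][string]$Upn,                 # e.g. departing.user@example.com (placeholder)
    [string]$EvidencePath = ".\offboarding-evidence.json" # assumed location for the record
)
Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All" -NoWelcome

$evidence = [ordered]@{ user = $Upn; operator = (Get-MgContext).Account; steps = @() }
function Record($step, $detail) {
    $script:evidence.steps += [ordered]@{ time = (Get-Date).ToString("o"); step = $step; detail = $detail }
}

# 1. Disable the account first so no new tokens can be issued, then read it back as proof.
Update-MgUser -UserId $Upn -AccountEnabled:$false
$u = Get-MgUser -UserId $Upn -Property AccountEnabled
Record "disable-account" "accountEnabled=$($u.AccountEnabled)"

# 2. Revoke sessions: refresh tokens die now. Access tokens already issued keep
#    working until they expire (about an hour by default), so Conditional Access
#    requiring a managed device is what closes that window.
$r = Revoke-MgUserSignInSession -UserId $Upn
Record "revoke-sessions" "graphResult=$($r.Value)"

# 3. Only then touch devices: wipe company-owned, retire personal (corporate data only).
foreach ($d in Get-MgUserManagedDevice -UserId $Upn) {
    if ($d.ManagedDeviceOwnerType -eq 'company') {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        $action = 'wipe'
    } else {
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        $action = 'retire'
    }
    # The command only lands when the device checks in; flag stale devices for follow-up.
    $stale = $d.LastSyncDateTime -lt (Get-Date).AddDays(-7)
    Record "$action-queued" "$($d.DeviceName) lastSync=$($d.LastSyncDateTime) staleFollowUp=$stale"
}

# 4. Document: who did what, and when. Entra and Intune audit logs stay the
#    authoritative source; this file is the checklist evidence you can hand over.
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $EvidencePath
Write-Host "Offboarding steps for $Upn recorded in $EvidencePath"
```

A device flagged with staleFollowUp=True is exactly the case the post warns about: the wipe is queued, not done, until that device next checks in.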

Quick Self-Assessment
Take 30 seconds to answer these:
- Who in your organization triggers offboarding? What’s their first step?
- Which devices are accessing your SharePoint sites right now?
- If someone quits this afternoon, how fast can you kill their access?
- Can you prove (with logs) that last month’s departures were properly offboarded?
If you’re not sure about any of these, you’ve got gaps that need fixing. The good news is that creating a solid process isn’t complicated. You just need to document who does what, when they do it, and how you’ll verify it happened.
Ready to lock this down?
We’ve built a complete Microsoft Intune Onboarding/Offboarding Checklist that walks through every step. Download it now and start closing those gaps today.
What “Good” Looks Like: Secure Onboarding and Offboarding in M365 + Intune
Good lifecycle management is boring. That’s the point. New hires get access on day one. When people leave, their access ends immediately. You can prove both happened.
When Someone Joins: Their device enrolls automatically on first sign-in. Baseline security applies right away: disk encryption, Defender protection, update schedules. The apps they need download without IT involvement. Before they can touch any project files, Conditional Access confirms they’re on a managed device.
No manual setup or “we’ll configure that later.” It just works.
When Someone Leaves: HR notifies IT about the departure. IT disables the account and revokes all sessions within hours, not days. Company devices get wiped. Personal devices lose corporate access but keep personal data. The SharePoint sync stops. The email access ends. The door closes completely.
And you can prove every step happened with timestamps and logs.
Why This Matters for AEC
Every unmanaged device is shadow IT waiting to happen. Every lingering account is a potential ransomware entry point. Every undocumented departure is project data walking out the door.
Federal guidance specifically calls out removing unused and departing-user accounts as a critical security control. It’s not optional anymore—insurance companies and compliance auditors are checking.
When You Need Extra Visibility
For high-risk departures (think: estimators with full access to bid data), Microsoft’s Insider Risk Management can flag unusual activity—mass downloads, bulk file copies, sudden email forwarding. It’s built into your licenses already. Worth knowing about, even if you’re not using it yet.
Ready to Get There?
If your current process doesn’t look like this, you’re not alone. Most AEC firms are still figuring it out. We’ve documented exactly what needs to happen, who needs to do it, and how to verify it’s done.
Get instant access to our Intune Onboarding/Offboarding Checklist and start building a secure, streamlined process that protects your projects.

Your Action Plan
People leave. Projects continue. The gap between those two realities is where problems live—dormant accounts, forgotten devices, SharePoint sites still syncing to who-knows-where.
These aren’t dramatic security failures. They’re ordinary oversights that compound into real problems. A rushed departure here, a skipped step there, and suddenly you’re explaining to a GC why their bid documents showed up on the dark web.
You already have the tools. What’s missing is the process that connects them.
When HR and IT work from the same playbook, when every device gets handled the same way, when you can prove access actually ended, that’s when departures stop being security events.
They become routine. Boring, even. That’s the goal. Make it boring.
Start with a documented process. Clear steps, clear owners, clear verification. Follow it every single time, no matter how busy the project gets.
Ready to build that process?
Download our Microsoft Intune Onboarding/Offboarding Checklist. It’s the foundation for getting your device lifecycle under control.