Summary: The checklist for Office 365 terminated employee best practices must include how to block sign-in requests, withdraw access from users, and deactivate inactive and old licenses. It’s crucial that you perform this process carefully to avoid harming your organization or your data.
As per an industry report, a lot of companies remain unaware that their former employees still have access to their company’s confidential data and resources. This is a compliance nightmare just waiting to happen. Having a strong offboarding strategy for past employees is as important as having an onboarding strategy for new employees.
A good strategy helps in minimizing the considerable risks of incorrect user deprovisioning, data theft, and compliance violations. This article discusses the Microsoft 365 offboarding best practices that are necessary for a safe and smooth exit of an employee.
Microsoft 365 Offboarding Best Practices at a Glance

Do You Really Need a Strategy for Office 365 Offboarding?
A detailed strategy for Office 365 offboarding is a crucial security and compliance need. Here are some reasons why it is necessary to follow Microsoft 365 offboarding best practices:
- Prevent unauthorized user access: This is one of the biggest risks and can bring an organization to a complete halt. Past employees still retain data when they’re leaving an organization until the access is withdrawn completely. Properly following an Office 365 offboarding strategy helps to revoke permissions of the correct user to prevent unauthorized access.
- Regulatory compliance: Failing to offboard employees properly can result in violation of industry standards like GDPR, HIPAA, etc. Also, many companies have strict rules for data retention so it’s necessary to take certain steps to properly archive and store data.
- Protect data: Office 365 users have access to data like emails, OneDrive files, SharePoint sites, confidential Teams chats, etc. As soon as an employee leaves an organization, admins need to carefully delete or archive the user’s data to prevent data leaks or theft.
- Cost effectiveness: Decommissioning old and inactive Office 365 tenants after you remove deleted users from Office 365 is cost effective for admins. It saves monthly storage fees and helps admins manage licenses in a better way.
- Avoid insider threats: A lot of security threats emerge from inside the organization, often from disgruntled employees or contractors. They can misuse the data intentionally to cause serious harm if offboarding isn’t done properly.
- Legal requirements: Some organizations require data of past employees for legal purposes or for auditing. Following proper Office 365 terminated employee best practices helps to preserve data and audit logs without any errors.
Employee Resignation and Employee Termination: Core Office 365 Offboarding Differences
Although people think that the offboarding process for resigned employees and terminated employees is the same, this isn’t the case.
When an employee resigns, IT admins and the employee have time to gradually transfer permissions and roles to the assigned person. Important conversations are archived, and data is backed up to a safe location.
When an employee is terminated, the process is usually very swift. In this case, access is revoked instantly, and all devices are wiped clean after backing up the data. The primary focus remains on withdrawing access before the terminated employee can do any harm.
Microsoft 365 Offboarding Best Practices to Protect Data
Follow these practices to smoothly offboard employees from your organization.
1. Withdraw Access from the Leaving Employee
Before deleting the user account, withdraw all the access provided to the account of the ex-employee. Log out of all Office 365 sessions and reset the password so no unauthorized person can gain access to confidential data. Follow the steps to block sign-in and revoke access from departing employees:
- Sign into Microsoft 365 Admin Center (global admin credentials needed).
- Navigate to Users > Active Users and then choose the exiting user that you want to withdraw access from.
- Select Block sign-in and tick the checkbox beside Block this user from signing in.
- Save the changes and wait for 24 hours to verify if access was revoked successfully.
Note: If you want to block user access instantly, reset their account password by going to Users > Active Users > Reset password.
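The same block, password reset and session sign-out done from PowerShell rather than the Admin Center, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin holds a role allowed to reset passwords; the UPN is a constructed placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example: block sign-in, reset the password and revoke sessions for one leaver.
param(
    [string]$UserPrincipalName = 'leaver@contoso.example'   # constructed placeholder
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName -ErrorAction Stop

# 1. Block sign-in (same setting as "Block this user from signing in").
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Replace the password with a random value that is never shown or stored.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPassword = [Convert]::ToBase64String($bytes) + 'aA1!'
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $randomPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Invalidate refresh tokens and browser session cookies.
#    Access tokens that were already issued stay valid until they expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Read the state back so the change is recorded, not assumed.
$after = Get-MgUser -UserId $user.Id `
    -Property UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime
[pscustomobject]@{
    User              = $after.UserPrincipalName
    AccountEnabled    = $after.AccountEnabled
    SessionsValidFrom = $after.SignInSessionsValidFromDateTime
}
```

For accounts synchronized from on-premises Active Directory, the disable and the password change have to be made in the on-premises directory instead.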
2. Backup and Archive All the User Data
Accounts of exiting employees store important data like emails, files, chats, and other confidential data. Make sure that you’ve backed up data like Exchange Online Mailbox, OneDrive files, Microsoft Teams data, and SharePoint data. Set up archive and deletion policies for the former employee’s Office 365 mailbox to automate the backup process.
It’s necessary to take a backup of all the user data and archive it to a safe location for easy access in the future. Also, backing up all your data helps during legal audits and with the compliance requirements of companies that have data retention policies.
3. Decommission Unused Licenses
Admins need to manually decommission unused Microsoft 365 Licenses once an employee leaves. This license can either be removed completely or it can be reassigned to another user. This is also a cost-effective practice as doing so saves subscription cost of the organization. Follow the steps to decommission unused licenses in Office 365:
- Log into Office 365 Admin Center and go to Users > Active Users.
- Choose the departing employee and, in the Licenses and apps section, uncheck the checkboxes of all the licenses that you want to remove.
- Then click on Save for the changes to reflect.
Note: You can restore all the licenses within the next 30 days, if required.
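License removal for one leaver from PowerShell, as an added example that is not from the original article. It assumes the Microsoft Graph PowerShell SDK and a constructed UPN, and it separates directly assigned licenses from ones inherited through a group, which cannot be removed on the user object.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Added example: remove directly assigned licenses and report group-inherited ones.
param(
    [string]$UserPrincipalName = 'leaver@contoso.example'   # constructed placeholder
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, LicenseAssignmentStates -ErrorAction Stop

# Map SKU ids to readable part numbers for the report.
$skuNames = @{}
Get-MgUserLicenseDetail -UserId $user.Id |
    ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

# A direct assignment has no AssignedByGroup value.
$direct   = @($user.LicenseAssignmentStates |
    Where-Object { -not $_.AssignedByGroup } |
    Select-Object -ExpandProperty SkuId -Unique)
$viaGroup = @($user.LicenseAssignmentStates | Where-Object { $_.AssignedByGroup })

if ($direct.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null
}

# Report what was freed and what still needs a group membership change.
$direct | ForEach-Object {
    [pscustomobject]@{ Sku = $skuNames[$_]; SkuId = $_; Result = 'Removed (direct assignment)' }
}
$viaGroup | ForEach-Object {
    [pscustomobject]@{
        Sku    = $skuNames[$_.SkuId]
        SkuId  = $_.SkuId
        Result = "Inherited from group $($_.AssignedByGroup); remove the user from that group"
    }
}
```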
4. Enable Email Forwarding for the Departing Employee
Enable email forwarding in the ex-employee’s mailbox to the mailbox of another employee so that there’s no communication gap. This helps in maintaining steady communication with clients and colleagues without any major changes. This saves time and also saves people from a lot of confusion and chaos. Follow the steps below to enable email forwarding:
- Navigate to Users > Active Users in the Microsoft Office 365 Admin Center.
- Click on the desired employee and navigate to the Mail tab.
- Now, choose Manage email forwarding under the Email forwarding section.
- Turn on the Forward all email sent to this mailbox option.
- Now, enter the email address of the new employee in the Forwarding address box and click on Save.
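The forwarding step from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module and constructed addresses, and it refuses to forward to a recipient outside the tenant's accepted domains so a leaver's mail cannot be redirected to an external address by mistake.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: forward a leaver's mail to an internal successor only.
param(
    [string]$Leaver    = 'leaver@contoso.example',      # constructed placeholder
    [string]$Successor = 'successor@contoso.example'    # constructed placeholder
)

Connect-ExchangeOnline -ShowBanner:$false

# Domains this tenant accepts mail for.
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Resolve the target. A mail contact is also a recipient, so check its domain.
$target       = Get-Recipient -Identity $Successor -ErrorAction Stop
$targetDomain = ($target.PrimarySmtpAddress.ToString() -split '@')[-1].ToLower()

if ($acceptedDomains -notcontains $targetDomain) {
    throw "Refusing to forward: $($target.PrimarySmtpAddress) is not in an accepted domain."
}

# Forward to the internal recipient, keep a copy in the leaver's mailbox for
# retention, and clear any SMTP forwarding address that was set earlier.
Set-Mailbox -Identity $Leaver `
    -ForwardingAddress $target.PrimarySmtpAddress.ToString() `
    -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $true

# Read the setting back for the offboarding record.
Get-Mailbox -Identity $Leaver |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```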
5. Transfer Ownership and Permissions
Make sure to transfer ownership and all the permissions to the new employee before deleting the ex-employee’s account. If this is not done correctly, other employees can lose access to important resources. This can negatively affect the workflow and cause unnecessary delays. Here’s how to transfer ownership in different applications of Office 365.
Ownership Transfer of Office 365 Groups
Ownership transfer of Office 365 groups happens when an existing owner assigns a new owner to an orphaned Office 365 group. This is done as soon as the previous owner leaves so that there’s no delay in the workflow and the data remains protected. Admins can either transfer ownership via the Office 365 Admin Center or use the Admin Mobile app. If there are a lot of groups that you need to assign owners for, then using PowerShell is the best option for you.
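For the bulk case mentioned above, an added example (not from the original article) that adds a successor as owner of every group the leaver owns. It assumes the Microsoft Graph PowerShell SDK and constructed UPNs, and it reports how many other owners each group had, so groups that would have been orphaned stand out.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added example: add a successor as owner of every group the leaver owns.
param(
    [string]$LeaverUpn   = 'leaver@contoso.example',      # constructed placeholder
    [string]$NewOwnerUpn = 'successor@contoso.example'    # constructed placeholder
)

Connect-MgGraph -Scopes 'User.Read.All', 'Group.ReadWrite.All'

$leaver   = Get-MgUser -UserId $LeaverUpn   -ErrorAction Stop
$newOwner = Get-MgUser -UserId $NewOwnerUpn -ErrorAction Stop

# Owned objects include apps and devices; keep only groups.
$ownedGroups = Get-MgUserOwnedObject -UserId $leaver.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

$report = foreach ($group in $ownedGroups) {
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
    $status = 'Successor was already an owner'

    if ($owners.Id -notcontains $newOwner.Id) {
        New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($newOwner.Id)"
        }
        $status = 'Successor added as owner'
    }

    [pscustomobject]@{
        Group               = $group.AdditionalProperties['displayName']
        GroupId             = $group.Id
        OwnersBesidesLeaver = @($owners | Where-Object { $_.Id -ne $leaver.Id }).Count
        Status              = $status
    }
}

# Groups with 0 other owners would have been orphaned by the departure.
$report | Sort-Object OwnersBesidesLeaver | Format-Table -AutoSize
```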
Ownership Transfer of SharePoint
To change the owner of an existing SharePoint site, users can go to SharePoint and assign a new owner in the Site Permission section. Another way is to change owners via the SharePoint Admin Center.
Ownership Transfer of Microsoft Teams
If you want to shift ownership of a Microsoft Teams group or channel, you can simply make someone a team owner using either the Microsoft Teams desktop app or the mobile app. Admins can also do this by going to the Groups section in the Microsoft 365 Admin Center.
6. Wipe all the Corporate Devices and Disconnect all Apps
Delete all the former employees’ accounts and wipe all the corporate devices clean of the data after backing it up properly. Just make sure that you’ve safely backed up all the data before deleting the former employee’s account. This step removes all the user data and any associated data.
7. Save all Audit Logs and Compliance Records
Audit logs and compliance records are important for legal investigations, regulatory audits, security incidents, and compliance with industry standards. You can use legal holds to prevent data deletion amidst legal proceedings and litigation.
8. Implement Zero Trust Policy
Zero trust policy in Office 365 works on the principles of ‘don’t trust anybody, always verify everything’. This policy advises users to always verify any and all activity in your Office 365 tenant. Along with this, implement Least Privilege Access policy to provide access and permissions to only selected users and applications.
9. Carry Out Post-Offboarding Audits
Run compliance and security checks after offboarding the exiting employee to verify that all access is now revoked. Make sure the former user doesn’t have any active sessions or access to any shared mailboxes or other shared company resources. Admins carry out post-offboarding audits via the Microsoft Purview portal.
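A scripted version of these post-offboarding checks, as an added example that complements the portal and is not part of the original article. It assumes the Microsoft Graph PowerShell SDK, a constructed UPN and an offboarding time that you supply.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Reports
# Added example: verify that a leaver's access is really gone.
param(
    [string]$UserPrincipalName = 'leaver@contoso.example',   # constructed placeholder
    [datetime]$OffboardedAt    = (Get-Date).AddDays(-1)      # assumed offboarding time
)

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'

$u = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop `
    -Property Id, AccountEnabled, AssignedLicenses, SignInSessionsValidFromDateTime
$memberOf = @(Get-MgUserMemberOf    -UserId $u.Id -All)
$owned    = @(Get-MgUserOwnedObject -UserId $u.Id -All)

# Sign-ins recorded after the offboarding time (interactive sign-ins by default;
# reading sign-in logs through Graph needs Entra ID P1 or P2).
$cutoff    = $OffboardedAt.ToUniversalTime()
$since     = $cutoff.ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns   = @(Get-MgAuditLogSignIn -All -Filter "userId eq '$($u.Id)' and createdDateTime ge $since")
$succeeded = @($signIns | Where-Object { $_.Status.ErrorCode -eq 0 })

$checks = @(
    [pscustomobject]@{ Check = 'Sign-in blocked'
        Pass = ($u.AccountEnabled -eq $false); Detail = "AccountEnabled=$($u.AccountEnabled)" }
    [pscustomobject]@{ Check = 'Sessions revoked at or after offboarding'
        Pass = ($u.SignInSessionsValidFromDateTime -ge $cutoff)
        Detail = "ValidFrom=$($u.SignInSessionsValidFromDateTime)" }
    [pscustomobject]@{ Check = 'No licenses assigned'
        Pass = (@($u.AssignedLicenses).Count -eq 0); Detail = "$(@($u.AssignedLicenses).Count) license(s)" }
    [pscustomobject]@{ Check = 'No group or role memberships'
        Pass = ($memberOf.Count -eq 0); Detail = "$($memberOf.Count) membership(s)" }
    [pscustomobject]@{ Check = 'Owns no directory objects'
        Pass = ($owned.Count -eq 0); Detail = "$($owned.Count) owned object(s)" }
    [pscustomobject]@{ Check = 'No successful sign-in since offboarding'
        Pass = ($succeeded.Count -eq 0); Detail = "$($succeeded.Count) of $($signIns.Count) attempts succeeded" }
)

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) {
    Write-Warning "Offboarding of $UserPrincipalName is incomplete; review the failed checks."
}
```

Shared mailbox permissions live in Exchange Online and are not covered by these Graph checks.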
10. Automate Office 365 Offboarding
Compared to manual offboarding, automated Office 365 offboarding is far more efficient and secure. Here are some ways you can automate your offboarding process:
- Microsoft Entra Lifecycle Workflows: It automates the group removal, license removal, and the process of revoking access.
- PowerShell automation: It automates the license management, license deprovisioning, and the process of session revocation.
What’s the Final Verdict?
Office 365 offboarding of employees is a critical process that should be carried out with utmost care. Document each and every step and back up all the data with a trusted Office 365 Backup tool to prevent any data loss and to avoid compliance violations. If you follow all the practices we’ve discussed in this blog, I’m sure you’ll be able to safely offboard your employees.
People Also Ask
A. Yes, it’s very important that you deactivate the license of an employee that’s no longer working for your organization to avoid the risk of data theft. This is also important to save recurring subscription fees, so that you’re not wasting money paying for an unused license.
A. Poorly executed Office 365 offboarding can invite risks like unauthorized user access, confidential data leaks or theft, and heavy compliance penalties.
A. OneDrive data retention period is different for each organization based on organizational policies.
