Top 9 Microsoft 365 Offboarding Best Practices

The offboarding process in Microsoft 365 is an essential step in protecting your organization's data integrity. When an employee leaves, they don't just walk out the door with memories and experiences; they potentially leave with access to digital assets and sensitive information. 

This makes it crucial to have a watertight offboarding strategy in place. The goal? To ensure a seamless transition that maintains your organization's security and operational flow. In this guide, we'll explore 9 Microsoft 365 offboarding best practices that are key to achieving a foolproof process.

Why is Secure Microsoft 365 Offboarding Important?

48% of organizations acknowledge that ex-employees continue to have access to their corporate networks.

As vital as it is to onboard employees effectively, ensuring a secure and thorough offboarding process is equally crucial. Here's why secure offboarding in Microsoft 365 matters:

  • To Protect Sensitive Data: When employees leave, they take with them extensive knowledge of your business operations and potentially access to sensitive data. Secure offboarding ensures that access to critical information is revoked, safeguarding your business from data breaches or leaks.
  • To Maintain Compliance: Various regulations, like GDPR or HIPAA, mandate strict control over access to personal and sensitive data. Failure to properly offboard employees can result in non-compliance, leading to legal repercussions and hefty fines.
  • To Prevent Unauthorized Access: Ex-employees with lingering access can pose significant security risks. They might inadvertently or maliciously access, modify, or share company data. Secure offboarding includes revoking access permissions, ensuring that only current, authorized personnel have access to your Microsoft 365 environment.

Now that we’ve discussed the importance of Microsoft 365 offboarding, let’s take a look at its best practices.

9 Best Practices for Microsoft 365 Offboarding

When an employee leaves your organization, it's crucial to have a comprehensive offboarding process for Microsoft 365 to ensure security and continuity. Offboarding is not just about revoking access; it involves a series of strategic steps to safeguard sensitive information, maintain operational efficiency, and comply with data retention policies. 

Implementing best practices in the offboarding process protects your organization from potential security breaches and data loss, while also ensuring a smooth transition of responsibilities. Here are the top 9 best practices to follow when offboarding an employee from Microsoft 365:

1. Log out the former employee from all Microsoft 365 sessions

Begin by ensuring the former employee is logged out of all active Microsoft 365 sessions. This can be achieved through the Microsoft 365 admin center, where an administrator has the capability to end all active sessions associated with the user's account.

To make this step faster and easier, you can also use Resmo, a SaaS security solution. Resmo shows all your employees’ SaaS accounts, authorized/unauthorized. Use the offboarding option on Resmo to:

Logging out ex-employees is crucial for preventing any further access to emails, documents, or any other company data accessible via Microsoft 365. It's a fundamental security measure to safeguard against unauthorized access and potential data breaches.

2. Prevent them from logging in and block access

To ensure the former employee cannot log back in, their account settings need to be altered. This involves changing the user's password and setting their account status to disabled. By doing so, their credentials become invalid for any future login attempts. 

Additionally, it's important to review and revoke any active authentication tokens which might allow access through other devices or applications. This step is pivotal in maintaining the integrity of your organization's data and systems.
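Steps 1 and 2 can be run together from PowerShell. The script below is an added example, not code from this post or from Microsoft; it assumes a cloud-only account, the Microsoft.Graph module, an administrator role that may reset this user's password, and a placeholder UPN.

```powershell
# Added example: contain a departing user's account (steps 1 and 2).
# Assumption: cloud-only account. Accounts synced from local Active
# Directory must be disabled there instead.
$Upn = 'departing.user@example.com'   # constructed placeholder

# Directory.AccessAsUser.All lets the signed-in admin reset the password,
# subject to the admin's own directory role.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Block sign-in so no new session can be started.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Replace the password with a random value that nobody knows.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes) + '!a1'
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Invalidate refresh tokens and browser session cookies on every device.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Read the account back and report what is now in effect.
$check = Get-MgUser -UserId $user.Id `
    -Property UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime
[pscustomobject]@{
    User               = $check.UserPrincipalName
    SignInBlocked      = -not $check.AccountEnabled
    SessionsValidFrom  = $check.SignInSessionsValidFromDateTime
}
```

Access tokens that were already issued stay valid until they expire, typically around an hour, so allow for that window before treating every client as cut off.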

3. Archive mailbox contents

Before proceeding with account deletion, it's essential to archive the former employee’s email contents. This process can be accomplished by exporting the mailbox to a PST file, which can then be stored securely. 

Alternatively, Microsoft 365 offers archiving solutions that can automatically archive emails based on defined policies. Archiving is important for retaining valuable information and ensuring legal compliance, especially if the emails are required for audits or legal matters in the future.

4. Secure ex-employee’s mobile devices

If the ex-employee had access to Microsoft 365 on their mobile devices, it's important to ensure that these devices no longer have access to company data. This can involve remotely wiping company data from their devices or revoking their access to company applications via mobile device management (MDM) solutions. 

This step is critical for preventing data leaks or unauthorized access from devices that are no longer under the company's control.

5. Forward the mailbox content to another employee or convert to a shared mailbox

To ensure business continuity, you may need to forward the ex-employee's emails to a current employee, or convert the mailbox into a shared mailbox. Forwarding emails can be set up to automatically redirect incoming mail to a designated colleague. 

Converting to a shared mailbox allows multiple users to access and manage the mailbox, which is useful for team-based roles or when handling client communications. This step is essential for maintaining seamless communication and operational efficiency.

6. Transfer OneDrive and Outlook data

Important documents and data stored in the ex-employee’s OneDrive should be transferred to a secure location accessible to the relevant team or department. This involves identifying critical files and folders and moving them to another employee's OneDrive or a shared location. 

For Outlook, ensure that any essential contacts, calendar appointments, or tasks are exported and shared with relevant team members. This step is crucial to retain important project files, contacts, and schedules that are vital for ongoing business operations.

You might also want to check if the former employee has any access to your business documents on Google Drive and other cloud document services. See Resmo’s cloud document security option.

7. Remove or delete the Microsoft 365 license from the former employee

After securing all necessary data and ensuring that no further access is required by the former employee, proceed to remove or delete their Microsoft 365 license. This can be done through the Microsoft 365 admin center. 

Removing the license frees it up for allocation to a new employee, optimizing your organization's resource usage. Additionally, this step helps in reducing unnecessary costs associated with maintaining unused licenses.
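The order of steps 5 and 7 matters: a user mailbox that loses its Exchange Online license is scheduled for deletion, while a shared mailbox under 50 GB needs no license. The script below is an added example, not code from this post; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules, directly assigned licenses, and placeholder addresses.

```powershell
# Added example: convert the mailbox to shared, confirm it, then free licenses.
$Upn      = 'departing.user@example.com'   # constructed placeholder
$Delegate = 'team.lead@example.com'        # constructed placeholder

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Step 5: convert to a shared mailbox and give a current employee access.
Set-Mailbox -Identity $Upn -Type Shared
Add-MailboxPermission -Identity $Upn -User $Delegate `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# Guard: do not touch licenses until Exchange reports the new type.
# The change can take a short while to show; re-run if this throws.
$mailbox = Get-Mailbox -Identity $Upn
if ($mailbox.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "Mailbox $Upn is still '$($mailbox.RecipientTypeDetails)'; licenses left in place."
}

# Step 7: remove every license assigned directly to the user.
# Licenses inherited from a group are removed by changing group membership.
$skuIds = @(Get-MgUserLicenseDetail -UserId $Upn |
    Select-Object -ExpandProperty SkuId)
if ($skuIds.Count -gt 0) {
    Set-MgUserLicense -UserId $Upn -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
}

# Report the end state for the offboarding record.
[pscustomobject]@{
    User             = $Upn
    MailboxType      = $mailbox.RecipientTypeDetails
    LicensesRemoved  = $skuIds.Count
    LicensesLeft     = @(Get-MgUserLicenseDetail -UserId $Upn).Count
}
```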

8. Delete the ex-employee’s user account

According to a survey of IT decision makers, 70% stated that deprovisioning a single former employee’s corporate application accounts can take as long as an hour.

Following the completion of all prior steps, it's safe to delete the ex-employee's user account. This action should be performed with caution, as it permanently removes the user’s profile, along with any associated data not previously archived or transferred. 

Prior to deletion, ensure all necessary steps have been completed to secure any valuable data. Account deletion is a critical step in maintaining your organization’s security posture, as it eliminates any potential access points that might be exploited for unauthorized access.

9. Reassign licenses to new employees

Finally, reassign any licenses that have become available as a result of the offboarding process. These licenses can be allocated to new hires or existing employees who require upgraded access. 

Efficient license management ensures that you are maximizing the value of your Microsoft 365 investment and that all employees have the tools they need to be productive. Regularly reviewing and managing your license allocation can also help in identifying unused or underutilized licenses, further optimizing costs.

Is Your Organization Using Active Directory?

If your organization syncs user accounts to Microsoft 365 from a local Active Directory system, it's essential to remember that user account management, including deletion and restoration, should be done within your local Active Directory. These actions cannot be performed directly in Microsoft 365.

To find out how to delete and restore user accounts in your local Active Directory, please refer to the "Delete a User Account" resource.

Simplify Microsoft 365 Offboarding with Resmo

Resmo is a comprehensive tool for SaaS management and security. It enables organizations to discover SaaS app usage, pinpoint security vulnerabilities like over-permissive access rights and weak passwords, and centralize control for a streamlined offboarding process. 

  • Easily manage and revoke access rights during the offboarding process.
  • Ensure all sensitive data is accounted for in the offboarding checklist.
  • Remove or transfer user accounts in a few simple steps.
  • Transfer ownership in minutes.

Visit Resmo to learn more about optimizing your offboarding procedures for a secure, streamlined experience. Start your free trial to see it for yourself.

Microsoft 365 Offboarding: FAQ

How do I offboard an employee in Microsoft 365?

Offboarding an employee in Microsoft 365 involves several key steps to ensure data security and compliance. Start by revoking the employee's access by resetting their password and disabling their account. Next, archive their mailbox contents and manage their email forwarding or convert it to a shared mailbox. Transfer or secure data from their OneDrive and SharePoint. Finally, remove their Microsoft 365 license and delete the user account. Remember to document each step for compliance and auditing purposes.

What happens to OneDrive when an employee leaves?

When an employee leaves, their OneDrive content remains accessible to the administrator for a period (typically 30 days). During this time, it's important to transfer any necessary documents to another employee or save them for archival purposes. After this period, the OneDrive account and its contents are permanently deleted. Proactive management of OneDrive data is crucial during the offboarding process to prevent data loss.

How do I offboard an employee in Active Directory?

Offboarding an employee in Active Directory requires you to disable their account, which prevents any future logins. Before disabling, transfer any relevant data from their profile and ensure all group memberships are updated. It's also important to update any scripts or automated processes the employee was responsible for. After ensuring all responsibilities and data are transferred, you can proceed to disable or delete the account as per your organization's policy.

How do I offboard a user?

Offboarding a user, regardless of the platform, should be done methodically. Start by revoking their access to any company systems, including email and cloud services. Retrieve any company-owned equipment. Archive or transfer their work data, and ensure that their responsibilities are reassigned. Notify relevant departments about the offboarding to update records and handle final pay or benefits. Document every step for a smooth transition and to meet any legal or compliance requirements.
