Top 9 Microsoft 365 Offboarding Best Practices

Written by Hatice Ozsahan and David Worthington on February 1, 2024

Share This Article

The offboarding process in Microsoft 365 (M365) is an essential step in protecting your organization’s data integrity. When an employee leaves, they don’t just walk out the door with memories and experiences; they potentially leave with access to digital assets and sensitive information.

This makes it crucial to have a watertight offboarding strategy in place. The goal? To ensure a seamless transition that maintains your organization’s security and operational flow. In this guide, we’ll explore 9 M365 offboarding best practices that are key to achieve a foolproof process.

Note: Still unsure about migrating off of M365? Learn more about its risks and downsides.

Why is Secure Microsoft 365 Offboarding Important?

48% of organizations acknowledge that ex-employees continue to have access to their corporate networks.

As vital as it is to onboard employees effectively, ensuring a secure and thorough offboarding process is equally crucial. Here’s why secure offboarding in M365 matters:

  • To Protect Sensitive Data: When employees leave, they take with them extensive knowledge of your business operations and potentially access to sensitive data. Secure offboarding ensures that access to critical information is revoked, safeguarding your business from data breaches or leaks.
  • To Maintain Compliance: Various regulations, like GDPR or HIPAA, mandate strict control over access to personal and sensitive data. Failure to properly offboard employees can result in non-compliance, leading to legal repercussions and hefty fines.
  • To Prevent Unauthorized Access: Ex-employees with lingering access can pose significant security risks. They might inadvertently or maliciously access, modify, or share company data. Secure offboarding includes revoking access permissions, ensuring that only current, authorized personnel have access to your M365 environment.

Now that we’ve discussed the importance of M365 offboarding, let’s take a look at its best practices.

1. Log the former employee out of all M365 sessions

Begin by ensuring the former employee is logged out of all active M365 sessions. This can be achieved through the M365 admin center, where an administrator has the capability to end all active sessions associated with the user’s account.

Logging out ex-employees is crucial for preventing any further access to emails, documents, or any other company data accessible via M365. It’s a fundamental security measure to safeguard against unauthorized access and potential data breaches.

2. Prevent them from logging in and block access

To ensure the former employee cannot log back in, their account settings need to be altered. This involves changing the user’s password and setting their account status to disabled. By doing so, their credentials become invalid for any future login attempts.

Additionally, it’s important to review and revoke any active authentication tokens which might allow access through other devices or applications. This step is pivotal in maintaining the integrity of your organization’s data and systems.

3. Archive mailbox contents

Before proceeding with account deletion, it’s essential to archive the former employee’s email contents. This process can be accomplished by exporting the mailbox to a PST file, which can then be stored securely.

Alternatively, M365 offers archiving solutions that can automatically archive emails based on defined policies. Archiving is important for retaining valuable information and ensuring legal compliance, especially if the emails are required for audits or legal matters in the future.

4. Secure ex-employee’s mobile devices

If the ex-employee had access to M365 on their mobile devices, it’s important to ensure that these devices no longer have access to company data. This can involve remotely wiping company data from their device’s application and data partition or revoking their access to company applications via mobile device management (MDM) solutions.

This step is critical for preventing data leaks or unauthorized access from devices that are no longer under the company’s control.

5. Forward the mailbox content to another employee or convert to a shared mailbox

To ensure business continuity, you may need to forward the ex-employee’s emails to a current employee, or convert the mailbox into a shared mailbox. Forwarding emails can be set up to automatically redirect incoming mail to a designated colleague.

Converting to a shared mailbox allows multiple users to access and manage the mailbox, which is useful for team-based roles or when handling client communications. This step is essential for maintaining seamless communication and operational efficiency.

6. Transfer OneDrive and Outlook data

Important documents and data stored in the ex-employee’s OneDrive™ should be transferred to a secure location accessible to the relevant team or department. This involves identifying critical files and folders and moving them to another employee’s OneDrive or a shared location.

For Outlook, ensure that any essential contacts, calendar appointments, or tasks are exported and shared with relevant team members. This step is crucial to retain important project files, contacts, and schedules that are vital for ongoing business operations.

You might also want to check if the former employee has any access to your business documents on Google Drive and other cloud document services.

7. Remove or delete the M365 license from the former employee

After securing all necessary data and ensuring that no further access is required by the former employee, proceed to remove or delete their M365 license. This can be done through the M365 admin center.

Removing the license frees it up for allocation to a new employee, optimizing your organization’s resource usage. Additionally, this step helps in reducing unnecessary costs associated with maintaining unused licenses.

8. Delete the ex-employee’s user account

According to a survey of IT decision makers, 70% stated that deprovisioning a single former employee’s corporate application accounts can take as long as an hour.

Following the completion of all prior steps, it’s safe to delete the ex-employee’s user account. This action should be performed with caution, as it permanently removes the user’s profile, along with any associated data not previously archived or transferred.

Prior to deletion, ensure all necessary steps have been completed to secure any valuable data. Account deletion is a critical step in maintaining your organization’s security posture, as it eliminates any potential access points that might be exploited for unauthorized access.

9. Reassign licenses to new employees

Finally, reassign any licenses that have become available as a result of the offboarding process. These licenses can be allocated to new hires or existing employees who require upgraded access.

Efficient license management ensures that you are maximizing the value of your M365 investment and that all employees have the tools they need to be productive. Regularly reviewing and managing your license allocation can also help in identifying unused or underutilized licenses, further optimizing costs.

Is Your Organization Using Active Directory?

If your organization syncs user accounts to M365 from a local Active Directory (AD) system, it’s essential to remember that user account management, including deletion and restoration, should be done within your local Active Directory. These actions cannot be performed directly in M365.

To find out how to delete and restore user accounts in your local Active Directory, please refer to the “Delete a User Account” resource.

JumpCloud’s Open Directory Eases Migrations

JumpCloud’s open directory platform syncs with M365 and integrates with Active Directory, so that you can set up the authentication flows that are right for your transition. Log into services with your Microsoft credentials through federation or delegation or make JumpCloud your authoritative directory. 

JumpCloud is a Google Partner and can be used to enable the transition from M365 or AD to Google Workspace. ​​You can try JumpCloud for free to determine if it’s right for your organization.

Our customers tell us that asset management is also important for security and IT operations. JumpCloud is enhancing its platform to unify SaaS, IT security, and asset management.

Hatice Ozsahan
David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter