The offboarding process in Microsoft 365 (M365) is an essential step in protecting your organization’s data integrity. When an employee leaves, they don’t just walk out the door with memories and experiences; they potentially leave with access to digital assets and sensitive information.<\/p>\n\n\n\n
This makes it crucial to have a watertight offboarding strategy in place. The goal? To ensure a seamless transition that maintains your organization’s security and operational flow. In this guide, we’ll explore 9 M365 offboarding best practices that are key to achieve a foolproof process.<\/p>\n\n\n\n
Note<\/strong>: Still unsure about migrating off of M365? Learn more about its risks and downsides<\/a>.<\/p>\n\n\n\n 48%<\/a> of organizations acknowledge that ex-employees continue to have access to their corporate networks.<\/p>\n\n\n\n As vital as it is to onboard employees effectively, ensuring a secure and thorough offboarding process is equally crucial. Here’s why secure offboarding in M365 matters:<\/p>\n\n\n\n Now that we\u2019ve discussed the importance of M365 offboarding, let\u2019s take a look at its best practices.<\/p>\n\n\n\n Begin by ensuring the former employee is logged out of all active M365 sessions. This can be achieved through the M365 admin center, where an administrator has the capability to end all active sessions associated with the user’s account. Logging out ex-employees is crucial for preventing any further access to emails, documents, or any other company data accessible via M365. It’s a fundamental security measure to safeguard against unauthorized access and potential data breaches.<\/p>\n\n\n\n To ensure the former employee cannot log back in, their account settings need to be altered. This involves changing the user’s password and setting their account status to disabled. By doing so, their credentials become invalid for any future login attempts.<\/p>\n\n\n\n Additionally, it’s important to review and revoke any active authentication tokens which might allow access through other devices or applications. This step is pivotal in maintaining the integrity of your organization’s data and systems.<\/p>\n\n\n\n Before proceeding with account deletion, it’s essential to archive the former employee\u2019s email contents. This process can be accomplished by exporting the mailbox to a PST file, which can then be stored securely.<\/p>\n\n\n\n Alternatively, M365 offers archiving solutions that can automatically archive emails based on defined policies. Archiving is important for retaining valuable information and ensuring legal compliance, especially if the emails are required for audits or legal matters in the future.<\/p>\n\n\n\n If the ex-employee had access to M365 on their mobile devices, it’s important to ensure that these devices no longer have access to company data. This can involve remotely wiping company data from their device\u2019s application and data partition or revoking their access to company applications via mobile device management<\/a> (MDM) solutions.<\/p>\n\n\n\n This step is critical for preventing data leaks or unauthorized access from devices that are no longer under the company’s control.<\/p>\n\n\n\n To ensure business continuity, you may need to forward the ex-employee’s emails to a current employee, or convert the mailbox into a shared mailbox. Forwarding emails can be set up to automatically redirect incoming mail to a designated colleague.<\/p>\n\n\n\n Converting to a shared mailbox allows multiple users to access and manage the mailbox, which is useful for team-based roles or when handling client communications. This step is essential for maintaining seamless communication and operational efficiency.<\/p>\n\n\n\n Important documents and data stored in the ex-employee\u2019s OneDrive\u2122 should be transferred to a secure location accessible to the relevant team or department. This involves identifying critical files and folders and moving them to another employee’s OneDrive or a shared location.<\/p>\n\n\n\n For Outlook, ensure that any essential contacts, calendar appointments, or tasks are exported and shared with relevant team members. This step is crucial to retain important project files, contacts, and schedules that are vital for ongoing business operations.<\/p>\n\n\n\n You might also want to check if the former employee has any access to your business documents on Google Drive and other cloud document services.<\/p>\n\n\n\n After securing all necessary data and ensuring that no further access is required by the former employee, proceed to remove or delete their M365 license. This can be done through the M365 admin center.<\/p>\n\n\n\n Removing the license frees it up for allocation to a new employee, optimizing your organization’s resource usage. Additionally, this step helps in reducing unnecessary costs associated with maintaining unused licenses.<\/p>\n\n\n\n According to a survey of IT decision makers, 70%<\/a> stated that deprovisioning a single former employee\u2019s corporate application accounts can take as long as an hour.<\/p>\n\n\n\n Following the completion of all prior steps, it’s safe to delete the ex-employee’s user account. This action should be performed with caution, as it permanently removes the user\u2019s profile, along with any associated data not previously archived or transferred.<\/p>\n\n\n\n Prior to deletion, ensure all necessary steps have been completed to secure any valuable data. Account deletion is a critical step in maintaining your organization\u2019s security posture, as it eliminates any potential access points that might be exploited for unauthorized access.<\/p>\n\n\n\n Finally, reassign any licenses that have become available as a result of the offboarding process. These licenses can be allocated to new hires or existing employees who require upgraded access.<\/p>\n\n\n\n Efficient license management ensures that you are maximizing the value of your M365 investment and that all employees have the tools they need to be productive. Regularly reviewing and managing your license allocation can also help in identifying unused or underutilized licenses, further optimizing costs.<\/p>\n\n\n\n If your organization syncs user accounts to M365 from a local Active Directory (AD) system, it’s essential to remember that user account management, including deletion and restoration, should be done within your local Active Directory. These actions cannot be performed directly in M365.<\/p>\n\n\n\n To find out how to delete and restore user accounts in your local Active Directory, please refer to the “Delete a User Account<\/a>” resource.<\/p>\n\n\n\n JumpCloud\u2019s open directory platform syncs with M365<\/a> and integrates with Active Directory<\/a>, so that you can set up the authentication flows that are right for your transition. Log into services with your Microsoft credentials through federation or delegation or make JumpCloud your authoritative directory. <\/p>\n\n\n\n JumpCloud is a Google Partner<\/a> and can be used to enable the transition from M365 or AD to Google Workspace<\/a>. \u200b\u200bYou can try JumpCloud for free<\/a> to determine if it\u2019s right for your organization.<\/p>\n\n\n\nWhy is Secure Microsoft 365 Offboarding Important?<\/h2>\n\n\n\n
\n
1. Log the former employee out of all M365 sessions<\/h2>\n\n\n\n
<\/p>\n\n\n\n2. Prevent them from logging in and block access<\/h2>\n\n\n\n
3. Archive mailbox contents<\/h2>\n\n\n\n
4. Secure ex-employee\u2019s mobile devices<\/h2>\n\n\n\n
5. Forward the mailbox content to another employee or convert to a shared mailbox<\/h2>\n\n\n\n
6. Transfer OneDrive and Outlook data<\/h2>\n\n\n\n
7. Remove or delete the M365 license from the former employee<\/h2>\n\n\n\n
8. Delete the ex-employee\u2019s user account<\/h2>\n\n\n\n
9. Reassign licenses to new employees<\/h2>\n\n\n\n
Is Your Organization Using Active Directory?<\/h2>\n\n\n\n
JumpCloud\u2019s Open Directory Eases Migrations<\/h2>\n\n\n\n