Offboarding an M365 User

Purpose

Ensure that when an employee leaves, their access is fully revoked, their data is preserved according to retention policy, and their license is reclaimed in a timely manner.

Scope

Applies to all full-time and contract staff with Microsoft 365 accounts.

Prerequisites

• Global Admin or User Administrator role in Entra ID
• Access to Microsoft 365 Admin Center
• Knowledge of the departing user’s manager

Procedure

1. Block sign-in immediately

1. Open Entra ID admin center
2. Navigate to Users > All users
3. Select the departing user
4. Under Properties, set Account enabled to No
5. Click Save

Blocking sign-in invalidates all active sessions within the hour. For immediate revocation, also go to Authentication methods and select Revoke sessions.

2. Reset the password

Change the password to a randomly generated value that no one retains. This prevents any cached credentials from being used.

3. Remove from all groups and roles

1. Under the user’s profile, open Groups
2. Remove from all security groups, M365 groups, and Teams
3. Check Assigned roles and remove any admin roles

4. Forward email and set out-of-office

1. In Exchange Admin Center, go to Recipients > Mailboxes
2. Select the user, open Manage mailbox delegation
3. Add the user’s manager under Read and manage (Full Access)
4. Optionally configure a mail forwarding rule or auto-reply

5. Preserve the mailbox

Do not delete the account immediately. Convert the mailbox to a shared mailbox to preserve data without consuming a paid license:

1. In Exchange Admin Center, select the user’s mailbox
2. Choose Convert to shared mailbox
3. Remove the assigned M365 license from the user account

Shared mailboxes do not require a license as long as they are under 50GB.

6. Transfer OneDrive access

1. In M365 Admin Center, go to Users > Active users
2. Select the user, choose OneDrive
3. Under Get access to files, set the manager as the delegate
4. The manager will receive an email with a link to the files

7. Reclaim the license

Once the mailbox is converted to shared and OneDrive is delegated:

1. Go to Users > Active users, select the user
2. Open Licenses and apps
3. Uncheck all assigned licenses
4. Click Save changes

8. Document and close

Record the offboarding in your IT ticket system with:

• Date of offboarding
• Who authorized it
• Whether a litigation hold was applied
• License reclaimed and date

Notes

• If the user is subject to a legal hold, do not convert to shared mailbox or delete any data. Consult legal before proceeding.
• Review after 90 days whether the shared mailbox is still needed.