Office 365 Employee Leaving: Your Next Steps

Your Office 365 Employee is Leaving: Here Are Your Next Steps

Office 365 Employee Leaving: Your Next Steps

For organizations using Microsoft Office 365, employee leaving is a concern for an HR manager and an admin. If you perform the offboarding procedure incorrectly, it can cause a data loss or data leak with the following consequences. If you are in the process of terminating an employee and figuring out what to do when an employee leaves, you’re in the right place.

As a leading data protection company for Office 365 applications, SpinOne has rich experience helping companies secure their data after their employees leave. We witnessed many incorrectly conducted offboarding procedures that exposed the company to many data-related risks. 

This article will help you avoid those risks by following seven best practices.

Office 365 Terminated Employee: 8 Steps to Organize Offboarding

How to manage an account and data belonging to Office 365 user leaving your company? Here are the best practices you may find beneficial:

  1. Reset the password
  2. Block the account sign-in
  3. Set up email forwarding
  4. Preserve ex-employee’s data cost-efficiently
  5. Disconnect mobile devices
  6. Discover and manage app’s access
  7. Add email alias
  8. Remove the MS Office 365 license.

Now let’s dive into details.

1. Reset the password 

The first thing you should do when Office 365 employee leaves your company is changing the password. You need to reset the password instead of just blocking the user sign-in because the latter can take up to 24 hours. In the 24-hour time window, an employee potentially can hard-delete or download confidential information.

Resetting a password takes effect immediately, and that’s why it’s the first course of action.

1. Log in to Office 365 Admin’s account and go to the Admin center

2. Select Users, then Active Users 

3. Select a user and click Reset a password (a key icon)

How to offboard an employee in Office 365

4. Generate a new password automatically or create it yourself and reset the password. From now on, an ex-employee won’t be able to access corporate account and data

5. Optionally, you can send a new password to your admin’s email or any other emails

2. Block the user from signing in to MC Office 365 account

After you reset the password, make sure the former employee won’t be able to reset it themselves in the future and block them from signing in to your Office 365 account.

1. Visit the admin center and click Users > Active users page.

2. Choose the employee’s name; on the right, you’ll see the window with the option to Block this user.

How to terminate Office 365 employee

3. Select Block the user from signing in, and then select Save.

3. Set up email forwarding, or create a shared mailbox

Before you delete the ex-employee account, create an alias, or notify their email contacts that they’re no longer available, you should set up email forwarding or create a shared mailbox. By doing so, you preserve all the important connections for future use. It enables business partners and clients can continue contacting your company using a former employee’s old email.

Note: after you remove the license and delete the account, these options won’t be working. 

To set up email forwarding:

  1. Log in to Office 365 Admin’s account and go to the Admin center;
  2. Select Users, then Active Users;
  3. Select a user. Under Mail, find Manage email forwarding;
  4. Choose a forwarding email address (it may be a former employee’s manager or successor).

With this option, you’ll be receiving only new emails.

To create a shared mailbox:

1. Visit the Exchange admin center.

2. Click Recipients > Mailboxes.

3. Select the user mailbox. Under Convert to Shared Mailbox, select Convert.

With this option, you can access both old and new emails for free if the mailbox is under 50 GB.

4. Preserve former employee’s data 

You most likely need to preserve ex-employee’s data like emails, SharePoint, and OneDrive files for compliance, legal, or business continuity reasons. Maintaining an account is possible, yet it’s pretty expensive (check out the price comparison here), especially if we’re talking about E5 subscriptions that cost $35 per month.

Archiving is a way to preserve data without paying for an account’s full price. You can use third-party backup software to archive user’s data to retain it for future use. With SpinBackup, you can preserve an archived user account for just $1.80/month, available for all Office 365 subscription plans. 

Try to archive your ex-employees’ data with no strings attached –

Get a Free 15-Day Trial

5. Disconnect mobile devices from the corporate data

To enforce your corporate MDM/BYOD policies and procedures, you may need to disconnect the leaving employee’s mobile device from access to corporate data. Here’s how:

  1. Log in to Office 365 Admin’s account and go to Outlook 
  2. Select Settings and View all Outlook settings
  3. Click General and select Mobile Devices
  4. You’ll see the list of mobile phones. Select the one you want to remove
  5. Click Wipe Device

Apart from following the corporate policies, revoking access from an ex-employee’s device is a great way to reduce the probability of data leakage.

6. Discover and manage app’s access

There are two major apps-related tasks you should do while offboarding an employee:

  1. Disconnect a user from your apps. When your colleague leaves a company, make sure that their account can not be used to access your apps anymore. This action is a way to prevent unauthorized access, which is required for security compliance reasons.
  2. Disconnect unmanaged apps installed by the user. According to Microsoft, 80% of employees use unsanctioned apps. Apps without a review from an IT team may pose significant security and compliance risks. Of course, you can ask a leaving employee about apps and extensions they had installed without your approval. But that’s not a data-driven approach. What you can do is discover all apps connected to your Office 365 data and remove them if needed. 

Both tasks can be completed using a CASB. Microsoft offers its own CASB solutionCloud App Security.

7. Add an email alias

How do you handle email when an employee leaves and you need to delete their account? The best way to preserve a former employee’s address is to create an email alias. An alias is an additional email address for an existing Outlook account. Note that a user can be assigned with more than one alias.

To set up an alias:

  1. Log in to Office 365 Admin’s account and go to the Admin center;
  2. Select Users, then Active Users;
  3. Select a user. Under Account, find Manage username and email;
  4. Assign an alias

8. Remove the Microsoft Office 365 license and reassign or delete it

When you did all the steps above, it’s time to figure out what to do with the former employee’s Microsoft license. The first step is to remove (reattach) it from the user account:

1. In the Microsoft admin center, one more time, go to Users and click Active users page;

2. Find the employee you want to remove the license from;

3. Select the Licenses and Apps tab;

4. Untick the checkboxes near the license(s) you want to remove, and then click Save changes.

After you removed the account’s license, you can access the account data for 30 days before it is deleted. Even if you delete the account itself, you still have 30 days of access to this information. After 30 days, Microsoft will permanently erase this information from their servers, so ensure you have this information backed up /archived by then.

At this stage, you still have an active license you’re paying for. You can assign it to the new employee or any other user, or you can delete it from your subscription and stop paying for it. In this case, you’ll need to buy a new license when you onboard the employee.

To delete the license from Microsoft 365:

1. Go back to the Microsoft admin center, click Billing > Your products;

2. Pick the subscription to delete the license from and click on it;

3. Click on Remove licenses;

Ho to delete an O365 license of a former employee

4. In the Remove Licenses tab, under New Quantity, change the current number of the licenses to the number you want to keep in your subscription. For example, the total number now is 7 and you want to remove 1, so you need to enter 6;

5. Press Save.

How to delete a license in Microsoft 365

Done!

Now the former employee is securely offboarded from your Microsoft Office 365 environment.

Interested to learn more about the best Office 365 security practices? Here’s a checklist for you.

Read the O365 Security Checklist!