
Office 365 Terminated Employee Best Practices

Learn the best practices that will help you to preserve the files of an Office 365 Terminated Employee and protect your company from data loss/leakage.

For organizations using Microsoft Office 365, an employee's departure is a concern for both HR managers and IT admins. If you perform the offboarding procedure incorrectly, it can cause data loss or a data leak. If you are in the process of terminating an employee and figuring out what to do when an employee leaves, you’re in the right place.

As a leading data protection company for Office 365 applications, SpinOne has rich experience helping companies secure their data after their employees leave. We have witnessed many incorrectly conducted offboarding procedures that exposed the company to data-related risks.

We have collected eight best practices for Office 365 terminated employees to reduce risks and ensure access is removed correctly. Implementing these best practices can help organizations adhere to their employee termination security policies and minimize the risks of data leakage.

Office 365 Terminated Employee: 8 Best Practices for Offboarding

How should you manage the account and data of an Office 365 user who is leaving your company? Here are the best practices you may find beneficial:

  1. Reset the password
  2. Block the account sign-in
  3. Set up email forwarding
  4. Preserve ex-employee’s data cost-efficiently
  5. Disconnect mobile devices
  6. Discover and manage app’s access
  7. Add email alias
  8. Remove the MS Office 365 license.

Now let’s dive into details.

1. Reset the password 

What is the first thing to do in Office 365 when an employee leaves your company? The first step is to remove the terminated employee's access to corporate data by changing the password. You need to reset the password instead of just blocking the user sign-in because the latter can take up to 24 hours. Within that 24-hour window, an employee can potentially hard-delete or download confidential information.

Resetting a password takes effect immediately, and that’s why it’s the first course of action.

1. Log in to Office 365 Admin’s account and go to the Admin center

2. Select Users, then Active Users 

3. Select a user and click Reset a password (a key icon)


4. Generate a new password automatically or create it yourself and reset the password. From now on, the ex-employee won’t be able to access the corporate account and data

5. Optionally, you can send the new password to your admin’s email address or any other email address

2. Block the user from signing in to MS Office 365 account

After you reset the password, make sure the former employee won’t be able to reset it themselves in the future and block them from signing in to your Office 365 account.

1. Visit the admin center and click Users > Active users page.

2. Choose the employee’s name; on the right, you’ll see the window with the option to Block this user.

3. Select Block the user from signing in, and then select Save.

3. Set up email forwarding, or create a shared mailbox

Before you delete the ex-employee account, create an alias, or notify their email contacts that they’re no longer available, you should set up email forwarding or create a shared mailbox. By doing so, you preserve all the important connections for future use. It enables business partners and clients to continue contacting your company using the former employee’s old email address.

Note: after you remove the license and delete the account, these options won’t work.

To set up email forwarding:

  1. Log in to Office 365 Admin’s account and go to the Admin center;
  2. Select Users, then Active Users;
  3. Select a user. Under Mail, find Manage email forwarding;
  4. Choose a forwarding email address (it may be a former employee’s manager or successor).

With this option, you’ll be receiving only new emails.

To create a shared mailbox:

1. Visit the Exchange admin center.

2. Click Recipients > Mailboxes.

3. Select the user mailbox. Under Convert to Shared Mailbox, select Convert.

With this option, you can access both old and new emails for free if the mailbox is under 50 GB.

4. Preserve former employee’s data 

You most likely need to preserve the ex-employee’s business-critical data, such as emails, SharePoint, and OneDrive files, for compliance, legal, or business continuity reasons. Maintaining an account is possible, yet it’s pretty expensive, especially if we’re talking about E5 subscriptions that cost $35 per month.

Archiving is the way to preserve data without paying an account’s full price. You can use third-party backup software to archive the user’s data and retain it for future use.

SpinOne – our backup and cybersecurity platform – is often used as an offboarding solution for Office 365 where you can preserve an archived user account, available for all Office 365 subscription plans. When our Office 365 clients terminate their employees, we turn the user’s backup accounts into an archive, keeping all the data safely preserved and accessible in one click for just $1.80/month. 


5. Disconnect mobile devices from the corporate data

If the Office 365 employee leaving the company has been using personal devices to access corporate data, you need to disconnect those devices by enforcing your corporate MDM/BYOD policies and procedures. Here’s how to disconnect the leaving employee’s mobile device from corporate data:

  1. Log in to Office 365 Admin’s account and go to Outlook 
  2. Select Settings and View all Outlook settings
  3. Click General and select Mobile Devices
  4. You’ll see the list of mobile phones. Select the one you want to remove
  5. Click Wipe Device

Apart from following corporate policies, revoking access from an ex-employee’s device is a great way to reduce the probability of data leakage.


6. Discover and manage app’s access

There are two major apps-related tasks you should do while offboarding an employee:

  1. Disconnect a user from your apps. When your colleague leaves the company, make sure that their account cannot be used to access your apps anymore. This action is a way to prevent unauthorized access, which is required for security compliance reasons.
  2. Disconnect unmanaged apps installed by the user. According to Microsoft, 80% of employees use unsanctioned apps. Apps without a review from an IT team may pose significant security and compliance risks. Of course, you can ask a leaving employee about apps and extensions they had installed without your approval. But that’s not a data-driven approach. What you can do is discover all apps connected to your Office 365 data and remove them if needed.

Both tasks can be completed using a CASB. Microsoft offers its own CASB solution, Cloud App Security.

7. Add an email alias

How do you handle email when an employee leaves and you need to delete their account? The best way to preserve a former employee’s address is to create an email alias. An alias is an additional email address for an existing Outlook account and its associated cloud storage. Note that a user can be assigned more than one alias.

To set up an alias:

  1. Log in to Office 365 Admin’s account and go to the Admin center;
  2. Select Users, then Active Users;
  3. Select a user. Under Account, find Manage username and email;
  4. Assign an alias

8. Remove the Microsoft Office 365 license and reassign or delete it

Once you have completed all the steps above, it’s time to figure out what to do with the former employee’s Microsoft license. The first step is to remove (detach) it from the user account:

1. In the Microsoft admin center, go to Users once more and open the Active users page;

2. Find the employee you want to remove the license from;

3. Select the Licenses and Apps tab;

4. Untick the checkboxes near the license(s) you want to remove, and then click Save Changes.

After you remove the account’s license, you can access the account data for 30 days before it is deleted. Even if you delete the account itself, you still have 30 days of access to this information. After 30 days, Microsoft will permanently erase this information from their servers, so ensure you have this information backed up or archived by then.

At this stage, you still have an active license you’re paying for. You can assign it to the new employee or any other user, or you can delete it from your subscription and stop paying for it. In this case, you’ll need to buy a new license when you onboard the employee.

To delete the license from Microsoft 365:

1. Go back to the Microsoft admin center, click Billing > Your products;

2. Pick the subscription to delete the license from and click on it;

3. Click on Remove licenses;

4. In the Remove Licenses tab, under New Quantity, change the current number of the licenses to the number you want to keep in your subscription. For example, the total number now is 7 and you want to remove 1, so you need to enter 6;

5. Press Save.


Now the former employee is securely offboarded from your Microsoft Office 365 environment.
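
Steps 1, 2, 3, 5 and 8 above, scripted in PowerShell in the order the article gives them. This is an added example, not SpinOne's or Microsoft's own script; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with user and Exchange administration rights, placeholder addresses, and an account-only wipe (suited to personal devices) rather than a full device wipe.

```powershell
# Added example: scripted offboarding for one leaver. Addresses are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. leaver@contoso.example
    [Parameter(Mandatory)] [string] $ForwardTo           # manager or successor mailbox
)
$ErrorActionPreference = 'Stop'   # never reach license removal if an earlier step failed

# Scopes are an assumption; password reset needs a directory-level delegated scope.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, AssignedLicenses

# Step 1: reset the password to a random value that is never stored or shared.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes) + 'aA1!'   # suffix satisfies complexity rules
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $false
}

# Step 2: block sign-in.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 3: forward new mail, then convert the mailbox to shared so old mail stays readable.
Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $ForwardTo `
    -DeliverToMailboxAndForward $true
Set-Mailbox -Identity $UserPrincipalName -Type Shared

# Step 5: remove corporate mail data from every device paired with the mailbox.
Get-MobileDevice -Mailbox $UserPrincipalName | ForEach-Object {
    Clear-MobileDevice -Identity $_.Identity -AccountOnly -Confirm:$false
}

# Step 8: remove licenses last; the 30-day retention clock starts here,
# so the archive from step 4 must already exist.
$skuIds = @($user.AssignedLicenses.SkuId)
if ($skuIds.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Steps 4, 6 and 7 (archiving, app discovery and aliases) are left to the tools the article names and are not covered by this script.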

Dmitry Dontov, CEO and Founder
About Author

Dmitry is the Founder and CEO of Spin.AI, a SaaS data protection company based in Palo Alto, California, and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. Dmitry is a tech entrepreneur and cybersecurity expert with over 20 years of experience in cybersecurity and team management. Dmitry has a strong engineering background in cybersecurity and cloud data protection, making him an expert in SaaS data security who has an ability to influence teams. Author of 2 patents. Member of Forbes Business Council.