February 4, 2021 | Reading time 12 minutes

Microsoft 365 Terminated Employee Best Practices

Learn the best practices that will help you preserve the files of a Microsoft 365 Terminated Employee and protect your company from data loss/leakage.

For organizations using Microsoft 365, an employee leaving is a concern for both the HR manager and the IT admin. If you perform the offboarding procedure incorrectly, it can cause data loss or a data leak. If you are in the process of terminating an employee and figuring out what to do when an employee leaves, you’re in the right place.

As a leading data protection company for Microsoft 365 applications, SpinOne has rich experience helping companies secure their data after employees leave. We have witnessed many incorrectly conducted offboarding procedures that exposed the company to data-related risks.

We have collected eight best practices for Microsoft 365 terminated employees to reduce risks and ensure access is removed correctly. Implementing these best practices can help organizations adhere to their employee termination security policies and minimize the risks of data leakage.

Microsoft 365 Terminated Employee Best Practices for Offboarding

How do you manage the account and data of an Office 365 user who is leaving your company? Here are the best practices you may find beneficial:

  1. Reset the password
  2. Block the account sign-in
  3. Set up email forwarding
  4. Preserve ex-employee’s data cost-efficiently
  5. Disconnect mobile devices
  6. Discover and manage the app’s access
  7. Add email alias
  8. Remove the MS Office 365 license

Now let’s dive into details.

1. Reset the password

What is the first thing to do in Microsoft 365 when an employee leaves your company? The first step is to remove the terminated employee’s access to corporate data by changing the password. You need to reset the password rather than just blocking the user’s sign-in, because the latter can take up to 24 hours to take effect. In that 24-hour window, the employee could hard-delete or download confidential information.

Resetting a password takes effect immediately, and that’s why it’s the first course of action.

  1. Log in with a Microsoft 365 admin account and go to the Admin center
  2. Select Users, then Active Users
  3. Select the user and click Reset a password (the key icon)
  4. On the Reset password page, generate a new password automatically or create one yourself, then reset the password. From this point, the ex-employee can no longer access the corporate account and data
  5. Optionally, send the new password to your admin email or any other address
  6. Select the user’s name again and, on the Account tab, select Sign out of all sessions.

Note: To initiate sign-out for other administrators, global administrator privileges are required. For non-administrator users, the action can be performed by a User Administrator or a Helpdesk Administrator user.

2. Block the user from signing in to the Microsoft 365 account

After you reset the password, make sure the former employee won’t be able to reset it themselves in the future by blocking them from signing in to Office 365.

  1. In the admin center, click Users > Account management > Search Users
  2. Choose the employee’s name on the Search Users tab; on the right, a window opens with the option to Block this user.
  3. Select Block the user from signing in, and then select Save.
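
The two steps above, plus “Sign out of all sessions” from step 1, as an added Microsoft Graph PowerShell example that is not part of the original article. The UPN is a placeholder, and the script must run as an admin whose role is allowed to manage the target account.

```powershell
# Added example, not from the original article: reset the password, block sign-in
# and revoke sessions for a leaver with Microsoft Graph PowerShell.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. leaver@contoso.example
)

# 64-symbol alphabet (no I/O/l/0/1), so "byte mod 64" picks a symbol without bias.
function New-RandomPassword([int] $Length = 24) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Directory.AccessAsUser.All is what Graph requires to change passwordProfile on
# behalf of the signed-in admin; User.ReadWrite.All covers the rest.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All' -NoWelcome

# Step 1: reset the password (takes effect immediately). The value is thrown away
# on purpose: nobody is meant to sign in to this account again.
Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
    Password                      = (New-RandomPassword)
    ForceChangePasswordNextSignIn = $true
}

# Step 2: block sign-in (the "Block this user" switch in the admin center).
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

# Sign out of all sessions: invalidates refresh tokens so Outlook, Teams and the
# OneDrive client cannot silently renew. Access tokens already issued stay valid
# until they expire (about an hour), which is why the three steps are run together.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# Verify the resulting state instead of trusting that the calls succeeded.
$u = Get-MgUser -UserId $UserPrincipalName -Property accountEnabled,lastPasswordChangeDateTime
if ($u.AccountEnabled) { throw "Sign-in is still enabled for $UserPrincipalName" }
"{0}: sign-in blocked, password last changed {1:u}, sessions revoked" -f $UserPrincipalName, $u.LastPasswordChangeDateTime
```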

3. Set up email forwarding, or create a shared mailbox

Before you delete the ex-employee’s account, create an alias, or notify their email contacts that they’re no longer available, set up email forwarding or create a shared mailbox. This preserves all the important connections for future use and lets business partners and clients keep contacting your company through the former employee’s old email address.

Note: after you remove the license and delete the account, these options no longer work.

To set up email forwarding:

  1. Log in with a Microsoft 365 admin account and go to the Admin center;
  2. Select Users, then Active Users;
  3. Select the user. Under Mail, find Manage email forwarding;
  4. Choose Forward all emails sent to this mailbox. Enter the forwarding address, and select whether you wish to retain a copy of forwarded emails;
  5. Select Save changes.

Note: don’t delete the account of the user whose email you’re forwarding or remove their license! If you do, email forwarding will stop.

With this option, you’ll be receiving only new emails. To access both old and new emails, create a shared mailbox:

  1. Visit the Exchange admin center.
  2. Click Recipients > Mailboxes.
  3. Select the user mailbox. Under Convert to Shared Mailbox, select Convert.

With this option, you can access both old and new emails for free if the mailbox is under 50 GB.

Along with forwarding emails, you will also want to let senders know that the recipient has changed. For this, set up an Office 365 auto-reply for the terminated employee:

  1. Sign in to the Microsoft 365 admin portal.
  2. Expand Admin Centers, and choose Exchange.
  3. Under Recipients > Mailboxes, select the mailbox that you want to change.
  4. Select Others, and then select Manage automatic replies under Automatic replies.
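
Email forwarding, the shared-mailbox conversion and the auto-reply from this section, as an added Exchange Online PowerShell example that is not part of the original article. `$Leaver` and `$Successor` are placeholders.

```powershell
# Added example, not from the original article: the three mailbox steps of this
# section with Exchange Online PowerShell, plus the 50 GB check the text mentions.
#Requires -Modules ExchangeOnlineManagement

$Leaver    = 'leaver@contoso.example'    # placeholder: mailbox being offboarded
$Successor = 'manager@contoso.example'   # placeholder: recipient who takes over new mail

Connect-ExchangeOnline -ShowBanner:$false

# Forward new mail and keep a copy in the old mailbox, so the successor is not
# the only holder of the correspondence.
Set-Mailbox -Identity $Leaver -ForwardingAddress $Successor -DeliverToMailboxAndForward $true

# Shared mailboxes are free only under 50 GB. TotalItemSize comes back as text such as
# "12.3 GB (13,207,024,435 bytes)", so pull the exact byte count out of the parentheses.
$sizeText = [string](Get-MailboxStatistics -Identity $Leaver).TotalItemSize
$bytes    = [int64](($sizeText -replace '^.*\(([\d,]+) bytes\).*$', '$1') -replace ',', '')
if ($bytes -gt 50GB) {
    Write-Warning ("{0} holds {1:N1} GB; a shared mailbox this large still needs a license" -f $Leaver, ($bytes / 1GB))
}
Set-Mailbox -Identity $Leaver -Type Shared

# Auto-reply for internal and external senders. The text gives no reason for
# the departure; it only redirects the sender.
$reply = "This mailbox is no longer monitored. Please contact $Successor."
Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

# Verify the end state this section expects.
$m = Get-Mailbox -Identity $Leaver
[pscustomobject]@{
    Mailbox      = $Leaver
    Type         = $m.RecipientTypeDetails            # expected: SharedMailbox
    ForwardingTo = $m.ForwardingAddress
    KeepsCopy    = $m.DeliverToMailboxAndForward
    AutoReply    = (Get-MailboxAutoReplyConfiguration -Identity $Leaver).AutoReplyState
}
```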

4. Preserve former employee’s data

You most likely need to preserve the ex-employee’s business-critical data, such as emails and SharePoint and OneDrive files, for compliance, legal, or business continuity reasons. Keeping the account is possible, yet it’s pretty expensive (check out the price comparison here), especially for E5 subscriptions, which cost $35 per month.

Archiving is the way to preserve data without paying the full price of an account. You can use third-party backup software to archive a user’s data and retain it for future use.

SpinOne – our backup and cybersecurity platform – is often used as an offboarding solution for Office 365: it lets you preserve an archived user account and is available for all Office 365 subscription plans. When our Office 365 clients terminate employees, we turn the user’s backup account into an archive, keeping all the data safely preserved and accessible in one click for just $1.80/month.

5. Disconnect mobile devices from the corporate data

If the Office 365 employee leaving the company had been using personal devices to access corporate data, you need to disconnect them by enforcing your corporate MDM/BYOD policies and procedures. Here’s how to disconnect the leaving employee’s mobile device from corporate data:

  1. Log in with an Office 365 admin account and go to Outlook
  2. Select Settings and View all Outlook settings
  3. Click General and select Mobile Devices
  4. You’ll see the list of mobile phones. Select the one you want to remove
  5. Click Wipe Device

Apart from following corporate policies, revoking access from an ex-employee’s device is a great way to reduce the probability of data leakage.
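
The same device step with Exchange Online PowerShell instead of the Outlook settings pages, as an added example that is not part of the original article. `$Leaver` and `$AdminAddress` are placeholders; the script issues an account-only wipe, which removes corporate mail and contacts and leaves the owner’s personal data alone, the usual requirement under a BYOD policy.

```powershell
# Added example, not from the original article: enumerate, wipe (account only) and
# verify the mobile device partnerships of a leaver's mailbox.
#Requires -Modules ExchangeOnlineManagement

$Leaver       = 'leaver@contoso.example'   # placeholder
$AdminAddress = 'itsec@contoso.example'    # placeholder: gets the mail when the wipe completes

Connect-ExchangeOnline -ShowBanner:$false

$devices = Get-MobileDevice -Mailbox $Leaver
if (-not $devices) { "No mobile device partnerships for $Leaver"; return }

foreach ($d in $devices) {
    # Evidence for the offboarding ticket: what was partnered and since when.
    "{0} {1} ({2}) first synced {3:u}" -f $d.DeviceType, $d.DeviceModel, $d.DeviceId, $d.FirstSyncTime

    # Drop -AccountOnly for a full factory reset of corporate-owned hardware.
    Clear-MobileDevice -Identity $d.Identity -AccountOnly -NotificationEmailAddresses $AdminAddress -Confirm:$false

    # The command is delivered on the device's next sync, so confirm it was queued.
    # DeviceWipeAckTime is filled in once the device reports completion; only then
    # should the partnership be removed with Remove-MobileDevice.
    $s = Get-MobileDeviceStatistics -Identity $d.Identity
    if (-not $s.DeviceWipeRequestTime) {
        Write-Warning "Wipe was not recorded for $($d.DeviceId)"
    } else {
        "  wipe requested {0:u}; sent: {1}; acknowledged: {2}" -f $s.DeviceWipeRequestTime, $s.DeviceWipeSentTime, $s.DeviceWipeAckTime
    }
}
```

Because the wipe rides on the device’s next sync, a device that can no longer authenticate (sign-in already blocked in steps 1 and 2) cannot pick it up; in that case the MDM tooling from your BYOD policy is the fallback for removing corporate data.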


6. Discover and manage app’s access

There are two major app-related tasks you should do while offboarding an employee:

  1. Disconnect the user from your apps. When a colleague leaves the company, make sure their account can no longer be used to access your apps. This prevents unauthorized access, which is also required for security compliance reasons.
  2. Disconnect unmanaged apps installed by the user. According to Microsoft, IT administrators often estimate that their employees use around 30 to 40 cloud apps, but the actual average is far higher, with employees typically using over 1,000 separate apps within the organization. Apps that have not been reviewed by the IT team may pose significant security and compliance risks. Of course, you can ask the leaving employee about apps and extensions they installed without your approval, but that’s not a data-driven approach. What you can do is discover all apps connected to your Office 365 data and remove them if needed.

Both tasks can be completed using a CASB. Microsoft offers its own CASB solution—Cloud App Security.

7. Add an email alias

How do you handle email when an employee leaves and you need to delete their account? The best way to preserve a former employee’s address is to create an email alias. An alias is an additional email address for an existing Outlook account and its associated cloud storage. Note that a user can have more than one alias.

To set up an alias:

  1. Log in with an Office 365 admin account and go to the Admin center;
  2. Select Users, then Active Users;
  3. Select the user. Under Account, find Manage username and email;
  4. Assign an alias by entering the new name in the Username field, select a domain and choose Add.
  5. Choose Save Changes.
  6. Wait 24 hours for the new aliases to update in Microsoft 365.

8. Remove the Microsoft Office 365 license and reassign or delete it

When you have done all the steps above, it’s time to decide what to do with the former employee’s Microsoft license. The first step is to remove (detach) it from the user account:

  1. In the Microsoft admin center, one more time, go to Users and click the Active users page;
  2. Find the employee you want to remove the license from;
  3. Select the Licenses and Apps tab;
  4. Untick the checkboxes near the license(s) you want to remove, and then click Save Changes.

After you remove the account’s license, you can access the account data for 30 days before it is deleted. Even if you delete the account itself, you still have 30 days of access to this information. After 30 days, Microsoft permanently erases it from their servers, so make sure you have it backed up or archived by then.

At this stage, you still have an active license you’re paying for. You can assign it to a new employee or any other user, or you can remove it from your subscription and stop paying for it. In the latter case, you’ll need to buy a new license when you onboard a new employee.

To delete the license from Microsoft 365:

  1. Go back to the Microsoft admin center, click Billing > Your products;
  2. Pick the subscription to delete the license from and click on it;
  3. Click on Remove licenses;
  4. In the Remove Licenses tab, under New Quantity, change the current number of the licenses to the number you want to keep in your subscription. For example, the total number now is 7 and you want to remove 1, so you need to enter 6;
  5. Press Save.
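
Steps 7 and 8 in PowerShell, as an added example that is not part of the original article: an alias is added to a mailbox with Exchange Online, then every license is removed from the leaver with Microsoft Graph and the released SKUs are listed. `$Leaver`, `$AliasTarget` and `$NewAlias` are placeholders.

```powershell
# Added example, not from the original article: add an alias, then remove all
# licenses from the leaver and verify, with a guard against removing the license
# from a mailbox that has not been converted to shared yet.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

$Leaver      = 'leaver@contoso.example'         # placeholder: account being offboarded
$AliasTarget = 'sales-shared@contoso.example'   # placeholder: mailbox that should also answer to the alias
$NewAlias    = 'smtp:leaver-alias@contoso.example'

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Step 7: a lowercase "smtp:" prefix adds a secondary address without touching the
# primary (an uppercase "SMTP:" prefix would make it the new primary).
Set-Mailbox -Identity $AliasTarget -EmailAddresses @{ add = $NewAlias }
$addresses = (Get-Mailbox -Identity $AliasTarget).EmailAddresses
if ($addresses -notcontains $NewAlias) { throw "Alias $NewAlias was not added to $AliasTarget" }

# Step 8, guard: removing the license from a mailbox that is still a user mailbox
# starts the 30-day countdown to deletion of its contents. Insist it is shared first.
$type = (Get-Mailbox -Identity $Leaver).RecipientTypeDetails
if ($type -ne 'SharedMailbox') {
    throw "$Leaver is still a $type; convert it to a shared mailbox (or archive it) before removing the license"
}

$assigned = Get-MgUserLicenseDetail -UserId $Leaver
if (-not $assigned) { "$Leaver has no licenses"; return }

# Remove every directly assigned SKU in one call; AddLicenses must be passed even
# when empty. Licenses inherited from a group cannot be removed here: take the
# user out of the licensing group instead.
Set-MgUserLicense -UserId $Leaver -AddLicenses @() -RemoveLicenses @($assigned.SkuId) | Out-Null

# Verify, then report. The released licenses return to the pool under Billing > Your products.
$remaining = Get-MgUserLicenseDetail -UserId $Leaver
if ($remaining) { throw "Licenses still assigned to $Leaver: $($remaining.SkuPartNumber -join ', ')" }
$assigned | ForEach-Object { "released {0} from {1}" -f $_.SkuPartNumber, $Leaver }
```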

Done!

Now the former employee is securely offboarded from your Microsoft 365 environment.


About Author

Dmitry Dontov is the CEO and Founder at Spin.AI.

He is a tech entrepreneur and cybersecurity expert with over 20 years of experience in cybersecurity and team management.

He also has a strong engineering background in cybersecurity and cloud data protection, making him an expert in SaaS data security.

He is the author of 2 patents and a member of Forbes Business Council.

Dmitry was Named 2023 Winner in the BIG Award for Business and Small Business Executive of the Year.

