Depending on which source you believe, somewhere between 30 and 50 percent of ex-employees retain access to a previous employer's cloud systems after termination. Most ex-employees are trustworthy, but every orphaned account is a security (and legal) risk for your company: if no one is actively monitoring it, an attacker who obtains the credentials can operate unnoticed with exactly the same access that ex-employee had.
Follow these simple steps to securely offboard an employee. The screenshots assume a "cloud-only" account (not synced from on-premises Active Directory; for a synced account, block sign-in and reset the password on-premises or the sync will overwrite your changes) and a device that is not Intune enrolled (even though we recommend that you have all devices Intune enrolled!).
Before we get to the pictures, first decide whether you might need access to this user's data later. If you think you might, consider placing the mailbox on a litigation hold (this requires Exchange Online Plan 2 or an add-on license). If you just want to keep access to the email, convert the mailbox to a shared mailbox and remove the license (a shared mailbox under 50 GB does not need one, which saves you money!).
Our recommendation: keep the license in place for 30 days and give department managers, co-workers, and anyone else plenty of time to make sure that any important data has been transferred to someone in your company.
Be careful: once you remove a license from a user in Microsoft 365, the mailbox data is deleted after 30 days and there is no way to recover it (not even Microsoft can recover it!), unless the mailbox is on hold or covered by a retention policy. If you are just not sure, feel free to reach out to our team for some advice!
These steps should be carried out by someone with the Global Administrator role in your company (they will need access to the Microsoft 365 Admin Center). A User Administrator can do the account and licensing steps, but the mailbox changes in Step 2 typically also require the Exchange Administrator role.
Step 1: Block Access and sign out of active sessions.
Sign out of all sessions. This revokes the user's refresh tokens and browser sessions, which is especially important for mobile devices that are not enrolled in Intune. Two caveats: access tokens that have already been issued stay valid until they expire (about an hour by default), so block sign-in first and revoke sessions immediately afterwards; and this only signs the user out, it does not remove the data that may be cached on their phone or laptop (that is why you need Intune!).
Block sign-in. Block sign-in even if you intend to keep the account around for a while (for forwarding or as a shared mailbox). A blocked account cannot obtain new tokens, so the session revocation above cannot be undone by simply signing in again.
Reset password. Even if you are blocking sign-in, we still recommend resetting the password to a long random value. You do not want to fall victim to a password spray or credential stuffing attack because the ex-employee had bad password hygiene and reused that password elsewhere.
Want to do a quick check of your company's password hygiene? Our team can do a free dark web analysis of your company's exposed credentials.
Step 2: Manage access to the mailbox.
Manage email forwarding. If you want inbound email forwarded to another team member, you can set that up here. Remember that forwarding alone does not give anyone access to the existing mail in the mailbox.
Manage automatic replies. If you want to tell senders that the employee is no longer with the company and who to contact instead, enter that message here.
Convert to a shared mailbox. If you just want to retain the data in the mailbox and/or give someone else access to the mail without consuming a license, choose this option. Do the conversion before you remove the license in Step 3, not after: a user mailbox with no license is scheduled for deletion, while a shared mailbox under 50 GB is not. Keep sign-in blocked on the converted account; nobody should ever log in to a shared mailbox directly.
Step 3: Remove any unused or unneeded licenses.
Remove Licenses and apps. If you need to make any licensing changes, you can do that on this screen. Remember, if you remove the license from a user mailbox, its data is deleted after 30 days (unless it is on hold). You can always convert the mailbox to a shared mailbox first or move the user to a less expensive license.
Step 4: Give access to the user’s files in OneDrive.
Create link to files. You can give another employee access to the ex-employee's OneDrive by clicking Create link to files. We recommend having that employee copy any files they may need to their own OneDrive within 30 days: removing the license does not delete the OneDrive, but once the account itself is deleted the OneDrive is kept only for the retention period configured in the SharePoint admin center (30 days by default).
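If you offboard people regularly, the same four steps (plus the optional litigation hold from the introduction) can be scripted so nothing is forgotten and the order is always right. The following PowerShell is an added example written for this post, not a script from the original walkthrough or from Microsoft. It assumes a hypothetical tenant "contoso", departing user jdoe@contoso.com and manager mgr@contoso.com who inherits the mail and files; it uses the Microsoft Graph, Exchange Online and SharePoint Online PowerShell modules and must be run by a Global Administrator.

```powershell
# Added example (not from the original post). Hypothetical tenant, user and manager below.
# Requires: Install-Module Microsoft.Graph, ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell
$Upn        = 'jdoe@contoso.com'   # departing employee (hypothetical)
$Manager    = 'mgr@contoso.com'    # inherits mail and files (hypothetical)
$TenantName = 'contoso'            # used to build the -admin and -my SharePoint URLs

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# --- Step 1: block sign-in, rotate the password, then revoke existing sessions ---
# Block first so no new tokens can be issued, then invalidate what is already out there.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 32-character random password nobody ever sees: defeats password spray / credential
# stuffing with an old, reused password even if sign-in is later re-enabled by mistake.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# Revokes refresh tokens and session cookies. Access tokens already issued remain valid
# until they expire (about an hour by default), which is why sign-in was blocked first.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# --- Step 2: mailbox handling (decide about holds BEFORE touching licenses) ---
# Optional: litigation hold if the data may be needed later (needs Exchange Online Plan 2 or add-on).
# Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true

Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Enabled `
    -InternalMessage "This employee has left Contoso. Please contact $Manager." `
    -ExternalMessage "This employee has left Contoso. Please contact $Manager."

# Forward new mail to the manager and keep a copy in the mailbox.
Set-Mailbox -Identity $Upn -ForwardingAddress $Manager -DeliverToMailboxAndForward $true

# Convert to shared and grant the manager full access. Do this BEFORE removing the license:
# an unlicensed user mailbox is scheduled for deletion; a shared mailbox under 50 GB is not.
Set-Mailbox -Identity $Upn -Type Shared
Add-MailboxPermission -Identity $Upn -User $Manager -AccessRights FullAccess -AutoMapping $true | Out-Null

# --- Step 3: remove licenses (only after the shared-mailbox conversion has completed) ---
$skus = (Get-MgUserLicenseDetail -UserId $Upn).SkuId
if ($skus) {
    Set-MgUserLicense -UserId $Upn -AddLicenses @() -RemoveLicenses $skus | Out-Null
}

# --- Step 4: give the manager access to the ex-employee's OneDrive ---
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
# Personal site URL is the UPN with '@' and '.' replaced by '_' (jdoe_contoso_com).
$oneDriveUrl = "https://$TenantName-my.sharepoint.com/personal/" + ($Upn -replace '[@.]', '_')
Set-SPOUser -Site $oneDriveUrl -LoginName $Manager -IsSiteCollectionAdmin $true | Out-Null

# --- Verify: the evidence you would paste into the offboarding ticket ---
$user = Get-MgUser -UserId $Upn -Property AccountEnabled,SignInSessionsValidFromDateTime
$mbx  = Get-Mailbox -Identity $Upn
[pscustomobject]@{
    SignInBlocked     = -not $user.AccountEnabled                          # expect True
    SessionsRevokedAt = $user.SignInSessionsValidFromDateTime              # expect today's timestamp
    MailboxType       = $mbx.RecipientTypeDetails                          # expect SharedMailbox
    ForwardingTo      = $mbx.ForwardingAddress
    LicensesRemaining = @(Get-MgUserLicenseDetail -UserId $Upn).Count       # expect 0
    OneDriveAdmin     = (Get-SPOUser -Site $oneDriveUrl -LoginName $Manager).IsSiteAdmin  # expect True
}
```

Two design choices worth calling out: the script disables the account before revoking sessions, because revocation only stops refresh tokens and a still-enabled account could simply sign in again; and it converts the mailbox to shared and waits for that to finish before removing licenses, because doing those in the opposite order is how mailboxes get scheduled for deletion by accident. Try it against a test user in a non-production tenant first, and if you prefer the 30-day grace period recommended above, run Step 3 as a separate scheduled job.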
Remember, these screenshots make several assumptions about your Microsoft 365 environment, so if you are not 100% sure, make sure to check with your IT department, Microsoft Partner, or feel free to contact us for some advice!