

Microsoft 365 Offboarding Procedures: A Step-by-Step Guide to Secure Data and Reclaim Devices

When an employee leaves your company, securing their data and ensuring a smooth transition is essential. Whether you’re dealing with Microsoft 365 mailboxes, third-party applications, or compliance issues, having a comprehensive offboarding process in place will protect your business from data loss or unauthorized access. This guide will walk you through actionable steps to ensure a secure and seamless offboarding experience, including data governance through Microsoft Purview.

Why Data Backups Are Crucial
Step 1: Always Perform Regular Backups
Backing up user data (such as Microsoft 365 mailboxes, OneDrive, and SharePoint) is a critical safeguard. Affordable backup solutions can start as low as $20/month for up to 10 users, covering OneDrive, SharePoint, and email.
Best Practice: Always back up user data before making any changes. A good backup ensures you can restore critical information if needed. Look for backup providers offering automatic daily backups for Microsoft 365 environments, ensuring a fail-safe against data deletion or other issues.

Standard Operating Procedures (SOP) for Employee Exits
Step 2: Have a Clear SOP in Place
Managing offboarding tasks systematically prevents confusion and ensures that everything—from disabling accounts to reclaiming devices—is handled appropriately.
What Should Your SOP Include?
- Request to revoke account access
- Secure email forwarding
- Steps for reclaiming devices and reviewing their contents
- Export of personal data like contacts and passwords
- Reset passwords and remove MFA devices immediately to block unauthorized access.
Best Practice: Always document your offboarding procedures and review them periodically to ensure they are up to date.
Managing Microsoft 365 Data When Employees Leave
Step 3: Block Access to Microsoft 365 Services
- Block the employee’s sign-in to prevent unauthorized access.
- Revoke OAuth tokens for any third-party applications the employee connected to Microsoft 365.
Step 4: Save Mailbox Contents
- Export the mailbox data to a PST file for legal or business continuity.
- Consider placing a Litigation Hold if compliance requires data preservation.
- Caveat: If you place a Litigation Hold or Discovery Hold on a mailbox or OneDrive, you cannot reclaim the license until the hold is released.
Step 5: Forward Email to Another Employee
- Forward the former employee’s email or convert their mailbox to a shared one to ensure continuity of communication.
- When forwarding email, set an expiration date for the forwarding rule to prevent indefinite inbox clutter.
Step 6: Manage OneDrive and SharePoint Access
- Reassign access to OneDrive or SharePoint to another employee.
- Move OneDrive files to a SharePoint library for easier long-term access. Make the employee’s mailbox a shared mailbox to avoid unnecessary licensing costs.
Step 7: Remove and Reclaim Microsoft 365 Licenses
- Reclaim the Microsoft 365 license and reduce the number of licenses to avoid paying for unused accounts.
Best Practice: After getting approval to deactivate a user, change the password, disable the account, and block user login to prevent unauthorized access.
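Steps 3 through 7 can be scripted so that none of them is skipped. The following PowerShell sketch is an added example, not part of the original guide or any Microsoft-provided script: it blocks sign-in, revokes sessions and OAuth grants, converts the mailbox to shared, and reclaims licenses only when no hold is present. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator has the admin roles these cmdlets require.

```powershell
# Added example (not from the original guide). Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules and sufficient admin roles.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName  # departing user's UPN
)
$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName

# Step 3: block sign-in, then invalidate refresh tokens so existing sessions
# cannot be silently renewed.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 3: delete the delegated OAuth grants this user consented to, so
# third-party apps lose their access on the user's behalf.
Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All |
    ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }

# Step 5: convert the mailbox to shared so it stays reachable after the license goes.
Set-Mailbox -Identity $UserPrincipalName -Type Shared

# Steps 4 and 7: reclaim licenses only if the mailbox is shared and not on hold.
# This reads holds set on the mailbox itself; organization-wide retention
# policies are not listed here and need a separate check.
$mbx    = Get-Mailbox -Identity $UserPrincipalName
$onHold = $mbx.LitigationHoldEnabled -or (@($mbx.InPlaceHolds).Count -gt 0)

if ($onHold) {
    Write-Warning "$UserPrincipalName is on hold; license left assigned until the hold is released."
}
elseif ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    Write-Warning "$UserPrincipalName is not yet a shared mailbox; license left assigned."
}
else {
    $skuIds = @(Get-MgUserLicenseDetail -UserId $user.Id | ForEach-Object SkuId)
    if ($skuIds.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
    }
}
```

Revoking sign-in sessions invalidates refresh tokens, but access tokens that were already issued stay usable until they expire, so run the sign-in block and the revocation together as early in the exit as possible.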
Data Governance with Microsoft Purview
Step 8: Ensure Data Compliance with Microsoft Purview
- Use Microsoft Purview’s Information Protection to classify and secure sensitive information stored in emails, OneDrive, or SharePoint.
- Apply Retention Policies or Litigation Holds via Microsoft Purview to ensure that crucial data is not deleted and meets regulatory compliance for audits or legal requirements.
- A Discovery Hold in Purview lets you place a hold on the employee’s mailbox and OneDrive to prevent data deletion. However, you cannot remove the license associated with the account until this hold is lifted.
- Use Insider Risk Management and Data Loss Prevention (DLP) in Purview to monitor any unusual activities or data transfers as an employee leaves the organization. This helps ensure that no sensitive data is misused or mishandled during offboarding.
For more information, check Microsoft’s step-by-step documentation on managing terminated users on learn.microsoft.com.
Managing Third-Party Application Licenses
Step 9: Review All Third-Party Accounts and Licenses
- Reclaim licenses for Dropbox, Box, Adobe, and other software.
- Ensure data from these services is secured and transferred appropriately.
Step 10: Revoke Access to Third-Party Applications
- Remove the employee from third-party services and revoke any remaining access tokens.
Device Reclamation: Autopilot and Intune Steps
Step 11: Reclaim and Secure Company Devices
- Disable access via Intune or Autopilot.
- Perform a remote wipe to remove all corporate data.
Step 12: Back Up Important Files
- Back up device contents, even if the employee left no critical work behind. This ensures data recovery in case files are needed later.
Step 13: Hold the Device for Review
- Review the device’s contents for sensitive information. Best practice is to keep devices for 30-90 days before assigning them to new users.
Additional Steps: Exporting Contacts and Managing Passwords
Step 14: Export Email Contacts
- Use Outlook or a similar tool to export email contacts into a CSV or PST file.
Step 15: Manage Saved Passwords
- Ensure browser-saved passwords (e.g., in Chrome or Edge) are securely exported and transferred if necessary.

Final Checklist
- Perform a backup of Microsoft 365 data (Mailbox, OneDrive, SharePoint).
- Block access to Microsoft 365.
- Reset passwords and remove MFA devices.
- Save and forward mailbox contents.
- Export contacts and saved browser passwords.
- Reclaim and wipe devices via Intune/Autopilot.
- Review and hold devices for 30-90 days.
- Reclaim and manage third-party licenses (Dropbox, Box, Adobe, etc.).
- Use Microsoft Cloud App Security to detect any shadow IT activities (unauthorized third-party applications).
- Block all active sessions, including MFA sessions, to prevent unauthorized access.
Conclusion
Implementing these steps in your offboarding procedures will protect your company’s data and ensure compliance with internal and external regulations. By including additional layers like Microsoft Purview for data governance, litigation holds, and insider risk management, you ensure a more comprehensive offboarding process. Whether you’re managing this yourself or outsourcing IT services, a clear plan will save you time, money, and stress.
Need assistance managing your Office 365 or third-party services? Contact Mile Square Technology Group for expert guidance on data protection and secure offboarding.