Office 365 Offboarding
As an Office 365 administrator, ensuring a streamlined offboarding process is crucial to mitigate risks linked to improper user de-provisioning. Equally important is the need to safeguard data and manage access when an employee departs from the Office 365 environment. This article aims to provide guidance on best practices for Office 365 offboarding, focusing on minimizing data-related risks.
Significance of Effective Office 365 Offboarding
To safeguard your company from data loss or leakage, it is beneficial to retain the data of former employees. Reusing the license of an ex-employee can help reduce licensing costs. Retaining data is also essential to meet legal requirements. Additionally, when an employee, especially one from a customer-facing team, leaves the organization, it is crucial to minimize the impact on business communication.
Let's explore the steps you should take to protect your company from data loss and leakage when an employee departs from your Office 365 organization.
Best Practices for Handling Resigned Employees in Office 365
You can adopt the following best practices for an effective offboarding process. This includes blocking ex-employees from accessing company files, preserving the documents they created, and completing various administrative tasks associated with user removal.
- Log Out User from All Office 365 Sessions: Securely terminate active sessions to prevent unauthorized access to company resources.
- Reset Password and Block Account Sign-In: Enhance security by resetting the password and blocking further sign-in attempts for the departed employee's account.
- Set Up Email Forwarding: Facilitate seamless communication by setting up email forwarding to redirect important messages to relevant recipients.
- Convert User Mailbox to Shared Mailbox: Preserve mailbox data and enable continued access by converting the user's mailbox to a shared mailbox.
- Preserve Former Employees' Mailbox Data: Safeguard critical data by preserving the contents of the former employee's mailbox.
- Transfer Email Alias: Ensure continuity by transferring the email alias to the appropriate personnel.
- Move Leavers' OneDrive Data to Other Location: Securely relocate data stored in OneDrive to a designated location for future reference or access.
- Wipe and Block the User's Mobile Device: Enhance mobile device security by remotely wiping data and blocking access.
- Remove User from All Groups: Streamline access management by removing the departed user from all associated groups.
- Remove License: Optimize licensing resources by promptly removing the license associated with the departed employee.
By diligently following these steps, you ensure a comprehensive and secure offboarding process, protecting your organization's data and maintaining operational integrity.
Log Out User from All Office 365 Sessions.
How do you sign out Users from all Office 365 Sessions?
Log in to the Microsoft 365 admin center, select Users > Active Users, and click the display name of the user you want to sign out of apps and sessions.
Under Accounts > Sign Out, select ‘Sign out of all sessions.’
It can take up to 15 minutes to complete the process. The person can immediately sign back in unless you have blocked their sign-in status.
Block Account Sign-in and Reset Password.
To prevent a user from signing into Office 365, you can disable sign-in or reset the password.
How to Block Sign-in in Office 365?
In the admin center, select Users > Active Users, and click the display name of the user whose sign-in you want to block.
Click ‘Block sign-in’ and select the ‘Block this user from signing in’ check box.
‘Save’ the changes.
Blocking or disabling an account can take up to 24 hours to take effect. If you want to block users from signing in immediately, you can reset their password.
How to Reset Password in Office 365?
In the admin center, select Users > Active Users, and click the display name of the user whose password you want to reset.
Click ‘Reset password’ and provide a new password. (Don’t send it to them).
Set Up Email Configuration
In the admin center, select Users > Active Users > Click on the former employee.
Go to the ‘Mail’ tab. Under ‘Email Forwarding,’ select ‘Manage email forwarding.’
Turn on ‘Forward all email sent to this mailbox.’ In the Forwarding address box, type the email address of the current employee who’s going to get the email.
Select ‘Save.’
How do you configure an out-of-office reply in Office 365?
In the admin center, select Users > Active Users > Click on the former employee.
Go to the ‘Mail’ tab. Select ‘Manage automatic replies’ and turn them on.
You can write separate customized messages for internal and external recipients as you wish.
If you configure email forwarding or an auto-reply, do not remove the license from the former employee's account or delete the account.
Convert User Mailbox to Shared Mailbox
Admins can convert a user mailbox to a shared mailbox to preserve data and connections for future use. After conversion, multiple people can access the shared mailbox through delegation. You can also remove the license from a shared mailbox if it meets the following conditions.
Mailbox size is less than 50GB.
Mailbox is not under litigation hold.
In-place archiving is disabled in the mailbox.
How to Convert User Mailbox to Shared Mailbox?
Go to Exchange admin center > Recipients > Mailboxes.
Select the mailbox which you want to convert.
Under ‘More Actions,’ click ‘Convert to shared mailbox’ and ‘Confirm.’
It will show progress like “Mailbox is being converted from regular type to shared type.”
Preserve Former Employee’s Mailbox Data
Even when you don’t want to keep the email id active by converting it to a shared mailbox or configuring email forwarding, you can preserve ex-employees’ mailbox data for litigation purposes.
How to Preserve Former Employee’s Data?
You can convert the mailbox to a .pst file.
Place litigation hold or in-place hold.
Convert a mailbox to an inactive mailbox.
Transfer an Email Alias
Suppose you want to delete the former employee’s account but keep the email id active. In that case, you can remove the email alias from them and assign it to another user. You can use this method to preserve the departed employee’s address.
How to Assign Email Alias?
In the admin center, select Users > Active Users, and click the name of the user to whom you want to assign the alias.
Under Account > Aliases, click ‘Manage username and email.’
Assign an alias.
A user can have multiple aliases.
Move Leavers’ OneDrive Data to Other Location
If you delete the user account as part of the deprovisioning process, you will lose all the data associated with that account after 30 days. It includes OneDrive and Outlook data.
How to Move Former Employee’s OneDrive Data to SharePoint?
In the admin center, select Users > Active Users > Click on the former employee.
On the user properties page, select ‘OneDrive.’ Under ‘Get access to files,’ select ‘Create link to files.’
Select the link to open the file location. Download the files to your computer or select ‘Move to’ or ‘Copy to’ to move or copy them to your own OneDrive or a shared library.
If you only remove the license without deleting the account, the former employee’s data will be accessible even after 30 days.
Wipe and Block Former Users’ Mobile Device
If the former employee had an organization phone, you can remove all organization data and block them from accessing company data.
How to Wipe and Block Former Employee’s Mobile?
Log in to the Exchange admin center. Navigate to Recipients > Mailboxes.
Select the old user. Go to ‘Mobile Devices’ and select ‘View details.’
Under the Mobile Device Details page, select the mobile device, select ‘Wipe Data,’ and then select ‘Block.’
Click ‘Save.’
Remove User from All Groups
You can remove former employees from all distribution lists, which helps keep groups free of stale accounts.
How to Remove a User from All Groups?
In the admin center, select Users > Active Users > Click on the former employee.
On the user properties page, select Groups > Manage groups.
Click all the groups and select ‘Remove.’
Select ‘Yes’ in the confirmation pop-up.
Remove License from Former Employee
After performing the required leaver processes, you can remove the licenses from the former employees. You can assign those licenses to another user. It helps to reduce the license cost.
How to Remove a License from a Former Employee?
In the admin center, select Users > Active Users > Click on the former employee.
Under ‘License and apps,’ untick the checkboxes next to the licenses you want to remove, and then click ‘Save.’
You can restore their data for up to 30 days after you delete them.
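The conditions stated in the sections above (session sign-out alone does not keep a user out, a sign-in block can take up to 24 hours, forwarding needs the license and the account, the three shared-mailbox conditions, the 30-day window after deletion, leftover group membership) can be checked mechanically once the steps are done. The Python below is an added example, not part of the original article or of any Microsoft tooling; the record field names and the sample leavers are constructed assumptions standing in for whatever export your tenant provides.

```python
from datetime import datetime, timedelta

BLOCK_DELAY = timedelta(hours=24)  # a sign-in block can take up to 24 hours
RETENTION = timedelta(days=30)     # deleted-account data is lost after 30 days
SHARED_MAX_GB = 50                 # unlicensed shared mailbox must be under 50 GB

def audit_leaver(u, now):
    """Return findings for one leaver record (field names are hypothetical)."""
    out = []
    blocked_at = u.get("sign_in_blocked_at")
    if blocked_at is None:
        out.append("sign-in not blocked: user can sign back in after sign-out")
    elif now - blocked_at < BLOCK_DELAY and not u.get("password_reset"):
        out.append("block may not be effective yet and password was not reset")
    deleted_at = u.get("deleted_at")
    if (u.get("forwarding_to") or u.get("auto_reply")) and (
            not u.get("licensed") or deleted_at):
        out.append("forwarding/auto-reply set on unlicensed or deleted account")
    if u.get("mailbox_type") == "shared" and not u.get("licensed"):
        if u.get("mailbox_gb", 0) >= SHARED_MAX_GB:
            out.append("unlicensed shared mailbox is 50 GB or larger")
        if u.get("litigation_hold"):
            out.append("unlicensed shared mailbox is under litigation hold")
        if u.get("archive_enabled"):
            out.append("unlicensed shared mailbox has archiving enabled")
    if deleted_at and not u.get("onedrive_moved"):
        left = max((RETENTION - (now - deleted_at)).days, 0)
        out.append(f"OneDrive not moved: {left} day(s) of retention left")
    if u.get("groups"):
        out.append("still a member of: " + ", ".join(u["groups"]))
    return out

# Constructed sample records, not real tenant data.
NOW = datetime(2024, 6, 30, 12, 0)
LEAVERS = [
    {"upn": "alice@example.com", "licensed": True, "mailbox_type": "user",
     "groups": ["Sales"]},
    {"upn": "bob@example.com", "sign_in_blocked_at": datetime(2024, 6, 30, 9, 0),
     "licensed": False, "forwarding_to": "carol@example.com",
     "mailbox_type": "shared", "mailbox_gb": 61, "litigation_hold": True},
    {"upn": "dave@example.com", "sign_in_blocked_at": datetime(2024, 6, 1, 9, 0),
     "password_reset": True, "licensed": False, "mailbox_type": "user",
     "deleted_at": datetime(2024, 6, 5, 12, 0), "onedrive_moved": False},
    {"upn": "erin@example.com", "sign_in_blocked_at": datetime(2024, 6, 1, 9, 0),
     "password_reset": True, "licensed": False, "mailbox_type": "shared",
     "mailbox_gb": 4},
]

for u in LEAVERS:
    print(u["upn"], audit_leaver(u, NOW) or "ok")
```

An empty result means the record passed every check the article names; it says nothing about steps the record does not capture, such as mobile device wipes.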
When an employee departs from Office 365, there is a potential risk of losing business-critical data unexpectedly. I trust that these straightforward Office 365 offboarding processes will assist you in fulfilling both your business and legal requirements.