Microsoft 365 Offboarding Best Practices
Objective
The following guide is intended to instruct you on how to properly offboard users from your Office 365 environment according to Microsoft’s best practices. We will review the required actions for hybrid Azure AD and cloud-only environments and identify the best practices for both. Effective offboarding of users reduces help desk tickets, administrative headaches, and operational costs while also maintaining a healthy security estate.
Considerations
- When it comes to user offboarding, one of the most important things to plan for is data retention. A good data retention plan will ensure that your company's intellectual property is appropriately maintained, and the appropriate users/administrators are provisioned with the access they need to that data.
- Making sure your organization has adequate licensing to implement automated methods of data retention will save you a lot of time and frustration.
- The offboarding procedure will differ based on the Sync Status of a user, as denoted in your Microsoft 365 Admin Center. Below, you will see two screenshots, each one depicting how the different Sync Statuses are represented.
Screenshots of O365 Synced Users vs. In-Cloud Users
Synced from on-prem AD status icon and description
Cloud only Identity status icon and description
How to Offboard Active Directory Synced Users
- Disable user account in on-prem AD
- After disabling the user account in your on-prem AD, you may choose to either wait approximately 30 minutes for the automated Azure AD Sync process to occur or you can run the Azure AD Sync PowerShell cmdlets to force synchronization.
- Check your Microsoft 365 Admin Center to verify replication of the disabled user status.
- From the Microsoft 365 Admin Center > Users portal, Initiate sign-out of all O365 sessions.
- If your organization is using Intune MDM/MEM, Remove company data from BYOD devices or factory reset after backing up the data.
-
Apply proper data retention procedures
- Review disabled user's OneDrive for Business and determine if data needs to be kept before license removal.
-
From Microsoft Admin Center > Exchange > Recipients > Mailboxes, convert the user's mailbox to a Shared Mailbox.
- Shared Mailboxes can have up to 50GB of data without a license assigned to them.
-
Provide delegate admin access and configure email forwarding to any users who will be responsible for monitoring the Shared Mailbox.
- Configuring email forwarding from either the Exchange Admin Center or the Microsoft 365 Admin Center will have the added benefit of removing any personal forwarding rules that were configured by the offboarded user.
- Navigate to Microsoft Admin Center > Users to add Automatic replies to update senders about the impending deprecation of the mailbox and alternate email address for future messages.
- With the user's mailbox converted to a Shared Mailbox, you can now safely remove licenses from the user's account.
- To wrap things up, remove the delegate admin access after a pre-determined period and delete the user account, as defined by your organization's offboarding policy.
How to Offboard In-Cloud Users
- From the Microsoft 365 Admin Center > Users portal, Initiate sign-out of all O365 sessions.
- Block sign-in of user account.
- If your organization is using Intune MDM/MEM, Remove company data from BYOD devices or Factory reset after backing up the data.
-
Apply proper data retention procedures.
- Review disabled user's OneDrive for Business and determine if data needs to be kept before licensing removal.
-
From Mailbox Admin Center > Exchange > Recipients > Mailboxes, convert the user's mailbox to a Shared Mailbox
- Shared Mailboxes can have up to 50GB of data without a license assigned to them.
-
Provide delegate admin access and configure email forwarding to any users who will be responsible for monitoring ongoing emails to that account.
- Configuring email forwarding from either the Exchange Admin Center or the Microsoft 365 Admin Center will have the added benefit of removing any personal forwarding rules that were configured by the offboarded user.
- Navigate to Microsoft Admin Center > Users to add Automatic replies to update senders about the impending deprecation of the mailbox and the alternate email address for future messages.
- With the user's mailbox converted to a Shared Mailbox, you can now safely remove licenses from the user's account.
- To wrap things up, remove the delegate admin access after a pre-determined period, as defined by your organization's offboarding policy.