Offboarding an employee from Microsoft 365 requires revoking their access immediately while preserving their email, files, and data for business continuity. Doing this in the wrong order can result in permanent data loss or a security gap where the departing employee retains access to company systems. This guide walks through every step in the correct sequence.
What You Need
- Global Administrator access to Microsoft 365
- Knowledge of which files, emails, and data the departing employee owns
- A plan for who should receive access to the employee's mailbox and files (typically their manager or replacement)
Why Order Matters
The single most common mistake is deleting the user account before preserving their data. Once the account is deleted, you have 30 days to restore it before everything is permanently gone. The correct sequence is: block access first, preserve data second, delete the account last.
Step 1: Reset the Password and Block Sign-In
This should happen immediately, ideally on or before the employee's last day. Every minute the account remains accessible after the employee has left is a security risk.
- Go to admin.microsoft.com > Users > Active users
- Click on the departing employee's name
- Click Reset password at the top of their account page
- Select Auto-generate password and uncheck Require this user to change their password when they first sign in (it does not matter since they will not be signing in again)
- Click Reset password
- Next, click Block sign-in on the same user's account page
- Check the box for Block this user from signing in and click Save changes
Blocking sign-in prevents any new sign-in and ends the existing sessions on every device, including Outlook desktop, Teams, mobile apps, and any browser sessions, as their current tokens expire; the user will be signed out everywhere within about 60 minutes. If you need immediate session revocation, go to the user's account page, click the Account tab, and click Revoke sessions.
If your organization uses Huntress Managed ITDR alongside Microsoft Entra ID, any suspicious sign-in attempts from the former employee's credentials after this point will be flagged and investigated by Huntress's 24/7 SOC team automatically.
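The same Step 1 actions in Microsoft Graph PowerShell, as an added example that is not part of the original guide. It assumes the Graph PowerShell SDK is installed and the signed-in admin holds a role that may reset passwords; the UPN is a constructed placeholder.

```powershell
# Added example (not from the original guide): Step 1 done with the Microsoft
# Graph PowerShell SDK. Assumes the SDK is installed and the signed-in admin
# holds a role that may reset passwords; the UPN is a constructed placeholder.
$upn = 'departing.user@example.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All' -NoWelcome

# Generate a random password nobody will ever see. Loop until it satisfies the
# usual "three of four character classes" rule so the reset cannot be rejected.
$chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = [byte[]]::new(32)
do {
    $rng.GetBytes($bytes)
    $newPassword = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
} until ($newPassword -cmatch '[A-Z]' -and $newPassword -cmatch '[a-z]' -and $newPassword -match '[0-9]')

# Reset the password (no forced change: nobody will sign in with it), then
# block sign-in. Doing both closes the "still knows the old password" gap.
Update-MgUser -UserId $upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $false
}
Update-MgUser -UserId $upn -AccountEnabled:$false

# Invalidate refresh tokens so Outlook, Teams and mobile apps cannot silently
# renew access; this is the PowerShell equivalent of the "Revoke sessions" button.
$null = Revoke-MgUserSignInSession -UserId $upn
$blockedAt = (Get-Date).ToUniversalTime()

# Verify the result before moving on to data preservation (Steps 2 to 4).
$u = Get-MgUser -UserId $upn -Property 'accountEnabled', 'signInSessionsValidFromDateTime'
[pscustomobject]@{
    User            = $upn
    SignInBlocked   = -not $u.AccountEnabled
    SessionsRevoked = $u.SignInSessionsValidFromDateTime.ToUniversalTime() -ge $blockedAt.AddMinutes(-5)
}
```

Record the time the block was applied; Step 6 uses it to spot any sign-in that happened afterwards.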
Step 2: Convert the Mailbox to a Shared Mailbox
Converting the departing employee's mailbox to a shared mailbox is the best way to preserve their email. A shared mailbox does not require a license, so you stop paying for it immediately, and all email history is retained indefinitely.
- Go to the Exchange admin center
- Click Recipients > Mailboxes
- Click on the departing employee's mailbox
- Click Convert to shared mailbox (under the Others section at the bottom)
- Confirm the conversion
After converting, add the employee's manager or replacement as a member of the shared mailbox:
- Go back to admin.microsoft.com > Teams & groups > Shared mailboxes
- Click on the newly converted shared mailbox
- Under Members, click Edit and add the appropriate people
The alternative is setting up email forwarding to another user. However, forwarding only captures new incoming mail. It does not preserve the departing employee's email history, sent items, or folder structure. Converting to a shared mailbox preserves everything.
If your company needs to retain email data for compliance or legal reasons beyond what the shared mailbox provides, Dropsuite provides independent backup of Microsoft 365 mailboxes, OneDrive, and SharePoint. Athencia includes Dropsuite in its managed stack, which means you can restore email data from any point in time, even if something goes wrong during offboarding.
Step 3: Transfer OneDrive Files
The departing employee's OneDrive contains their personal work files. You need to transfer these before deleting the account.
- Go to admin.microsoft.com > Users > Active users
- Click on the departing employee's name
- Click the OneDrive tab
- Under Get access to files, click Create link to files
- This generates a link that opens the employee's OneDrive. Share this link with their manager or replacement.
The delegate has 30 days from the date the account is deleted to access and move files. After 30 days, the OneDrive data is permanently deleted.
To move the files permanently:
- Open the link to the employee's OneDrive
- Select all relevant files and folders
- Click Move to and choose a location in a SharePoint document library or another user's OneDrive
- Verify the files transferred successfully
If you need to extend the 30-day window, go to the SharePoint admin center (admin.microsoft.com > Admin centers > SharePoint) > Settings > OneDrive retention and increase the retention period (up to 3,650 days).
Step 4: Remove from Groups and Transfer Ownership
The departing employee may be a member or owner of Microsoft 365 groups, Teams channels, distribution lists, and shared mailboxes. You need to handle each:
- Go to Users > Active users > click the employee's name > Groups tab
- Review every group they belong to
- For groups where they are the sole owner, add a new owner before proceeding. If the only owner is removed, no one can manage the group.
- Remove the employee from all groups
For Microsoft Teams specifically:
- Open the Teams admin center at admin.teams.microsoft.com
- Go to Teams > Manage teams and check each team the employee belonged to
- If they owned any teams, transfer ownership to another user
- Remove them from all teams
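Step 4 in Microsoft Graph PowerShell, as an added example that is not part of the original guide. A Team's owners are the owners of its underlying Microsoft 365 group, so fixing group ownership also covers the Teams admin center steps; it assumes the Graph SDK is installed and uses constructed placeholder UPNs.

```powershell
# Added example (not from the original guide): Step 4 with Microsoft Graph
# PowerShell. Assumes the SDK is installed; UPNs are constructed placeholders.
$upn      = 'departing.user@example.com'
$newOwner = 'manager@example.com'

Connect-MgGraph -Scopes 'User.Read.All', 'Group.ReadWrite.All' -NoWelcome
$user   = Get-MgUser -UserId $upn
$mgr    = Get-MgUser -UserId $newOwner
$mgrRef = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($mgr.Id)" }

# 1. Groups the employee OWNS. A Microsoft 365 group (and therefore its Team)
#    must always keep at least one owner, so add the replacement first
#    wherever the departing user is the sole owner, then remove them.
$owned = Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $owned) {
    $name   = $g.AdditionalProperties['displayName']
    $owners = @(Get-MgGroupOwner -GroupId $g.Id -All)
    if ($owners.Count -le 1) {
        Write-Host "Sole owner of '$name'; adding $newOwner as owner first"
        New-MgGroupOwnerByRef -GroupId $g.Id -BodyParameter $mgrRef
    }
    Remove-MgGroupOwnerByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    Write-Host "Removed ownership of '$name'"
}

# 2. Groups the employee is a MEMBER of. Dynamic groups and on-premises
#    synced groups reject direct removal, and classic distribution lists are
#    managed in Exchange (Remove-DistributionGroupMember), so report those
#    instead of aborting the run.
$member = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $member) {
    $name = $g.AdditionalProperties['displayName']
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        Write-Host "Removed membership of '$name'"
    } catch {
        Write-Warning "Could not remove from '$name' via Graph: $($_.Exception.Message)"
    }
}
```

Anything reported by the warning branch still needs to be handled in the Exchange admin center or, for dynamic groups, by the membership rule itself.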
Step 5: Revoke Access to Third-Party Apps
Departing employees often have access to third-party applications through their Microsoft 365 account. These need to be revoked.
- Go to the Entra admin center > Identity > Users > select the departing user
- Click Applications to see which enterprise applications they accessed
- Revoke any app-specific permissions
- Under Consents and permissions, review and remove any OAuth consents the user granted to third-party apps
This step is frequently overlooked. OAuth consents can persist even after the user's password is reset, allowing third-party apps to continue accessing company data through tokens the user previously authorized.
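Enumerating and removing the user's consents in Microsoft Graph PowerShell, as an added example that is not part of the original guide. It assumes the Graph SDK is installed; the UPN is a constructed placeholder.

```powershell
# Added example (not from the original guide): Step 5 with Microsoft Graph
# PowerShell. Assumes the SDK is installed; the UPN is a constructed placeholder.
$upn    = 'departing.user@example.com'
$scopes = @(
    'User.Read.All', 'Application.Read.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
)
Connect-MgGraph -Scopes $scopes -NoWelcome
$user = Get-MgUser -UserId $upn

# 1. Delegated permissions the user consented to. These survive a password
#    reset because the app holds its own refresh token; removing the grant
#    stops new tokens being issued for that app on the user's behalf.
$grants = @(Get-MgUserOauth2PermissionGrant -UserId $user.Id -All)
foreach ($grant in $grants) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    [pscustomobject]@{
        App         = $app.DisplayName
        Publisher   = $app.PublisherName
        Scopes      = $grant.Scope.Trim()
        ConsentType = $grant.ConsentType     # 'Principal' = this user consented
    } | Format-List | Out-String | Write-Host
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
}
Write-Host "Removed $($grants.Count) user consent(s) for $upn"

# 2. Direct application assignments (the app's "Users and groups" list), which
#    is what the portal's Applications view shows for the user.
$assignments = @(Get-MgUserAppRoleAssignment -UserId $user.Id -All)
foreach ($a in $assignments) {
    Write-Host "Removing assignment to '$($a.ResourceDisplayName)'"
    Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $a.Id
}

# Tenant-wide admin consents (ConsentType 'AllPrincipals') are not returned for
# an individual user; they apply to everyone and are reviewed under
# Enterprise applications rather than during a single offboarding.
```

Keep the printed list of apps and scopes with the offboarding record; it shows exactly which third parties could have been reading company data on this account.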
Step 6: Review Sign-In Logs
Before deleting the account, check the sign-in logs for any suspicious activity during the employee's final days.
- In the Entra admin center, go to Identity > Monitoring & health > Sign-in logs
- Filter by the departing user's name
- Look for sign-ins from unusual locations, bulk file downloads, or access to sensitive applications
This requires Entra ID P1 licensing, which is included with Microsoft 365 Business Premium. Business Basic and Business Standard do not include sign-in log retention or the ability to filter by user.
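Pulling the sign-in logs and flagging the entries worth a second look, as an added example that is not part of the original guide. It assumes Entra ID P1 and the Graph SDK; the UPN, the list of expected countries and the time sign-in was blocked are constructed placeholders.

```powershell
# Added example (not from the original guide): Step 6 with Microsoft Graph
# PowerShell. Assumes Entra ID P1 for log access; the UPN, the expected
# countries and the block time are constructed placeholders.
$upn       = 'departing.user@example.com'
$expected  = @('US')                                   # countries this user normally works from
$blockedAt = [datetime]::Parse('2024-05-31T17:00:00Z').ToUniversalTime()   # when Step 1 was done
$days      = 14

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
$since = (Get-Date).ToUniversalTime().AddDays(-$days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$logs  = @(Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since")

# Baseline: where and from which apps the user signed in over the window.
$logs | Group-Object { "$($_.Location.CountryOrRegion) / $($_.AppDisplayName)" } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Flags worth acting on: successful sign-ins from outside the expected
# countries, any success after access was blocked, and failed attempts that
# show the credentials are still being tried.
$flags = foreach ($s in $logs) {
    $ok      = ($s.Status.ErrorCode -eq 0)
    $when    = $s.CreatedDateTime.ToUniversalTime()
    $reasons = @()
    if ($ok -and $s.Location.CountryOrRegion -notin $expected) { $reasons += 'unexpected country' }
    if ($ok -and $when -gt $blockedAt)                          { $reasons += 'success after block' }
    if ($s.Status.ErrorCode -in 50126, 50053)                    { $reasons += 'bad password / lockout' }
    if ($s.Status.ErrorCode -eq 50057)                           { $reasons += 'attempt on disabled account' }
    if ($reasons) {
        [pscustomobject]@{
            Time    = $when
            App     = $s.AppDisplayName
            IP      = $s.IPAddress
            Country = $s.Location.CountryOrRegion
            Client  = $s.ClientAppUsed
            Why     = $reasons -join '; '
        }
    }
}
if ($flags) { $flags | Sort-Object Time | Format-Table -AutoSize }
else        { Write-Host "No flagged sign-ins for $upn in the last $days days" }
```

Bulk file downloads are not in the sign-in log; they show up in the unified audit log, so review that separately if it is a concern.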
Step 7: Delete the User Account
Only delete the account after you have confirmed that the mailbox is converted, files are transferred, and group ownership is reassigned.
- Go to admin.microsoft.com > Users > Active users
- Select the departing employee
- Click Delete user
- Confirm the deletion
After deletion:
- The account moves to Users > Deleted users and stays there for 30 days. During this window, you can restore the account if needed.
- After 30 days, deletion is permanent and the account cannot be recovered.
- The license assigned to the deleted user becomes available for reassignment immediately.
Offboarding Checklist
Use this checklist to make sure nothing is missed:
- Password reset and sign-in blocked
- Active sessions revoked
- Mailbox converted to shared mailbox
- Manager or replacement added to shared mailbox
- OneDrive files transferred or access granted
- Group memberships reviewed and employee removed
- Group and Teams ownership transferred where needed
- Third-party app access and OAuth consents revoked
- Sign-in logs reviewed for suspicious activity
- User account deleted
- License reclaimed and available for reassignment
Need Help?
Employee offboarding involves security, compliance, and data preservation decisions that are easy to get wrong. If you want to make sure nothing falls through the cracks, contact Athencia. We handle offboarding for managed clients and can audit your current process for gaps.