Microsoft 365 offboarding should immediately protect the tenant while preserving approved business data, transferring ownership, and documenting every access and license change.
Begin With an Approved Departure Notice
The offboarding request should identify the employee, department, manager, final working date, exact access-removal time, departure type, device location, mailbox instructions, data owner, and special legal or security requirements.
Coordinate with human resources and management. An immediate termination, planned resignation, retirement, contractor completion, and extended leave may require different timing.
Identify the User's Microsoft 365 Footprint
Review the account, aliases, licenses, administrator roles, groups, Teams, SharePoint sites, shared mailboxes, mailbox delegation, OneDrive, enterprise applications, devices, phone assignments, forms, workflows, Power Automate flows, and other owned resources.
Do not rely only on the Active users page. The employee may own resources or access applications outside the primary Microsoft 365 license.
Prepare ownership transfer before deletion
Identify mail, files, groups, Teams, forms, workflows, applications, and vendor relationships that require a new owner.
Block Sign-In at the Approved Time
Block the user from signing in according to the approved departure time. Confirm that the account status changed and record the administrator and completion time.
For high-risk departures, coordinate the action with device recovery, network access, building access, financial systems, and other applications.
Reset the Password and Revoke Sessions
Reset the account password using the approved process and revoke active sessions so existing browser, mobile, and application sessions are forced to reauthenticate.
Review authentication methods, registered devices, application passwords, security keys, tokens, and connected applications. Blocking sign-in should be part of a broader containment process.
Remove Administrator Roles
Remove Microsoft 365 and Microsoft Entra administrator roles, Exchange roles, SharePoint administration, Teams administration, application administration, and other privileged assignments.
Verify the final privileged-role list. A former employee may have a separate administrator account or vendor identity that is not disabled with the ordinary user account.
Do not assume one disabled account removed all privilege
Check separate admin accounts, service accounts, emergency contacts, application roles, and vendor portals.
Preserve the Mailbox
Determine whether the mailbox should be retained, converted to a shared mailbox, delegated temporarily, forwarded, exported, placed under retention, or handled through another approved method.
Complete the preservation step before removing the license when the chosen process requires an active mailbox. Verify current Microsoft guidance and the organization's retention requirements before deleting the account.
Configure Mailbox Access Carefully
When another employee needs access, record the business owner, permission type, approval, purpose, and expiration date. Avoid providing indefinite mailbox access without review.
Use automatic replies or forwarding only when approved. Forwarding should identify the owner and review date.
Preserve and Transfer OneDrive Data
Identify the manager or approved data owner. Transfer or provide access to required business files and record what was preserved.
Review sharing links, personal storage, synchronized local files, and files referenced by Teams or applications. Do not assume that every business file is already in a shared location.
Transfer Teams, Groups, Sites, and Shared Resources
Remove the user from Teams, Microsoft 365 groups, distribution groups, security groups, SharePoint sites, and shared mailboxes according to business need.
Transfer ownership of Teams, groups, sites, plans, forms, shared calendars, and other resources. Confirm that each critical resource still has an active owner.
Transfer Automations and Applications
Review Power Automate flows, Power Apps, enterprise applications, single sign-on assignments, service principals, connectors, application tokens, and workflows owned by the employee.
Test critical processes after ownership transfer. Automations may fail when the original owner is blocked, deleted, or loses a license.
Review Mobile Devices and Managed Endpoints
Identify Microsoft Intune managed devices, Microsoft Entra joined devices, mobile application management, company phones, laptops, security keys, and Windows Hello credentials.
Recover the device, preserve data when required, retire or wipe it through the approved process, and remove stale device records only after verification.
Remove Licenses at the Correct Time
Remove or reassign Microsoft 365 licenses after mailbox, OneDrive, application, retention, and workflow requirements have been addressed.
Record each license removed and confirm whether the subscription quantity should also be reduced through the reseller or billing process.
Review Aliases and Mail Flow
Decide whether the former employee's primary address or aliases should be retained, reassigned, forwarded, converted to a shared address, or removed.
Review transport rules, distribution groups, contact records, and public website information so messages reach an active owner.
Review Guests and External Access
The employee may also have guest identities, partner tenant access, external Teams access, or vendor accounts. Coordinate removal with the relevant external organizations.
Document accounts that cannot be removed directly and the person responsible for follow-up.
Preserve Evidence and Audit Information
Retain the departure approval, access-removal time, role changes, session revocation, mailbox decision, OneDrive transfer, group removals, device actions, license recovery, and final verification.
Restrict the record because it may contain employment, security, and legal information.
Delete the Account Only After Review
Account deletion should occur only after business data, retention, legal hold, mailbox, OneDrive, application ownership, audit, and recovery requirements have been reviewed.
Microsoft retention and restoration windows are limited and can change. Confirm current guidance before deletion and document the approved timing.
Perform a Post-Offboarding Review
For administrators, executives, finance employees, or complex departures, review sign-in activity, forwarding, mailbox rules, application tokens, service accounts, group membership, and device status after the initial offboarding.
Correct gaps and update the role profile or offboarding procedure.
Microsoft 365 Offboarding Checklist
- Receive the approved departure notice and timing.
- Inventory accounts, roles, licenses, groups, and devices.
- Block sign-in and revoke sessions.
- Remove administrator and application roles.
- Preserve and transfer mailbox data.
- Preserve and transfer OneDrive data.
- Transfer Teams, groups, sites, forms, and workflows.
- Remove shared access and delegation.
- Recover and secure managed devices.
- Remove or reassign licenses.
- Review aliases, forwarding, guests, and external access.
- Verify completion before deleting the account.
Frequently Asked Questions
Should the account be deleted immediately?
No. Block access first, then preserve data, transfer ownership, handle licenses, review retention, and obtain approval before deletion.
Is removing the license enough?
No. The organization must also block sign-in, revoke sessions, remove roles and shared access, preserve data, handle devices, and transfer ownership.
Should the mailbox be converted to a shared mailbox?
It can be appropriate when approved employees need continued access, but confirm storage, retention, licensing, and legal requirements first.
When Professional Support Helps
Professional support can build the offboarding checklist, identify hidden access, preserve mailbox and OneDrive data, transfer ownership, remove licenses, and document completion.
Need help applying this?
Manage Microsoft 365 users and access securely.
J3 Systems Group LLC can review users, licenses, administrator roles, groups, shared mailboxes, authentication, onboarding, and offboarding.