Microsoft 365 offboarding process

A complete offboarding workflow for departing users — account, data, licence, and audit handling.

When a user leaves the organisation, offboarding their Microsoft 365 account properly matters on four fronts: security (the departed user's credentials, even if later compromised, can no longer be used), legal (content under retention is preserved), licensing (the seat is recovered), and operations (the user's manager and team don't lose access to important content).

The standard sequence

A typical offboarding workflow, triggered by HR's "last day" event:

Day of departure (or before)

  1. Disable the account in Entra ID — prevents further sign-ins, but preserves the data.
  2. Revoke active sessions — invalidates all tokens the user holds.
  3. Reset password to a strong unique value (the departing user shouldn't know it).
  4. Convert mailbox to shared mailbox (optional) — preserves the mailbox without consuming a licence; manager or team can access.
  5. Set out-of-office reply — informs senders the person has left and where to redirect.
  6. Hide from address book — the user no longer appears in directory lookups.
  7. Forward incoming mail to manager temporarily (optional) — for transition.

Within 30 days

  1. Reassign OneDrive content — the user's manager or designated person inherits ownership.
  2. Reassign Microsoft 365 Group ownership — groups the user owned need new owners.
  3. Reassign SharePoint site collection admin — sites the user administered need new admins.
  4. Remove from groups — explicit memberships removed (licence-based assignments stop automatically).
  5. Revoke specific app SSO access — apps integrated via SAML / OIDC that don't auto-deprovision via SCIM.
  6. Reclaim Microsoft 365 licence — once data is preserved, remove the licence to recover the cost.

After 30 days (or per retention policy)

  1. Delete the account if retention requirements are met — typically 30–90 days post-disable.
  2. Mailbox becomes inactive — preserved by retention policies but no longer active.
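The day-of-departure steps above, scripted as an added example with the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module (this is not code from the original page). The UPNs, the reply text and the Graph scopes are assumptions to adjust for your tenant.

```powershell
# Added example: day-of-departure offboarding steps (assumed tenant values).
$upn        = 'departing.user@contoso.example'   # placeholder: leaver's UPN
$managerUpn = 'manager@contoso.example'          # placeholder: manager who inherits mail

# Scopes are an assumption; grant the least privilege your tenant allows.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'Directory.AccessAsUser.All'
Connect-ExchangeOnline

# 1. Disable sign-in; the account object and its data stay in place.
Update-MgUser -UserId $upn -AccountEnabled:$false

# 2. Revoke refresh tokens so existing sessions stop working. Access tokens
#    already issued keep working until they expire (typically within an hour).
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# 3. Reset the password to a random value that nobody records: the leaver
#    never learns it, and admins reach the data with their own accounts.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $upn -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $false
}

# 4. Convert to a shared mailbox while it is still licensed (the licence is
#    reclaimed in the later phase), then grant the manager access without
#    sharing any credentials.
Set-Mailbox -Identity $upn -Type Shared
Add-MailboxPermission -Identity $upn -User $managerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null

# 5. Out-of-office reply pointing senders at the new contact.
Set-MailboxAutoReplyConfiguration -Identity $upn -AutoReplyState Enabled `
    -InternalMessage "This person has left the organisation; please contact $managerUpn." `
    -ExternalMessage "This person has left the organisation; please contact $managerUpn."

# 6. Hide the leaver from the address book.
Set-Mailbox -Identity $upn -HiddenFromAddressListsEnabled $true

# 7. Temporary forwarding to the manager, keeping a copy in the shared mailbox.
Set-Mailbox -Identity $upn -ForwardingAddress $managerUpn -DeliverToMailboxAndForward $true

# Verification for the audit trail: confirm sign-in is disabled.
Get-MgUser -UserId $upn -Property DisplayName, AccountEnabled |
    Select-Object DisplayName, AccountEnabled
```

Record the script's output with a timestamp alongside the HR ticket; that is the evidence the audit step of the workflow relies on.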

Litigation hold and retention

For accounts subject to litigation hold or retention policies:

  • Don't delete the mailbox while it's on hold — content is preserved but the mailbox object persists as an inactive mailbox.
  • Inactive mailboxes are searchable in eDiscovery indefinitely.
  • After litigation is resolved, the hold can be removed and standard retention takes over.
  • Once retention expires, the inactive mailbox is auto-deleted.

This pattern lets you decommission users while preserving their content for legal purposes — important for any departure where future legal action is possible.

Automation via Lifecycle Workflows

For organisations with Microsoft Entra ID Governance, lifecycle workflows automate much of this:

  • Trigger — N days before / on / after the user's last day (from HR data).
  • Tasks — disable account, remove from groups, generate notification, trigger Logic App for app-specific deprovisioning.

The result is consistent, auditable offboarding without per-departure manual work.

Litigation considerations

For departures with elevated legal sensitivity (terminations, redundancies with potential disputes, role changes during M&A):

  • Place mailbox on litigation hold before any deletion.
  • Preserve OneDrive content under retention.
  • Capture mailbox state at a specific point in time.
  • Document the offboarding with timestamps.

Consult legal counsel for the right preservation duration.

What managers need

When a team member leaves, the manager often needs:

  • Access to the departed user's mailbox — typically as a shared mailbox or via temporary delegation.
  • Access to the departed user's OneDrive — typically reassigned to the manager.
  • Knowledge transfer before departure if possible.
  • Reassignment of group ownerships the departed user held.

The offboarding workflow should surface these to the manager proactively.

Common pitfalls

  • No defined "post-departure access" policy — does the manager get the mailbox forever, or for 90 days, then it's archived?
  • Licence reclamation forgotten — disabled but still licensed accounts wasting money.
  • Group ownership orphaned — groups owned by departed users become unmanageable.
  • App SSO not revoked — departed users still have access to SaaS apps that don't auto-deprovision.
  • Devices not wiped — Intune-managed devices need explicit wipe and unenroll.
  • MFA methods not revoked — Authenticator app on departed user's phone may still have valid keys.

For organisations with regular departures, defining the offboarding workflow with clear timelines, owners, and audit trail prevents the slow accumulation of orphaned access. A well-run offboarding takes hours of automation effort to set up and saves months of remediation later.