If and when an employee or external team member leaves your organization — particularly to (ahem) go to a competing company — you’re likely to ask yourself how to secure your network’s data and protect access to key resources, right? Right. As Microsoft’s website makes clear, this is a frequently asked question of their team. Despite its importance (and the commonality of this issue), though, blocking user access and deactivating Microsoft 365 accounts isn’t always as straightforward as it could or should be. But don’t worry — if you’re currently wondering how to deprovision Microsoft 365 accounts, we’re here to help.
First off, it’s important to remember that sharing access to resources is not always a bad thing, so long as it’s done intentionally and securely. It allows you to boost collaboration, easily share files and calendar invites, participate in group chats, etc. The challenges come when an employee leaves your organization and you’re looking to resecure your network.
So, how can you remove these past employees and ensure your information and accounts are safeguarded? We’ve laid out the process, step-by-step (in accordance with Microsoft best practices), below.
To prevent a former employee or external user from logging into your system, the fastest and most efficient measure to take is to force their sign-out and then change the user’s password. To do this, follow the steps below (as outlined by Microsoft).
Next up, you’ll want to block the user’s access to all Microsoft 365 Services, including email (e.g., Exchange Online), following the steps below (again, as outlined by Microsoft).
Remember: It can take up to 24 hours to block a user, so you’ll definitely want to reset their password first to truly limit access, per the guidance in Step Two!
Once you’ve reset a past employee or external user’s password and blocked their access to Microsoft 365 services and email, it’s time to save the user’s content and information — including any documents they were working on (which might be handy for the person taking over their role), emails from their account, etc.
To do this, Microsoft suggests adding the now-blocked user’s email address to Outlook on your desktop, then exporting the data to a .pst file. You can then import the data to other email accounts as needed.
You’ll want to follow similar steps on the users’ mobile and tablet devices as well, ensuring no business data slips through the cracks and remains in their hands after their time of employment.
If you want to keep the user’s mailbox and contents available, you can also just convert their mailbox to a shared mailbox or inactive mailbox. Before you do, you should also put a litigation hold on the user’s mailbox to ensure that the content does not get deleted. You should also make someone an “owner” of the shared mailbox, either their manager or another account that may need to review content in the user’s mailbox.
All right. Let’s say you’ve successfully blocked a user from accessing your services and saved any and all relevant information from their account — now’s the time to remove their Microsoft 365 license and then (finally!) delete their account. This will formally remove them from your system and prevent you from paying for unused licenses; it’s a win-win.
Per Microsoft’s instructions:
Ba-da-bing, ba-da-boom, you’ve successfully removed a defunct user and deprovisioned a Microsoft 365 account — congrats! But this doesn’t mean you’re completely in the clear when it comes to protecting your network, particularly if you’re still working with external users OR if the deleted user has accounts on other SaaS platforms that your company uses. Fortunately, CoreView can help you there as well.
See how you can automate user onboarding and offboarding with CoreView. today.