June 8, 2022
|
3
min read
Roy Martinez
With over 16 years in Microsoft and IT infrastructure, Roy uses his SharePoint, Power Automate, and Microsoft Teams expertise to help organizations develop strategies for adoption, collaboration, automation, and governance.

Microsoft recommends taking some specific actions when both onboarding and offboarding a user in Office 365. IT workflows that facilitate employee-onboarding efficiency allow for a streamlined experience in which the new user can gain access to the resources they need easily and without delay. And while this is certainly important, offboarding best practices are intended to safeguard an organization’s intellectual property, which is arguably even more important and is certainly more involved.

Below, we’ll walk through best practices for onboarding users, and take a look at the ways in which CoreView can simplify the process. Then, we’ll look at Microsoft’s recommended best practices for offboarding employees securely, which – although quite involved – are essential to ensuring that a former employee can no longer access M365 resources, while also maintaining the intellectual property he or she has accumulated in various M365 resources throughout their tenure with the company. And finally, we’ll look at how CoreView can make automating the offboarding process simple and intuitive.

Best Practices for Onboarding

Simplify the Creation and Storage of User Credentials

Creating and storing user credentials seems like a simple task, and it should be. However, in complex deployments of Microsoft 365, such as hybrid environments – those in which part of the M365 tenant lives on premise and the remainder is hosted in the cloud – creating and syncing credentials across these portions of the tenant can become quite complex.

When possible, it is best to create a single record of the user’s credentials in a single interface, rather than expending the effort of maintaining multiple sets of credentials across different portions of the environment. This will improve the end user’s experience, and reduce your support costs, because the user will be far less likely to forget his or her password, for example.

Leverage Office 365 Groups to Grant Permissions

Rather than granting permissions for a new user manually every time, it is best to apply a set of pre-written rules that govern the various types of access available to a given user. Office 365 groups are a great example of just this. By creating groups in advance, you can then much more easily and effectively grant permissions to a given class of user, rather than having to grant every permission manually every time someone is onboarded.

CoreView’s Solution to Onboarding

CoreView makes it simple to manage a user’s credentials and Office 365 group membership from a single IT interface in the cloud, which means regardless of the specifics of your O365 deployment, there is no need for IT staff to securely remote in to on-prem resources and reduces wait time for the slow syncing of data with native Microsoft tools. Moreover, this approach increases efficiency, reduces the potential for mistakes, and ultimately reduces your IT costs related to employee onboarding.

Best Practices for Offboarding

Block Access to Office 365 Services

The first step in decommissioning a user is to prevent the ability for that user to log in again. To do so, you’ll need to revoke a user’s credentials. In addition to blocking future login attempts, you’ll also want to revoke any active sessions that may still be valid, and thus allow the user to access a given resource without having to log in again.

Save the Mailbox Contents

After having blocked a user from being able to log in to your M365 resources, you’ll want to save the content of their mailbox in order to preserve any business-critical correspondence contained therein.

Microsoft describes two approaches to this process – exporting the mailbox’s contents to a .pst file in order to ingest it into another mailbox as needed, or placing a litigation hold on the mailbox. The first option is much simpler, but the second is recommended if your organization requires this for compliance reasons and your IT team is technically strong.

Wipe and Block any Mobile Devices

Next, you’ll need to remove any company data from the physical devices the former employee has been working on. To do so with native Microsoft resources, you’ll need to either use the Exchange Admin Center or Intune[SM1] , depending on the specifics of your mobile device management.

Convert to a Shared Mailbox & Grant Access to OneDrive Data

Converting a user’s mailbox to a shared mailbox allows other users to access the information contained in the mailbox, as all the email and calendar data remain intact. You might also elect to set up email forwarding for any new emails that are sent to the user’s email address, so as to retain business continuity.

You’ll also want to grant access to any data the former employee has left in OneDrive to a manager in his or her department to avoid losing any work that might have been stored there.

Remove the Office 365 License

In order to free up a license after an employee no longer needs it, you’ll need to remove it from the user’s account. You can then either delete the license or retain it in a pool of unassigned licenses in order to speed up your ability to assign it to a new user when the time comes to do so.

It is worth noting that after a license has been removed, a user’s data is retained for 30 days, during which time you can access it or restore the account if needed. After that time, all data aside from documents stored in OneDrive will be permanently deleted from M365.

Delete the User’s Account

Finally, you can delete the user’s account. However, you will need to retain the account in an inactive state if you’ve set up email forwarding.

How to Offboard Users Automatically with CoreView

Each of the steps outlined above are considered essential to ensuring your organization’s business-critical data after an employee has left the organization. However, these steps are obviously quite involved, and – more importantly – imperative to get right every time.  

That’s why organizations turn to CoreView for automated user management. With our solution, you can:

  • Automate repetitive user creation and removal tasks in Microsoft 365
  • Create no-code automations with 150+ out-of-the-box actions
  • Trigger actions in third-party SaaS apps via API
  • Seamlessly manage users in hybrid and multi-tenant environments
  • Implement advanced logic for branching, attestations, and approvals

See how CoreView’s automated user management tools work.

Get a personalized demo today

Created by M365 experts, for M365 experts.