Have an employee leaving and need to block access to data and email?

To do this:

  1. Go to Active Users.
  2. Select the user you want to block and choose Reset password.
  3. Expand OneDrive Settings.
  4. Next to Sign-out, select Initiate.

Note: Sign-out for some apps might not be immediate. Follow up with more actions in this article: Remove a former employee from Office 365.

Sign out now!

If you need to get an employee out of Office 365 immediately, here’s what you do:

  1. Sign in to Office 365 with your admin account at https://admin.microsoft.com/. (Sign in with your Office 365 admin account; if your tenant is operated by 21Vianet, use the Office 365 operated by 21Vianet sign-in instead.)
  2. In the Office 365 admin center, choose the user, and reset their password (don’t send it to them).
  3. While still at the user’s properties page, expand OneDrive Settings, and then choose Initiate to sign out the user immediately.

Within an hour – or after they click out of the current Office 365 page they are on – they will be prompted to sign in again. (The refresh token is good for an hour, so the timeline depends on how much time is left on their token and whether they navigate out of their current webpage.)

CAVEAT: If the user is in Outlook on the web, just clicking around in their mailbox, they may not be kicked out immediately. As soon as they click a different tile, such as OneDrive, or refresh their browser, the sign out is initiated.

To use PowerShell to sign out a user immediately, see Revoke-AzureADUserAllRefreshToken cmdlet.
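The same three actions (reset the password, block sign-in, revoke refresh tokens) scripted with the AzureAD PowerShell module, as an added example that is not part of the original article. It assumes the AzureAD module is installed, the account running it holds the global admin role, and the user principal name passed in is the leaver's; the `$UserPrincipalName` parameter and the random-password generation are this example's own choices.

```powershell
# Added example (not from the original article): immediately cut off a departing
# user's Office 365 sessions with the AzureAD PowerShell module. The UPN is a
# placeholder; assumes the AzureAD module is installed and the caller is a global admin.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # e.g. 'former.employee@example.com' (placeholder)
)

Import-Module AzureAD
Connect-AzureAD   # interactive sign-in as the admin

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# 1. Reset the password to a random value nobody sees. A new password by itself does
#    not end sessions that already hold a valid token, hence steps 2 and 3.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $newPassword -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure

# 2. Block future sign-ins (the "Sign-in blocked" setting in the admin center).
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# 3. Invalidate every refresh token so cached sessions cannot silently renew.
#    This is the PowerShell counterpart of the "Initiate" sign-out button.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 4. Record when the revocation took effect for the offboarding log; tokens issued
#    before this timestamp are rejected once an app tries to refresh them.
$validFrom = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
Write-Output "Sign-in blocked and tokens revoked for $UserPrincipalName; tokens valid from $validFrom (UTC)"
```

Run it as `.\Block-Leaver.ps1 -UserPrincipalName former.employee@example.com` (the file name is arbitrary). The timing caveat from the text still applies: a client keeps working until its current access token expires and it tries to refresh.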

For more information about what it takes to get someone out of email, see What you need to know about terminating an employee’s email session.

Overview of all the steps to remove an employee and secure data

A question we often get is, “What should I do to protect data when an employee leaves the organization?” This article explains how to block access to Office 365 and the steps you should take to secure your data.

Here’s a quick overview. Each step is explained in detail in this article.

Step: 1. Save the contents of the user’s mailbox
Why do this: This is useful for the person who is going to take over the employee’s work, or in case of litigation.

Step: 2. Forward the user’s email to another employee
Why do this: This lets you keep the former employee’s email address active, even though you’re going to remove their license. You can remove the license, but don’t delete the account. If you have customers or partners still sending email to the former employee’s address, this gets them to the person taking over the work.

Step: 3. Wipe and block the user’s mobile device
Why do this: Removes your business data from the phone or tablet.

Step: 3a. What if the person used their personal computer to access OneDrive and SharePoint?
Answer: If they used a personal computer instead of a company-issued computer to download files from OneDrive and SharePoint, there’s no way for you to wipe those files they stored.

Step: 4. Block user access to Office 365 data and email
Why do this: It prevents the person from accessing their old Office 365 mailbox and data. Tip: When you block a user’s access, you’re still paying for their license. You have to delete the license from your subscription to stop paying for it (step 5).

Step: 5. Remove and delete the user’s Office 365 license
Why do this: When you remove a license, you can assign it to someone else. Or, you can delete the license so you don’t pay for it until you hire another person. When you remove or delete a license, the user’s old email, contacts, and calendar are retained for 30 days, then permanently deleted.

Step: 6. Delete the former employee’s user account
Why do this: This removes the account from your Office 365 admin center. Keeps things clean.

Step: 7. Get access to a former employee’s OneDrive and mail data
Why do this: You can move their documents to another location not associated with their account.

You need to be a member of the Office 365 global admin role to perform these steps.

Save the contents of a former employee’s mailbox

There are two ways you can save the contents of the former employee’s mailbox:

  1. Add the former employee’s email address to your version of Outlook 2013 or 2016, and then export the data to a .pst file. You can import the data to another email account as needed. To learn how to do this, see Get access to and back up a former user’s data.

  OR

  2. Place a Litigation Hold or In-Place Hold on the mailbox before deleting the user account. This is much more complicated than the first option but worth doing if: your Enterprise plan includes archiving and legal hold, litigation is a possibility, and you have a technically strong IT department. Once you convert the mailbox to an “inactive mailbox,” administrators, compliance officers, or records managers can use In-Place eDiscovery tools in Exchange Online to access and search the contents. Inactive mailboxes can’t receive email and aren’t displayed in your organization’s shared address book or other lists. To learn how to place a hold on a mailbox, see the TechNet article Manage inactive mailboxes in Exchange Online.

Forward a former employee’s email to another employee

In this step, you assign the former employee’s email address to another employee, or convert the user’s mailbox to a shared mailbox that you’ve created.

If you set up email forwarding, any new emails sent to the former employee will now be sent to the current employee. If you convert the mailbox to a shared mailbox, all the old email will be available, too.

  1. IMPORTANT: If you’re setting up email forwarding or a shared mailbox, at the end, you can remove the user’s license so you stop paying for it, but do not delete the actual account. It needs to be there to anchor the email forwarding or shared mailbox.
  2. Sign in to Office 365 at https://portal.office.com/adminportal/home.

  3. In the Office 365 admin center, select Users.
  4. Choose the employee that you want to block.
  5. Click Mail Settings. Next to Email Forwarding choose Edit.
  6. Turn on Forward all email sent to this mailbox. In the Forwarding address box, type the email address of the current employee (or shared mailbox) who’s going to get the email.
  7. Choose Save.
  8. Remember, don’t delete the account. You can remove the license so you aren’t paying for it, and the user can’t sign in to Office 365.
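The hold from the previous section and the forwarding or shared-mailbox setup from this one, done with Exchange Online PowerShell, as an added example that is not the article's own code. It assumes an Exchange Online PowerShell session is already connected (for instance with the ExchangeOnlineManagement module's Connect-ExchangeOnline); both mailbox addresses are placeholders.

```powershell
# Added example (not from the original article): preserve a former employee's mailbox
# and keep its address reachable with Exchange Online PowerShell. Assumes a connected
# Exchange Online session; the addresses are placeholders.
$former    = 'former.employee@example.com'   # placeholder: the leaver's mailbox
$successor = 'successor@example.com'         # placeholder: who takes over the work

# Save the contents (option 2 of the previous section): put the mailbox on litigation
# hold first, so that a later license removal does not purge the data.
Set-Mailbox -Identity $former -LitigationHoldEnabled $true

# Forward (this section): new mail goes to the successor. DeliverToMailboxAndForward
# $true keeps a copy in the old mailbox as well; $false forwards without keeping one.
Set-Mailbox -Identity $former -ForwardingSmtpAddress $successor -DeliverToMailboxAndForward $true

# Alternative to forwarding: convert to a shared mailbox so the successor can read the
# old mail too, then grant them full access. Uncomment to use instead of forwarding.
# Set-Mailbox -Identity $former -Type Shared
# Add-MailboxPermission -Identity $former -User $successor -AccessRights FullAccess -AutoMapping $true

# Verify the state. The account behind this mailbox must stay; only the license is
# removed later.
Get-Mailbox -Identity $former |
    Select-Object DisplayName, RecipientTypeDetails, LitigationHoldEnabled,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Putting the hold before the forwarding step matters: forwarding alone covers only mail that arrives from now on, while the hold is what keeps the existing contents after the license goes.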

Wipe and block a former employee’s mobile device

If your former employee had an organization phone, you can use the Exchange admin center to wipe and block that device so that all organization data is removed from the device and it can no longer connect to Office 365.

  1. Sign in to Office 365 at https://portal.office.com/adminportal/home.


  2. In the Office 365 admin center, in the lower-left navigation pane, expand Admin centers and select Exchange.
  3. In the Exchange admin center, navigate to Recipients > Mailboxes.
  4. Select the user, and under Mobile Devices, choose View details.
  5. On the Mobile Device Details page, under Mobile devices, select the mobile device, click Wipe Data, and then click Block.
  6. Click Save.

Tip: Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.
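The wipe-then-block steps above for every device partnered with the mailbox, scripted with Exchange Online PowerShell, as an added example that is not part of the original article. It assumes a connected Exchange Online session; the two addresses are placeholders.

```powershell
# Added example (not from the original article): wipe and then block every mobile
# device partnered with a former employee's mailbox, using Exchange Online PowerShell.
# Assumes an already connected Exchange Online session; both addresses are placeholders.
$former      = 'former.employee@example.com'   # placeholder: the leaver's mailbox
$adminNotify = 'it-admin@example.com'          # placeholder: receives the wipe confirmation

# Step 4: list the devices that have synced with the mailbox.
$devices = Get-MobileDevice -Mailbox $former
$devices | Select-Object DeviceType, DeviceModel, DeviceId, FirstSyncTime

# Step 5, "Wipe Data": queue a remote wipe for each device. The wipe is delivered the
# next time the device connects, so leave ActiveSync enabled on the mailbox until
# DeviceWipeAckTime is populated below; a device that cannot connect never receives it.
# Add -AccountOnly to remove only the Office 365 account data instead of a full reset.
foreach ($device in $devices) {
    Clear-MobileDevice -Identity $device.Identity -NotificationEmailAddresses $adminNotify -Confirm:$false
}

# Step 5, "Block": stop the same device IDs from partnering with this mailbox again.
if ($devices) {
    Set-CASMailbox -Identity $former -ActiveSyncBlockedDeviceIDs @($devices | ForEach-Object DeviceId)
}

# Verification: DeviceWipeSentTime shows the wipe was queued, DeviceWipeAckTime that
# the device confirmed it. Re-run this until every device has acknowledged.
Get-MobileDeviceStatistics -Mailbox $former |
    Select-Object DeviceType, DeviceId, DeviceWipeSentTime, DeviceWipeAckTime, LastSuccessSync
```

The acknowledgement check is the part worth keeping in the offboarding record: a queued wipe that is never acknowledged means the data is still on the device.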

Block a former employee’s access to Office 365 data

IMPORTANT: Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user’s sign-in access, you should reset their password and then initiate a one-time event that will sign them out of Office 365 sessions across all devices. See Sign out now!

To block a user from signing in and accessing Office 365 data:

  1. Sign in to Office 365 at https://portal.office.com/adminportal/home.


  2. In the Office 365 admin center, select Users.
  3. Select the employee that you want to block, and then choose Edit next to Sign-in status in the user pane.
  4. On the Sign-in status pane, choose Sign-in blocked and then Save.

Block a former employee’s access to email (Exchange Online)

If you have Office 365 email as part of your Office 365 subscription, you need to log in to the Exchange admin center to follow these steps to block your former employee from accessing their email.

  1. Sign in to Office 365 at https://portal.office.com/adminportal/home.


  2. In the Office 365 admin center, in the lower-left navigation pane, expand Admin centers and select Exchange.
  3. In the Exchange admin center, navigate to Recipients > Mailboxes.
  4. Select the user, and on the user properties page, under Mobile Devices, click Disable Exchange ActiveSync and Disable OWA for Devices and answer yes to both.
  5. Under Email Connectivity, click Disable and answer yes.
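Steps 4 and 5 done with Exchange Online PowerShell, extended to the other client protocols and followed by a verification query, as an added example that is not the article's own code. It assumes a connected Exchange Online session; the address is a placeholder, and the `Set-Mailbox -AccountDisabled` command is the one the article itself lists later under "Terminate a session and block access to future sessions".

```powershell
# Added example (not from the original article): close a former employee's mailbox to
# every client protocol with Exchange Online PowerShell, then confirm the result.
# Assumes a connected Exchange Online session; the address is a placeholder.
$former = 'former.employee@example.com'   # placeholder: the leaver's mailbox

# Step 4, plus the protocols the admin center steps do not mention. Do this only after
# any pending device wipe has been acknowledged, since the wipe travels over ActiveSync.
Set-CASMailbox -Identity $former `
    -ActiveSyncEnabled $false `
    -OWAforDevicesEnabled $false `
    -OWAEnabled $false `
    -PopEnabled $false `
    -ImapEnabled $false `
    -MAPIEnabled $false `
    -EwsEnabled $false

# Step 5: disable the account behind the mailbox (the article's own Set-Mailbox
# -AccountDisabled command). Server-side forwarding configured earlier is unaffected;
# only the user's own logons are refused.
Set-Mailbox -Identity $former -AccountDisabled $true

# Verify: every *Enabled flag should read False and AccountDisabled should read True.
Get-CASMailbox -Identity $former |
    Select-Object ActiveSyncEnabled, OWAforDevicesEnabled, OWAEnabled,
                  PopEnabled, ImapEnabled, MAPIEnabled, EwsEnabled
Get-Mailbox -Identity $former | Select-Object DisplayName, AccountDisabled
```

The verification query is what turns the procedure into evidence: the two objects returned are what an auditor or a later incident review would ask for.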

Remove and delete the Office 365 license from a former employee

So you don’t continue paying for a license after someone leaves your organization, you need to remove their Office 365 license and then delete it from your subscription. If you choose not to delete the license from your subscription, you can assign it to another user.

When you remove the license, all that user’s data is held for 30 days. You can access the data, or restore the account if the user comes back. After 30 days, all the user’s data (except for documents stored on SharePoint Online) is deleted permanently from Office 365 and can’t be recovered.

  1. Sign in to Office 365 at https://portal.office.com/adminportal/home.


  2. In the Office 365 admin center, select Users.
  3. Select the employee that you want to block, and then choose Edit next to Product licenses in the user pane.
  4. On the Product licenses pane, slide the license indicator to the Off position and then choose Assign to remove the license. The pane will state Products removed when the removal is done.

To reduce the number of licenses you’re paying for until you hire another person, do the following:

  1. In the Office 365 admin center, choose Billing > Subscriptions.
  2. Choose Add/Remove licenses to delete the license so you don’t pay for it until you hire another person. Use the arrows to delete licenses from your subscription. When you add another person to your business, you’ll be prompted to buy a license at the same time, with just one click!

For more information about managing user licenses for Office 365 for business, see Assign licenses to users in Office 365 for business, and Remove licenses from users in Office 365 for business.

Delete a former employee’s user account

After you’ve saved and accessed all the former employee’s user data, you can delete the former employee’s account.

  1. Don’t delete the account if you’ve set up email forwarding or converted it to a shared mailbox. Both need the account to anchor the forwarding or shared mailbox.
  2. Sign in to Office 365 at https://portal.office.com/adminportal/home.


  3. In the Admin center, select Users.
  4. Select the employee that you want to delete, and then choose Delete user in the user pane and then choose Delete > Close.

When you delete a user, the account becomes inactive for approximately 30 days. You have until then to restore the account before it is permanently deleted.
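The license removal from the previous section and the account deletion from this one, with the 30-day restore window shown as well, scripted with the MSOnline module (the article points to its Remove-MsolUser cmdlet below). This is an added example, not the article's own code; it assumes Connect-MsolService has already been run as a global admin, the UPN is a placeholder, and the `$anchorsForwarding` flag stands in for whatever record the admin kept of whether step 2 made this account the anchor of forwarding or a shared mailbox.

```powershell
# Added example (not from the original article): remove every license from a former
# employee, delete the account, and show how to restore it within the 30-day window,
# using the MSOnline module. The UPN is a placeholder; assumes Connect-MsolService
# has already been run as a global admin.
$former = 'former.employee@example.com'   # placeholder: the leaver's account

# Step 5: remove all assigned licenses so the seat can be reassigned or dropped from the
# subscription. The user's data stays recoverable for 30 days after this.
$user = Get-MsolUser -UserPrincipalName $former
$skus = @($user.Licenses | ForEach-Object AccountSkuId)
if ($skus.Count -gt 0) {
    Set-MsolUserLicense -UserPrincipalName $former -RemoveLicenses $skus
    Write-Output "Removed licenses from ${former}: $($skus -join ', ')"
}

# Step 6: delete the account only if it is NOT anchoring forwarding or a shared mailbox.
# $anchorsForwarding is a placeholder for the admin's own offboarding record of step 2.
$anchorsForwarding = $false
if (-not $anchorsForwarding) {
    Remove-MsolUser -UserPrincipalName $former -Force
}

# The deleted account sits in the recycle bin for about 30 days. List it, and if the
# person returns or data is still needed, restore it before it is purged.
Get-MsolUser -ReturnDeletedUsers |
    Where-Object UserPrincipalName -eq $former |
    Select-Object UserPrincipalName, SoftDeletionTimestamp
# Restore-MsolUser -UserPrincipalName $former   # undo the deletion within the window
```

Note that a synchronized account (next section) is not deleted this way; the deletion happens in the local Active Directory and flows to Office 365 through the sync.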

Does your organization use Active Directory?

If your organization synchronizes user accounts to Office 365 from a local Active Directory environment, you must delete and restore those user accounts in your local Active Directory service. You can’t delete or restore them in Office 365.

For instructions, see this TechNet article: Delete a User Account.

If you are using Azure Active Directory, see the Remove-MsolUser PowerShell cmdlet.

What you need to know about terminating an employee’s email session

Here’s information about how to get an employee out of email (Exchange).

What you can do: Terminate a session (such as Outlook on the web, Outlook, Exchange ActiveSync, etc.) and force the user to open a new session.
How you do it: Reset the password.

What you can do: Terminate a session and block access to future sessions (for all protocols).
How you do it: Disable the account. For example (in the Exchange admin center or using PowerShell):

    Set-Mailbox <user@domain> -AccountDisabled:$true

What you can do: Terminate the session for a particular protocol (such as ActiveSync).
How you do it: Disable the protocol. For example (in the Exchange admin center or using PowerShell):

    Set-CASMailbox <user@domain> -ActiveSyncEnabled:$false

(In both commands, <user@domain> is a placeholder for the address of the mailbox.)

The above operations can be done in 3 places. How long each takes to apply:

In the Exchange admin center or using PowerShell: expected delay is within 30 min.
In the Azure Active Directory admin center: expected delay is 60 min.
In an on-premises environment: expected delay is 3 hours or more.

If you want a fast response for account termination, use the Exchange admin center (or PowerShell) or the Azure Active Directory admin center. In an on-premises environment, it can take several hours to sync the change through DirSync.

That’s it!

Of course there are further steps that can be taken into account. I personally think these are the most important ones initially.


Photo by Yann Allegre on Unsplash