
10 Steps to Foolproof User Deprovisioning in Office 365


June 16, 2015

5 minute read


Every organization develops its own ebb and flow for onboarding and offboarding employees—as one employee exits, another enters. However, cloud office systems, like Office 365, have disrupted this routine by providing more open and immediate access to collaborative tools. No matter the size of an organization, there are a number of critical steps an admin must take to properly deprovision a user—and a variety of reasons to do so.

An improperly deprovisioned account can result in data loss and security breaches, and in today’s fast-paced work environment, either can be catastrophic. Deprovisioning users correctly shouldn’t be thought of as solely a safeguard against disgruntled employees, but rather as a good measure to prevent accidental data exposures.

1. Remotely wipe the user’s company device(s)

Depending on your organization’s policy, the first step should be to remotely wipe all corporate data off of your employee’s devices. For company-owned devices, you can execute a full device wipe. Organizations that operate with a bring your own device (BYOD) policy should have procedures in place to wipe company data off of a user’s device while leaving personal data intact.

Office 365 offers built-in Mobile Device Management (MDM) capabilities that allow for a full wipe or selective wipe of devices. If your organization’s policy does not allow for a remote wipe on company-owned devices, you can remotely lock the device and collect it from the employee.

2. Reset the user’s Active Directory password and block access to Office 365 data

After you’ve wiped the employee’s device, reset the account’s password so the old one is useless to anyone who knows it, and block the account from signing in.

Where you do this depends on how the account is mastered. Cloud-only accounts are reset in Azure Active Directory; accounts synchronized from on-premises Active Directory (a hybrid tenant) must be reset and disabled on-premises and allowed to sync, since a cloud-side password change is generally refused for synced users unless password writeback is configured. Note that a password reset does not by itself end sessions that are already signed in: blocking sign-in stops new ones, but tokens already issued keep working until they expire, so revoke them as well where your tooling allows.

Another step many companies take in order to secure data is to hide the user from the Global Address List (GAL) and block access to Office 365 data.

It’s important to note that even if a user is blocked from signing in, inbox rules and mailbox-level SMTP forwarding keep working, because both are processed server-side by Exchange rather than by the user’s client. If a disgruntled employee sets up a rule or SMTP forwarding to a personal email account before the account is blocked, sensitive data will keep leaving your organization’s control. Audit the mailbox for forwarding settings and for rules that forward or redirect mail, and disable anything suspicious; this can be done either through the Exchange admin center or via PowerShell.

Please note: If you are unable to perform a remote lock or wipe, this step is incredibly important.
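The following PowerShell is an added example, not code from the original post or from BetterCloud. It carries out steps 1 and 2 for one account: it issues an account-only wipe to the user’s Exchange ActiveSync devices, blocks sign-in, rotates the password, hides the user from the GAL, clears mailbox-level forwarding, and then audits inbox rules for forward/redirect targets, flagging any that point outside the tenant’s accepted domains. It assumes an authenticated MSOnline session (Connect-MsolService) and an Exchange Online PowerShell session; the UPN jdoe@contoso.com is a placeholder.

```powershell
# Added example, not code from the original post. Assumes an authenticated MSOnline
# session (Connect-MsolService) and an Exchange Online session (Connect-ExchangeOnline
# from the ExchangeOnlineManagement module, or the older remote PSSession).
# The UPN below is a placeholder.
$upn = 'jdoe@contoso.com'

# --- Step 1 (Exchange ActiveSync path): wipe the user's synced mobile devices. ---
# -AccountOnly removes only the Exchange account's data, the BYOD-friendly selective wipe;
# omit it to wipe the whole device. The command is delivered the next time the device
# syncs, which is why the post orders the wipe before the password reset.
Get-MobileDevice -Mailbox $upn | ForEach-Object {
    Write-Host "Wiping $($_.DeviceModel) ($($_.DeviceId)), last changed $($_.WhenChanged)"
    Clear-MobileDevice -Identity $_.Identity -AccountOnly -Confirm:$false
}

# --- Step 2: block sign-in and invalidate the password. ---
# In a directory-synchronized tenant do this in on-premises AD instead
# (Disable-ADAccount / Set-ADAccountPassword) and let it sync; cloud-side password
# changes are generally refused for synced users unless password writeback is on.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
$newPassword = -join ((33..126) | Get-Random -Count 16 | ForEach-Object { [char]$_ })
Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $newPassword -ForceChangePassword $false
# Neither call ends sessions that already hold valid tokens; revoke those too where the
# module is available (Revoke-AzureADUserAllRefreshToken in the AzureAD module).

# Hide from the GAL and clear mailbox-level forwarding in one call.
Set-Mailbox -Identity $upn -HiddenFromAddressListsEnabled $true `
    -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# Inbox rules run server-side and keep firing after sign-in is blocked, so audit them.
# A forward or redirect to a domain the tenant does not own is the exfiltration case.
$ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        Where-Object { $_ }
    if (-not $targets) { continue }
    # Targets render as "Display Name" [SMTP:user@domain]; EX: addresses are internal objects.
    $smtp = foreach ($t in $targets) { if ("$t" -match 'SMTP:([^\]]+)') { $Matches[1] } }
    $external = $smtp | Where-Object { ("$_" -split '@')[-1].ToLower() -notin $ownDomains }
    Write-Warning ("Rule '{0}' forwards to: {1}" -f $rule.Name,
        (($targets | ForEach-Object { "$_" }) -join ', '))
    if ($external) { Write-Warning ("  EXTERNAL target(s): {0}" -f ($external -join ', ')) }
    # Disable rather than remove so the rule survives as evidence for any investigation.
    $rule | Disable-InboxRule -Confirm:$false
}
```

Run this against a test mailbox first: the wipe and the rule changes are not reversible from the script. The domain check only compares the right-hand side of each SMTP target against accepted domains, so a forward to a look-alike domain the tenant does not own is correctly flagged, while forwards resolved to internal directory objects (EX: addresses) are treated as internal.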

3. Grant full access of the user’s mailbox to an IT admin and/or user’s manager

After deprovisioning a user, accessing their email may be necessary. Managers may need to comb the mailbox for important ongoing communications; IT admins may need access for security or data retention reasons.

Whoever is given access, whether it is a manager, an IT admin, or both, will be capable of performing later steps like searching, archiving, and moving emails in the mailbox.

4. Set up an Out of Office reply

If the user’s manager requests it, you should set up an automatic reply that lets senders know the user is no longer able to answer emails. You can also take this opportunity to identify the employee who should be contacted instead, such as the user’s replacement or manager.

5. Add the user’s manager as a co-owner of OneDrive for Business folders

The user may have stored business-related files in OneDrive for Business that need to be retrieved.

Since OneDrive for Business is built on top of SharePoint’s architecture, each user’s OneDrive is a SharePoint personal site, and you grant the manager access by making them a site collection administrator of that site. The manager will then be able to search for and retain important resources like the deprovisioned user’s OneDrive for Business files.
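Steps 3 through 5 as one PowerShell sequence, added here as an example (not the original post’s code): grant the manager Full Access to the mailbox, set the out-of-office reply naming that manager, and make the manager a site collection administrator of the user’s OneDrive. It assumes an Exchange Online session and a SharePoint Online Management Shell session (Connect-SPOService against the tenant’s -admin URL). The tenant name contoso, both UPNs, and the convention that the OneDrive URL is derived from the UPN with @ and . replaced by _ are assumptions; the script checks that the derived site actually exists.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online session and a
# SharePoint Online Management Shell session
# (Connect-SPOService -Url https://contoso-admin.sharepoint.com).
# contoso and the two UPNs are placeholders.
$upn     = 'jdoe@contoso.com'
$manager = 'msmith@contoso.com'
$tenant  = 'contoso'

# --- Step 3: Full Access for the manager. -AutoMapping $true makes the mailbox appear in
# the manager's Outlook automatically; use $false if they should open it on demand instead.
Add-MailboxPermission -Identity $upn -User $manager -AccessRights FullAccess -AutoMapping $true

# --- Step 4: out-of-office reply that names the replacement contact. ---
$msg = "This mailbox is no longer monitored. Please contact $manager."
Set-MailboxAutoReplyConfiguration -Identity $upn -AutoReplyState Enabled `
    -InternalMessage $msg -ExternalMessage $msg -ExternalAudience All

# --- Step 5: make the manager a site collection administrator of the user's OneDrive. ---
# OneDrive for Business is a SharePoint personal site whose URL is, by convention, derived
# from the UPN with '@' and '.' replaced by '_' (assumed here, hence the existence check).
$odUrl = "https://$tenant-my.sharepoint.com/personal/" + ($upn -replace '[@.]', '_')
try {
    $null = Get-SPOSite -Identity $odUrl
} catch {
    throw "No OneDrive site at $odUrl; the user may never have provisioned one. $_"
}
Set-SPOUser -Site $odUrl -LoginName $manager -IsSiteCollectionAdmin $true

# Confirm the grant took effect before telling the manager to go look.
Get-SPOUser -Site $odUrl -LoginName $manager | Select-Object LoginName, IsSiteAdmin
```

Making the manager a site collection administrator is broader than a share link on a folder: it grants control over the whole personal site, which is what makes the later search-and-retain step workable, and it is also why the grant should be removed again once the content has been recovered.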

6. Search the existing user’s mailbox and OneDrive for Business folders for information to retain

The timing of a departing employee is rarely ideal, meaning many documents or communications still need to be completed or followed up on. After being given access, managers should search the user’s OneDrive for Business folders and their mailbox for any important information.

For example, if the manager requests every TPS Report the user has ever created, a search can be performed for the keyword “TPS Report” to find all relevant files that need to be retained.

7. Archive the user’s mailbox to .pst, if requested or required

Though this step is optional, it provides an additional backup. Companies commonly export the mailbox to a .pst file, an Outlook data file that holds copies of the user’s messages, calendar, contacts, and tasks and that lives outside Office 365, on a workstation or file share. However, .pst files are hard to manage and secure, and many companies are moving away from them altogether.

The alternative is to take advantage of inactive mailboxes, a feature that allows you to preserve the content of a deleted user’s mailbox. An inactive mailbox is only created if the mailbox is on Litigation Hold or covered by a retention policy at the moment the user account is deleted, so the hold has to be applied before step 9, not after.
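Steps 6 and 7 in PowerShell, added as an example and not taken from the original post: a single compliance search across the user’s mailbox and OneDrive site for the post’s “TPS Report” keyword, an export of the results (the mailbox portion comes out as a .pst), and, as the alternative to .pst files, a Litigation Hold placed on the mailbox now so that deleting the user later yields an inactive mailbox. It assumes a Security & Compliance Center PowerShell session (Connect-IPPSSession) for the *-ComplianceSearch cmdlets and an Exchange Online session for Set-Mailbox; the UPN, the OneDrive URL, and the seven-year hold duration are placeholders.

```powershell
# Added example, not code from the original post. Assumes a Security & Compliance Center
# session (Connect-IPPSSession) for the *-ComplianceSearch cmdlets and an Exchange Online
# session for Set-Mailbox / Get-Mailbox. Names, URL and query are placeholders.
$upn   = 'jdoe@contoso.com'
$odUrl = 'https://contoso-my.sharepoint.com/personal/jdoe_contoso_com'
$name  = "Offboard-$($upn.Split('@')[0])-$(Get-Date -Format yyyyMMdd)"

# --- Step 6: one search over both the mailbox and the OneDrive site. ---
# The query is KQL; a quoted phrase matches the exact words. Drop -ContentMatchQuery
# entirely to capture everything the user left behind.
New-ComplianceSearch -Name $name -ExchangeLocation $upn -SharePointLocation $odUrl `
    -ContentMatchQuery '"TPS Report"' | Out-Null
Start-ComplianceSearch -Identity $name

# Searches run asynchronously; poll until they finish instead of exporting too early.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
} until ($search.Status -in 'Completed', 'Failed')
if ($search.Status -ne 'Completed') { throw "Search $name ended with status $($search.Status)" }
"{0} items, {1} bytes matched" -f $search.Items, $search.Size

# --- Step 7 (optional): export the hits. Mailbox items come out as a .pst that you then
# download from the compliance center with the eDiscovery Export Tool.
if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $name -Export | Out-Null
}

# --- The alternative to .pst files: an inactive mailbox. It exists only if a hold is in
# place BEFORE the user is deleted, so apply Litigation Hold now (requires an Exchange
# Online Plan 2 / E3-level license or the archiving add-on). Duration is in days.
Set-Mailbox -Identity $upn -LitigationHoldEnabled $true -LitigationHoldDuration 2555
Get-Mailbox -Identity $upn | Select-Object LitigationHoldEnabled, LitigationHoldDate
```

Keeping the search name tied to the user and date makes the export traceable later, and failing loudly on a Failed status avoids the common mistake of exporting an empty result set and assuming nothing matched.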

8. Move the user’s mailbox to a subfolder in a manager’s mailbox or new shared mailbox

By moving the user’s mailbox to a subfolder in the manager’s mailbox, you allow the manager to search through and use the mailbox of the deprovisioned user.

If more than one person requires access to the deprovisioned user’s emails, a shared mailbox can be more convenient; also, emails won’t take up storage in the manager’s mailbox. The lowest-effort route is to convert the departed user’s own mailbox into a shared mailbox, which leaves the content where it is. Be aware that the shared mailbox stays attached to the user object, so in that case the account is kept (unlicensed and blocked from signing in) rather than deleted.

Note: Companies can choose to simply grant full access to the user’s mailbox rather than moving the user’s mailbox to a subfolder in the manager’s mailbox or new shared mailbox.

9. Delete the user’s account and remove licenses, unless alternative retention policy applies

Deleting a user frees a license for a new employee, but make sure you have a plan for the newly available license, as unused licenses can rack up significant costs. If you remove a license rather than deleting the user, know that the data behind that service is scheduled for deletion as well; an Exchange Online mailbox, for example, is disconnected when its license is removed and deleted 30 days later. After the user’s account is deleted, data is still recoverable for up to 30 days; this is considered a “soft delete.”

With BetterCloud for Office 365, you can uncover unused licenses across an organization with Licenses Alerts. Try it out here: Install BetterCloud for Office 365 FREE

This is the final manual step in deprovisioning a user. The last step is automatic and takes place 30 days after the user’s account has been deleted.

In some cases, organizations will need to retain data for an extended period of time, or follow special procedures for data destruction, due to legal or regulatory reasons. Adhere to your organization’s retention policy if it differs from Microsoft’s.

Learn how to troubleshoot deleted user accounts in Office 365.

10. Hard delete in 30 days

A hard delete of data will take place on the user’s account automatically after 30 days; this is a default Office 365 policy. After a hard delete takes place, data will no longer be recoverable.

Though it is a rare need, an admin can perform a manual hard delete before the 30-day window expires. The usual reason is the user principal name (UPN), which typically matches the user’s email address: it cannot be assigned to a new user until the hard delete has taken place, and only then is it freed for reuse.

Manual hard deletion of a user can be done through PowerShell or the BetterCloud for Office 365 application.
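Steps 8 through 10 in PowerShell, added as an example and not code from the original post or from BetterCloud. A switch selects between the two end states the post describes: keep the mailbox as a shared mailbox (account retained, licenses removed) or remove the licenses and soft-delete the account, with the optional early hard delete left commented out because it is irreversible. It assumes an Exchange Online session and an MSOnline session (Connect-MsolService); the UPN is a placeholder.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online session and an
# MSOnline session (Connect-MsolService). The UPN is a placeholder.
$upn          = 'jdoe@contoso.com'
$keepAsShared = $true   # $true: convert to shared and keep the account; $false: delete it

if ($keepAsShared) {
    # --- Step 8, in-place variant: convert the mailbox to a shared mailbox. Content stays
    # put, anyone with Full Access can open it, and after the license is removed it needs
    # none (within the shared-mailbox size limit). The mailbox remains tied to the user
    # object, so in this variant the account is kept, unlicensed and sign-in blocked.
    Set-Mailbox -Identity $upn -Type Shared
    (Get-Mailbox -Identity $upn).RecipientTypeDetails   # expect SharedMailbox
}

# --- Step 9: remove every license. Do this AFTER any conversion above; pulling the Exchange
# license from a regular user mailbox disconnects it, and it is purged 30 days later.
$user = Get-MsolUser -UserPrincipalName $upn
$skus = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
if ($skus.Count -gt 0) {
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $skus
}

if (-not $keepAsShared) {
    # Soft delete: the object moves to the recycle bin for 30 days and can be restored with
    # Restore-MsolUser -UserPrincipalName $upn during that window.
    Remove-MsolUser -UserPrincipalName $upn -Force
    Get-MsolUser -ReturnDeletedUsers | Where-Object { $_.UserPrincipalName -eq $upn } |
        Select-Object UserPrincipalName, SoftDeletionTimestamp

    # --- Step 10: the hard delete happens on its own 30 days later. Force it early only
    # when the UPN must be reused immediately; nothing is recoverable afterwards.
    # Remove-MsolUser -UserPrincipalName $upn -RemoveFromRecycleBin -Force
}
```

The two branches are mutually exclusive on purpose: deleting a user whose mailbox you just converted to shared deletes the shared mailbox with it, so decide which end state you want before running either path.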

Why properly deprovisioning users is essential

Cloud office systems like Office 365 continue to alter the responsibilities of IT admins around the world. In the 1950s, organizations would never have allowed terminated employees to walk out of the building with sensitive documents in hand—and neither should you. The difference is that employees today have access to exponentially more data and leave companies much more frequently. That’s why something as simple as deprovisioning a user should be understood, and its importance never underestimated.