How to Handle Departing Employees: M365 Offboarding Checklist

Need safer Microsoft 365 offboarding?

MSP Corp helps Canadian organizations tighten identity, endpoint, email, OneDrive, Teams, and admin processes so employee exits do not leave behind risky access, lost files, or licensing waste.

Request a Quote Get Managed IT Support

Departing employees create a strange mix of urgency and nuance. You need to stop access quickly, but you also need to keep the business running. You may need their mailbox for customer communication, their OneDrive for project files, their Teams memberships for ownership transfer, their mobile device wiped or retired, and their Microsoft 365 license reclaimed without deleting something the company still needs.

The safest approach is not “delete the user.” It is a controlled offboarding workflow: confirm the exit type, preserve the right data, revoke access, transfer ownership, remove unmanaged paths, recover the license, and verify the result. Microsoft’s own former-employee guidance separates these tasks into access blocking, mailbox preservation, mobile device handling, email forwarding or shared mailbox conversion, OneDrive and Outlook access, license removal, and account deletion.^{1, 3, 4, 6}

What should happen when an employee leaves?

A clean offboarding process answers six questions before the employee’s access is removed:

For a normal, friendly departure, you can usually plan this workflow over several days. For an involuntary termination, compromised account, insider-risk concern, or privileged administrator exit, the timeline changes. Microsoft Entra guidance specifically lists compromised accounts, employee termination, and insider threats as scenarios where administrators may need to revoke all access.²

The M365 offboarding checklist at a glance

The table below is the practical version. Adapt it to your HR process, security policy, and Microsoft licensing model.

Key takeaway: offboarding should be a workflow with evidence, not a one-click account deletion.

Step 1: Classify the departure before making changes

Not every departure needs the same handling. The first step is to classify the exit so IT can balance speed, data preservation, and risk.

The classification should be visible in the ticket. A departing salesperson with no admin privileges, a finance leader with sensitive exports, and a systems administrator with global admin rights should not follow the same risk path.

Step 2: Prepare the access inventory

The biggest offboarding misses usually happen outside the obvious Microsoft 365 account. Before the final access cutoff, create a fast access inventory.

Microsoft 365 and identity

• Microsoft Entra ID account
• Assigned licenses and service plans
• Admin roles, privileged identity assignments, and delegated admin rights
• Microsoft 365 groups, security groups, distribution lists, and dynamic groups
• Teams memberships and ownership
• SharePoint permissions, site ownership, sharing links, and external sharing exceptions
• Exchange mailbox permissions, forwarding rules, aliases, and shared mailbox access
• Conditional Access exclusions and named location exceptions

If your identity environment is messy because of acquisitions, old domains, duplicate accounts, or multiple tenants, address it as part of a broader identity consolidation effort. If your organization is merging Microsoft 365 environments, a structured plan for multiple tenant consolidation can prevent offboarding from becoming even harder.

Devices and endpoints

• Windows laptops, desktops, phones, tablets, and virtual desktops
• Intune enrollment status and compliance status
• BitLocker recovery key access and device ownership
• Local administrator accounts and cached credentials
• Remote access tools and support agents
• Personally owned devices with corporate apps or profiles

For BYOD devices, Microsoft Intune’s Retire action removes company data, managed apps, settings, and MDM profiles while preserving personal data, whereas wipe is a stronger action that resets the device and removes personal and organizational data. Match the action to the device ownership model and your policy.⁹ For companies still formalizing this, a clear BYOD security policy helps make offboarding decisions less subjective.

Third-party and SaaS access

• CRM, finance, HRIS, payroll, ticketing, project management, marketing, and password manager accounts
• VPN, firewall, SASE, ZTNA, and remote desktop access
• OAuth apps with delegated access to Microsoft 365 data
• Vendor portals, domain registrars, cloud consoles, social accounts, and shared inboxes
• AI tools, browser plugins, copilots, automation tools, and data connectors

OAuth app permissions deserve special attention. Microsoft Defender for Cloud Apps can show user-installed OAuth applications that have access to Microsoft 365 data, what permissions those apps have, and which users granted access.¹⁰ This matters because disabling a Microsoft 365 account is not the same as auditing every third-party app or connector that touched company data.

Step 3: Preserve business data before deleting anything

Departing employee data usually falls into three buckets: business records the company must keep, personal or unnecessary content that should not be broadly shared, and content that requires legal, compliance, or privacy review. Your offboarding process should separate those buckets before data is moved.

Email and calendar

For most businesses, the cleanest mailbox handoff is to convert the user mailbox to a shared mailbox, grant access to the right successor, and prevent the former employee from signing in. Microsoft states that when a user mailbox is converted to a shared mailbox, existing email and calendar information is retained and multiple people can access it instead of one person.³

Be careful with three details:

• Convert before removing the license. Microsoft notes the user mailbox needs a license before you convert it to a shared mailbox, and after conversion you can remove the license from the user account.³
• Do not delete the old account too early. Microsoft notes the old user account anchors the shared mailbox.³
• Check mailbox size and hold requirements. Shared mailboxes without a license have limits, and holds may require the right Exchange Online licensing.^{3, 6}

For customer-facing roles, configure an auto-reply and monitored handoff. Avoid silent forwarding with no owner, because it can turn into an unmanaged shadow mailbox. For legal, HR, finance, or regulated roles, confirm retention and eDiscovery requirements before changing mailbox state.

OneDrive

OneDrive is often where offboarding goes wrong. A manager may need client files, project notes, or draft documents, but broad access to a former employee’s OneDrive can expose personal, HR, or unrelated sensitive information. The better process is targeted access, targeted copy or move, then removal of temporary admin access once the handoff is done.

Microsoft’s current OneDrive deletion guidance says the cleanup process begins when a user account is deleted from Microsoft Entra ID, not merely when sign-in is blocked or a license is removed. The deleted user appears in the Microsoft 365 admin center for 30 days, and the default OneDrive retention period is also 30 days, although admins can change it in SharePoint admin center.⁵

That timing matters. If you delete first and plan later, you start a retention clock. If you preserve first and delete later, you reduce the chance of rushing through recovery.

SharePoint, Teams, and Microsoft 365 groups

Teams and SharePoint are shared spaces, but they still have owners. When an employee leaves, check whether they are the sole owner of any Teams, private channels, shared channels, SharePoint sites, Planner plans, lists, or Power Automate flows. Assign a new owner before removing the user from groups.

This is also the right time to review guest sharing and sensitive files. Departures often reveal that permissions have grown organically for years. If your files are also part of AI or Copilot readiness, align offboarding with Microsoft 365 Copilot readiness and AI governance, because over-permissioned content can become easier to surface through search and AI experiences.

Step 4: Revoke access in the right order

For a normal departure, access can be revoked at the agreed final working time. For a high-risk exit, HR, the manager, IT, and security should coordinate the exact minute changes begin. The order matters because modern Microsoft 365 access uses sessions, refresh tokens, devices, apps, and connected services.

Step 5: Handle devices based on ownership and risk

Devices should be addressed quickly because they can contain cached files, tokens, offline mail, local admin rights, browser sessions, downloaded reports, or synced OneDrive content.

If your team offers round-the-clock support, define exactly who handles after-hours employee terminations, urgent account disablement, device lockout, and access verification. A documented understanding of what is included in 24/7 IT support prevents confusion during urgent exits.

Step 6: Transfer ownership of the work, not just the mailbox

Offboarding is complete only when business ownership is transferred. A mailbox handoff helps, but it does not cover all the places work lives.

For IT leaders, this is where offboarding overlaps with service desk quality. The ticket should not simply say “user disabled.” It should show what was transferred, what was retained, what was removed, and who accepted ownership. If your support model struggles with these handoffs, revisit how support responsibilities escalate across Tier 1 to Tier 3.

Step 7: Review forwarding, delegation, and mailbox rules

Email rules are a common blind spot. Before final closure, review:

• External forwarding rules
• Inbox rules that delete, hide, or move messages
• Delegate access
• Shared mailbox permissions
• Send As and Send on Behalf permissions
• Mobile device partnerships
• SMTP AUTH and legacy authentication exposure where still present

If the departure follows suspicious activity, treat hidden forwarding rules as potential indicators. Microsoft Purview Audit can be used to search user and admin activity, with Microsoft noting that audit search provides access to critical audit event data for investigating user activities.¹¹ If a mailbox may have been abused, pair offboarding with an incident response plan and a basic triage workflow.

Step 8: Audit OAuth apps, AI tools, and unsanctioned integrations

Modern employees often connect third-party apps to Microsoft 365. Some are legitimate productivity tools. Others create unnecessary data exposure. Offboarding should include a review of user-consented apps, especially for employees in finance, HR, sales, IT, engineering, and executive roles.

Microsoft Defender for Cloud Apps can show which OAuth applications have access to Microsoft 365 data, what permissions they have, and which users granted those permissions.¹⁰ This is useful during offboarding because connected apps may have more access than the business realizes.

Step 9: Remove or reassign licenses carefully

License cleanup matters because unused licenses create cost waste. But removing a license too early can create data retention and access problems. Microsoft’s guidance says you can remove a former employee’s Microsoft 365 license and delete it from your subscription or assign it to another user, but you should understand holds and data access before removal.⁶

Use this decision path:

1. Check legal or compliance hold needs. If a mailbox needs to be accessible for eDiscovery or legal reasons, confirm licensing and hold requirements first.⁶
2. Convert the mailbox if needed. Convert to a shared mailbox before removing the user license when the mailbox must remain available.³
3. Preserve required OneDrive data. Copy or move business files before the user account deletion process starts the OneDrive cleanup clock.⁵
4. Remove unneeded service plans. Reclaim licenses only after data and access decisions are documented.
5. Update the license inventory. Track reclaimed licenses, reassigned licenses, and any paid shared mailbox or archive requirements.

If licensing is already difficult to manage, MSP Corp’s IT procurement and Microsoft licensing support can help connect user lifecycle events with cost control, renewal planning, and subscription hygiene.

Turn offboarding into a repeatable managed IT workflow

We help standardize Microsoft 365 administration, end-user support, identity controls, backup decisions, and access reviews so every employee exit follows the same secure process.

Request a Quote Explore End-User IT Support

Step 10: Validate with logs and evidence

Verification is where a checklist becomes a control. Before closing the ticket, collect enough evidence to show that access was revoked, data was handed off, and exceptions were approved.

For Canadian organizations that handle personal information, documentation matters. The Office of the Privacy Commissioner of Canada says safeguards can include physical measures, up-to-date technological tools, and organizational controls such as security clearances, limiting access, staff training, and agreements.¹² In a privacy breach context, PIPEDA also requires organizations to keep records of every breach of security safeguards involving personal information under their control for two years.¹³

Special case: The departing employee is an administrator

Administrator exits deserve a stricter runbook. Admin accounts can touch identity, email, endpoints, backup, security tools, DNS, firewalls, cloud subscriptions, and remote support tools. If the departing person had privileged access, add these actions:

• Remove all privileged Microsoft Entra and Microsoft 365 admin roles.
• Review Privileged Identity Management assignments and eligible roles.
• Rotate shared admin credentials, break-glass credentials where policy requires, API keys, app secrets, SSH keys, backup console credentials, RMM credentials, and firewall/VPN secrets.
• Review service accounts the admin created or maintained.
• Inspect recent administrative activity in Microsoft Purview Audit, Entra logs, endpoint tools, backup tools, and remote access systems.
• Confirm no personal email, phone number, or authenticator method remains attached to admin, service, or break-glass accounts.
• Check for newly created accounts, role assignments, mailbox rules, external sharing changes, app registrations, and consented applications.
• Document all exceptions and obtain executive approval before leaving any privileged access active.

If the administrator exit is part of an acquisition, merger, or IT leadership change, combine this checklist with an IT post-acquisition stabilization process, because inherited admin access, old vendor accounts, and legacy tools are common risk areas.

Special case: The departure may involve a security incident

If there is any sign of suspicious activity, do not treat offboarding as routine. Preserve evidence first, coordinate with leadership, and follow your incident process.

When suspicious activity is involved, it may also be appropriate to run an incident triage workflow, document lessons learned with an RCA, and confirm whether Microsoft 365 backup coverage is adequate for restore scenarios.

Special case: Contractors, vendors, and temporary staff

Contractors are often harder to offboard than employees because they may sit outside HR systems, use guest accounts, work across multiple tenants, or rely on personal devices. Treat contractor offboarding as a lifecycle process:

• Use named accounts, not shared accounts.
• Set an account expiration date when the contract begins.
• Require a business owner for each contractor account.
• Limit access to specific groups, sites, channels, and apps.
• Review guest accounts and external sharing monthly.
• Disable access on the contract end date, not when someone remembers.

Microsoft Entra lifecycle workflows can help automate scheduled leaver processes, including removing licenses, removing a user from Teams, and deleting the user account in a scheduled offboarding scenario.⁷ Microsoft also documents on-demand lifecycle workflows for real-time terminations that remove the user from groups, remove Teams memberships, and delete the user account.⁸

What not to do when someone leaves

These mistakes are common, especially in organizations where IT is stretched thin or documentation is out of date.

A practical offboarding ticket template

Use this as a starting point for your internal ITSM tool.

How MSP Corp helps make offboarding safer

Offboarding is not difficult because the individual steps are impossible. It is difficult because the steps live across HR, management, Microsoft 365, Entra ID, Exchange, SharePoint, Teams, Intune, security tools, SaaS systems, devices, backups, and documentation. When those responsibilities are unclear, former employees can keep access too long, business files can disappear, and managers can lose visibility into critical work.

MSP Corp helps organizations bring this under control with managed IT services, Microsoft 365 management, Microsoft Entra services, Intune endpoint management, data governance and compliance, and co-managed IT support for internal teams that need extra capacity.

If your current provider cannot give you a reliable user lifecycle process, that may be one sign it is time to evaluate whether your MSP still fits your business. Departures should not depend on heroics, memory, or “the person who usually knows.” They should run from a documented process that protects the organization every time.

Frequently asked questions

Get a cleaner, safer way to manage employee exits

If offboarding still depends on manual memory, scattered spreadsheets, or an overworked internal team, MSP Corp can help you build a secure Microsoft 365 lifecycle process that protects access, data, devices, and continuity.

Request a Quote Talk to a Managed IT Expert