Employee offboarding in Microsoft 365 is one of the highest-risk IT events a company faces. A single missed step — a forgotten admin role, an unrevoked sharing link, an unconverted mailbox — can result in data exposure, compliance violations, or ongoing costs for unused licenses. This checklist covers every phase, in the right order, so nothing slips through.
What's In This Checklist
Immediately Secure the Account — Do this first, before anything else
Reset the password immediately (Do First)
Change the password to something random the departing employee cannot guess. Do this before the conversation ends — or even before it begins if the departure is involuntary.
Revoke all active sessions and tokens (Do First)
In the Microsoft 365 admin center go to Users → Active users → select the account → Sign out of all sessions. This kills all active browser, desktop, and mobile app sessions instantly.
Admin path: Admin Center: Users → Active users → [user] → Sign out of all sessions
Remove or disable MFA devices (Do First)
Navigate to Azure AD → Users → [user] → Authentication methods and remove all registered MFA methods (authenticator apps, phone numbers, hardware tokens).
Admin path: Also check Security → MFA → User settings to ensure no trusted devices remain.
Block the user sign-in
Set the account to "Sign-in blocked" in the admin center. This prevents login even if the password is known. Keep the mailbox active — blocking sign-in does not delete data.
Admin path: Admin Center: Users → Active users → [user] → Block sign-in
Remove from all distribution groups and shared mailboxes
Immediately remove the user from any groups that grant access to sensitive data, shared inboxes, or internal communications channels.
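The four "Do First" steps above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from Iron Cove Solutions or the original page; the UPN is a placeholder, and group removal (which also needs Exchange Online cmdlets) is left to the next sections.

```powershell
# Added example, not Iron Cove's tooling. Assumes the Microsoft.Graph module is
# installed and the operator holds a role permitted to reset passwords.
$Upn = 'departing.user@contoso.example'   # placeholder UPN

$scopes = @('User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All',
            'Directory.AccessAsUser.All')
Connect-MgGraph -Scopes $scopes

# 1. Reset the password to a random value that is never displayed or stored.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke refresh tokens so existing browser, desktop and mobile sessions die.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Remove every registered MFA / passwordless method. Each Graph method type
#    lives in its own collection, which the DELETE URL needs.
$collection = @{
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($collection.ContainsKey($type)) {
        $uri = "https://graph.microsoft.com/v1.0/users/$Upn/authentication/$($collection[$type])/$($m.Id)"
        Invoke-MgGraphRequest -Method DELETE -Uri $uri
        Write-Host "Removed $type"
    }
    # passwordAuthenticationMethod cannot be deleted; it was rotated in step 1.
}

# 4. Block sign-in. Mailbox and files are untouched; only authentication is cut.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 5. Confirm the state before moving on to the mailbox steps.
Get-MgUser -UserId $Upn -Property DisplayName, AccountEnabled |
    Select-Object DisplayName, AccountEnabled
```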
Handle Email Continuity — Ensure no business communication is lost
Set up an Out-of-Office auto-reply
Configure an automatic reply directing senders to the appropriate replacement contact. Set it before the employee's last day so incoming messages are handled immediately.
Admin path: Admin Center: Users → Active users → [user] → Mail → Manage automatic replies
Set up email forwarding to a manager
Forward all incoming email to the departing employee's manager or successor for 30–90 days post-departure. This prevents business-critical messages from going unread.
Admin path: Admin Center: Users → Active users → [user] → Mail → Manage email forwarding
Convert the mailbox to a shared mailbox
After the license is removed, convert to a shared mailbox. Shared mailboxes are free (up to 50 GB) and allow other users to access historical email without a paid license.
Admin path: Admin Center: Teams & groups → Shared mailboxes → Add a shared mailbox, or convert from the user account.
Place a Litigation Hold if required
If the employee is involved in any legal matter, HR investigation, or regulatory compliance scenario, place a Litigation Hold before the account is modified. This preserves all email indefinitely.
Admin path: Requires Exchange Online Plan 2 or Microsoft 365 E3/E5. Set in the Microsoft Purview compliance portal.
Export mailbox data if needed
Use the eDiscovery tools in Microsoft Purview to export the mailbox as a .PST file if long-term archiving outside Microsoft 365 is required by your retention policy.
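The email-continuity steps above as one Exchange Online PowerShell run, in the order the checklist calls for (hold first, then auto-reply, forwarding and conversion). This is an added example, not Iron Cove's code; the mailbox, manager address and the $OnHold switch are placeholders, and the eDiscovery export is left to the Purview portal.

```powershell
# Added example, not Iron Cove's tooling. Assumes the ExchangeOnlineManagement
# module; $Upn, $Manager and the $OnHold switch are placeholders.
$Upn     = 'departing.user@contoso.example'
$Manager = 'manager@contoso.example'
$OnHold  = $false   # $true when Legal/HR require a Litigation Hold

Connect-ExchangeOnline

# Hold first, before any other change to the mailbox, so nothing is lost.
if ($OnHold) { Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true }

# Auto-reply for internal and external senders, pointing at the successor.
$reply = "This mailbox is no longer monitored. Please contact $Manager."
Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

# Forward new mail to the manager and keep a copy in the original mailbox,
# so the forwarding is reversible and the mail stays inside retention scope.
Set-Mailbox -Identity $Upn -ForwardingAddress $Manager -DeliverToMailboxAndForward $true

# Convert to a shared mailbox. Microsoft's documentation expects the mailbox
# to still be licensed while it is converted; remove the license afterwards.
Set-Mailbox -Identity $Upn -Type Shared

# Verify that everything landed.
Get-Mailbox -Identity $Upn | Select-Object RecipientTypeDetails, LitigationHoldEnabled,
    ForwardingAddress, DeliverToMailboxAndForward
```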
Audit Microsoft Teams Access — Channels, apps, and connected integrations
Remove from all Teams and channels
The user's messages remain after removal (they belong to the team, not the user). Remove the user as a member from all private channels and from any external teams they were invited to.
Reassign Teams ownership
If the departing employee was the sole Owner of any team, assign a new Owner before removing them. A team without an owner becomes unmanageable.
Admin path: Teams admin center → Teams → [team] → Members → promote another member to Owner first.
Review third-party app authorizations
Check Azure AD → Enterprise Applications for any apps the user granted delegated permissions to (Zoom, Slack, GitHub, etc.). Revoke tokens for apps that shouldn't persist.
Revoke Phone System / Calling Plan assignments
If the employee had a Teams Phone number, unassign the phone number and calling plan so it can be reallocated. Phone numbers incur ongoing costs when left assigned to disabled accounts.
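The Teams steps above as a script: it finds every team where the departing user is the only owner and promotes a successor before removing them, revokes the delegated OAuth grants they consented to, and releases their Teams Phone number. This is an added example, not Iron Cove's code; the UPN and successor address are placeholders.

```powershell
# Added example, not Iron Cove's tooling. Assumes the MicrosoftTeams and
# Microsoft.Graph modules; $Upn and $NewOwner are placeholders.
$Upn      = 'departing.user@contoso.example'
$NewOwner = 'manager@contoso.example'

Connect-MicrosoftTeams
Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# 1. Teams: hand over sole ownership BEFORE removal, then remove membership.
#    Removing a member from a team also removes them from its private channels.
foreach ($team in Get-Team -User $Upn) {
    $owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    if ($owners.Count -eq 1 -and $owners[0].User -eq $Upn) {
        Add-TeamUser -GroupId $team.GroupId -User $NewOwner -Role Owner
        Write-Host "Sole owner of '$($team.DisplayName)': ownership moved to $NewOwner"
    }
    Remove-TeamUser -GroupId $team.GroupId -User $Upn
}

# 2. Delegated OAuth grants the user consented to (Zoom, Slack, GitHub, ...).
#    Deleting the grant stops the app from obtaining new tokens as this user;
#    the earlier Revoke-MgUserSignInSession already killed its refresh tokens.
foreach ($grant in Get-MgUserOauth2PermissionGrant -UserId $Upn -All) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    Write-Host "Revoking grant for '$($app.DisplayName)': $($grant.Scope)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
}

# 3. Teams Phone: release the number so it can be reallocated and stops costing.
$csUser = Get-CsOnlineUser -Identity $Upn
if ($csUser.LineUri) {
    Remove-CsPhoneNumberAssignment -Identity $Upn -RemoveAll
    Write-Host "Released $($csUser.LineUri)"
}
```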
Manage Licenses & Cost Recovery — Unassigned licenses are wasted budget
Unassign Microsoft 365 licenses
Once email is forwarded or converted to a shared mailbox, remove all paid license assignments. This frees the seat immediately, and billing for it stops from the next billing cycle.
Admin path: Admin Center: Users → Active users → [user] → Licenses and apps → uncheck all licenses.
Reclaim add-on licenses
Check for individually assigned add-ons: Defender for Endpoint, Power BI Pro, Project, Visio, Audio Conferencing. These are easy to miss and each carries its own monthly cost.
Audit auto-renewal subscriptions
If the employee managed any Microsoft subscriptions or Azure resources independently, identify and either transfer ownership or cancel those resources.
Document the freed licenses
Record which licenses are now available in your license inventory. This prevents over-purchasing at the next renewal and provides an audit trail for finance.
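The license steps above as a script: it removes the user's directly assigned licenses (add-ons included, since each add-on is its own SKU), warns about any that come from group-based licensing and cannot be removed per user, and prints the free-seat count per freed SKU for the inventory record. This is an added example, not Iron Cove's code; the UPN is a placeholder.

```powershell
# Added example, not Iron Cove's tooling. Assumes the Microsoft.Graph module;
# $Upn is a placeholder.
$Upn = 'departing.user@contoso.example'
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# SKU id -> part number (e.g. SPE_E3 for Microsoft 365 E3, POWER_BI_PRO).
$skuName = @{}
foreach ($s in Get-MgSubscribedSku -All) { $skuName[$s.SkuId] = $s.SkuPartNumber }

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, LicenseAssignmentStates

# Direct assignments can be removed here. Group-based assignments cannot: they
# disappear only when the user leaves the group, so they are reported instead.
$direct   = @($user.LicenseAssignmentStates | Where-Object { -not $_.AssignedByGroup } |
              Select-Object -ExpandProperty SkuId -Unique)
$viaGroup = @($user.LicenseAssignmentStates | Where-Object { $_.AssignedByGroup })

foreach ($g in $viaGroup) {
    Write-Warning "$($skuName[$g.SkuId]) comes from group $($g.AssignedByGroup); remove the user from that group."
}
if ($direct.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null
    Write-Host "Removed from $($user.DisplayName): $(($direct | ForEach-Object { $skuName[$_] }) -join ', ')"
}

# Inventory record for finance: free seats per SKU that was just released.
Get-MgSubscribedSku -All | Where-Object { $_.SkuId -in $direct } | ForEach-Object {
    [pscustomobject]@{
        Sku      = $_.SkuPartNumber
        Total    = $_.PrepaidUnits.Enabled
        Consumed = $_.ConsumedUnits
        Free     = $_.PrepaidUnits.Enabled - $_.ConsumedUnits
    }
} | Format-Table -AutoSize
```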
Final Compliance & Audit Steps — Close the loop before deleting the account
Review the audit log for the last 30 days
Pull the Microsoft Purview audit log for the user's activity in the 30 days before their departure. Look for unusual bulk downloads, large file shares, or admin activity.
Admin path: Microsoft Purview → Audit → search by user and date range.
Check for delegated admin rights
Verify that the user has no admin roles assigned in Azure AD or the Microsoft 365 admin center (Global Admin, Exchange Admin, SharePoint Admin, etc.) and remove any that exist.
Admin path: Azure AD → Roles and administrators → filter by user.
Remove from Entra ID (Azure AD) groups
Check for security groups, dynamic groups, and Azure AD role groups. Membership in these groups may grant access to resources outside of Microsoft 365.
Revoke any Azure resource access
If your organization uses Azure, check Azure RBAC role assignments for the user's identity. Remove Owner, Contributor, or Reader roles from any subscriptions or resource groups.
Delete or retain the account per your policy
After all data is preserved and access is removed, delete the account — or retain it in a blocked state for your required retention period (typically 30–90 days). Document the final action taken and the date.
Warning: deleting the account starts the 30-day OneDrive countdown if the user's OneDrive content has not already been handled.
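A read-only review covering the audit, admin-role, group and Azure RBAC checks above, run before the account is deleted or retained. This is an added example, not Iron Cove's code; the UPN is a placeholder, and the list of operations marked for review is a constructed starting point, not a complete set.

```powershell
# Added example, not Iron Cove's tooling. Read-only review of what the account
# still touches; removals remain a deliberate, separate action.
# Assumes ExchangeOnlineManagement, Microsoft.Graph and Az.Resources are installed.
$Upn = 'departing.user@contoso.example'   # placeholder UPN

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'RoleManagement.Read.Directory'
Connect-AzAccount | Out-Null
$userId = (Get-MgUser -UserId $Upn).Id

# 1. Last 30 days of audit activity, counted per operation. Operations that move
#    data out or change access are marked for a closer look. One page of 5,000
#    events is fetched; busier users need -SessionId paging.
$flag = @('FileDownloaded', 'FileSyncDownloadedFull', 'SharingSet', 'AnonymousLinkCreated',
          'SecureLinkCreated', 'New-InboxRule', 'Set-Mailbox', 'Add member to role.')
$log = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
           -UserIds $Upn -ResultSize 5000 -SessionCommand ReturnLargeSet
$log | Group-Object Operations | Sort-Object Count -Descending | ForEach-Object {
    $mark = if ($_.Name -in $flag) { '  <-- review' } else { '' }
    '{0,6}  {1}{2}' -f $_.Count, $_.Name, $mark
}

# 2. Active directory role assignments (Global Admin, Exchange Admin, ...).
#    PIM-eligible assignments are a separate object and are not listed here.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$userId'" `
        -ExpandProperty roleDefinition -All |
    ForEach-Object { "Directory role : $($_.RoleDefinition.DisplayName)" }

# 3. Group memberships, including security and dynamic groups, which may grant
#    access outside Microsoft 365.
Get-MgUserMemberOf -UserId $userId -All |
    ForEach-Object { "Group          : $($_.AdditionalProperties['displayName'])" }

# 4. Azure RBAC across every subscription visible to the operator.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzRoleAssignment -ObjectId $userId | ForEach-Object {
        "Azure RBAC     : $($_.RoleDefinitionName) on $($_.Scope) [$($sub.Name)]"
    }
}
```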
We Handle M365 Offboarding for Every Org Size
Iron Cove Solutions has completed over 1,000 Microsoft 365 deployments and offboarding engagements since 2009. Whether you have 5 employees or 5,000, we have a managed package built for your scale and budget.
Enterprise (500+ Employees)
Advanced IT configurations, Exchange hybrid environments, complex SharePoint topologies, and cross-tenant scenarios. We handle it all.
Mid-Market (50–500 Employees)
Unique offboarding challenges at scale — often without a dedicated IT team large enough to manage every departure carefully.
Small Business (1–50 Employees)
Affordable managed offboarding support. One missed step can create a costly data breach or compliance violation — we prevent that.
Non-Profits (Any Size)
As Microsoft Cloud Accelerated Partners, we guide nonprofits through secure offboarding while minimizing cost and disruption.
Need Help With an Offboarding Right Now?
If you're dealing with an urgent involuntary departure — or you want a managed offboarding process that never misses a step — Iron Cove can help. We'll audit your current M365 environment and give you a clear action plan.
