Secure offboarding in Microsoft 365: a checklist for employee departures

A poorly managed former-employee account in Microsoft 365 keeps access to email, files and federated applications long after the person has left, if the offboarding process is limited to disabling sign-in. This checklist covers the secure offboarding of an employee in Microsoft 365, step by step.

Block sign-in and revoke active sessions immediately

The first step is to block the account's sign-in and explicitly revoke all active sessions and refresh tokens. Blocking sign-in alone doesn't close already-open sessions: a valid token can keep granting access for hours if it isn't explicitly revoked. This step must run on the same day as the departure, not in the next maintenance cycle.

Review forwarding rules, mailbox delegations and OAuth apps

Before assuming the account is isolated, check whether the user configured automatic forwarding rules in Exchange, whether they delegated mailbox access to someone else (a delegation that can survive the departure), and which third-party OAuth apps have consent over their account. Any of the three can keep an access channel to the account's information even with sign-in blocked.

Transfer the mailbox, OneDrive and Teams ownership

Convert the mailbox to shared or transfer it to a manager so no business-relevant email is lost, and transfer OneDrive file ownership to a manager or another location using Microsoft's migration tool. Also review Teams teams and channels where the user was the sole owner: without a prior transfer, those teams can end up with no administrator after the departure.

Revoke devices, licenses and apply retention

Unlink or remotely wipe managed devices associated with the account (Intune), remove the user from all security and distribution groups, apply the applicable retention policy (with Purview if relevant) and, finally, free up the Microsoft 365 license. Document every step: it's the evidence you'll need if a dispute or later investigation arises.

FAQ

Is disabling the account in Entra ID on the departure date enough?

It's not sufficient on its own. Disabling the account blocks new sign-ins, but doesn't revoke already-active sessions and tokens, and doesn't remove forwarding rules, delegations or OAuth app consents that can keep access independent of the password or account state.

What if the employee had a Conditional Access exclusion of their own?

You need to review and remove any Conditional Access exclusion associated with the account as part of offboarding, because a forgotten exclusion can leave that identity without the MFA or managed-device protections that apply to the rest of the organization.