October 6, 2021
Roy Martinez
With over 16 years in Microsoft and IT infrastructure, Roy uses his SharePoint, Power Automate, and Microsoft Teams expertise to help organizations develop strategies for adoption, collaboration, automation, and governance.

If and when an employee or external team member leaves your organization — particularly to (ahem) go to a competing company — you’re likely to ask yourself how to secure your network’s data and protect access to key resources, right? Right. As Microsoft’s website makes clear, this is a frequently asked question of their team. Despite its importance (and the commonality of this issue), though, blocking user access and deactivating Microsoft 365 accounts isn’t always as straightforward as it could or should be. But don’t worry — if you’re currently wondering how to deprovision Microsoft 365 accounts, we’re here to help.

First off, it’s important to remember that sharing access to resources is not always a bad thing, so long as it’s done intentionally and securely. It allows you to boost collaboration, easily share files and calendar invites, participate in group chats, etc. The challenges come when an employee leaves your organization and you’re looking to resecure your network.

So, how can you remove these past employees and ensure your information and accounts are safeguarded? We’ve laid out the process, step-by-step (in accordance with Microsoft best practices), below.

Step One: Reset A User’s Password to Restrict Access

To prevent a former employee or external user from logging into your system, the fastest and most efficient measure to take is to force their sign-out and then change the user’s password. To do this, follow the steps below (as outlined by Microsoft).

  1. In the admin center, go to the Users → Active Users page.
  2. Select the box next to the user’s name, and then select Reset password.
  3. Enter a new password, and then select Reset. (Don’t send it to them.)
  4. Select the user’s name to go to their properties pane, and on the Account tab, select “Sign out of all sessions.”

Step Two: Block A User’s Access to Microsoft 365 Services and Email

Next up, you’ll want to block the user’s access to all Microsoft 365 Services, including email (e.g., Exchange Online), following the steps below (again, as outlined by Microsoft).

  1. In the admin center, go to the Users → Active users page.
  2. Select the name of the employee that you want to block, and under the user’s name, select the symbol for Block this user.
  3. Select “Block the user from signing in,” and then select Save.
  4. Next, go to the Exchange admin center.
  5. In the Exchange admin center, navigate to Recipients → Mailboxes.
  6. Select the user mailbox from the list and then, in the Details Pane (on the right-hand side), select Manage email apps settings under email apps. Turn off the slider for all the options: Mobile (Exchange ActiveSync), Outlook on the web, Outlook desktop (MAPI), Exchange web services, POP3, and IMAP. Select Save.

Remember: It can take up to 24 hours to block a user, so you’ll definitely want to reset their password first to truly limit access, per the guidance in Step One!
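Steps One and Two scripted as a single pass, in the order the steps above give, as an added example (not Microsoft's or CoreView's code). It assumes the Microsoft Graph PowerShell and ExchangeOnlineManagement modules are installed and already connected; the function name `Lock-DepartedUser`, the scope shown and the sample UPN are assumptions.

```powershell
# Added example, not from the original article. Assumes Connect-MgGraph and
# Connect-ExchangeOnline have already been run by an admin with the needed roles.
function Lock-DepartedUser {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Step One: a random password that is never displayed, stored or sent to anyone.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $passwordProfile = @{
        # Fixed suffix only guarantees the complexity classes; the entropy is in the random part.
        Password                      = [Convert]::ToBase64String($bytes) + 'aA1!'
        ForceChangePasswordNextSignIn = $false
    }

    $action = 'Reset password, sign out of all sessions, block sign-in, disable email apps'
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, $action)) { return }

    Update-MgUser -UserId $UserPrincipalName -PasswordProfile $passwordProfile
    # "Sign out of all sessions": invalidates the user's refresh tokens.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # Step Two: block sign-in, then turn off every email app protocol.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncEnabled $false -OWAEnabled $false `
        -MAPIEnabled $false -EwsEnabled $false -PopEnabled $false -ImapEnabled $false

    # Read the state back so the offboarding record shows what was actually applied.
    $user = Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled
    $cas  = Get-CASMailbox -Identity $UserPrincipalName
    $protocols = 'ActiveSyncEnabled', 'OWAEnabled', 'MAPIEnabled', 'EwsEnabled', 'PopEnabled', 'ImapEnabled'
    [pscustomobject]@{
        User            = $UserPrincipalName
        SignInBlocked   = -not $user.AccountEnabled
        ProtocolsLeftOn = @($protocols | Where-Object { $cas.$_ })
        CompletedUtc    = (Get-Date).ToUniversalTime()
    }
}

# Usage (placeholder UPN; the scope is an assumption and password reset may need more):
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Connect-ExchangeOnline
# Lock-DepartedUser -UserPrincipalName 'departed.user@example.com' -WhatIf
```

Run it with `-WhatIf` first to confirm the target account; an empty `ProtocolsLeftOn` and `SignInBlocked = True` in the returned object are the values to record in the offboarding ticket.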

Step Three: Secure Mailbox/Communications

Option 1: Save A User’s Content and Information

Once you’ve reset a past employee or external user’s password and blocked their access to Microsoft 365 services and email, it’s time to save the user’s content and information — including any documents they were working on (which might be handy for the person taking over their role), emails from their account, etc.

To do this, Microsoft suggests adding the now-blocked user’s email address to Outlook on your desktop, then exporting the data to a .pst file. You can then import the data to other email accounts as needed.

You’ll want to follow similar steps on the user’s mobile and tablet devices as well, ensuring no business data slips through the cracks and remains in their hands after their time of employment.

Option 2: Convert Mailbox to a Shared Mailbox

If you want to keep the user’s mailbox and contents available, you can also just convert their mailbox to a shared mailbox or inactive mailbox. Before you do, you should also put a litigation hold on the user’s mailbox to ensure that the content does not get deleted. You should also make someone an “owner” of the shared mailbox, either their manager or another account that may need to review content in the user’s mailbox.

Step Four: Remove A User’s Microsoft 365 License, Delete Their Account

All right. Let’s say you’ve successfully blocked a user from accessing your services and saved any and all relevant information from their account — now’s the time to remove their Microsoft 365 license and then (finally!) delete their account. This will formally remove them from your system and prevent you from paying for unused licenses; it’s a win-win.

Per Microsoft’s instructions:

  1. In the admin center, go to the Users → Active users page.
  2. Select the name of the employee that you want to block, and then select the Licenses and Apps tab.
  3. Clear the checkboxes for the license(s) you want to remove, and then select “Save changes.”
  4. Return to the Users → Active users page.
  5. Select the name of the employee that you want to delete.
  6. Under the user’s name, select “Delete user.”

Ba-da-bing, ba-da-boom, you’ve successfully removed a defunct user and deprovisioned a Microsoft 365 account — congrats! But this doesn’t mean you’re completely in the clear when it comes to protecting your network, particularly if you’re still working with external users OR if the deleted user has accounts on other SaaS platforms that your company uses. Fortunately, CoreView can help you there as well.

For a detailed look at how best to secure your organization’s resources, request a personalized CoreView demo today.
