Remove a former employee from Office 365

A question we often get is, "What should I do to protect data when an employee leaves the organization?" This article explains how to block access to Office 365 and the steps you should take to secure your data.

Here's a quick overview:

Step

Why do this

1. Block user access to Office 365 data and email

It prevents the person from accessing their old Office 365 mailbox and data.

Tip: When you block a user's access, you're still paying for their license. You have to delete the license from your subscription to stop paying for it (step 5).

2. Save the contents of the user's mailbox

This is useful for the person who is going to take over the employee's work, or in case of litigation.

3. Wipe and block the user's mobile device

Removes your business data from the phone or tablet.

4. Forward the user's email to another employee

This lets you keep the former employee's email address active, even though you're going to remove their license and delete their account.

If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work.

5. Remove and delete the user's Office 365 license

When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person.

When you remove or delete a license, the user's old email, contacts, and calendar are retained for 30 days, then permanently deleted.

6. Delete the former employee's user account

This removes the account from your Office 365 admin center. Keeps things clean.

7. Get access to a former employee's OneDrive and mail data

You can move their documents to another location not associated with their account.

You need to be a member of the Office 365 global admin role to perform the steps.

Block a former employee's access to Office 365 data

IMPORTANT: Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, you should reset their password.

To block a user from signing in and accessing Office 365 data:

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the Office 365 admin center, select Users.

  3. Select the employee that you want to block, and then choose Edit next to Sign-in status in the user pane. (In the old Office 365 admin center, click Edit in the user's details pane.)

  4. On the Sign-in status pane, choose Sign-in blocked and then Save. (In the old Office 365 admin center, click the Settings tab, under Set sign-in status choose Blocked, and then click Save.)

    Tip: Be sure you remove or disable the user from your on-premises BlackBerry Enterprise Service. You should also disable any BlackBerry devices for the user. Refer to the BlackBerry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.

Block a former employee's access to email (Exchange Online)

If you have Office 365 email as part of your Office 365 subscription, you need to log in to the Exchange admin center to follow these steps to block your former employee from accessing their email.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the Office 365 admin center, in the lower-left navigation pane, expand Admin centers and select Exchange.

  3. In the Exchange admin center, navigate to Recipients > Mailboxes.

  4. Select the user, and on the user properties page, under Mobile Devices, click Disable Exchange ActiveSync and Disable OWA for Devices, and answer yes to both.

  5. Under Email Connectivity, click Disable and answer yes.
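
The two blocking procedures above can also be scripted. The following PowerShell is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, uses a placeholder address, and adds a token-revocation step that the article does not list.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the caller is a global admin.
$Upn = 'former.employee@example.com'           # placeholder address

Connect-MgGraph -Scopes 'User.ReadWrite.All'   # scope choice is an assumption
Connect-ExchangeOnline

# 1. Reset the password to a random value that nobody knows. The article
#    recommends this because a sign-in block can take up to 24 hours to apply.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes) + 'aA1!'   # suffix guarantees mixed character classes
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Block sign-in (the "Sign-in blocked" setting in the admin center).
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 3. Not a step in the article: invalidate the user's refresh tokens.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Disable Exchange ActiveSync, OWA for Devices and Outlook on the web.
#    Mapping "Email Connectivity > Disable" to -OWAEnabled is an assumption.
Set-CASMailbox -Identity $Upn -ActiveSyncEnabled $false `
    -OWAforDevicesEnabled $false -OWAEnabled $false

# 5. Read the settings back instead of trusting that the calls succeeded.
#    AccountEnabled is only returned when it is requested explicitly.
$user = Get-MgUser -UserId $Upn -Property AccountEnabled
$cas  = Get-CASMailbox -Identity $Upn
[pscustomobject]@{
    User                 = $Upn
    SignInBlocked        = -not $user.AccountEnabled
    ActiveSyncEnabled    = $cas.ActiveSyncEnabled
    OWAforDevicesEnabled = $cas.OWAforDevicesEnabled
    OWAEnabled           = $cas.OWAEnabled
} | Format-List
```

Expect SignInBlocked to be True and the three protocol values to be False; any other result means a step did not apply and should be repeated in the admin center.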

Save the contents of a former employee's mailbox

Once you've blocked the departed user's access to their mailbox, you should preserve the data. Exchange Online makes it possible for you to preserve the contents of deleted mailboxes by making the mailbox "inactive." A mailbox becomes inactive when a Litigation Hold or an In-Place Hold is placed on the mailbox before the corresponding Office 365 user account is deleted. Converting the mailbox to an “inactive mailbox” allows administrators, compliance officers, or records managers to use In-Place eDiscovery tools in Exchange Online to access and search the contents. Inactive mailboxes can't receive email and aren't displayed in your organization's shared address book or other lists.

To learn how to do this, see Manage inactive mailboxes in Exchange Online.

Wipe and block a former employee's mobile device

If your former employee had an organization phone, you can use the Exchange admin center to wipe and block that device so that all organization data is removed from the device and it can no longer connect to Office 365.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the Office 365 admin center, in the lower-left navigation pane, expand Admin centers and select Exchange.

  3. In the Exchange admin center, navigate to Recipients > Mailboxes.

  4. Select the user, and under Mobile Devices, choose View details.

  5. On the Mobile Device Details page, under Mobile devices, select the mobile device, click Wipe Data, and then click Block.

  6. Click Save.

Forward a former employee's email to another employee

You can choose to send any new email addressed to the former employee to another person by adding the former employee's email address to another employee. By doing this, any new emails sent to the former employee's email address will be sent to the employee you specify. All additional secondary email addresses that are assigned to the former employee will be deleted and can be reassigned as well.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the Office 365 admin center, select Users.

  3. Select the employee that you want to block, and then choose Edit next to User name / Email in the user pane. (In the old Office 365 admin center, in the user's details pane, click Edit, and then click the Email address tab.)

  4. On the Edit email addresses pane, in the text box under Aliases, type the first part of the new email alias. If you added your own domain to Office 365, you can choose the domain for the new email alias by using the drop-down list. (In the old Office 365 admin center, you need to click Add new under Other email addresses first.)

  5. When you're done, click Save.

Remove and delete the Office 365 license from a former employee

So you don't continue paying for a license after someone leaves your organization, you need to remove their Office 365 license and then delete it from your subscription. If you don't delete the license from your subscription, you can assign it to another user.

When you remove the license, all that user's data is held for 30 days. You can access the data, or restore the account if the user comes back. After 30 days, all the user's data (except for documents stored on SharePoint Online) is deleted permanently from Office 365 and can't be recovered.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the Office 365 admin center, select Users.

  3. Select the employee that you want to block, and then choose Edit next to Product licenses in the user pane. (In the old Office 365 admin center, click Edit and then select the Licenses tab.)

  4. On the Product licenses pane, slide the license indicator to Off position and then choose Assign to remove the license. (In the old Office 365 admin center, under Assign licenses, clear the checkbox next to the license name and click Save.)

    The pane will state Products removed when the removal is done.

To reduce the number of licenses you're paying for until you hire another person, do the following:

  1. In the Office 365 admin center, choose Billing > Subscriptions.

  2. Choose Add/Remove licenses to delete the license so you don't pay for it until you hire another person.

    Use the arrows to delete licenses from your subscription.

    When you add another person to your business, you'll be prompted to buy a license at the same time, with just one click!

For more information about managing user licenses for Office 365 for business, see Assign or remove licenses for Office 365 for business.

Delete a former employee's user account

After you've saved and accessed all the former employee's user data, you can delete the former employee's account.

  1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home.

  2. In the Admin center, select Users.

  3. Select the employee that you want to delete, and then choose Delete user in the user pane and then choose Delete > Close.

When you delete a user, the account becomes inactive for approximately 30 days. You have until then to restore the account before it is permanently deleted.
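
Because a mailbox only becomes inactive if the hold is in place before the account is deleted, it is worth checking the preconditions before running the delete step. The following PowerShell is an added example, not part of the original article: Test-ReadyToDelete is a hypothetical helper name, the address is a placeholder, and the check assumes your organization wants the mailbox preserved.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the caller is a global admin.
Connect-MgGraph -Scopes 'User.ReadWrite.All'   # scope choice is an assumption
Connect-ExchangeOnline

# Hypothetical helper: reports whether the account is safe to delete.
function Test-ReadyToDelete {
    param([Parameter(Mandatory)][string]$Upn)

    # The mailbox is preserved as inactive only if a Litigation Hold or an
    # In-Place Hold exists before the user account is deleted.
    $mbx    = Get-Mailbox -Identity $Upn -ErrorAction Stop
    $onHold = $mbx.LitigationHoldEnabled -or (@($mbx.InPlaceHolds).Count -gt 0)

    # AccountEnabled is only returned when it is requested explicitly.
    $user = Get-MgUser -UserId $Upn -Property AccountEnabled -ErrorAction Stop

    # Devices that still have a partnership with the mailbox (informational).
    $devices = @(Get-MobileDevice -Mailbox $Upn)

    [pscustomobject]@{
        User          = $Upn
        MailboxOnHold = [bool]$onHold
        SignInBlocked = -not $user.AccountEnabled
        MobileDevices = $devices.Count
        Ready         = [bool]$onHold -and (-not $user.AccountEnabled)
    }
}

$check = Test-ReadyToDelete -Upn 'former.employee@example.com'   # placeholder address
$check | Format-List

# Stop here rather than delete an account whose mailbox would not be preserved.
if (-not $check.Ready) {
    throw "Not deleting $($check.User): place a hold and block sign-in first."
}

# -Confirm asks for interactive confirmation before the account is removed.
Remove-MgUser -UserId $check.User -Confirm
```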

See Also

Restore a user
