The primary mission for Microsoft 365 admins? Effective Microsoft 365 user management and securing the organization’s data. We get it: it is a balancing act, and managing Microsoft 365 user offboarding can be just as crucial as the onboarding hustle.
Why are Microsoft 365 Offboarding Procedures Crucial?
As we all know, threats keep increasing, and Microsoft security pros are constantly working on them. Have you ever thought about which loopholes in your organization become the entry point for attacks? Weak passwords and the absence of baseline security policies are significant, but one entry point that stands out is terminated users’ accounts.
For example, when these accounts fall into the hands of cybercriminals, it can lead to unauthorized access to sensitive organizational information. So, the critical tasks required during offboarding must be flawlessly executed to prevent any vulnerabilities.
7 Best Practices for Employee Offboarding in Microsoft 365
Here are the employee exit checklist items to complete in the Microsoft 365 admin center, Microsoft Entra admin center, and Exchange admin center for an effective offboarding process.
1. Block former employees from logging into Microsoft 365 services:
Microsoft 365 admin center → Active user → Select respective Microsoft 365 user → Block sign-in.
2. Disable user account in Microsoft 365:
Microsoft Entra admin center → Users → All users → Select respective Microsoft 365 user → Account status → Uncheck “Account enabled” checkbox.
3. Remove all Microsoft 365 licenses of a terminated employee:
Microsoft Entra admin center → Users → All users → Select respective Microsoft 365 user → Licenses → Select respective subscription → Remove licenses.
4. Remove users from all Microsoft 365 groups:
Microsoft Entra admin center → Users → All users → Select respective Microsoft 365 user → Select all groups → Remove memberships.
5. Convert a user mailbox to a shared mailbox: (needed to access important emails in the former employee’s mailbox)
Exchange admin center → Recipients → Mailboxes → Select the former employee’s mailbox → ‘Others’ tab → Convert to shared mailbox → Confirm.
Note: If quick data access is a priority and privacy isn’t a major concern, converting to a shared mailbox can be a quick solution. However, this may expose personal information and create security risks, impacting compliance. Instead, consider using inactive mailboxes to manage ex-employee email data securely.
6. Save mailbox contents of a former employee:
Exchange admin center → Recipients → Mailboxes → Select the former employee’s mailbox → ‘Others’ tab → Manage litigation hold → Configure “Hold duration (days)” → Save.
7. Delete user account in Microsoft 365:
Microsoft Entra admin center → Users → All users → Select respective Microsoft 365 user → Delete.
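The seven portal steps above as one script, added here as an example and not code from the original post. It uses the Microsoft Graph PowerShell SDK and the Exchange Online module; the hold duration, the two optional switches and the assumption that you hold the listed Graph scopes plus Exchange Online management rights are all assumptions. Note that the mailbox steps run before the license is removed, because the hold has to be in place while the mailbox still exists:

```powershell
# Added example, not code from the original post: the seven manual offboarding steps
# as one script, using the Microsoft Graph PowerShell SDK and the Exchange Online module.
# Assumptions: you run it as an admin with the listed Graph scopes and Exchange Online
# management rights; the hold duration and the two switches are per-tenant choices.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Users.Actions, ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int]    $HoldDurationDays = 2555,  # assumed retention period (about 7 years)
    [switch] $ConvertToShared,          # step 5 is optional; see the privacy note in the text
    [switch] $DeleteAccount             # step 7; only after the mailbox is on hold
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled

# Steps 1 and 2: "Block sign-in" and unchecking "Account enabled" both set
# accountEnabled to false. Then revoke refresh tokens so sessions that are already
# signed in cannot keep renewing access tokens after the block.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 6 before step 3: put the mailbox on litigation hold while it still has a
# license. A mailbox on hold becomes an inactive mailbox when the user is deleted,
# which keeps the data discoverable without leaving a live mailbox behind.
Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDurationDays

# Step 5 (optional): convert to a shared mailbox so colleagues can read its contents.
if ($ConvertToShared) {
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
}

# Step 3: remove every directly assigned license. Group-based licenses disappear
# together with the group memberships removed in step 4.
$skuIds = @(Get-MgUserLicenseDetail -UserId $user.Id | Select-Object -ExpandProperty SkuId)
if ($skuIds.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skuIds -AddLicenses @() | Out-Null
}

# Step 4: remove the user from every group they are a direct member of. Dynamic and
# on-premises-synced groups reject the call, so report those instead of stopping.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object {
        $groupId = $_.Id
        try {
            Remove-MgGroupMemberByRef -GroupId $groupId -DirectoryObjectId $user.Id -ErrorAction Stop
        } catch {
            Write-Warning "Could not remove $UserPrincipalName from group ${groupId}: $($_.Exception.Message)"
        }
    }

# Step 7 (optional): delete the account. Deleted users stay recoverable for 30 days.
if ($DeleteAccount) {
    Remove-MgUser -UserId $user.Id
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it as `.\Offboard-M365User.ps1 -UserPrincipalName someone@contoso.example -ConvertToShared` (the UPN is a constructed sample); leave out `-DeleteAccount` until you have confirmed the hold is in place.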
Performing these tasks manually across the Microsoft 365 admin centers requires switching back and forth, creating a headache for administrators. Luckily, there are solutions like automated employee offboarding using PowerShell and Power Automate! However, diving into cmdlets and flows requires deep knowledge to get the job done efficiently.
So, where to turn for the best Microsoft 365 offboarding process and an automated one too? That’s where the “Lifecycle workflows in Microsoft Entra ID” come in to automate Microsoft 365 offboarding procedures.
Automate Microsoft 365 User Offboarding Using Lifecycle Workflows
Entra ID’s lifecycle workflows automate tasks for user lifecycle management, focusing on joiner-mover-leaver (JML) stages. This feature ensures consistent identity and access management, streamlining tasks on Microsoft 365 users efficiently.
You can automate Microsoft 365 user onboarding with lifecycle workflows, and similarly, facilitate efficient offboarding procedures. When it comes to offboarding, Microsoft Entra’s lifecycle workflows offer four built-in templates for performing tasks based on the leaver lifecycle. They are:
- Pre-offboarding of an Employee – Before an employee leaves, certain tasks need to be done in advance, like removing them from specific Microsoft 365 groups and teams, to ensure a smooth transition and maintain data security.
- Offboard an Employee – On the employee’s official leave date, essential tasks are executed to terminate access, including disabling the account, removing the user from groups/Teams, and blocking user access to O365 data for enhanced Microsoft 365 security.
- Post-offboarding of an Employee – Post-employee departure, further actions are taken, including access removal, and removing Microsoft 365 licenses to prevent unnecessary costs in Microsoft 365.
- Real-time Employee Termination – Efficiently perform offboarding tasks immediately, with the flexibility to specify which tasks should be “executed on demand”. This allows you to address the specific tasks relevant to the employee’s departure in a timely manner.
Now, let’s look at them in detail to know how you can streamline the offboarding process with available lifecycle workflows templates effectively.
Create Automated User De-Provisioning Process in Microsoft 365
We consistently gravitate towards ready-to-use solutions, and similarly, you can use these four pre-set lifecycle workflow templates designed for common user departure scenarios.
1. Set Up Microsoft 365 Pre-offboarding Task with Lifecycle Workflows
This template simplifies offboarding during an employee’s notice period by automating their removal from specific Microsoft 365 groups and Teams. It ensures access to essential groups until they leave or retire, automating the entire process hassle-free!
Default Employee Offboarding Template Configuration:
| Setting | Value |
|---|---|
| Name | Offboard an employee |
| Description | Configure pre-offboarding tasks for employees before their last day of work |
| Category | Leaver |
| Trigger type | Trigger and Scope Based |
| Days from event | 7 |
| Event timing | Before |
| Event user attribute | employeeLeaveDateTime |
| Scope type | Rule Based |
| Rule | – |
| Default Tasks Included | Remove user from selected groups; Remove user from selected Teams |
2. Automate Microsoft 365 Offboarding Tasks on Last Day of Work
This template becomes incredibly handy on the actual day of departure. It does the essential tasks automatically – removing users from all M365 groups and Teams, disabling user accounts in Microsoft 365, and more. Missing these crucial steps can seriously affect your Microsoft 365 security! But you don’t have to worry; this template takes care of every Azure AD user de-provisioning task itself.
Default Employee Offboarding Template Configuration:
| Setting | Value |
|---|---|
| Name | Post-offboarding of an employee |
| Description | Configure pre-offboarding tasks for employees on their last day of work |
| Category | Leaver |
| Trigger type | Trigger and Scope Based |
| Days from event | 0 |
| Event timing | On |
| Event user attribute | employeeLeaveDateTime |
| Scope type | Rule Based |
| Rule | – |
| Default Tasks Included | Disable user account; Remove user from all groups; Remove user from all Teams |
3. Execute Employee Termination Tasks with Lifecycle Workflows
After an employee’s termination, it’s crucial to revoke their Microsoft 365 licenses. Why? Because even if the license isn’t in use, it’s still costing you money, and someone else might need it! Also, to maintain good user account hygiene in Microsoft 365, it’s essential to delete the user account, and you can automate this process using the provided template.
Default Employee Offboarding Template Configuration:
| Setting | Value |
|---|---|
| Name | Pre-offboarding of an employee |
| Description | Configure pre-offboarding tasks for employees after their last day of work |
| Category | Leaver |
| Trigger type | Trigger and Scope Based |
| Days from event | 7 |
| Event timing | After |
| Event user attribute | employeeLeaveDateTime |
| Scope type | Rule Based |
| Rule | – |
| Default Tasks Included | Remove all licenses for user; Remove user from all Teams; Delete User Account |
4. Automate Microsoft 365 Offboarding Tasks in Real Time with Workflows
Imagine you need to handle the deprovisioning of Microsoft 365 accounts immediately, without relying on a scheduled trigger. In such cases, this workflow comes in handy.
For instance, if an employee suddenly departs or is removed from the company, you can use this template. Once you have finished configuring it, use the “Run on demand” option, where you specify the respective users and the specific tasks to run at that moment.
Note: This template operates solely on demand and doesn’t have any predefined execution conditions.
Apart from the pre-defined offboarding templates, if you wish to create a template of your own, you need to rely on the Graph API. There is no way to do this in the Microsoft Entra admin center, so custom workflows must be created using the Microsoft Graph API.
How to Automate Microsoft 365 Offboarding Tasks with Entra Workflows?
Let’s plan a lifecycle workflow deployment for the following post-offboarding tasks in Microsoft 365.
✅ Remove a former employee from all Teams.
✅ Remove user from all Microsoft 365 groups.
✅ Remove all licenses for user.
✅ Remove all access package assignments for user.
✅ Disable user account in Microsoft 365.
✅ Send email to manager after user’s last day.
Before proceeding further, make sure you have looked over how to create automated lifecycle workflows in Entra ID for a better understanding. Additionally, make sure that you have set “employeeLeaveDateTime” via the Microsoft Graph API. If not, the workflow will fail to run the tasks you configured.
- License: You need a Microsoft Entra ID Governance license to set up lifecycle workflows in Microsoft 365.
- Roles: Make sure to be a global administrator or lifecycle workflows administrator for configuring workflows in your organization.
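Setting the trigger attribute through Microsoft Graph, added here as an example (not code from the original post). It assumes you pass in your own UPN and leave date, and that the account you connect with can be granted the User-LifeCycleInfo.ReadWrite.All permission; the 7-day check at the end mirrors the “Days from event = 7, Before” setting of the pre-offboarding template:

```powershell
# Added example, not code from the original post: set employeeLeaveDateTime on a user
# through Microsoft Graph, the attribute the leaver templates trigger on. The UPN and
# date are your own inputs; the lookahead check mirrors the 7-day "Before" template.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [Parameter(Mandatory)] [string]   $UserPrincipalName,
    [Parameter(Mandatory)] [datetime] $LeaveDate,
    [int] $LargestBeforeOffsetDays = 7   # largest "Before" offset among your workflows (assumed)
)

# Writing this attribute needs User-LifeCycleInfo.ReadWrite.All; User.ReadWrite.All
# alone is not enough, which is a common reason the PATCH comes back as 403.
Connect-MgGraph -Scopes 'User-LifeCycleInfo.ReadWrite.All', 'User.Read.All' -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName"

# Graph expects an ISO 8601 timestamp in UTC.
$body = @{ employeeLeaveDateTime = $LeaveDate.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ') }
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body

# Read it back: the attribute is only returned when it is selected explicitly.
$check = Invoke-MgGraphRequest -Method GET -Uri "${uri}?`$select=id,employeeLeaveDateTime"
Write-Host "employeeLeaveDateTime for $UserPrincipalName is now $($check.employeeLeaveDateTime)"

# A "Before" trigger needs the leave date to still be that many days in the future;
# otherwise the scheduled run has no window to fire in and "Run on demand" is the fallback.
$daysAhead = ($LeaveDate.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalDays
if ($daysAhead -lt $LargestBeforeOffsetDays) {
    Write-Warning ("Leave date is only {0:N1} days away; workflows with a {1}-day 'Before' offset will not get a scheduled run for this user." -f $daysAhead, $LargestBeforeOffsetDays)
}
```

Usage: `.\Set-LeaveDate.ps1 -UserPrincipalName someone@contoso.example -LeaveDate '2025-03-31T17:00'` (constructed sample values).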
Once done, you can proceed to follow the below steps to create an employee offboarding template:
1. Sign into the Microsoft Entra admin center.
2. Scroll to Identity Governance and select Lifecycle Workflows.
3. Click on “+Create Workflow” and choose the post-offboarding of an employee workflow template.
Now, you need to configure the three tabs.
4. Configure the “Basics” Tab in Lifecycle Workflows:
- Workflow Details: Give your workflow a suitable name and description.
- Trigger Details: You can configure the trigger information based on your need.
- Trigger type: It is set to Trigger and Scope Based by default.
- Days from event: Define the number of days after the employee’s leave date at which the workflow should be triggered.
5. Click “Next: Configure Scope”.
6. Specify the “Configure Scope” Tab in Lifecycle Workflows:
- Scope Type: It is set to “Rule based” by default.
- Rule: Define the expression with the respective department. Here we specified it as “Sales”.
7. Click “Next: Review Tasks.”
8. Configure the “Review Tasks” Tab in Lifecycle Workflows:
You can configure the respective tasks using the “+ Add task” option in the Workflows tasks tab.
- Remove user from all Teams.
- Remove users from all groups.
- Remove all licenses for user.
- Remove all access package assignments for user.
- Disable user account.
- Send email after user’s last day.
9. Click “Next: Review +Create.”
10. Finally, review all the configured settings and proceed to create the workflow.
You can use the “Enable schedule” option in the “Review +Create” tab to schedule runs of the post-offboarding workflow.
Now that you have successfully configured a workflow to handle post-offboarding tasks, you can test its functionality using the “Run on demand” option from the workflow overview page.
- This allows you to manually initiate the workflow on the employee you need to offboard in Microsoft 365. It also helps you identify any potential misconfigurations or errors in executing these tasks for terminated users.
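The same post-offboarding workflow built through the Microsoft Graph lifecycleWorkflows API instead of the portal, added here as an example; it is not code from the original post nor one of Microsoft’s built-in templates. This is also the route you need for the custom workflows mentioned earlier. The department “Sales”, the 7-day offset and the six task names come from the walkthrough above; the scopes, the task-name matching and the optional on-demand run for a test user are assumptions:

```powershell
# Added example, not code from the original post or one of Microsoft's templates:
# create the post-offboarding workflow from the walkthrough via Microsoft Graph, then
# optionally run it on demand for one user as the test step described in the text.
# 'Sales', the 7-day offset and the task names come from the walkthrough; the rest
# is an assumption you adjust for your tenant.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string] $Department     = 'Sales',
    [int]    $DaysAfterLeave = 7,
    [string] $RunOnDemandFor          # optional UPN of a test user
)

$lw = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All', 'User.Read.All' -NoWelcome

# Tasks are referenced by taskDefinition GUID. Resolve them from the tenant by display
# name instead of hard-coding IDs; the comparison ignores case, punctuation and user/users.
function Normalize([string] $s) { $s.ToLowerInvariant() -replace '[^a-z ]', '' -replace 'users', 'user' }
$definitions = (Invoke-MgGraphRequest -Method GET -Uri "$lw/taskDefinitions").value
$wanted = @(
    'Remove user from all Teams',
    'Remove users from all groups',
    'Remove all licenses for user',
    'Remove all access package assignments for user',
    'Disable user account',
    "Send email after user's last day"
)
$tasks = foreach ($name in $wanted) {
    $def = $definitions | Where-Object { (Normalize $_.displayName) -eq (Normalize $name) } | Select-Object -First 1
    if (-not $def) {
        throw "No task definition matching '$name'. Available: $($definitions.displayName -join '; ')"
    }
    @{
        continueOnError  = $false   # stop this user's run if an earlier task fails
        displayName      = $name
        description      = $def.description
        isEnabled        = $true
        taskDefinitionId = $def.id
        arguments        = @()
    }
}

$workflow = @{
    category            = 'leaver'
    displayName         = "Post-offboarding of $Department employees"
    description         = "Runs $DaysAfterLeave days after employeeLeaveDateTime for the $Department department"
    isEnabled           = $true
    isSchedulingEnabled = $true      # same as "Enable schedule" on the Review + Create tab
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq '$Department')"
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeLeaveDateTime'
            offsetInDays       = $DaysAfterLeave   # positive = after the event, negative = before
        }
    }
    tasks = @($tasks)
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$lw/workflows" -Body $workflow
Write-Host "Created workflow $($created.id) ($($created.displayName))"

# "Run on demand": activate the workflow for one user to surface misconfigurations early.
if ($RunOnDemandFor) {
    $subject = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/${RunOnDemandFor}?`$select=id"
    Invoke-MgGraphRequest -Method POST -Uri "$lw/workflows/$($created.id)/activate" -Body @{ subjects = @(@{ id = $subject.id }) }
    Write-Host "Run requested; per-task outcomes appear under $lw/workflows/$($created.id)/userProcessingResults"
}
```

Resolving task definitions by name rather than by GUID keeps the script readable and fails loudly, listing the names the tenant actually exposes, if a display name ever changes. If you want the portal’s pre-offboarding behaviour instead, pass a negative offset and adjust the task list.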
For more insight into Microsoft 365 offboarding, you can make use of Security Copilot in Microsoft Entra. It provides comprehensive information on offboarding task failures, workflow execution, and other relevant details, helping you keep the offboarding process streamlined.
Automate the Hardest Part of Employee Offboarding with Lifecycle Workflows!
Finally, with lifecycle workflows, ensure you never miss important user offboarding duties because your personal assistant automates it all. Just customize the offboarding workflow templates according to your needs and standardize your Microsoft 365 user deprovisioning or offboarding process. Not only about the offboarding process, but you can also manage Microsoft 365 employee role changes using lifecycle workflows efficiently.
I hope this blog helped you gain valuable information on automated Microsoft 365 user offboarding with lifecycle workflows. Feel free to reach us through the comments section if you have any issues.