As a result of a decision made by either the employee or the employer, users will inevitably leave your organization. Whether you call these user “separations”, “terminations” or “offboarding”, the impact to IT is the same: network access needs to be secured and the user’s data needs to be addressed.
When using cloud services such as Office 365, there are additional aspects to consider which will make your process different than in an on-premises scenario. There may be a licensing impact which can equate to costs and you are dependent upon another party (Microsoft) for handling the disposal of data.
In this two-part series, I will cover some of the ways to handle Office 365 data for users that have left your organization. This article, part 1, covers how to handle Exchange Online data, or more specifically the user’s mailbox. Part 2 of this series covers how to handle the user’s OneDrive for Business data.
Securing Network Access
Before we talk about the data, we need to secure the data by removing the departed user’s access. This process is usually initiated by a notification from HR or the user’s manager. When the user’s mailbox is in Exchange Online, there are additional considerations to watch out for.
Active Directory: Disable or Delete?
Once notification is received that a user has left the organization, one of the first actions generally taken is to disable the user’s Active Directory account. Most organizations disable the account for a period of time before actually deleting it; establish a defined retention period for disabled accounts, otherwise the number of them gets out of control. Disabling the account rather than immediately deleting it matters here: a deletion is synchronized to Office 365, which in turn deletes the account in Azure AD along with the user’s mailbox. Once deleted in Office 365, the mailbox is recoverable for 30 days and then it is gone unless we take some of the actions below.
AD FS
If we’re using AD FS, disabling the Active Directory account essentially disables access to Office 365. Since AD FS authenticates against Active Directory, a disabled, expired or locked out account will not allow a new successful authentication. Note that this only blocks new sign-ins; a token AD FS has already issued remains valid until it expires, which is one more reason for the protocol-level steps under “Authentication Caching” below.
Password Sync
If Password Sync is being used instead of AD FS, we have to rely on the DirSync / AADSync synchronization cycle to occur in order for the account in Azure AD to be disabled. By default this could be up to three hours, however you can also force a manual sync. Another option is to change the user’s password before disabling the account: password changes are synchronized on a much shorter cycle (a couple of minutes) than the full directory sync, so the old password stops working almost immediately even if the disabled state has not yet reached Azure AD. For more info on some of the nuances of Password Sync, check out “Office 365 – DirSync Password Sync: Did You Know?“.
Authentication Caching
The assumption would now be that, with the user’s account disabled, there is no way to access the mailbox. Unfortunately, some client protocols cache the user’s authentication and will allow access even after the account is disabled. This is nothing specific to Office 365; the same scenario occurs in an on-premises environment. The article “Exchange Best Practices for Untrusted Mailbox Users” provides a good overview of the recommended steps here. At a high level, you should disable (or remove) any connected ActiveSync device partnerships and disable the client protocols on the mailbox, then confirm the change with Get-CASMailbox rather than assuming it applied.
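The access-removal steps above, as one added PowerShell example (this is not code from the original post). It assumes the on-premises ActiveDirectory module, Azure AD Connect on the sync server (Start-ADSyncSyncCycle; older DirSync/AADSync builds use their own cmdlet or scheduled task), and an open remote PowerShell session to Exchange Online. The UPN and server name are placeholders.

```powershell
# Added example, not from the original post. Placeholder names below.
$upn        = 'jdoe@contoso.com'
$syncServer = 'aadconnect01.corp.contoso.com'

# 1. Scramble the password first so Password Sync pushes an unusable
#    credential within minutes, then disable the account so AD FS refuses
#    new authentications. Set-ADAccountPassword does not take a UPN, so
#    resolve the user object first.
$user   = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
$random = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Set-ADAccountPassword -Identity $user -Reset `
    -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)
Disable-ADAccount -Identity $user

# 2. Do not wait for the scheduled cycle (up to three hours on DirSync/AADSync):
#    trigger a delta sync so the disabled state reaches Azure AD now.
Invoke-Command -ComputerName $syncServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

# 3. Cached credentials: turn off every client protocol on the mailbox so
#    Outlook, OWA, ActiveSync, POP/IMAP and EWS sessions that still hold a
#    cached credential stop working regardless of the account state.
Set-CASMailbox -Identity $upn -ActiveSyncEnabled $false -OWAEnabled $false `
    -OWAforDevicesEnabled $false -MAPIEnabled $false -PopEnabled $false `
    -ImapEnabled $false -EwsEnabled $false

# 4. Remove every ActiveSync device partnership so no phone keeps syncing.
#    (Use Clear-MobileDevice instead if your policy calls for a remote wipe.)
Get-MobileDevice -Mailbox $upn | ForEach-Object {
    Remove-MobileDevice -Identity $_.Identity -Confirm:$false
}

# 5. Verify instead of assuming: every protocol should now read False.
Get-CASMailbox -Identity $upn |
    Format-List ActiveSyncEnabled, OWAEnabled, MAPIEnabled, PopEnabled, ImapEnabled, EwsEnabled
```

Steps 3 and 4 are the ones that actually close the cached-credential gap; steps 1 and 2 only stop new sign-ins. Run step 3 even when the account is federated through AD FS, since a token already issued is honoured until it expires.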
What To Do With The Data
Now that we’ve removed the departed user’s access, it’s time to handle the data. This is where you’ll see some deviation from your existing on-premises procedures. The assumption here would be that you’ve only disabled the user’s Active Directory account and the Office 365 license is still in place.
Who Needs Access To The Data?
One of the first tasks is to determine who needs access to the user’s mailbox. Is it the user’s manager? A coworker? Or is access simply needed by admins and possibly legal? What we do with the data will be determined by who needs access to it.
How Long Is The Data Needed?
Here’s where you really need to establish a policy or you’ll end up with a process that is not very manageable. If part of your process includes granting access to the mailbox to a manager or other non-admin, you should establish a time period for how long you’ll allow that access. As long as another user is accessing the departed user’s mailbox, you are leaving the disabled Active Directory account in place and possibly the user’s license.
Recovering The Office 365 License
While you’re likely carrying a balance of spare Office 365 licenses, you may want to recover the Office 365 license from the departed user so it can be assigned elsewhere. One way to do this is to convert the user’s mailbox to a shared mailbox, which does not require a license. Previously this was not always feasible as shared mailboxes were limited to 10 GB, but that limitation has since been removed and they now allow for 50 GB just like a user mailbox. The process to convert to a shared mailbox is relatively easy whether you use PowerShell or the new “Single-Click Conversion” option in the portal. After converting the mailbox you can remove the Office 365 license; the (disabled) Active Directory user account is still necessary, because the shared mailbox remains tied to that synchronized object and deleting it deletes the mailbox.
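The shared-mailbox conversion and license recovery, as an added PowerShell example (not from the original post). It assumes a remote PowerShell session to Exchange Online and the MSOnline module (Connect-MsolService); the UPNs are placeholders, and granting the manager access is the optional branch of the process described above.

```powershell
# Added example, not from the original post. Placeholder names below.
$upn     = 'jdoe@contoso.com'
$manager = 'manager@contoso.com'

# Convert the user mailbox to a shared mailbox (PowerShell equivalent of the
# portal's "Single-Click Conversion"). The disabled AD account stays in place.
Set-Mailbox -Identity $upn -Type Shared

# Optional: give the manager Full Access (Outlook auto-maps the mailbox) and
# Send As. Skip this when only admins/legal need the data.
Add-MailboxPermission -Identity $upn -User $manager -AccessRights FullAccess -AutoMapping $true
Add-RecipientPermission -Identity $upn -Trustee $manager -AccessRights SendAs -Confirm:$false

# Confirm the type actually changed before touching the license: removing the
# license from a mailbox that is still a UserMailbox starts the 30-day
# deletion clock instead of freeing the license.
$mbx = Get-Mailbox -Identity $upn
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "Conversion did not complete for $upn; license left in place."
}

# Now release the Office 365 license(s) assigned to the user.
$skus = (Get-MsolUser -UserPrincipalName $upn).Licenses.AccountSkuId
if ($skus) { Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $skus }
```

Record the date the manager was granted access alongside the ticket, since the access period policy discussed above is only enforceable if someone knows when it started.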
Retaining Data For Access By Admins / Legal
If the only people that need access to the mailbox data are admins or legal, we can make the mailbox an “inactive mailbox”. This is done by placing the mailbox on “Litigation Hold” or “In-Place Hold” and then removing the license; at this point the Active Directory account can also be deleted. The mailbox can be placed on hold for a specific period of time or indefinitely; keep in mind that you must have a license that allows for the “Litigation Hold” or “In-Place Hold” feature, and that the hold can take some time to take effect, so confirm it is in place before removing the license. Once a mailbox is made “inactive”, it has essentially been put into the delete process but the hold stops the mailbox from actually being deleted. This leaves the mailbox accessible by admins or legal via the eDiscovery tools until the hold is removed; if you would like to retain the data forever, that is an option as well. If at a later point it is determined that a non-admin needs access to the mailbox data, you can either “recover” the mailbox as a new user mailbox or “restore” the mailbox contents into another mailbox.
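The inactive-mailbox path, as an added PowerShell example (not from the original post). It assumes a remote PowerShell session to Exchange Online, the MSOnline module, and a license that includes Litigation Hold; the UPN, hold duration and target mailbox are placeholders.

```powershell
# Added example, not from the original post. Placeholder names below.
$upn = 'jdoe@contoso.com'

# 1. Place the mailbox on Litigation Hold. Omit -LitigationHoldDuration (or
#    pass Unlimited) to retain indefinitely; 2555 days is about seven years.
Set-Mailbox -Identity $upn -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# 2. Confirm the hold is recorded before removing the license. The property
#    flips immediately, but Microsoft documents that the hold itself can take
#    up to 60 minutes to take effect, so schedule the license removal after
#    that window rather than in the same run.
if (-not (Get-Mailbox -Identity $upn).LitigationHoldEnabled) {
    throw "Litigation Hold not set on $upn; license left in place."
}

# 3. Remove the license. Because the hold is in place the mailbox becomes an
#    inactive mailbox instead of being deleted after 30 days; the on-premises
#    AD account can then be deleted.
$skus = (Get-MsolUser -UserPrincipalName $upn).Licenses.AccountSkuId
if ($skus) { Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $skus }

# 4. Later: inactive mailboxes are listed with -InactiveMailboxOnly ...
Get-Mailbox -InactiveMailboxOnly |
    Select-Object DisplayName, PrimarySmtpAddress, WhenSoftDeleted, LitigationHoldEnabled

# ... and if a non-admin needs the data, either restore its contents into
# another mailbox (no new license needed) ...
$inactive = Get-Mailbox -Identity $upn -InactiveMailboxOnly
New-MailboxRestoreRequest -SourceMailbox $inactive.DistinguishedName `
    -TargetMailbox 'manager@contoso.com' -AllowLegacyDNMismatch

# ... or recover it as a brand-new licensed user mailbox:
# New-Mailbox -InactiveMailbox $inactive.DistinguishedName -Name 'J. Doe (recovered)' `
#     -DisplayName 'J. Doe' -MicrosoftOnlineServicesID 'jdoe.recovered@contoso.com' `
#     -Password (Read-Host -AsSecureString) -ResetPasswordOnNextLogon $true
```

Restore is the lighter option when a manager just needs to read old mail; recover re-creates a full user mailbox and consumes a license again, so it belongs in the flow only when the mailbox really is coming back into service.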
In Pictures…
Since the above process is a bit wordy, I’ve put together this flow chart that hopefully helps illustrate the process.
Summary
- Disabling an account does not necessarily remove access to the mailbox immediately
- Deleting an account will mark the mailbox for deletion unless other action is taken
- Converting the mailbox to a shared mailbox can free up the Office 365 license
- Converting the mailbox to an “inactive mailbox” can free up the license and allow the Active Directory account to be deleted
More…
Part 2 of this series covers how to handle the user’s OneDrive for Business data.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.
Hello,
Was there a part 2 of 2? Thank you!
Excellent write-up! Easy to read/follow.
John-
I appreciate the feedback. Part 2 should be coming around the end of the month, just waiting for some testing to wrap up. You can subscribe to be notified or check back on this article and it should have a link.
Thanks!
Joe
Agreed, do you have a Part 2? Part 1 was very informative!
Thanks for the feedback Jake!
I just wrapped up part 2, look for it to be live on Monday.
Hey Joe, great article. Can you please clarify the scenario where you want to convert the user’s mailbox to a shared mailbox? I’m under the impression that the shared mailbox will be deleted in 30 days after you mark the account as disabled in AD. What if I want to keep it longer?
Greg-
A disabled Active Directory account should have no impact on the mailbox. Shared mailboxes and resource mailboxes typically have disabled accounts associated with them as there is no reason to log in as that account.
Thanks for the feedback!
Joe
Joe, Good explanation. I haven’t found the method to delete the shared mailbox. Example: convert to shared mailbox, delete E1 license from user. Months later there is no longer a need for the shared mailbox. How do I delete it?
Anthony-
You should be able to delete it via PowerShell or the EAC.
Thanks
Joe
Joe,
Another consideration is federation not using AD FS, such as Ping Federate. In an O365 hybrid mode, we are syncing to Azure AD (not passwords) and using on-premises AD for SSO with Ping. We would like to ensure upon termination that the user cannot access Azure AD linked services. We also have to consider the active sessions provided through the STS token. What do you recommend?
The problem with a password sync environment is that when a user account is disabled in local AD, it is automatically deleted in Office 365 after syncing with Azure AD Connect. So every time I have to restore that account and then convert it to a shared mailbox.
Just wondering… creating a shared mailbox requires you to keep the disabled user in AD (if you delete the user, the shared mailbox gets deleted). If the user is also set up with a OneDrive for Business account then you actually do have to delete the user to get the drive to roll over to the manager. So how do you accomplish both the retention of the OneDrive data and keep the shared mailbox?
Would love to see an update to this article since a lot has changed since it was written.
I have a question regarding offboarding. How would you best handle auto-reply? People need the information that the user is no longer working here, but you want to make sure they are still offboarded.
If I block sign-in for a user and remove the license, are the forwarding and delegation they set up disabled too?