As a result of a decision made by either the employee or the employer, users will inevitably leave your organization. Whether you call these user “separations”, “terminations” or “offboarding”, the impact to IT is the same: network access needs to be secured and the user’s data needs to be addressed.
When using cloud services such as Office 365, there are additional aspects to consider which will make your process different than in an on-premises scenario. There may be a licensing impact which can equate to costs and you are dependent upon another party (Microsoft) for handling the disposal of data.
In this two-part series, I will cover some of the ways to handle Office 365 data for users that have left your organization. This article, part 1, covers how to handle Exchange Online data or, more specifically, the user’s mailbox. Part 2 of this series covers how to handle the user’s OneDrive for Business data.
Securing Network Access
Before we talk about the data, we need to secure the data by removing the departed user’s access. This process is usually initiated by a notification from HR or the user’s manager. When the user’s mailbox is in Exchange Online, there are additional considerations to watch out for.
Active Directory: Disable or Delete?
Once notification is received that a user has left the organization, one of the first actions generally taken is to disable the user’s Active Directory account. Most organizations will disable the account for a period of time before actually deleting it. It’s recommended to define how long you will keep that disabled account around; otherwise the number of disabled accounts can get out of control. Disabling the account rather than immediately deleting it is important because a deletion would be synchronized to Office 365, which in turn deletes the account in Azure AD along with the user’s mailbox. Once deleted in Office 365, the mailbox is recoverable for 30 days and then it is gone unless we take some of the actions below.
If we’re using AD FS, disabling the Active Directory account effectively disables access to Office 365. Since AD FS authenticates against Active Directory, a disabled, expired or locked-out account in Active Directory will not allow a successful authentication.
If Password Sync is being used instead of AD FS, we have to rely on the DirSync / AADSync synchronization cycle to occur in order for the account in Azure AD to be disabled. By default, this could take up to three hours; however, you can also force a manual sync. Another option here would be to change the user’s password before disabling the account, which results in an immediate sync of the new password. For more info on some of the nuances of Password Sync, check out “Office 365 – DirSync Password Sync: Did You Know?“.
The assumption would be that now that the user’s account is disabled, there should be no way to access the mailbox. Unfortunately, some client protocols cache the user’s authentication and will allow access even after the account is disabled. This is nothing specific to Office 365; the same scenario occurs in an on-premises environment. The article “Exchange Best Practices for Untrusted Mailbox Users” provides a good overview of the recommended steps here. At a high level, you should remove any connected ActiveSync devices and disable the client protocols on the mailbox.
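Putting the access-removal steps above together, here is a PowerShell script that I’ve added as an illustration; it is not part of the original process description and not Microsoft’s code. It assumes the ActiveDirectory module (RSAT) is installed, that an Exchange Online remote PowerShell session has already been imported so Get-MobileDevice, Remove-MobileDevice and Set-CASMailbox are available, and that the sync client exposes Start-ADSyncSyncCycle (the Azure AD Connect cmdlet; DirSync and AADSync use different commands, so treat that line as an assumption to adjust for your version). The identities are constructed placeholders.

```powershell
# Added example: offboarding access removal in one pass.
# Assumptions: ActiveDirectory module present; Exchange Online session already
# imported (e.g. Connect-ExchangeOnline from the ExchangeOnlineManagement module);
# Start-ADSyncSyncCycle available on the sync server (version-specific assumption).
#Requires -Modules ActiveDirectory

function Revoke-DepartedUserAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$ForceSync
    )

    # 1. Rotate the password BEFORE disabling. With Password Sync a password change
    #    syncs immediately, while the disabled flag waits for the next sync cycle
    #    (up to three hours by default).
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password')) {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
    }

    # 2. Disable (do not delete) the AD account. A deletion would sync to Azure AD
    #    and put the mailbox into its 30-day soft-deleted state.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $SamAccountName
    }

    # 3. Optionally force a delta sync so the disabled state reaches Azure AD now.
    if ($ForceSync -and $PSCmdlet.ShouldProcess('Azure AD', 'Start delta sync')) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }

    # 4. Cached client credentials can outlive the disabled account, so also cut
    #    access on the mailbox side: drop every ActiveSync partnership and turn
    #    off each client protocol.
    Get-MobileDevice -Mailbox $UserPrincipalName | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DeviceId, 'Remove ActiveSync partnership')) {
            Remove-MobileDevice -Identity $_.Identity -Confirm:$false
        }
    }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable client protocols')) {
        Set-CASMailbox -Identity $UserPrincipalName `
            -ActiveSyncEnabled $false -OWAEnabled $false -PopEnabled $false `
            -ImapEnabled $false -MAPIEnabled $false -EwsEnabled $false
    }

    # Return a record that can be attached to the offboarding ticket.
    [pscustomobject]@{
        User            = $UserPrincipalName
        AccountDisabled = -not (Get-ADUser -Identity $SamAccountName).Enabled
        Timestamp       = Get-Date
    }
}

# Enforce the "disable now, delete after N days" policy: list disabled accounts
# whose last modification is older than the retention window. AD stores no
# explicit "disabled on" timestamp, so whenChanged is used as an approximation.
function Get-StaleDisabledAccounts {
    param([int]$RetentionDays = 90)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Search-ADAccount -AccountDisabled -UsersOnly |
        Get-ADUser -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, UserPrincipalName, whenChanged
}

# Example invocation with constructed placeholder identities (-WhatIf previews only):
Revoke-DepartedUserAccess -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.example' -ForceSync -WhatIf
Get-StaleDisabledAccounts -RetentionDays 90
```

Because the function supports -WhatIf, you can run it against a real account to see exactly which changes it would make before committing; the password reset is placed first deliberately, since that is the one change Password Sync pushes to Azure AD without waiting for the next cycle.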
What To Do With The Data
Now that we’ve removed the departed user’s access, it’s time to handle the data. This is where you’ll see some deviation from your existing on-premises procedures. The assumption here would be that you’ve only disabled the user’s Active Directory account and the Office 365 license is still in place.
Who Needs Access To The Data?
One of the first tasks is to determine who needs access to the user’s mailbox. Is it the user’s manager? A coworker? Or is access simply needed by admins and possibly legal? What we do with the data will be determined by who needs access to it.
How Long Is The Data Needed?
Here’s where you really need to establish a policy or you’ll end up with a process that is not very manageable. If part of your process includes granting access to the mailbox to a manager or other non-admin, you should establish a time period that you’ll allow that access for. As long as another user is accessing the departed user’s mailbox, you’re leaving the disabled Active Directory account in place and possibly the user’s license as well.
Recovering The Office 365 License
While you’re likely carrying a balance of spare Office 365 licenses, you may want to recover the Office 365 license from the departed user so it can be assigned elsewhere. One way to do this is to convert the user’s mailbox to a shared mailbox, which does not require a license. Previously this was not always feasible as shared mailboxes were limited to 10 GB, but that limitation has since been removed and they now allow for 50 GB, just like a user mailbox. The process to convert to a shared mailbox is relatively easy whether you use PowerShell or the new “Single-Click Conversion” option in the portal. After converting the mailbox, you can remove the Office 365 license; however, the Active Directory user account is still necessary.
Retaining Data For Access By Admins / Legal
If the only people that need access to the mailbox data are admins or legal, we can make the mailbox an “inactive mailbox”. This is done by placing the mailbox on “Litigation Hold” or “In-Place Hold” and then removing the license; at this point, the Active Directory account can also be deleted. The mailbox can be placed on hold for a specific period of time or indefinitely; keep in mind that you must have a license that allows for the “Litigation Hold” or “In-Place Hold” feature. Once a mailbox is made “inactive”, it has essentially been put into the delete process, but the hold stops the mailbox from actually being deleted. This leaves the mailbox accessible by admins or legal via the eDiscovery tools until the hold is removed; if you would like to retain the data forever, that is an option as well. If at a later point it is determined that a non-admin needs access to the mailbox data, you can either “recover” the mailbox or “restore” the mailbox contents into another mailbox.
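The two retention options above (converting to a shared mailbox to recover the license, and making the mailbox inactive via Litigation Hold so the account can be deleted) are shown together in the following script, which I’ve added as an illustration; it is not part of the original article and not Microsoft’s code. It assumes an Exchange Online session is imported (Set-Mailbox, Get-Mailbox), that the MSOnline module is connected via Connect-MsolService for license operations, that the ActiveDirectory module is present for the optional account deletion, and that the mailbox already carries a license that permits Litigation Hold. The identities are constructed placeholders.

```powershell
# Added example: choose a disposition for a departed user's mailbox, verify it
# took effect, then recover the Office 365 license.
# Assumptions: Exchange Online session imported; Connect-MsolService already run;
# ActiveDirectory module present; mailbox license permits Litigation Hold.

function Set-DepartedMailboxDisposition {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Shared', 'Inactive')][string]$Mode,
        # Hold duration in days for Inactive mode; 0 means hold indefinitely.
        [int]$HoldDays = 0,
        # Only meaningful for Inactive mode, where the AD account is no longer needed.
        [switch]$DeleteADAccount,
        [string]$SamAccountName
    )

    switch ($Mode) {
        'Shared' {
            # A shared mailbox needs no license (50 GB, same as a user mailbox),
            # but the AD account must stay so the synced object survives.
            if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Convert to shared mailbox')) {
                Set-Mailbox -Identity $UserPrincipalName -Type Shared
            }
        }
        'Inactive' {
            # Place the hold FIRST. Removing the license (and deleting the account)
            # starts the deletion process; the hold keeps the mailbox alive as an
            # inactive mailbox that eDiscovery can still search.
            $holdParams = @{ Identity = $UserPrincipalName; LitigationHoldEnabled = $true }
            if ($HoldDays -gt 0) { $holdParams['LitigationHoldDuration'] = $HoldDays }
            if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable Litigation Hold')) {
                Set-Mailbox @holdParams
            }
        }
    }

    # Refuse to touch the license until the hold or conversion is confirmed,
    # otherwise the mailbox would simply be deleted 30 days after the account is.
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    if ($Mode -eq 'Inactive' -and -not $mbx.LitigationHoldEnabled) {
        throw "Litigation Hold not active on $UserPrincipalName; refusing to remove license."
    }
    if ($Mode -eq 'Shared' -and $mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        throw "$UserPrincipalName is still $($mbx.RecipientTypeDetails); refusing to remove license."
    }

    # Recover whatever license(s) are currently assigned.
    $skus = (Get-MsolUser -UserPrincipalName $UserPrincipalName).Licenses.AccountSkuId
    if ($skus -and $PSCmdlet.ShouldProcess($UserPrincipalName, "Remove licenses: $($skus -join ', ')")) {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $skus
    }

    # For an inactive mailbox the on-premises account can go too; the next sync
    # deletes the Azure AD user while the hold preserves the mailbox.
    if ($Mode -eq 'Inactive' -and $DeleteADAccount -and $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Delete AD account')) {
            Remove-ADUser -Identity $SamAccountName -Confirm:$false
        }
    }
}

# Afterwards, confirm the mailbox survived as an inactive mailbox.
function Get-InactiveMailboxReport {
    Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited |
        Select-Object DisplayName, PrimarySmtpAddress, LitigationHoldEnabled,
                      LitigationHoldDuration, WhenSoftDeleted
}

# Example invocations with constructed placeholder identities (-WhatIf previews only):
Set-DepartedMailboxDisposition -UserPrincipalName 'jdoe@contoso.example' -Mode Shared -WhatIf
Set-DepartedMailboxDisposition -UserPrincipalName 'jdoe@contoso.example' -Mode Inactive `
    -HoldDays 2555 -DeleteADAccount -SamAccountName 'jdoe' -WhatIf
Get-InactiveMailboxReport
```

The verification step between the hold and the license removal is the part worth keeping even if you adapt the rest: if the hold did not apply (for example because the license does not include the feature), removing the license and deleting the account would put the mailbox on the normal 30-day path to permanent deletion rather than making it inactive.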
- Disabling an account does not necessarily remove access to the mailbox immediately
- Deleting an account will mark the mailbox for deletion unless other action is taken
- Converting the mailbox to a shared mailbox can free up the Office 365 license
- Converting the mailbox to an “inactive mailbox” can free up the license and allow the Active Directory account to be deleted
Part 2 of this series covers how to handle the user’s OneDrive for Business data.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.