
Office 365 – How to Handle Departed Users (Part 2 of 2)

As a result of a decision made by either the employee or the employer, users will inevitably leave your organization. Whether you call these user “separations”, “terminations” or “offboarding”, the impact to IT is the same: network access needs to be secured and the user’s data needs to be addressed.
When using cloud services such as Office 365, there are additional aspects to consider which will make your process different than in an on-premises scenario. There may be a licensing impact, which can equate to costs, and you are dependent upon another party (Microsoft) for handling the disposal of data.
In this two-part series, I will cover some of the ways to handle Office 365 data for users that have left your organization. Part 1 of this series covered how to handle the user’s mailbox in Exchange Online. This article, part 2, will cover how to handle the user’s OneDrive for Business data.

As in the previous article, if the Active Directory account is left or only disabled as opposed to deleted, nothing happens. However, if the Active Directory account is deleted or removed from the DirSync scope, then the timer begins on the OneDrive data removal.

Advance Preparation

Part of this process involves some up-front preparation. Notification regarding data removal in OneDrive for Business depends on the user’s “Manager” attribute being populated in Active Directory. If that value is not populated on the deleted user account, the notification falls back to the SharePoint Online “Secondary Owner”, assuming one has been assigned. To populate the “Secondary Owner”, open the SharePoint Online Admin Center, go to “User Profiles” and then “Setup My Sites”. There you will see an option to assign the “Secondary Owner” in the section “My Site Cleanup”.

If the user’s manager cannot be determined, the assigned “Secondary Admin” will receive the notifications that the manager would have received.
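
Because the notification depends on the “Manager” attribute, it is worth auditing Active Directory before anyone leaves. The following is an added example, not part of the original article: it lists accounts whose manager is missing, disabled or not a user object. It assumes the RSAT ActiveDirectory module is installed; the search base is a placeholder.

```powershell
# Added example: find accounts for which a OneDrive cleanup notification
# would not reach an active manager.
Import-Module ActiveDirectory

# Assumption: placeholder OU; replace with the scope your directory sync covers.
$SearchBase = 'OU=Staff,DC=example,DC=com'

$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties Manager, Department

$report = foreach ($u in $users) {
    $status = 'OK'
    if (-not $u.Manager) {
        # Empty Manager attribute: notification falls back to the Secondary Owner.
        $status = 'NoManager'
    } else {
        try {
            # Manager holds a distinguished name; resolve it to check the account state.
            $mgr = Get-ADUser -Identity $u.Manager -ErrorAction Stop
            if (-not $mgr.Enabled) { $status = 'ManagerDisabled' }
        } catch {
            # The DN did not resolve to a user (for example, it is a contact object).
            $status = 'ManagerNotAUser'
        }
    }
    if ($status -ne 'OK') {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Department     = $u.Department
            Manager        = $u.Manager
            Status         = $status
        }
    }
}

# Show the gaps on screen and keep a copy for follow-up.
$report | Sort-Object Status, Department | Format-Table -AutoSize
$report | Export-Csv -Path .\onedrive-notification-gaps.csv -NoTypeInformation
```

Every row in the report is an account whose OneDrive notification would depend on the “Secondary Owner” setting or would go to a manager account that is itself disabled.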

User Deletion

When a OneDrive for Business user is deleted, the “My Site Clean Up timer job” will eventually run. At that time, the SharePoint Online profile is marked for deletion and an email notification will be sent to the user’s manager or the secondary admin stating that access has been granted to the manager / secondary admin and that the site will be deleted after 30 days.

A second email is sent with 3 days left stating the same and then, at the conclusion of the 30 days, the data is deleted.

In Pictures…

The above process is probably best shown in pictures, so I’ve put together this flow chart that hopefully helps illustrate the process.

What To Do With The Data

This is where there really aren’t a lot of great options just yet. The manager or secondary admin has access to the OneDrive for Business data, but moving it out of the deleted user’s profile is not very easy. You can access the OneDrive for Business site via the URL in the notification email, but the browser doesn’t let you do much with more than one file at a time. You can click the “Sync” link to configure the sync client for that site; you then have access to the files via Explorer and can copy them where you please. Alternatively, there are some third-party migration tools that can be used to migrate the data. I think asking the user’s manager to preserve the data and move it with the access they’ve been granted is asking a bit much in many cases; hopefully we see some improvements here in the future.

Summary

  • You should configure the “Secondary Owner” in SharePoint Online (go do it now!)
  • Preservation of data is a task delegated to the departed user’s admin by default

Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.

Thoughts on “Office 365 – How to Handle Departed Users (Part 2 of 2)”

  1. Do you know if it’s possible to set the OneDrive site of the departed user under LegalHold to keep it available even after the 30 day “deletion” limit?

  2. Hi there, question, with the eDiscovery hold option does the license need to remain active or can that be redistributed and the user deleted?
    Thanks for your help,
    S.

  3. Hi there, Joe, is it possible to extend the amount of time Office 365 will keep the inbox once the user account has been deleted from Active Directory? My understanding is that it keeps the inbox for 30 days and then it deletes it. Without placing the user on inactive or on hold, could this be extended?
    Another question is what if the user is deleted from Active Directory and within two weeks the user comes back. Without restoring the user account within Active Directory, the only option is to grant the new user created for that user to the inbox of his past user account. Wouldn’t this get deleted however regardless after 30 days?

  4. Great read, thanks. But what happens if you disable the user in AD and remove the license in Office 365? Will that trigger the My Site Clean Up timer job or?

  5. Hello,
    How do shared links and documents behave when an Office 365 account is set to be deleted? Are the links broken or do the documents still work?
