How to deal with leavers in Office 365


When someone leaves your organisation, it’s important to make sure that you secure any confidential files and data. Thankfully, if you use Office 365, you have a good level of control to manage this process.

There are a variety of options available to you, allowing you to completely remove access from mobile devices, delete accounts, or move accounts to replacement employees.

To find out how to do all of this, scroll through the resources below or click the links to visit specific sections.

Note: All of the below assumes that your Office 365 account has ‘global administrator’ permission. I will be using Microsoft’s Internet Explorer 11, as some features are only available in Internet Explorer.

General things to do

Before an employee leaves, you should first ask them to delete all of their personal data on their mailbox, SharePoint or any other places on the organisation’s IT system. Unsubscribe any email subscriptions that they may have before leaving. Emptying the Recycle Bin is a must, as their mailboxes and other documents will be accessed by the IT administrator and their line manager.

Talk to the leaver’s line manager about what to do with their mailboxes and documents; do they want to keep all of the leaver’s emails, SharePoint or OneDrive documents etc.? Will there be a replacement? Who will need to have the same access permissions?

Grant yourself full access to the leaver’s account, otherwise you won’t be able to archive their mailbox and move their documents to another location.

Once the employee has left, remember to reset their Office 365 password.


Mobile devices

Are mobile devices linked to Office 365?

Ask if the employee has linked their mobile devices to their Office 365 account. You can check whether they have on the Office 365 portal, by doing the following:

1. Login to the Office 365 sign-in page with administrator permission.
2. Click on ‘Users’ and then ‘Active Users’ on the left pane.
3. Search and click on the leaving employee’s name.
4. Once the employee details have been displayed, click on ‘Edit Exchange Properties’ on the right pane. This will open up a new tab on your web browser.
5. Click on ‘Mailbox Features’ on the left pane.
6. Under ‘Mobile Devices’, click on ‘View Details’.
7. On this dialog window it will display what mobile devices are connected to this account.

If there are mobile devices connected to Office 365, you can either ask the employee to remove this on their mobile devices or, if the employee left under less than favourable circumstances, you can remotely wipe their mobile devices to prevent them from accessing corporate data from the device.

Remotely wiping mobile devices

Warning: This will wipe all the data (personal and corporate data) on the leaver’s mobile device and reset it to factory default settings.

To remotely wipe their mobile device, follow the steps from 1 – 8 and then do the following:

9. In the ‘Mobile Device Details Webpage Dialog’ window, click on the mobile device name that you want to remove from your Office 365.
10. Then click on the 4th icon, which displays ‘Wipe Data’.
11. Click ‘save’ twice.


Replacement staff

If there is a replacement staff member, you can just rename the leaver’s account to the new staff name and keep the emails intact by doing the following:
1. Login to the Office 365 sign-in page with administrator permission.
2. Click on ‘Users’ and then ‘Active Users’ on the left pane.
3. Search and click on the leaver’s name.
4. Click Edit on the right pane.
5. This will bring up the details of the account. Rename ‘First Name’, ‘Last Name’, ‘Display Name’ and ‘Username’.
6. Select the appropriate domain for the new staff’s login for Office 365.
7. Click on ‘Additional Details’ and change the appropriate details.
8. Click on ‘Email Address’ on the left pane and add any other email address to this mailbox.

8.1. Enter other email addresses and select the appropriate domain for the email.

8.2. Click ‘Add’ then ‘Ok’. The new email address will be added to the email address list.

Warning: Don’t remove any email addresses from the leaver’s account, as the new staff may need to be able to receive any outstanding emails that haven’t been dealt with. You can remove them at a later date once you have informed all your contacts.

9. Click ‘Save’.
10. Reset the password and let the new employee know the login details.

It may take up to 24 hours for these changes to be updated across all the services on Office 365.


No replacement

If there is no replacement, you will need to decide if the data on this account needs to be archived, deleted, or left inactive on Office 365 (an inactive account will incur ongoing charges).

Leavers’ email addresses

Decide what to do with the leaver’s email address, as your clients and contacts might not know that your employee has left. You can add the leaver’s email address to another mailbox, shared mailbox or distribution group.

Checking what email addresses are attached to the leaver’s mailbox

1. Login to the Office 365 sign-in page.
2. Click Admin on the top right corner (navigation bar) and select ‘Exchange’.
3. On the ‘Exchange Admin Center’ page, click on ‘Mailboxes’ under ‘Recipients’.
4. Search and double-click on the leaver’s name – this will open the leaver’s mailbox properties window.
5. Click on ‘Email Address’. This will display a list of email addresses that are attached to the leaver’s mailbox.
6. Make a note of these, as you need to decide who will deal with any incoming emails.
7. Add a temporary email address, for example username.old@domain.com.
8. You can then remove any email addresses by selecting them and clicking on the ‘Minus’ icon (except for the one you just added).
9. Then click ‘Save’.

Attaching the leaver’s email address to another mailbox or shared mailbox

You can divert the leaver’s emails to another mailbox or shared mailbox before deleting their account by going to ‘Exchange Admin Center’, then:

1. Click on either ‘Mailbox’ or ‘Shared Mailbox’.
2. Search and double-click on the name that you would like to add the email addresses to.
3. In the dialog window, click on ‘Email Address’ on the left pane.
4. Click on the ‘Plus’ icon and leave ‘SMTP’ by default.
5. Enter the leaver’s email address and click ‘Ok’.
6. Repeat steps 4 and 5 to add other email addresses.
7. Click ‘Ok’ and ‘Save’.

Attaching the leaver’s email address to a distribution group

If you want more than one person to receive a copy of the leaver’s emails, you can either create or attach it to an existing distribution group. To do this, go to ‘Exchange Admin Center’, then:

1. Click on ‘Groups’ for distribution groups.
2. Search and double-click on the distribution group name.
3. Click on ‘Delivery Management’ and ensure ‘Senders Inside and Outside of My Organisation’ is selected.
4. Click on ‘Email Options’.
5. Click on the ‘Plus’ icon and leave ‘SMTP’ by default.
6. Enter the leaver’s email address and click ‘Ok’.
7. Repeat 5 and 6 to add other email addresses.
8. Click ‘Save’.

Archiving a mailbox

If you decide to archive the leaver’s mailbox and store it at another location, you will need to use Outlook to export the mailbox to a PST file.

To do this, firstly create a new Outlook profile and connect this to the leaver’s mailbox on Office 365. Then export the mailbox to a PST file. This may take a while, depending on how large the mailbox is. Once done, you can store the PST file to another location.

Converting a mailbox to a shared mailbox

There is another alternative, which is to convert it to a shared mailbox on your Office 365 tenant. Microsoft will not charge you for a shared mailbox as long as your shared mailbox does not exceed 10 GB of storage space.

The problem with shared mailboxes is that you cannot access the shared mailbox directly. Instead, you have to use an account with a license within your Office 365 tenant to access it.

1. To convert the mailbox, you have to connect to Office 365 using PowerShell.
2. You will need to run the following command within PowerShell:

Set-Mailbox leaver@domain.com -Type Shared

Note: leaver@domain.com would be the leaver’s email address.

3. Then, grant access to this mailbox (this will auto-map the shared mailbox to Outlook). To do this, run the following command:

Add-MailboxPermission -Identity leaver@domain.com -User Manager@domain.com -AccessRights FullAccess -InheritanceType All

Note: Manager@domain.com would be the existing person to access the converted shared mailbox.
You can add -AutoMapping $False at the end of this command to remove auto-mapping on Outlook.

4. Run the following command in PowerShell to check if the mailbox has been converted to a shared mailbox:

Get-Mailbox leaver@domain.com | Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails | Format-Table -AutoSize
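
Steps 2 to 4 can be wrapped in one repeatable function that also reports who ends up with access. This is an added example, not part of the original guide: `Convert-LeaverMailbox` is a hypothetical helper name, the addresses are placeholders, and it assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Convert-LeaverMailbox is a hypothetical helper name, not a built-in cmdlet.
function Convert-LeaverMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Leaver,   # e.g. leaver@domain.com
        [Parameter(Mandatory = $true)][string]$Manager,  # e.g. Manager@domain.com
        [switch]$NoAutoMapping
    )
    # Stop on the first error so a mistyped address does not half-apply the change.
    $ErrorActionPreference = 'Stop'

    # Step 2: convert only if the mailbox is not already shared.
    $mbx = Get-Mailbox -Identity $Leaver
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox' -and
        $PSCmdlet.ShouldProcess($Leaver, 'Convert to shared mailbox')) {
        Set-Mailbox -Identity $Leaver -Type Shared
    }

    # Step 3: skip the grant if the manager already holds a direct FullAccess entry.
    $held = Get-MailboxPermission -Identity $Leaver -User $Manager |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited }
    if (-not $held -and $PSCmdlet.ShouldProcess($Leaver, "Grant FullAccess to $Manager")) {
        Add-MailboxPermission -Identity $Leaver -User $Manager -AccessRights FullAccess `
            -InheritanceType All -AutoMapping (-not $NoAutoMapping) | Out-Null
    }

    # Step 4: report the resulting type and every direct FullAccess holder, so that
    # grants made earlier (for example to the administrator) stay visible.
    $holders = Get-MailboxPermission -Identity $Leaver |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [string]$_.User }
    [pscustomobject]@{
        Mailbox              = $Leaver
        RecipientTypeDetails = (Get-Mailbox -Identity $Leaver).RecipientTypeDetails
        FullAccessHolders    = $holders -join '; '
    }
}

# Dry run first, then apply:
# Convert-LeaverMailbox -Leaver leaver@domain.com -Manager Manager@domain.com -WhatIf
# Convert-LeaverMailbox -Leaver leaver@domain.com -Manager Manager@domain.com
```

Anyone listed under FullAccessHolders other than the intended manager is a grant to review and remove once archiving is finished.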


Remove from distribution groups

To remove any distribution groups that the leaver’s account is a member of:

1. Go to ‘Exchange admin center’.
2. Click on mailboxes.
3. Search and double click on the leaver’s name.
4. Click on ‘member of’ on the left pane.
This will display all the distribution groups that this account is a member of. Make a note of this list.
5. Click on ‘Cancel’ and ‘Yes’ to “Close this tab?” to exit.
6. On the ‘Exchange Admin Center’ page, click on ‘Groups’.
7. Look for the group that the leaver is a member of and double-click on it – this will bring up the group dialog window.
8. Click on ‘Membership’ on the left pane.
9. Select the leaver’s name and click on the ‘Minus’ icon to remove it.
10. Click ‘Save’.
Repeat steps 6 to 10 to remove the leaver from other distribution groups.
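
The same procedure can be run from PowerShell when the leaver belongs to many groups. This is an added example, not part of the original guide: `Remove-LeaverFromGroups` and the report path are hypothetical, and it assumes a connected Exchange Online PowerShell session and groups that are managed in Office 365.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Remove-LeaverFromGroups is a hypothetical helper name, not a built-in cmdlet.
function Remove-LeaverFromGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Leaver,    # e.g. leaver@domain.com
        [string]$ReportPath = '.\leaver-groups.csv'       # assumed location for the note
    )
    $ErrorActionPreference = 'Stop'

    $mbx = Get-Mailbox -Identity $Leaver
    # Double any single quote in the distinguished name before using it in the filter.
    $dn = $mbx.DistinguishedName -replace "'", "''"
    $filter = "Members -eq '$dn'"

    # Steps 1 to 4: find every distribution group (including mail-enabled security
    # groups) that lists the leaver as a direct member. Dynamic groups are not covered.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited -Filter $filter)

    # "Make a note of this list": write it to CSV before changing anything.
    # -WhatIf:$false keeps the report even during a dry run.
    $groups | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    # Steps 6 to 10, repeated for each group.
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.PrimarySmtpAddress, "Remove $Leaver")) {
            Remove-DistributionGroupMember -Identity $g.PrimarySmtpAddress `
                -Member $mbx.PrimarySmtpAddress -Confirm:$false
        }
    }

    # Re-query so that anything that could not be changed is reported, not assumed.
    $remaining = @(Get-DistributionGroup -ResultSize Unlimited -Filter $filter)
    [pscustomobject]@{
        Leaver          = $Leaver
        GroupsFound     = $groups.Count
        GroupsRemaining = $remaining.Count
        Report          = $ReportPath
    }
}

# Dry run first, then apply:
# Remove-LeaverFromGroups -Leaver leaver@domain.com -WhatIf
# Remove-LeaverFromGroups -Leaver leaver@domain.com
```

A non-zero GroupsRemaining after a real run means at least one membership is still in place and needs removing by hand.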


OneDrive for Business

OneDrive for Business comes bundled with Office 365 and is used for storing and organising your work documents. All of the files that you store on OneDrive for Business are private until you share them, so when an employee leaves your organisation, you should check to see if there are any documents on it before deleting the leaver’s account.

There are 2 ways to access it; you can either reset the password on Office 365 and access it directly or add yourself or the line manager to ‘Site Collection Administrators’ on the leaver’s site collection.

To grant access to the leaver’s OneDrive:
1. Login to the Office 365 sign-in page.
2. Click on ‘Admin’ on the top right corner (navigation bar), and select ‘SharePoint’.
3. In the ‘SharePoint Admin Center’, click on user profiles.
4. Under ‘People’, click on ‘Manage User Profiles’.
5. Enter the leaver’s name and click on ‘Find’. The leaver’s name will appear in the search results below.
6. Move your mouse cursor on top of the leaver’s name and click on the drop down menu to the right of the name.
7. Click on ‘Manage Site Collection Owners’.
8. Enter your name or another username in the ‘Site Collection Administrators’ box.
9. Scroll down and click ‘Ok’.

Then, to access it:

10. Move your mouse cursor on top of the leaver’s name and click on the drop down menu to the right of the name.
11. Click on ‘Manage Personal Site’. This will display the leaver’s name on the left pane.
12. Click ‘Documents’. This will bring you to the leaver’s OneDrive.

Once done, you can check the web URL in your web browser’s address bar. It will display something like:

https://domain-my.sharepoint.com/personal/user2_domain/


You can copy this link or bookmark it to access it directly in the future.


Deleting the employee’s account

If you decide to remove the account due to there being no replacement and have diverted the incoming emails, archived the mailbox to another location and removed it from any distribution group, you can delete the leaver’s account.

To delete the employee from Office 365 and free up the licence:

1. Login to the Office 365 sign-in page.
2. Click on ‘Users’ and then ‘Active Users’ on the left pane.
3. Search for the employee’s name and tick the box beside the name.
4. The account for the employee’s properties will appear on the right pane.
5. Click on Delete to delete from Office 365.

 

  • All is correct as of 16th December 2014, although Microsoft regularly update their interface so the exact process may change slightly.
  • Make sure you don’t delete anything that you may need at a later date, as we can’t be held responsible if you do.

 

By Andy Man
Charity Digital

 

 


Copyright © 2014 Charity Digital.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License