
How to Offboard an Employee from Microsoft 365 Without Leaving Security Gaps

Last Updated on February 17, 2026 by Sereno Web


When an employee leaves, most businesses focus on the obvious steps. Disable their email account, collect their laptop, and move on. On paper, it feels like the job is done.

In reality, Microsoft 365 offboarding is one of the highest risk moments for data security in any organisation. Not because people are careless, but because Microsoft 365 environments are far more connected than they look from the surface.

Email is only one part of the picture. The same login can also unlock files in OneDrive and SharePoint, Teams chats and channel documents, synced laptops and phones, and a long list of third party business apps. Add shared mailboxes, external file links, and saved sessions across multiple devices, and it becomes very easy for access to linger in places no one thinks to check.

That is why offboarding should not be treated as admin. It is a security event.

But knowing that is not enough. Most security gaps do not happen because businesses ignore offboarding completely. They happen because there is no clear, structured way to do it properly in Microsoft 365, and no shared understanding of what secure offboarding actually involves.

In this article, we will walk through what secure Microsoft 365 offboarding looks like in practice, the areas that matter most, and the places security gaps commonly appear when the process is not handled deliberately.


What offboarding really means in Microsoft 365

Microsoft 365 is not a single system. It is a set of services that share one identity.

In most organisations, an employee’s work login is managed in Microsoft Entra ID. You can think of Entra ID as the company’s digital staff directory and sign-in gatekeeper. It is where the business defines who a person is, whether they can sign in, and what they are allowed to access.

That single login is what Microsoft 365 and many other tools use to recognise the user and grant access. It is effectively the key that opens multiple doors.

In practice, that one work login can be the key for:

  • Outlook and Exchange for email, calendar, mailbox rules, and shared mailbox access
  • Teams for chat, meetings, calls, and files shared in channels
  • SharePoint and OneDrive for files, permissions, sharing links, and sync to devices
  • Windows sign in if devices are Entra ID joined or hybrid joined
  • Intune, which decides whether a device is managed, compliant, and allowed to access data
  • Single sign on to business apps like CRM, finance, HR, e-signature, and project tools
  • Multi factor authentication apps like Microsoft Authenticator, including trusted device registrations

So secure offboarding is not “disable email”. It is the controlled shutdown of a digital identity and everything connected to it, without breaking the business in the process.

Two offboarding scenarios

The same offboarding tasks apply in most cases, but the order and urgency change depending on the situation.

Planned exit

This is the “notice period” scenario. You know the person is leaving, you know the date, and in theory you have plenty of time to do things properly. You can agree who will take over their inbox, move any important files into a shared place, update customers so they are not left emailing a dead address, and arrange the return of laptops and phones.

The danger here is not that you are under pressure. The danger is that it feels like you are not under pressure.

Because there is time, small tasks get parked. “We will sort the mailbox next week.” “We will move their OneDrive later.” “They still need access to finish the handover, so leave it for now.” Those decisions are reasonable in the moment, but they create drift. Access and permissions stay in place longer than they should, people forget what has and has not been done, and the offboarding turns into a last day scramble.

That last day scramble is where gaps appear. Someone blocks the sign in but forgets to revoke sessions. The laptop is still syncing OneDrive. A shared mailbox access list is not cleaned up. A Teams or SharePoint site loses its only owner. None of that happens because the business did not care. It happens because the work was spread across two weeks, owned by nobody, and then rushed in the final hour.

A planned exit is actually the easiest offboarding to get right, but only if you treat it like a checklist with dates, not a loose set of jobs that “will get done before they go”.

Immediate or high risk exit

This is the scenario where you do not get a neat handover. It might be a dismissal, a dispute, a sudden resignation, or any situation where the business needs to reduce access right now. This often lands as a simple instruction like, “Please disable their access immediately.”

The key difference is urgency. You are not trying to tidy things up first. You are trying to contain risk first.

What makes Microsoft 365 tricky here is that switching off the account is not always the same as switching off access. If the user is already signed in on a laptop, browser, or phone, they may still have live sessions. They might still be able to open Outlook, view OneDrive files, or access Teams chats until those sessions are revoked. That is why high risk exits start with stopping sign ins and forcing every session to end, not just disabling the mailbox.

Then comes privileged access. If the person had admin roles, access to finance mailboxes, HR files, customer data, or sensitive SharePoint sites, you remove that next. You do not leave elevated permissions in place while you decide what to do with the mailbox. In this scenario, the order matters because the business impact of a missed step is immediate.

After access is under control, you can focus on continuity: who needs to answer emails, where their active documents live, and which automations, Power Automate flows, or shared systems were tied to them. If you try to do continuity first, you lose time and you increase the window where access is still live.

In short, a high risk exit is not about doing more steps. It is about doing the same steps in a different order. Containment first, continuity second, clean up last.

Start with one principle: stop access and stop sessions

Disabling a user stops new sign ins. It does not always end existing access immediately.

Most Microsoft 365 services use authentication tokens. A user may still have a valid session on a phone, a browser profile, or a desktop app. That is why secure offboarding starts with two linked actions:

  • Block sign in
  • Revoke sessions so the user is forced out of existing logins

If you only do the first one, you often create the illusion of control while existing sessions stay active in the background.

Stop access properly

This is the core identity step. It should be quick, repeatable, and done the same way every time.

In a typical Microsoft 365 tenant, secure access removal includes:

  • Block sign in for the user account
  • Revoke active sessions and refresh tokens
  • Reset password where appropriate
  • Remove registered MFA methods and trusted devices for higher risk exits

A practical detail many businesses miss is session revocation. If you want confidence that the user is not still signed into Outlook on their phone, this is the step that gives it to you.
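As an added illustration (not code from the original article), the following Microsoft Graph PowerShell script performs the containment steps above in one pass. It assumes the Microsoft Graph PowerShell SDK is installed and that the admin running it holds the Entra roles needed to disable users and manage authentication methods.

```powershell
# Added example: identity containment for a leaver (block, revoke, strip MFA, list devices).
param(
    [Parameter(Mandatory)] [string] $Upn   # leaver's sign-in name, e.g. leaver@contoso.example (placeholder)
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All", "Directory.Read.All" -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, AccountEnabled

# 1. Block sign-in. This only stops NEW sign-ins; existing tokens keep working.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Invalidate refresh tokens so Outlook, Teams and browser sessions must re-authenticate,
#    which now fails because the account is disabled. This is the step most businesses miss.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# (Password reset, where appropriate, is a separate Update-MgUser -PasswordProfile call.)

# 3. Higher-risk exits: remove Authenticator app registrations so the leaver cannot approve
#    a prompt for anything still tied to this identity. Phone, FIDO2 and OATH methods have
#    their own Remove-MgUserAuthentication* cmdlets and follow the same pattern.
foreach ($m in Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id) {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id `
        -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
    Write-Host "Removed Authenticator registration: $($m.DisplayName)"
}

# 4. Show what is still registered, so nothing is silently left behind.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] }} |
    Format-Table -AutoSize

# 5. Devices linked to the identity. These still hold cached mail and files until wiped.
Get-MgUserRegisteredDevice -UserId $user.Id |
    Select-Object @{n = 'Name';  e = { $_.AdditionalProperties['displayName'] }},
                  @{n = 'OS';    e = { $_.AdditionalProperties['operatingSystem'] }},
                  @{n = 'Trust'; e = { $_.AdditionalProperties['trustType'] }} |
    Format-Table -AutoSize
```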

Remove privileged access early

Not all accounts carry the same risk. If the departing employee has elevated access, you do not want that hanging around while you deal with mailboxes and files.

Remove or review:

  • Admin roles, including Global Admin and any specialised admin roles
  • Membership of privileged groups, including security groups tied to sensitive systems
  • Ownership of Teams, Microsoft 365 Groups, and SharePoint sites
  • Access to shared mailboxes, especially finance, HR, or leadership mailboxes

A simple rule helps. Remove privilege first, then do continuity work second.
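An added example, not from the original article, of the privilege review above in Microsoft Graph PowerShell. It assumes an existing Connect-MgGraph session with role management and group read scopes, and it also flags the orphaned-owner problem described later for Teams and SharePoint.

```powershell
# Added example: remove directory roles and find groups the leaver is the only owner of.
param([Parameter(Mandatory)] [string] $Upn)

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName

# 1. Remove the user from every activated directory role (Global Admin, Exchange Admin, ...).
#    Get-MgDirectoryRole does not show PIM eligible assignments; review those separately.
foreach ($role in Get-MgDirectoryRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    if ($members.Id -contains $user.Id) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
        Write-Host "Removed from role: $($role.DisplayName)"
    }
}

# 2. Group memberships, for review against your list of sensitive security groups.
Write-Host "Group memberships for $($user.DisplayName):"
Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object { "  " + $_.AdditionalProperties['displayName'] }

# 3. Teams and Microsoft 365 Groups (and so their SharePoint sites) that would lose
#    their only owner when this user goes. Assign another owner before removal.
$ownedGroups = Get-MgUserOwnedObject -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

foreach ($g in $ownedGroups) {
    $name = $g.AdditionalProperties['displayName']
    $ownerCount = @(Get-MgGroupOwner -GroupId $g.Id).Count
    if ($ownerCount -le 1) {
        Write-Warning "$name has no other owner. Assign one before removing $Upn."
    } else {
        Write-Host "$name : $($ownerCount - 1) other owner(s) remain"
    }
}
```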

Secure the devices

Identity controls access, but devices control what happens to data.

A user can be locked out of Microsoft 365 and still have:

  • Synced OneDrive folders on a laptop
  • Cached Outlook mail in an offline profile
  • Teams files downloaded locally
  • Browser downloads and saved passwords
  • Mobile apps with cached content

Company laptops

If your laptops are managed with Intune, offboarding should include:

  • Confirm the device is encrypted, usually BitLocker on Windows
  • Retire or wipe the device if it is not returned promptly
  • Remove the user’s access and check the device’s compliance state

If you are not managing devices, you have less control than you think. Your offboarding becomes dependent on physical collection and goodwill.

Phones and tablets

Phones are often the forgotten gap because they feel less “serious” than laptops. In practice, they are where email, Teams, OneDrive, and MFA live.

If devices are enrolled, you can usually do a selective wipe, which removes corporate data without touching personal photos and apps.

If devices are not enrolled and you allow BYOD without app protection policies, you cannot guarantee corporate data removal. That is not a moral judgement. It is a technical reality, and your offboarding process should acknowledge it.
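The following script is an added example (not the article's own) covering both the laptop and the phone cases above through Intune with Microsoft Graph PowerShell. It assumes an existing Connect-MgGraph session with the Intune managed-device scopes, and that BYOD phones are enrolled with owner type "personal".

```powershell
# Added example: retire (selective wipe) personal devices, fully wipe company devices.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [switch] $ReportOnly   # classify devices without sending any remote action
)

$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'" -All

foreach ($d in $devices) {
    $info = "{0} ({1} {2}, owner={3}, last sync {4:u})" -f `
        $d.DeviceName, $d.OperatingSystem, $d.OsVersion, $d.ManagedDeviceOwnerType, $d.LastSyncDateTime

    # A remote action only runs when the device next checks in. A stale device needs
    # physical collection or other follow-up, not blind trust in the wipe.
    if ($d.LastSyncDateTime -lt (Get-Date).AddDays(-7)) {
        Write-Warning "$info has not checked in for over 7 days"
    }

    # Company laptop without disk encryption: cached data is readable if it is never returned.
    if ($d.ManagedDeviceOwnerType -eq 'company' -and -not $d.IsEncrypted) {
        Write-Warning "$info is NOT encrypted"
    }

    if ($d.ManagedDeviceOwnerType -eq 'personal') {
        # BYOD phone or tablet: retire is the selective wipe. It removes company data,
        # apps and profiles and leaves personal photos and apps alone.
        Write-Host "RETIRE  $info"
        if (-not $ReportOnly) { Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id }
    } else {
        # Company-owned device: only a full wipe clears cached mail, synced OneDrive
        # folders and local profiles.
        Write-Host "WIPE    $info"
        if (-not $ReportOnly) {
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id `
                -KeepEnrollmentData:$false -KeepUserData:$false
        }
    }
}
```

Devices that are not enrolled will not appear in this list at all, which is exactly the BYOD gap the paragraph above describes.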

Handle email without creating new problems

Email is the most visible part of offboarding, and it is also where businesses make choices that create either operational chaos or security risk.

You typically need to achieve three things:

  • Preserve business records
  • Keep customer and supplier communication flowing
  • Prevent the mailbox becoming a backdoor into other systems

Common approaches that work well:

Convert the mailbox to a shared mailbox

This gives the business access without leaving a user account active. It also helps with licensing, depending on your Microsoft 365 plan and mailbox size.

Add controlled access for the manager or replacement

Be specific about who gets access and for how long. Permanent open access for multiple people usually becomes messy and hard to audit.

Use an auto reply

An auto reply that directs contacts to the right person reduces missed messages and reduces reliance on forwarding.

Be careful with blanket forwarding

Forwarding everything to a manager feels convenient, but it can create privacy issues and confusion. It can also hide messages from the wider team if everyone assumes “the manager gets it”.

In higher risk exits, also check for mailbox rules. It is not uncommon to find a rule that forwards mail externally, moves messages into obscure folders, or auto deletes content. Those rules should be reviewed and removed as part of offboarding.
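As an added example (not from the original article), this Exchange Online PowerShell script audits the leaver's inbox rules for the patterns just described, clears mailbox-level forwarding, converts the mailbox to shared, grants the replacement scoped access, and sets the auto reply. It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; $LeaverUpn and $ReplacementUpn are placeholders.

```powershell
# Added example: inbox rule audit plus shared-mailbox handover for a leaver.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,
    [Parameter(Mandatory)] [string] $ReplacementUpn
)
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any forwarding target outside them counts as external.
$AcceptedDomains = (Get-AcceptedDomain).DomainName

# 1. Rules that leak or hide mail: external forward/redirect, delete, or move out of sight.
foreach ($rule in Get-InboxRule -Mailbox $LeaverUpn) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        Where-Object { $_ }
    # Internal recipients render as "[EX:/o=...]"; external ones carry an SMTP address.
    $external = @($targets | Where-Object {
        ($_ -match '\[SMTP:([^\]]+)\]') -and
        ($AcceptedDomains -notcontains (($Matches[1] -split '@')[-1]))
    })
    if ($external.Count -gt 0 -or $rule.DeleteMessage -or $rule.MoveToFolder) {
        Write-Warning ("Rule '{0}': external targets={1} delete={2} moveTo={3}" -f `
            $rule.Name, $external.Count, $rule.DeleteMessage, $rule.MoveToFolder)
        # Disable rather than delete, so the rule remains available as evidence.
        Disable-InboxRule -Identity $rule.Identity -Confirm:$false
    }
}

# 2. Mailbox-level forwarding is separate from inbox rules; clear it as well.
Set-Mailbox -Identity $LeaverUpn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 3. Convert to a shared mailbox and give the replacement access (review and remove later).
Set-Mailbox -Identity $LeaverUpn -Type Shared
Add-MailboxPermission -Identity $LeaverUpn -User $ReplacementUpn -AccessRights FullAccess -AutoMapping $true

# 4. Auto reply that points contacts at the right person instead of relying on forwarding.
$msg = "This mailbox is no longer monitored. Please contact $ReplacementUpn."
Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Enabled `
    -InternalMessage $msg -ExternalMessage $msg
```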

Secure files and sharing

Files are where the real security and continuity challenges sit, because business data often lives in personal storage locations.

OneDrive

OneDrive is personal in name, but it is routinely used as a working area for contracts, quotes, project plans, and operational documents.

Secure offboarding typically includes:

  • Grant the manager or a designated owner access to the user’s OneDrive for a defined time window
  • Review sharing links created by the user, especially “anyone with the link” shares
  • Transfer important working folders into a team location, usually SharePoint or a shared drive structure

A real world example: a sales manager leaves, and their OneDrive contains the current pipeline spreadsheet, proposals, and signed order forms. If you delete the account too quickly or fail to hand over the OneDrive, the business loses momentum immediately.

SharePoint and Teams

Teams files are stored in SharePoint. This matters because you can remove someone from Teams and still have leftover permissions in SharePoint sites, especially if direct permissions were used.

For secure offboarding:

  • Remove the user from Teams and Microsoft 365 Groups
  • Review SharePoint site memberships for sensitive sites
  • Check for direct permissions assigned to the user
  • Ensure every Team and SharePoint site still has an owner after the user is removed

External links

External sharing is not automatically “bad”, but it must be controlled.

Offboarding is a good time to ask:

  • What did this user share outside the organisation?
  • Are those shares still needed?
  • Should any of them be replaced with a safer method, like sharing from a team site with tighter controls?

Close down third party apps properly

If your organisation uses Entra ID for single sign on, disabling the user will remove access to many business apps. That is the upside of central identity.

The risk is that most businesses have a mix:

  • Some apps use single sign on
  • Some apps have local accounts and passwords
  • Some apps keep sessions alive for a long time
  • Some apps were set up by a department without IT involvement

Secure offboarding means checking the apps that matter most, not trying to guess every tool someone ever signed up for.

A practical approach is to maintain a list of your core business systems and make them mandatory offboarding checks. For most SMEs, that list includes finance, CRM, HR, project management, file transfer, password manager, and any customer support platform.

Also check for connected apps and OAuth permissions. Users often grant third party tools access to Microsoft 365 data, like mail, calendars, or files. Those permissions can persist and should be reviewed during offboarding.
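An added example (not from the original article) of the connected-app review above using Microsoft Graph PowerShell. It lists the delegated consents the leaver granted, ranks grants that can read or write mail and files first, and revokes them only when -Revoke is passed. It assumes an existing Connect-MgGraph session with permission-grant and application read scopes.

```powershell
# Added example: review and revoke the OAuth consents a leaver granted to third-party apps.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [switch] $Revoke                      # report only unless -Revoke is given
)
$user = Get-MgUser -UserId $Upn -Property Id

# Cache service principal names; one app often holds several grants.
$spCache = @{}
function Get-AppName([string] $SpId) {
    if (-not $spCache.ContainsKey($SpId)) {
        $spCache[$SpId] = (Get-MgServicePrincipal -ServicePrincipalId $SpId).DisplayName
    }
    return $spCache[$SpId]
}

# Only consents this user gave for themselves. Tenant-wide admin consents
# (ConsentType AllPrincipals) belong to the tenant and must not be removed here.
$grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id |
    Where-Object { $_.ConsentType -eq 'Principal' }

$report = foreach ($g in $grants) {
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    # Write or send rights on mail, files or sites are the consents to act on first.
    $highRisk = $scopes | Where-Object { $_ -match '^(Mail|Files|Sites|MailboxSettings)\.(ReadWrite|Send)' }
    [pscustomobject]@{
        App      = Get-AppName $g.ClientId
        Resource = Get-AppName $g.ResourceId
        Scopes   = $scopes -join ' '
        HighRisk = [bool]$highRisk
        GrantId  = $g.Id
    }
}
$report | Sort-Object HighRisk -Descending | Format-Table App, Resource, HighRisk, Scopes -AutoSize

if ($Revoke) {
    foreach ($r in $report) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $r.GrantId
        Write-Host "Revoked consent for $($r.App) ($($r.Scopes))"
    }
}
```

Note that removing the grant stops the app obtaining new tokens for this user; combined with the session revocation earlier, tokens it already holds expire without renewal.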

Rotate shared access and secrets

This is the step that often separates a “looks fine” offboarding from a genuinely secure one.

Disabling a user does not remove what they know.

If the departing employee had access to shared secrets, rotate them:

  • Shared mailbox credentials, if they exist
  • Password manager vault access
  • Shared admin credentials, including local admin accounts
  • VPN accounts and credentials
  • API keys used in integrations
  • Service account passwords, especially those created informally for automations
  • Finance system approvals and payment permissions

A simple test helps. If the user could still access something without their Microsoft 365 login, you need to deal with it directly.

Password managers make offboarding safer and easier

A password manager is one of the simplest ways to reduce offboarding risk outside Microsoft 365.

If the password manager is linked to Microsoft Entra ID for single sign on, blocking the user in Microsoft 365 also blocks access to their password vault. That helps close a common gap where Microsoft access is removed, but the leaver can still sign into finance, CRM, suppliers, or other tools using saved credentials.

It also encourages long unique passwords that people do not realistically remember, which lowers the risk of someone reusing a password after they leave. If the password manager also provides MFA, removing the Microsoft identity and revoking sessions can cut off both the passwords and the second factor they relied on.

Operationally, it improves handover too. Shared credentials can be transferred to a new owner or revoked cleanly, without passwords being emailed around or stored in spreadsheets.

Clean up, retain, and document

Once access is removed and continuity is secured, you want to finish cleanly.

This typically includes:

  • Remove licences where appropriate
  • Remove the user from groups, mailing lists, and distribution lists
  • Decide retention and deletion timelines based on policy, not habit
  • Record what was done, when, and by whom

Deletion is often done too early or never done at all. Both create problems. Deleting too early creates emergency recoveries and lost data. Never deleting creates a long tail of stale identities, confusing ownership, and unnecessary licence spend.

A simple runbook you can actually follow

If you need a sequence that works for most Microsoft 365 environments, use this:

  1. Confirm last working day and time, and whether the exit is planned or immediate
  2. Block sign in and revoke sessions
  3. Remove admin roles and sensitive group memberships
  4. Secure devices, wipe or retire as needed
  5. Decide mailbox approach, shared mailbox is often the cleanest
  6. Preserve OneDrive access temporarily and transfer key business files
  7. Check Teams and SharePoint ownership and permissions
  8. Disable access in critical third party apps and remove connected app permissions
  9. Rotate shared passwords, keys, and service accounts
  10. Clean up licences, set retention, and document completion

This is what “offboard without leaving security gaps” looks like in practice. It is joined up. It is predictable. It is defensible.

The gaps we see most often

If you want to stress test your current process, these are the common weak points:

  • Account is disabled, but sessions were not revoked, so the phone stays signed in
  • OneDrive is ignored, then someone realises key files were only stored there
  • External sharing links remain active and nobody knows they exist
  • A Team or SharePoint site loses its only owner, and management becomes difficult
  • Power Automate flows or scheduled processes stop working because they were tied to the user
  • Third party apps outside SSO still have active local logins
  • Shared passwords or API keys are not rotated because they do not feel like “Microsoft 365”

None of these gaps are rare. They are normal outcomes of treating offboarding as admin rather than a security event.

What offboarding looks like with managed IT

With managed IT, offboarding is treated like a defined process, not a one off task that depends on who is available that day. There is a runbook, a clear owner, and a set order of operations. Access is removed in a controlled way, active sessions are forced to end, devices are secured, and business data is handed over properly, without guesswork or last minute chasing.

That structure matters in Microsoft 365 because one identity connects everything. Email is just the visible part. The same account can still be signed in on a phone, still syncing OneDrive to a laptop, still able to open Teams chats, or still linked to third party apps. Managed IT ties those moving parts together, so the business is not relying on “we disabled the mailbox so it should be fine”.

In practice, it means every leaver goes through the same checks. Entra ID actions are completed, privileged roles are removed early, mailbox and OneDrive access is handed over with clear limits, Teams and SharePoint ownership is confirmed, connected apps are reviewed, shared secrets are rotated, and the whole exit is documented so you can prove what was done and when.

At Sereno IT Support, this is the approach we build into day to day support. The goal is simple. Offboarding that is predictable, secure, and tidy, so a leaver does not turn into a security gap or a Monday morning emergency.
