Sequentur Blog


Microsoft 365 User Offboarding Checklist for Small Business


An employee leaves and you need to shut down their access. Maybe they resigned, maybe they were let go, maybe you have an hour before their last meeting ends and they walk out the door. Either way, the steps you take in the next few hours determine whether their account becomes a security liability or a cleanly closed chapter. Most small businesses do some of these steps and miss others, which is how former employees end up with working credentials weeks later or how email from clients disappears into a mailbox nobody is monitoring. This checklist covers every step in order.

Before You Start

Have the following information ready before you begin the offboarding process:

  • The user’s full name and sign-in address
  • Whether their email needs to be forwarded or converted to a shared mailbox
  • Whether anyone needs access to their files (OneDrive, SharePoint)
  • Whether they have any company-owned devices enrolled in Intune
  • Who their manager is (they may need to inherit delegated access or files)

If the departure is involuntary or there is any concern about data exfiltration, start with Step 1 immediately. Do not wait for HR paperwork or an official last day. The longer a terminated employee retains access, the higher the risk.

Step 1: Block Sign-In

This is the first thing you do, and it should happen the moment the employee’s access should end. In the Microsoft 365 admin center, go to Users > Active users, select the user, and click “Block sign-in.” This prevents the user from authenticating to any Microsoft 365 service going forward.

Blocking sign-in does not immediately terminate active sessions. The user may remain logged in on devices where they already have an active session until their current access token expires. To address this, proceed to Step 2.

Step 2: Revoke All Active Sessions

In the Entra admin center (formerly Azure AD), go to the user’s profile and click “Revoke sessions.” This invalidates all refresh tokens and forces re-authentication on every device and application. Since you already blocked sign-in in Step 1, the re-authentication will fail and the user will be locked out immediately.

This step is critical for involuntary departures. Without revoking sessions, a terminated employee could continue accessing email, Teams, and files on their phone or home computer for hours after being blocked, depending on token lifetime settings.

Step 3: Reset the Password

Reset the user’s password to something random and complex. This is a belt-and-suspenders measure on top of blocking sign-in and revoking sessions. It ensures that even if there is an edge case where a token persists, the old password is no longer valid.

Do not set a simple temporary password. Use a long, randomly generated string. Nobody will ever need to log in with this password again.

Step 4: Remove MFA Methods

In the Entra admin center, go to the user’s authentication methods and remove all registered MFA devices. This includes authenticator apps, phone numbers, and hardware keys. If you do not remove these, the MFA registration persists even while the account is blocked, and if the account is ever unblocked accidentally, the former employee’s phone is still a valid second factor.
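Steps 1 through 4 are the time-critical ones, so it is worth having them scripted before the day you need them. The following is an added example, not Sequentur's code or a Microsoft-provided script; it uses the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module), and the sign-in address is a placeholder you replace.

```powershell
# Added example: Steps 1-4 (block, revoke sessions, rotate password, strip MFA) via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All","User.RevokeSessions.All",
                        "UserAuthenticationMethod.ReadWrite.All","Directory.AccessAsUser.All"

$upn = "departing.user@contoso.com"   # placeholder sign-in address

# Step 1: block sign-in. No new authentication succeeds from this point on.
Update-MgUser -UserId $upn -AccountEnabled:$false

# Step 2: invalidate refresh tokens. Cached sessions must re-authenticate, which now fails.
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# Step 3: replace the password with 32 random bytes (base64-encoded). Nobody will ever type it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $upn -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $false
}

# Step 4: remove every registered authentication method except the password itself.
# If a removal fails because the method is the user's default sign-in method, change the
# default in the Entra admin center first and re-run this loop.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $upn) {
    $type = $m.AdditionalProperties.'@odata.type'
    switch ($type) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $upn -Fido2AuthenticationMethodId $m.Id
        }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $upn -SoftwareOathAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $upn -EmailAuthenticationMethodId $m.Id
        }
        '#microsoft.graph.passwordAuthenticationMethod' { }   # cannot be removed; already rotated in Step 3
        default { Write-Warning "Unhandled method $type ($($m.Id)): remove it in the Entra admin center" }
    }
}
```

Run it against a test account first so the consent prompt and any conditional-access policies on the admin account are sorted out ahead of time. The order matters: blocking before revoking means the forced re-authentication fails rather than silently succeeding.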

Step 5: Set Up Email Forwarding or Convert to Shared Mailbox

This is where the business decision comes in. You have two common options for handling the departed employee’s email:

Forward email to their manager or replacement. In the Exchange admin center, go to the user’s mailbox settings and set up email forwarding. This is the quick option when someone else needs to receive the incoming mail temporarily. Set a date to remove the forwarding, typically 30 to 90 days, so it does not run indefinitely.

Convert to a shared mailbox. This is usually the better long-term option. A shared mailbox preserves the mailbox contents, allows multiple people to access it, and does not require a license. In the admin center, go to the user’s mailbox and select “Convert to shared mailbox.” After conversion, you can remove the M365 license and the mailbox remains accessible to anyone you grant permissions.

Converting to a shared mailbox is particularly important when the departed employee had client-facing email. Clients who reply to old email threads will reach the shared mailbox instead of bouncing, and the assigned team members can respond. This is the approach we recommend in most cases.

If the employee’s mailbox has litigation hold or compliance requirements, do not delete the mailbox or remove the license until you have confirmed with legal or compliance that retention obligations are met.

A third option that some businesses use is to set up both: convert to a shared mailbox for long-term access to historical email, and also set up a forwarding rule so that new incoming messages go to the replacement employee’s mailbox. This way the historical archive is preserved and accessible, but day-to-day incoming email does not require someone to check a separate mailbox. The forwarding rule can be removed after a transition period while the shared mailbox remains available indefinitely.
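The three mailbox options above, as an added example using the Exchange Online PowerShell module (not Sequentur's code); the hold check runs first so a mailbox under retention is never converted or delicensed by accident. The addresses are placeholders.

```powershell
# Added example: Step 5 mailbox disposition with Exchange Online PowerShell (ExchangeOnlineManagement module).
Connect-ExchangeOnline

$upn         = "departing.user@contoso.com"    # placeholder: departing employee
$replacement = "replacement.user@contoso.com"  # placeholder: manager or replacement

# Retention obligations come first: stop if the mailbox is on any kind of hold.
$mbx = Get-Mailbox -Identity $upn
if ($mbx.LitigationHoldEnabled -or @($mbx.InPlaceHolds).Count -gt 0) {
    throw "Mailbox $upn is on hold (Litigation: $($mbx.LitigationHoldEnabled); other holds: $(@($mbx.InPlaceHolds).Count)). Confirm with compliance before changing it."
}

# Option 1: forward incoming mail to an internal recipient and keep a copy in the original mailbox.
# (-ForwardingSmtpAddress is the equivalent for an external address.)
Set-Mailbox -Identity $upn -ForwardingAddress $replacement -DeliverToMailboxAndForward $true

# Option 2: convert to a shared mailbox and grant the replacement full access (auto-mapped in Outlook).
Set-Mailbox -Identity $upn -Type Shared
Add-MailboxPermission -Identity $upn -User $replacement -AccessRights FullAccess -InheritanceType All -AutoMapping $true

# Option 3 is simply both of the above. When the 30-90 day transition ends, drop only the forwarding;
# the shared mailbox stays available:
#   Set-Mailbox -Identity $upn -ForwardingAddress $null -DeliverToMailboxAndForward $false

# Verify the result before moving on to license removal.
Get-Mailbox -Identity $upn | Select-Object RecipientTypeDetails, ForwardingAddress, DeliverToMailboxAndForward
```

Put the forwarding-removal line in your calendar or ticketing system with the end date; the script cannot schedule it for you, and an indefinite forward is exactly the situation the article warns about.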

Step 6: Remove from Distribution Lists and Groups

Go through the user’s group memberships and remove them from all distribution lists, Microsoft 365 Groups, Teams, and security groups. In the admin center, you can see group memberships on the user’s profile page.

Pay attention to Microsoft 365 Groups that are connected to Teams. Removing the user from the group also removes them from the associated Team and its files. If they were the only owner of a Group or Team, assign a new owner before removing them, otherwise the Group becomes orphaned and harder to manage later. Having a well-organized Teams structure with clear ownership makes this step significantly easier.

Also check for any shared calendars the departing employee owned. If they maintained a team calendar or resource calendar, ownership needs to be transferred.

Step 7: Revoke Third-Party App Permissions

In the Entra admin center, go to Enterprise applications and check what third-party applications the user had consented to. Revoke any app permissions associated with their account. This prevents OAuth tokens from persisting in third-party services even after the M365 account is blocked.

This step is frequently missed and it matters. If the user had granted a third-party app access to read their email or files, that app may retain a token that continues working even after the user’s direct access is blocked. Revoking consent closes that gap.
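Steps 6 and 7 both come down to enumerating what is still attached to the user object and detaching it. The following added example (not Sequentur's code) does that with Microsoft Graph PowerShell plus Exchange Online PowerShell, because classic distribution lists and mail-enabled security groups can only be edited through Exchange, not through Graph. It goes slightly beyond the text by also flagging groups where the departing user is the sole owner, which the article says to fix before removal. Addresses are placeholders.

```powershell
# Added example: Step 6 (group ownership and membership) and Step 7 (delegated OAuth consent grants).
Connect-MgGraph -Scopes "User.Read.All","GroupMember.ReadWrite.All","Group.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All","Application.Read.All"
Connect-ExchangeOnline

$upn  = "departing.user@contoso.com"   # placeholder
$user = Get-MgUser -UserId $upn

# --- Step 6a: ownership. A Group or Team whose only owner leaves becomes orphaned. ---
$ownedGroups = Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($g in $ownedGroups) {
    if (@(Get-MgGroupOwner -GroupId $g.Id -All).Count -le 1) {
        Write-Warning "Group '$($g.AdditionalProperties.displayName)' ($($g.Id)) has no other owner. Assign one before removing the user."
    }
}

# --- Step 6b: membership. Route each group to the tool that can actually edit it. ---
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($g in $memberOf) {
    $p = $g.AdditionalProperties
    if ($p.groupTypes -contains 'DynamicMembership') {
        # Membership is rule-based; it drops out on its own once the account no longer matches the rule.
        Write-Verbose "Skipping dynamic group $($p.displayName)"
    } elseif ($p.mailEnabled -and -not ($p.groupTypes -contains 'Unified')) {
        # Distribution list or mail-enabled security group: Exchange Online owns these.
        Remove-DistributionGroupMember -Identity $g.Id -Member $upn -Confirm:$false -ErrorAction Continue
    } else {
        # Microsoft 365 Group (and its Team), plain security group: Graph handles these.
        # Groups synced from on-premises AD will fail here and must be edited on-premises.
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Continue
    }
}

# --- Step 7: revoke every delegated consent grant this user gave to third-party apps. ---
foreach ($grant in Get-MgUserOauth2PermissionGrant -UserId $user.Id -All) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    Write-Host "Revoking scope '$($grant.Scope)' granted to '$($app.DisplayName)'"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
}
```

Removing the grant stops the app from obtaining new tokens for this user; tokens already issued live until they expire, which is why Step 2 (revoking sessions) and this step belong together rather than as alternatives.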

Step 8: Handle OneDrive Files

When a user account is deleted, their OneDrive files are retained for 30 days by default (configurable up to 10 years in SharePoint admin settings). During this retention period, the user’s manager, as set in Entra, automatically receives access to the OneDrive contents.

Before deleting the account, decide what to do with the files:

  • If the files need to be preserved long-term, copy them to a SharePoint document library or another user’s OneDrive
  • If the manager needs access, verify the manager assignment in Entra so the automatic delegation works correctly
  • If the files contain sensitive data that should not persist, work with the manager to review and migrate what is needed, then allow the retention period to expire

Do not assume OneDrive files are backed up. Microsoft’s retention is not backup. If files are deleted during the retention period, they may not be recoverable. If the files are important, copy them to a permanent location before proceeding with account deletion. This is one of the key reasons business-critical files should live in SharePoint rather than individual OneDrive accounts – SharePoint files are unaffected by user departures.
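Two of the checks above can be scripted: confirming the manager attribute that drives the automatic OneDrive delegation, and reading (or raising) the tenant-wide retention period for deleted users' OneDrive sites. This is an added example, not Sequentur's code; it uses Microsoft Graph PowerShell and the SharePoint Online Management Shell, and the addresses and admin URL are placeholders.

```powershell
# Added example: Step 8 preparation. Verify the manager assignment and the OneDrive retention period.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$upn        = "departing.user@contoso.com"   # placeholder
$managerUpn = "manager@contoso.com"          # placeholder: who should inherit OneDrive access

# Entra grants the manager access to the departed user's OneDrive only if the manager attribute is set.
try {
    $mgr = Get-MgUserManager -UserId $upn -ErrorAction Stop
    Write-Host "Manager for $upn is $($mgr.AdditionalProperties.userPrincipalName)"
} catch {
    # Get-MgUserManager throws when no manager is assigned; set one so the delegation works.
    Write-Warning "No manager set for $upn; assigning $managerUpn"
    $mgrId = (Get-MgUser -UserId $managerUpn).Id
    Set-MgUserManagerByRef -UserId $upn -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/users/$mgrId"
    }
}

# Retention for deleted users' OneDrive sites is a tenant setting, in days (30 by default, up to 3650).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
$days = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
Write-Host "Deleted-user OneDrive retention: $days days"
if ($days -lt 90) {
    # Example policy choice; adjust to what your retention requirements actually are.
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 90
}
```

Retention only buys time; anything that must survive still has to be copied to a SharePoint library or another user's OneDrive before the account is deleted, as the article says.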

Step 9: Wipe or Retire Devices

If the departing employee had company-owned devices enrolled in Intune, you can remotely wipe them from the Intune admin center. A full wipe resets the device to factory defaults. A selective wipe removes only company data and apps while preserving personal data, which is the appropriate choice for BYOD scenarios.

If the device is being returned, a full wipe followed by redeployment to the next user is the cleanest approach. If the employee used a personal device under a BYOD policy, a selective wipe removes company email, files, and apps without affecting their personal content.

For devices not enrolled in Intune, you are limited to removing the M365 account from the device. In this case, blocking sign-in and revoking sessions (Steps 1 and 2) are your primary protections. Setting up Intune for device management before you need it makes this step significantly easier when offboarding happens.
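As an added example (not Sequentur's code), the following finds the departing user's Intune-enrolled devices with Microsoft Graph PowerShell and issues a full wipe for company-owned devices or a retire (Intune's term for the selective wipe of company data from an MDM-enrolled device) for personal ones, based on the ownership type recorded in Intune. The sign-in address is a placeholder.

```powershell
# Added example: Step 9 device wipe/retire via Microsoft Graph PowerShell and the Intune REST actions.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All"

$upn = "departing.user@contoso.com"   # placeholder

$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upn'" -All
if (-not $devices) {
    Write-Warning "No Intune-enrolled devices for $upn; rely on Steps 1 and 2 and manual account removal."
}

foreach ($d in $devices) {
    $base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)"
    Write-Host "$($d.DeviceName) [$($d.OperatingSystem)] owner type: $($d.ManagedDeviceOwnerType)"

    if ($d.ManagedDeviceOwnerType -eq 'company') {
        # Company-owned: full wipe back to factory defaults, ready for redeployment.
        # keepEnrollmentData=$false so the next user enrolls fresh; keepUserData=$false removes everything.
        Invoke-MgGraphRequest -Method POST -Uri "$base/wipe" -Body @{
            keepEnrollmentData = $false
            keepUserData       = $false
        }
    } else {
        # BYOD ('personal') or unknown ownership: retire removes company apps, data and management only.
        Invoke-MgGraphRequest -Method POST -Uri "$base/retire"
    }
}
```

Treat 'unknown' ownership as personal, as above, and fix the ownership record in Intune rather than risk wiping someone's own phone; a wrong full wipe is not reversible.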

Step 10: Remove or Reassign the License

Once the mailbox is converted to a shared mailbox (or email forwarding is set up and you no longer need the mailbox as a full user), remove the M365 license from the account. This stops the monthly billing for that user.

If you are not ready to delete the account entirely, you can remove the license while keeping the account in a blocked state. The shared mailbox will continue to function without a license as long as it stays under the 50 GB limit.

If you have other employees who need a license, you can reassign the now-free license to them immediately in the admin center under Billing > Licenses.
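Step 10 as an added example (not Sequentur's code) using Microsoft Graph PowerShell: it confirms the mailbox is already shared (a check that needs the Exchange Online module), removes every license from the departed account, and reassigns the same SKUs to another user. Addresses are placeholders.

```powershell
# Added example: Step 10 license removal and reassignment.
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All"
Connect-ExchangeOnline

$upn        = "departing.user@contoso.com"   # placeholder: departed employee
$newUserUpn = "new.hire@contoso.com"         # placeholder: who receives the freed license

# Guard: the mailbox must already be shared (Step 5) and not on hold, or removing the license loses it.
$mbx = Get-Mailbox -Identity $upn
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox' -or $mbx.LitigationHoldEnabled) {
    throw "Mailbox $upn is $($mbx.RecipientTypeDetails) (hold: $($mbx.LitigationHoldEnabled)); finish Step 5 first."
}

# Remove every SKU currently assigned to the departed account.
$assigned = @(Get-MgUserLicenseDetail -UserId $upn)
foreach ($sku in $assigned) { Write-Host "Removing $($sku.SkuPartNumber) from $upn" }
if ($assigned.Count -gt 0) {
    Set-MgUserLicense -UserId $upn -AddLicenses @() -RemoveLicenses @($assigned.SkuId) | Out-Null
}

# Reassign the same SKUs. The target needs a UsageLocation before a license can be assigned.
$target = Get-MgUser -UserId $newUserUpn -Property Id,UsageLocation
if (-not $target.UsageLocation) {
    Update-MgUser -UserId $newUserUpn -UsageLocation "US"   # placeholder country code
}
foreach ($sku in $assigned) {
    $tenantSku = Get-MgSubscribedSku | Where-Object SkuId -eq $sku.SkuId
    $free = $tenantSku.PrepaidUnits.Enabled - $tenantSku.ConsumedUnits
    Write-Host "$($sku.SkuPartNumber): $free seat(s) available after removal"
    Set-MgUserLicense -UserId $newUserUpn -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
}
```

Shared mailboxes that grow past 50 GB, or that are on hold, need a license after all; the guard above catches the hold case, and the size case should be checked in the Exchange admin center before you count on the saving.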

Step 11: Document the Offboarding

Record what was done, when, and by whom. This documentation matters for audit trails, compliance requirements, and internal accountability. At minimum, log:

  • Date and time the account was blocked
  • Who performed the offboarding
  • Disposition of the mailbox (forwarded, converted, deleted)
  • Disposition of OneDrive files (migrated, assigned to manager, retention)
  • Devices wiped or retired
  • License removed or reassigned

If your business is subject to HIPAA or other compliance frameworks, this documentation may be required as part of your access control obligations.

Common Offboarding Mistakes

Deleting the account immediately instead of converting the mailbox. Once an account is deleted and the retention period expires, the email is gone. Always convert to a shared mailbox first if there is any chance someone will need access to that email history.

Forgetting to revoke sessions. Blocking sign-in without revoking sessions leaves a window where the former employee can continue using M365 on devices with active sessions. Always do both.

Not checking group ownership. If the departing employee was the sole owner of Teams, Microsoft 365 Groups, or SharePoint sites, those resources become ownerless and harder to manage. Assign new owners before removing the user.

Letting licenses sit unused. Every month a license sits assigned to a blocked account that has already been converted to a shared mailbox is money wasted. Remove the license as soon as the shared mailbox conversion is complete. If you are not sure what each license tier includes and whether a user was on the right plan to begin with, see our Microsoft 365 licensing guide.

Skipping the documentation step. It feels like busywork when you are in the middle of an offboarding, but having a record of exactly what was done and when matters. If a former employee claims they lost access to personal files that were on a company device, or if an auditor asks when access was revoked, you need the documentation. A simple spreadsheet with the date, the employee name, and the steps completed is sufficient. It does not need to be elaborate, it just needs to exist.

Timing Matters

The speed of offboarding depends on the circumstances. For a planned resignation with a two-week notice period, you have time to coordinate with the manager, plan the mailbox disposition, and schedule the offboarding steps for the employee’s last day. For an involuntary termination, Steps 1 through 4 should happen within minutes of the termination decision, ideally while the conversation is still happening. The remaining steps can follow in the hours and days after.

If your business does not have a standard offboarding process, the first involuntary departure will expose every gap at the worst possible time. Building this checklist into your operations before you need it urgently is significantly better than trying to figure it out under pressure. For distributed teams, pair this checklist with our remote employee IT offboarding checklist, which covers the extra steps around device retrieval, VPN revocation, and personal cloud sync that on-site offboarding does not have to worry about.

Sequentur handles M365 user offboarding as part of our managed Microsoft 365 services. If you want to make sure departures are handled securely and completely every time, reach out through our contact page to talk about your setup.
