Many organizations use Microsoft 365 to manage their employees' digital identities, either on its own or alongside other identity providers (IdPs) such as Google Workspace or Okta. You can also use Microsoft 365 to grant your employees and contractors access to various apps, including email, file storage and office apps.
When an employee or contractor leaves your organization, it's important to revoke their access to Microsoft 365 so that:
- They can no longer access their account, including Microsoft 365 Email, OneDrive, Teams and other apps.
- They can no longer use their Microsoft 365 credentials to log in to other apps using single-sign-on (SSO), either via SAML2 or OIDC.
- You can allocate their license to another user or surrender it to reduce your license costs.
If you have connected Trelica to Microsoft 365, you can configure an offboarding workflow to automate this process when employees or contractors leave your organization.
Recommendations for IdP offboarding
Offboarding workflows typically use the "Person leaves" workflow trigger and can address a single app or multiple apps. If you're using Microsoft 365 as an IdP, we recommend you create a dedicated workflow for offboarding from Microsoft 365 and run this workflow first. There are two reasons for this:
- As an IdP, Microsoft 365 typically provides SSO access to a large number of apps. By offboarding terminated employees or contractors from Microsoft 365 first, you can typically revoke access to many apps - and thereby secure access to many of your systems - in one step.
- Having a dedicated workflow allows you to monitor and report on progress of offboarding individuals from Microsoft 365 easily, which can be useful for demonstrating compliance.
If required, you can trigger another workflow after the key offboarding steps in your Microsoft 365 offboarding workflow.
The "Person leaves" workflow trigger uses the individual's termination date. To avoid a person being offboarded by mistake due to a mistyped date, we recommend including a confirmation step at the start of each offboarding workflow. For example, you can send a Teams or Slack message or an email to the individual's line manager with a confirmation button to initiate the next step. For more information about configuring the workflow trigger and confirmation step, see Automate employee offboarding.
Remove a former employee or contractor from Microsoft 365
Microsoft recommends taking the following steps to remove a former employee and secure their data when they leave your organization:
- Prevent a former employee from logging in and block access to Microsoft 365 services.
- Save the contents of a former employee's mailbox (if a litigation hold is required).
- Wipe and block a former employee's mobile device.
- Forward a former employee's email to another employee or convert to a shared mailbox.
- Give another employee access to OneDrive and Outlook data.
- Remove and delete the Microsoft 365 license from a former employee.
- Delete a former employee's user account.
You can configure an offboarding workflow to perform several of these steps automatically via Trelica's integrations with Entra ID and other Microsoft apps. For steps that are not supported by Microsoft's APIs, you can use the workflow to create tasks or send messages (via Teams or Slack) in order to request actions and track progress.
As an example, a typical Microsoft 365 offboarding workflow might include the following steps:
- Confirm the individual is leaving on the specified date and should be offboarded using Send Teams/Slack message or Send email.
- When confirmation is received, Revoke access to Microsoft 365 and Entra ID. This also revokes SSO access to other apps.
- Filter assets to identify the devices that have been assigned to the terminated employee or contractor and use the Send Teams/Slack message or Send email step to send the list to the person responsible for recovering the devices or wiping them remotely.
- Manage any incoming emails with the Set email forwarding address and Set out of office steps.
- Trigger another workflow to initiate offboarding for any apps that the person did not access via Microsoft 365.
- Create a task or Send a Teams/Slack message to ask your Microsoft 365 IT Admin to either export the mailbox or convert it to a shared mailbox, and transfer access to OneDrive files.
- Wait for two weeks (or longer) while any incoming emails are forwarded to the new recipient.
- Use Set user license to remove the terminated user's license. Alternatively, Delete the user to free up the license and remove the user and all their data.
These steps are discussed in more detail below.
Block access to Entra ID and Microsoft 365
To prevent a terminated employee or contractor from logging in and withdraw their access to other apps that they can currently access via SSO, use the Entra ID Revoke access workflow step. This secures the user's account by:
- Logging them out of any active sessions.
- Revoking their OAuth tokens (used for SSO).
- Resetting their password so that they cannot log back in.
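The same three actions expressed as Microsoft Graph PowerShell calls, as an added example rather than Trelica's own implementation of the Revoke access step. It assumes the Microsoft.Graph modules are installed, that the listed scopes are the ones your tenant accepts, and that the signed-in admin holds a role allowed to reset the user's password; the address is a placeholder. It also blocks sign-in first, which is Microsoft's first recommendation above.

```powershell
# Added example (not Trelica's code): the actions behind "Revoke access",
# done with the Microsoft Graph PowerShell SDK. Scopes are an assumption;
# the admin must also hold a role permitted to reset the user's password.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User-PasswordProfile.ReadWrite.All" -NoWelcome

function New-RandomPassword {
    # 32 random bytes, base64-encoded. Nobody needs to know this value; it
    # only has to be impossible to guess.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Revoke-LeaverAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. Block further sign-ins (Microsoft's first recommendation).
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # 2. Invalidate refresh tokens (used for SSO) and browser session cookies.
    #    Access tokens already issued stay valid until they expire, so a
    #    downstream app session can survive for up to about an hour.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # 3. Replace the password with one nobody knows.
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = New-RandomPassword
        ForceChangePasswordNextSignIn = $true
    }

    # Evidence for the offboarding record: sign-in blocked, and the timestamp
    # before which every existing session is now invalid.
    Get-MgUser -UserId $UserPrincipalName `
        -Property UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime |
        Select-Object UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime
}

Revoke-LeaverAccess -UserPrincipalName "leaver@contoso.example"   # placeholder address
```

The returned SignInSessionsValidFromDateTime is the value to keep as proof that step 2 ran; a sign-in attempt with a refresh token issued before it will fail.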
Wipe a mobile device
If you are using Trelica's Assets feature and have connected one of the MDM integrations (e.g. Intune, Kandji, Jamf, etc.) you can use the Wipe device workflow action to restore managed devices to their original factory settings. You can use the List current person's assets step to return all devices currently assigned to a given person to ensure that the wipe action runs for all their devices.
Forward emails
If you have connected Microsoft 365 Email to Trelica, you can use the Set email forwarding address and/or Set out of office steps to manage any incoming emails to the terminated employee's mailbox.
Forwarding emails or sending an out-of-office automatic reply requires an active user account and license. For this reason, we recommend using these options as a temporary measure while you hand over the former employee's responsibilities.
To achieve this, you can add a Wait step of a few days or weeks to the workflow to allow incoming emails to be addressed before you suspend the license and terminate the account. You can also use the Turn off email forwarding and Disable out of office steps to revert these actions at a later point in the workflow.
Save the contents of a mailbox and transfer access to OneDrive files
When you remove a user's license, their OneDrive files remain accessible but their emails, contacts and calendar are only retained for 30 days, after which they are permanently deleted. When you delete a user, both their OneDrive files and their mailbox are permanently deleted 30 days later. You can retain access to this data by saving the contents of their mailbox and transferring access to their OneDrive files to another user.
Unfortunately Microsoft's APIs do not support exporting or migrating a former employee's emails or transferring access to their OneDrive files (steps 2 and 5 in Microsoft's recommendations). However, you can add a task, email, Teams or Slack message step to the offboarding workflow to ensure that these matters are handled manually. For more information, refer to Microsoft's advice on this step.
We recommend assigning the task or sending the message to someone with access to the Microsoft 365 Admin UI, such as your IT Admin for Microsoft 365.
- Create task: By default, the workflow only continues to the next step once the task is marked as complete. To proceed to the next step without waiting for the task to be completed, select Transition immediately.
- Send email, Teams or Slack message: You can add buttons to the message to ask the recipient to confirm that the relevant action has been taken. The workflow proceeds to the next step when the response is received or after the time limit you have set for a response. For more information, see Send a Slack message or Send email notifications.
Alternatively, you can use PowerShell to script these offboarding actions. You can learn more about using PowerShell via Trelica workflows in the following articles:
- Worked example: driving Microsoft Exchange Online actions from Trelica workflows
- Worked example: using workflows and the API to provision and deprovision in an on-premises system
- Calling from PowerShell
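An added example of what such a script can cover, serving both the Forward emails section and the mailbox and OneDrive handover described here. It is not Trelica's code or one of the worked examples linked above. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the signed-in account is an Exchange and SharePoint administrator, and that the tenant name and addresses are placeholders.

```powershell
# Added example (not Trelica's code). Tenant name and addresses are placeholders.
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

function Set-LeaverMailFlow {
    # Temporary measure while responsibilities are handed over: as noted above,
    # forwarding and auto-replies need an active, licensed account.
    param(
        [Parameter(Mandatory)][string]$Leaver,
        [Parameter(Mandatory)][string]$Manager
    )
    # Forward and keep a copy, so the mailbox still holds everything that arrived.
    Set-Mailbox -Identity $Leaver -ForwardingSmtpAddress $Manager -DeliverToMailboxAndForward $true
    $notice = "This person has left the organisation. Please contact $Manager."
    Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Enabled `
        -InternalMessage $notice -ExternalMessage $notice
}

function Clear-LeaverMailFlow {
    # Counterpart of the "Turn off email forwarding" and "Disable out of office" steps.
    param([Parameter(Mandatory)][string]$Leaver)
    Set-Mailbox -Identity $Leaver -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
    Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Disabled
}

function Complete-LeaverHandover {
    # The manual part of Microsoft's steps 2 and 5: keep the mail and hand over
    # the OneDrive files. Run this before the license is removed.
    param(
        [Parameter(Mandatory)][string]$Leaver,
        [Parameter(Mandatory)][string]$Manager
    )
    # Converting to a shared mailbox keeps the contents without a license
    # (shared mailboxes under 50 GB need none), so the 30-day loss after
    # license removal does not apply to it.
    Set-Mailbox -Identity $Leaver -Type Shared
    Add-MailboxPermission -Identity $Leaver -User $Manager -AccessRights FullAccess -InheritanceType All

    # OneDrive: locate the leaver's personal site and make the manager a site
    # collection admin so the files can be moved out before the account is deleted.
    $site = Get-SPOSite -IncludePersonalSite $true -Limit All `
        -Filter "Url -like '-my.sharepoint.com/personal/'" |
        Where-Object { $_.Owner -eq $Leaver }
    if ($null -eq $site) { throw "No OneDrive site found for $Leaver" }
    Set-SPOUser -Site $site.Url -LoginName $Manager -IsSiteCollectionAdmin $true
    return $site.Url
}

# Usage (placeholders): forward now, convert and delegate when the handover is agreed.
Set-LeaverMailFlow   -Leaver "leaver@contoso.example" -Manager "manager@contoso.example"
Complete-LeaverHandover -Leaver "leaver@contoso.example" -Manager "manager@contoso.example"
```

Run the handover before the Set user license step, because once the license is gone the mailbox is on its 30-day clock; the conversion to a shared mailbox is what takes it off that clock.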
Remove the user's license
Removing licenses from terminated employees' accounts makes the license available to assign to another user while retaining their OneDrive files. When you remove a user's license, their email, contacts and calendar items are only retained for 30 days, after which they are permanently deleted.
To remove the license from a terminated employee's account, use the Entra ID Set user license step, select the relevant app and then select the relevant license from the Licenses to remove list. Note that once you have removed the user's license, email forwarding and out-of-office replies will cease to work.
Delete the user
Once you have completed any business continuity steps and recovered any data you need from the terminated employee's account, you can use the Entra ID Delete user step to delete their account. Any licenses that are currently assigned to the account are automatically unassigned. If the user is not restored within the retention period (30 days by default), the user's data (including OneDrive) is permanently deleted.
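The license removal and deletion steps as Microsoft Graph PowerShell, added here as an example and not Trelica's implementation of the Set user license or Delete user steps. It assumes the Microsoft.Graph modules, the User.ReadWrite.All scope, and a placeholder address. It separates directly assigned licenses from group-inherited ones, which cannot be removed per user.

```powershell
# Added example (not Trelica's code). Scope and address are assumptions.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

function Remove-LeaverLicenses {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, LicenseAssignmentStates

    # Only directly assigned SKUs can be removed here. Group-based ones stay
    # until the user leaves the group (or the account is deleted).
    $direct = @($user.LicenseAssignmentStates |
        Where-Object { -not $_.AssignedByGroup } |
        ForEach-Object { $_.SkuId })
    $inherited = @($user.LicenseAssignmentStates |
        Where-Object { $_.AssignedByGroup } |
        ForEach-Object { $_.AssignedByGroup })

    if ($direct.Count -gt 0) {
        # From this point forwarding and out-of-office stop working, and mail,
        # contacts and calendar are kept for 30 days only.
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null
    }
    return [pscustomobject]@{
        RemovedSkuIds            = $direct
        StillInheritedFromGroups = $inherited   # group IDs to follow up on
    }
}

function Remove-LeaverAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Soft delete: the account sits in "Deleted users" for the retention period
    # (30 days by default) and can be restored from there; its licenses are
    # released immediately.
    Remove-MgUser -UserId $UserPrincipalName
}

# Usage (placeholder): remove licenses once the forwarding period has ended,
# delete the account once the data handover is complete.
Remove-LeaverLicenses -UserPrincipalName "leaver@contoso.example"
Remove-LeaverAccount  -UserPrincipalName "leaver@contoso.example"
```

Check StillInheritedFromGroups in the returned object: a non-empty list means the user still consumes a license through group membership, which the per-user call cannot release.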