How to Fully Remove Access to Company Data When an Employee Leaves (Microsoft 365 offboarding)
- Hanna Korotka

Employee offboarding is one of the most common — and most underestimated — security gaps in small and medium‑sized businesses. In Microsoft 365, simply disabling a user account does not automatically remove access to company data. Active sessions, shared files, synced devices, and delegated permissions can all persist longer than most organizations expect.
This guide explains how to fully remove access to company data when an employee leaves, based on how Microsoft 365 actually works — not assumptions.
Step 1: Block Sign‑In Immediately
The first action should always be to block the user from signing in. This prevents new authentication attempts but does not instantly terminate existing access.
Blocking sign‑in is necessary, but on its own it does not invalidate existing sessions or remove previously granted access to data.
Step 2: Revoke Active Sessions and Tokens
Microsoft 365 uses access tokens that can remain valid even after sign‑in is blocked or a password is reset. Without revoking sessions, a user who is already signed in may continue accessing data until the token expires.
To fully cut access, active sessions must be revoked so Microsoft stops trusting existing authentications. This step is frequently missed in SMB environments and is one of the main reasons offboarded users retain access longer than expected.
Step 3: Convert the User Mailbox to a Shared Mailbox to Retain Email Data
Before removing licenses or deleting the user account, the user mailbox should be converted to a shared mailbox.
Converting the mailbox allows the organization to:
- Retain all existing email data
- Remove the Microsoft 365 license from the account
- Grant access to the mailbox to another user or team, if required
- Prevent the mailbox from being deleted when the user account is removed
If this step is skipped and the user account is deleted while licensed, mailbox data may be permanently lost after Microsoft’s retention window.
For SMBs, converting the mailbox to a shared mailbox is the safest way to preserve business‑critical communications without continuing to pay for a license.
Step 4: Secure and Review File Access
After email data is preserved, file access must be addressed. OneDrive files should be reviewed for external sharing links and reassigned if the content is still needed by the business.
Files shared via links can remain accessible even after offboarding if they are not reviewed explicitly. This is one of the most common sources of unintended continued access.
Step 5: Address Devices — Especially Personal Ones
Personal and unmanaged devices require special handling during offboarding. If employees accessed Microsoft 365 from their own phones or computers, company data may still be cached locally in Outlook, Teams, or OneDrive. For personal (BYOD) devices, the correct action is to retire the device or remove corporate app access, which relies on Microsoft Intune app protection (MAM) policies to selectively remove company data without affecting personal content. For company‑owned devices, the device should be fully wiped to remove all user data and credentials and prepare it safely for reuse by a new employee.
Step 6: Remove Licenses at the Right Time
Only after access is blocked, sessions are revoked, the mailbox is converted, file access is reviewed, and devices are addressed should licenses be removed.
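The ordering of Steps 1 to 6 can be enforced in a script. The following PowerShell is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, and the function name, parameter names and the scope shown in the comments are illustrative choices.

```powershell
# Added example. Connect first with an account holding suitable admin roles, e.g.:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'   # scope choice is an assumption
#   Connect-ExchangeOnline
function Invoke-Offboarding {                      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Upn,        # departing user's UPN
        [string]$DelegateUpn,                      # optional: who receives mailbox access
        [switch]$FilesAndDevicesReviewed           # set only once Steps 4 and 5 are done
    )
    $ErrorActionPreference = 'Stop'                # a failed step must halt the sequence
    $user = Get-MgUser -UserId $Upn -Property Id

    # Step 1: block sign-in (stops new authentications only).
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # Step 2: revoke sessions. This invalidates refresh tokens and browser
    # session cookies; an access token already issued can still be accepted
    # until it expires, so expect a short tail of residual access.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # Step 3: convert to a shared mailbox while the license is still attached.
    Set-Mailbox -Identity $Upn -Type Shared
    if ($DelegateUpn) {
        Add-MailboxPermission -Identity $Upn -User $DelegateUpn `
            -AccessRights FullAccess | Out-Null
    }

    # Steps 4 and 5 (sharing links, OneDrive reassignment, retire or wipe) need
    # a human decision, so the script stops here until they are confirmed.
    if (-not $FilesAndDevicesReviewed) {
        Write-Warning "Steps 1-3 done for $Upn. Licenses kept until files and devices are reviewed."
        return
    }

    # Step 6: remove licenses only after confirming the conversion took effect.
    $type = (Get-Mailbox -Identity $Upn).RecipientTypeDetails
    if ($type -ne 'SharedMailbox') {
        throw "Mailbox for $Upn is '$type', not SharedMailbox; licenses left in place."
    }
    $skus = @(Get-MgUserLicenseDetail -UserId $user.Id | ForEach-Object SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
    }
}
```

Run it once without `-FilesAndDevicesReviewed` on the day of departure, then again with the switch after the file and device review, so licenses are never removed ahead of the mailbox conversion check.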
Offboarding is not just an administrative task — it is an identity and data security process. When done correctly, Microsoft 365 offboarding protects company data while cleanly removing access. When done incompletely, it leaves silent risk behind.
As a Microsoft cloud security MSSP, we help SMBs assess, improve, and validate Microsoft 365 security and access controls across the entire user lifecycle. This includes identity and access configuration, device and app access, mailbox and data protection, and ongoing security posture reviews to ensure Microsoft 365 is configured and operating as intended.
If you’re unsure whether your current setup fully protects company data — during offboarding or day‑to‑day operations — we can help identify gaps and provide practical, Microsoft‑aligned recommendations.

