Dealing with terminated employees in Office 365

So an employee is leaving your company. It happens all the time, no big deal. But what do we do about their Office 365 account? This guide aims to answer that question. We’ll go through the following steps:

  • Change the User's Password
  • Remotely Wipe their Mobile Device
  • Give yourself access to the User's Mailbox and Archive
  • Export the Mailbox to PST for Archiving
  • Delete the Employee’s mailbox
  • Assign the Employee’s Email Address to Another Person
  • Set up an Auto-Responder/Out-Of-Office for the Employee
  • Free up or Remove the Office 365 Licence

Many of our Office 365 reports can be used to determine whether the employee was a member of particular distribution groups or had a mobile device assigned to them.

Change the User's Password

When a user leaves, the first thing you want to do is reset the password on their account. Resetting their password means you can still access their mailbox but prevents them from accessing business information once they have left.

Reset a User's Password in Office 365:

Remotely Wipe their Mobile Device

If the employee has been terminated under less favorable circumstances, you may need to remotely wipe the user's mobile phone to prevent them from accessing corporate information.

This needs to be done before you delete their account:

  • Log in to Office 365 as an Administrator and open the Exchange Control Panel
  • In the Exchange Control Panel, in the Select what to manage field, select Another User.
  • In the Select Mailbox dialog box, select the employee’s account, and then click OK. At the top of the page you should see which mailbox you are administering.
  • Select Phone > Mobile Phones.
  • Select the device that you want to wipe, and then click Wipe Device.
  • Double check that you’re wiping the correct user and click OK to the “Are you sure” window.
  • After the remote device wipe is complete, you can remove it from the mobile phones list.
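
The same wipe can be driven from Exchange Online PowerShell. This is an added example, not part of the original post; it assumes an Exchange Online PowerShell session is already connected, and both addresses are placeholders.

```powershell
# Added example. Placeholders: replace both addresses with your own.
$Employee = 'departing.user@example.com'
$Notify   = 'it-admin@example.com'

# Inventory first, so there is a record of which devices were wiped.
$devices = @(Get-MobileDevice -Mailbox $Employee)
$devices | Select-Object FriendlyName, DeviceModel, DeviceOS, DeviceId, FirstSyncTime |
    Format-Table -AutoSize

# Queue the wipe. The device receives it the next time it syncs, which is why
# the account must still exist and still be able to sync at this point.
foreach ($device in $devices) {
    Clear-MobileDevice -Identity $device.Identity `
        -NotificationEmailAddresses $Notify -Confirm:$false
}

# Re-run this check until every device shows an acknowledgement time.
$status = foreach ($device in $devices) {
    Get-MobileDeviceStatistics -Identity $device.Identity |
        Select-Object DeviceFriendlyName, Status, DeviceWipeSentTime, DeviceWipeAckTime
}
$status | Format-Table -AutoSize

# Only after every wipe is acknowledged: turn off ActiveSync for the mailbox
# and remove the wiped devices from the mobile phones list.
$pending = @($status | Where-Object { -not $_.DeviceWipeAckTime })
if ($devices.Count -gt 0 -and $pending.Count -eq 0) {
    Set-CASMailbox -Identity $Employee -ActiveSyncEnabled $false
    foreach ($device in $devices) {
        Remove-MobileDevice -Identity $device.Identity -Confirm:$false
    }
} else {
    Write-Warning "$($pending.Count) device(s) have not acknowledged the wipe yet."
}
```

A device that never comes back online never acknowledges the wipe, so the final block will keep reporting it as pending.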

More information about wiping a mobile device for an employee:

Give yourself access to the User's Mailbox and Archive

Before you can export the user's mailbox, you need to give your account full access to the employee’s mailbox. This has to be done in PowerShell.

First, connect to Office 365 using PowerShell.

Then, you need to run the following command. This example gives full access to the mailbox of Obviously you need to replace these two login names with those of your own company.

Add-MailboxPermission -Identity <employee's login name> -User <your admin login name> -AccessRights FullAccess

Export the Mailbox to PST for Archiving

Many industries and companies are required to keep employee records for a period of many years. There is no easy way to do this in Office 365 and this frustrates many people. If you want to delete the user account eventually, you’ll need to export the mailbox to a PST file and store it somewhere safe.

If you use an Enterprise version of Office 365 you can now keep the mailbox on Office 365 indefinitely.

Otherwise, you need to export the mailbox to a PST file.

Remember: PST files are notoriously unstable. So once you have a working PST file, you should back it up immediately. If you need to work on a user's PST file later, do so on a copy, not the original file. If the PST copy becomes corrupt you can always make another one.

To Export the mailbox using Outlook
First you need to set up a new Outlook profile and connect to the employee’s mailbox on your PC.
Then, export the mailbox to a PST file. Don’t forget to also export the Archive Mailbox if the user has one.

Alternatively, you can use a PST export tool.

Make sure you test the PST file works properly before you delete the source mailbox!

Delete the Employee’s mailbox

This is how you delete a user in Office 365:

  1. Log into the Office 365 Portal as an Administrator
  2. In the header, click Admin.
  3. On the Admin page, in the left pane, under Management, click Users.
  4. On the Users page, select the check box next to the user or users that you want to delete, and then click Delete.
  5. In the Delete confirmation message, click Yes.

Assign the Employee’s Email Address to Another Person

Once you’ve deleted the employee’s user account, you can assign their email address to another person to make sure you don’t miss any important emails. This is relatively easy, and this TechNet blog describes it much better than I ever could:

Set up an Auto-Responder/Out-Of-Office for the Employee

This is an alternative to assigning the user's email address to another person. You can create an Auto-Responder, or Out Of Office message, that replies to any emails sent to the departing employee’s email address with a custom message.

The way I do this is with a Shared Mailbox. You are not charged by Microsoft for Shared Mailboxes.

First, create a Shared Mailbox with the name “Ex Employees” or something similar and give yourself permission to it. This guide explains how.

Now you need to create an Out Of Office message for the Shared Mailbox.

  1. Log into Outlook Web Access for Office 365
  2. Click your name at the top right of the screen and select Open other mailbox
  3. Type the name of the Shared Mailbox you created and click Open
  4. Click the Options button in the top right of the OWA window and select Set up automatic replies
  5. Type in the message you want people to receive when they email a person who has left the company. Make sure you paste the message into both boxes, and check the Send replies to all external senders option.
  6. Click Save

The last thing to do is add the email address for the employee to this new autoresponder mailbox. This is an easy step, and is explained here:

If you make the auto responder email a generic message, you can use this same mailbox for all future employees that leave the company. Simply add their email address to this existing mailbox.

Note: As this is effectively an Out Of Office message, each person who emails this mailbox will only receive the auto responder message once.

Free up or Remove the Office 365 Licence

Once you’ve deleted a user, their licence becomes free for another user to use. You will still be charged for this licence until you remove it from your subscription. This is done in the Office 365 Administrator Portal.

  1. On the Admin page, in the left pane, under Subscriptions, click Manage.
  2. On the Billing and subscription management page, click a subscription name.
  3. On the Subscription details page, click Change Quantity next to Licence count.
  4. Follow the steps in the wizard.


10 thoughts on “Dealing with terminated employees in Office 365”

  1. A very important point that MS either hopes you don’t find out about, or doesn’t seem to think is important, is that changing the user’s password, and even setting the user to BLOCKED in the admin portal, has no effect on that user’s ability to send and receive emails as long as they have an active session before having their account blocked or password changed.

    I have confirmed this and even had a MS support employee witness me do it on Logmein. He told me the only way that you can actually block a user’s access is by removing the user’s license. I’m waiting for some official comment from MS on this. This is a hole as wide as the Grand Canyon, IMO. Especially that it appears that all’s well, the user is locked out, the password is changed, so there’s no way in right? WRONG:

  2. What if you only want to remove the Office 365 email and not wipe the entire phone? It needs to be realized that smart phones these days not only serve as a phone but individuals' lives revolve around them. Not everyone backs up their info all the time.
    Is there a way to wipe only the Office365 information and not anything else?

  3. I’m very keen to get Microsoft to reveal some answers on this. Last week a client had to terminate someone, so I changed the user's password. Unfortunately we did not have access to the user's phone, and SEVERAL HOURS later this person was still getting work emails on that phone. This is the sort of thing that can result in lawsuits, client obviously very unhappy.

    How can we prevent this from happening? Do we need to disable the entire account for 72 hours? Disable Activesync? Any other method?

    1. Yank their license, the mailbox is stable for 30 days according to MS. Then after changing the password, etc. Reassign it and go about the other steps.

  4. What if the user deletes all / some of his emails before leaving the company? Is there an easy way of restoring those mails? Lastly, can all users be blocked from deleting any emails or archiving emails?

    1. You can restore deleted items in Outlook – there’s a ‘recover deleted items’ function. A knowledgeable user would know to purge this too though.

      If you want further protection than that, you’d need to look at some of the legal hold style options available in the enterprise version.

  5. How do you deal with Exchange Online leaving a person’s mailbox in any dist. groups they were part of, even after the mailbox/office 365 account was completely deleted?

    Obviously I could remove them before deleting but when you only have Exchange Online that’s a real pain as you have to go into each group one by one and perform the deletion.

    I’ve tried setting the mailbox to ‘hide from address books’ before deleting the office 365 account, but this doesn’t seem to help.
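
For the distribution-group cleanup raised in the last comment, the memberships can be removed in bulk before the account is deleted. This is an added example, not from the post or its commenters; it assumes a connected Exchange Online PowerShell session, and the address and CSV path are placeholders.

```powershell
# Added example. Placeholders: replace the address and the CSV path.
$Employee = 'departing.user@example.com'
$Record   = '.\departing-user-groups.csv'

# Stop here if the mailbox cannot be found, rather than matching nothing.
$mailbox = Get-Mailbox -Identity $Employee -ErrorAction Stop

# Walk every distribution group and keep those that list the mailbox as a
# direct member. Dynamic distribution groups are not covered: their
# membership is computed from a filter, so there is nothing to remove.
$memberOf = @(foreach ($group in Get-DistributionGroup -ResultSize Unlimited) {
    $hit = Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited |
        Where-Object { $_.PrimarySmtpAddress -eq $mailbox.PrimarySmtpAddress }
    if ($hit) {
        [pscustomobject]@{
            Group       = $group.PrimarySmtpAddress
            DisplayName = $group.DisplayName
            DirSynced   = $group.IsDirSynced
        }
    }
})

# Keep a record of the memberships before changing anything.
if ($memberOf.Count -gt 0) {
    $memberOf | Export-Csv -Path $Record -NoTypeInformation
}

foreach ($entry in $memberOf) {
    if ($entry.DirSynced) {
        # Groups synced from on-premises AD cannot be edited in the cloud.
        Write-Warning "$($entry.Group) is directory-synced; remove the member on-premises."
        continue
    }
    Remove-DistributionGroupMember -Identity $entry.Group -Member $Employee `
        -BypassSecurityGroupManagerCheck -Confirm:$false
}
```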
