
Offboarding best practice

Open davidkench opened this issue 2 years ago • 8 comments

Steps 4-7 are misleading and don't give the full picture. When users are deleted from AAD, their manager, by default, is granted access to their OneDrive data for the 30-day period. In addition, removing the O365 license prior to deletion is unnecessary and could result in data loss if retention policies do not apply as intended. Deleting the account, either directly in AAD or by moving the AD object to a non-syncing OU, should be the default at Step 4/5 with no additional steps required, unless mailbox data is required and no third-party backup solution has been engaged. After deletion the license becomes available for re-use and, if mailbox data is required, this can be achieved by using the Restore Inactive Mailbox process, a third-party solution, or converting to shared as at Step 4.

It would be useful for current offboarding best practice to be provided and kept updated, with reference to current enterprise solutions.



davidkench avatar Jun 13 '22 07:06 davidkench

@msbemba

yogkumgit avatar Jun 22 '22 04:06 yogkumgit

@davidkench Thank you for your feedback. These are Microsoft recommended steps to Remove a former employee and secure data. I understand that Step 4 might not be needed in case the users do not need Mailbox data. However, these are recommended steps to avoid data loss. Requesting access to OneDrive is not always to the manager, so we wanted to make sure that the information in the document can be helpful if the organization wants to grant access to someone that replaces the former employee.

CC : @kwekuako

Hope this helps!

Thanks Sri

msbemba avatar Jun 27 '22 10:06 msbemba

Hi Sri,

My point is that the Microsoft steps are wrong and need reviewing. If you remove licenses before the account is deleted from AzureAD, the account will not be eligible for Retention Policies. Also the mailbox will go into an error state as when you remove the license, the mailbox will try to delete, which it won't be able to if Retention Policies/Lit Hold is set.

Kind regards,

David

From: Sriraman M S, Sent: Monday, 27 June 2022 8:52 PM, Subject: Re: [MicrosoftDocs/microsoft-365-docs] Offboarding best practice (Issue #8892)

davidkench avatar Jun 27 '22 22:06 davidkench

@msbemba

yogkumgit avatar Jun 28 '22 12:06 yogkumgit

@msbemba Please comment. Thanks.

yogkumgit avatar Jul 11 '22 06:07 yogkumgit

@davidkench Thank you for your feedback. If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. Also, if the account is deleted the shared mailbox (that was converted) will also get purged.

If you remove the license and a retention policy or litigation hold is set, the mailbox will not get deleted and will be available via eDiscovery search.

CC: @kwekuako the author of this document to confirm.

Thanks Sri

msbemba avatar Jul 14 '22 10:07 msbemba

Hi Sri,

"Also, if the account is deleted the shared mailbox (that was converted) will also get purged." Converting a user mailbox to shared as a method of retaining access seems to me to be a very legacy way of achieving the goal and will lead to a very untidy AD/AAD over time compared with deleting the user object, allowing the mailbox to become Inactive and then restoring/recovering it if required.

"If you remove the license and if a retention policy or litigation hold is set the mailbox will not get deleted" but it will show in an error state in AADConnect / AAD when you do eventually unsync the user object, which again is not ideal.

"and will be available via Ediscovery search." Whilst currently technically true, this is not supported under the EULAs which specify that the account must be licensed at the time the user object is deleted from AAD.

Thanks,

David


davidkench avatar Jul 14 '22 11:07 davidkench
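The disagreement above comes down to one check an admin should make before touching a license: is the mailbox under a litigation hold or retention hold, and is the account still licensed? The script below is an added example written for this page; it is not part of the issue thread, the Microsoft docs article, or any Microsoft sample. It assumes the `ExchangeOnlineManagement` and `Microsoft.Graph` modules are installed and that `Connect-ExchangeOnline` and `Connect-MgGraph` (with `User.Read.All`) have already been run. The property names it reads (`LitigationHoldEnabled`, `InPlaceHolds`, `RetentionPolicy`, `RecipientTypeDetails`) are standard `Get-Mailbox` output; the function names `Get-OffboardingReadiness` and `Test-InactiveMailbox` and the sample UPN are the example's own.

```powershell
# Added example (not from the issue thread or Microsoft's documentation).
# Pre-flight check that surfaces hold and license state BEFORE any license is removed,
# so the "remove license first" path is never taken on a mailbox that is on hold.
# Assumes: Connect-ExchangeOnline and Connect-MgGraph have already been run.

function Get-OffboardingReadiness {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Mailbox hold/retention state from Exchange Online.
    $mbx = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop

    # Assigned licenses from Microsoft Graph; @() so .Count is 0 when none are assigned.
    $licenses = @(Get-MgUserLicenseDetail -UserId $UserPrincipalName -ErrorAction Stop)

    $holdCount = @($mbx.InPlaceHolds).Count
    $onHold    = [bool]$mbx.LitigationHoldEnabled -or ($holdCount -gt 0)
    $licensed  = $licenses.Count -gt 0

    # Recommendation follows the argument made in this thread: when a hold applies,
    # delete the still-licensed account and let the mailbox become inactive;
    # do not strip the license first.
    $recommendation =
        if ($onHold -and $licensed) {
            'Delete the account while it is still licensed; the mailbox becomes inactive and stays searchable.'
        }
        elseif ($onHold -and -not $licensed) {
            'Mailbox is on hold but already unlicensed: re-license before deletion so hold coverage is not in question.'
        }
        elseif (-not $onHold -and $licensed) {
            'No hold detected: apply a retention policy or litigation hold first if mailbox data must be kept.'
        }
        else {
            'Unlicensed and not on hold: mailbox data is not protected; confirm a backup exists before deletion.'
        }

    [pscustomobject]@{
        User            = $mbx.UserPrincipalName
        MailboxType     = $mbx.RecipientTypeDetails
        Licensed        = $licensed
        LitigationHold  = [bool]$mbx.LitigationHoldEnabled
        InPlaceHolds    = $holdCount
        RetentionPolicy = $mbx.RetentionPolicy
        OnHold          = $onHold
        Recommendation  = $recommendation
    }
}

# After the account has been deleted, confirm the mailbox actually became inactive
# (rather than being purged) before releasing the license for reuse.
function Test-InactiveMailbox {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $inactive = Get-Mailbox -InactiveMailboxOnly -Identity $UserPrincipalName -ErrorAction SilentlyContinue
    return ($null -ne $inactive)
}

# Example usage with a constructed UPN (placeholder, not a real account):
# Get-OffboardingReadiness -UserPrincipalName 'former.employee@contoso.example' | Format-List
# Test-InactiveMailbox -UserPrincipalName 'former.employee@contoso.example'
```

Running `Get-OffboardingReadiness` for a leaver produces a single object that can be logged to the offboarding ticket; the `OnHold`/`Licensed` pair is the evidence that the account was deleted in a state where the inactive-mailbox path applies. `Test-InactiveMailbox` is the post-deletion check that the mailbox is recoverable, which is the precondition for the Restore Inactive Mailbox process mentioned in the opening comment.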

@davidkench I will discuss with the author internally and provide you an update.

Thanks Sri

msbemba avatar Jul 14 '22 11:07 msbemba