Offboarding Microsoft 365 Users

When an employee leaves the organization, it's essential to offboard them efficiently to prevent unauthorized access to company resources. Offboarding in Microsoft 365 involves tasks like disabling the user account, revoking licenses, and ensuring that data like email and files are either archived or transferred. In this guide, we’ll show you how to offboard users using both the Microsoft 365 Admin Center and Graph PowerShell, keeping things straightforward and user-friendly.

Why Automate the Offboarding Process?

Automating the offboarding process ensures consistency and security. By automating steps like disabling user accounts and revoking access, you reduce the risk of data breaches and human error. Graph PowerShell offers a more scalable option, especially for organizations with high employee turnover, while the Admin Center provides a more manual but still effective approach for smaller operations.

Step-by-Step Solution

Step 1: Preparing the Environment

Before you can begin offboarding users, ensure you have the correct permissions:

  • Admin Center: You need the User Administrator or Global Administrator role in Microsoft 365. The mailbox and OneDrive steps below additionally need Exchange Administrator and SharePoint Administrator rights unless you are a Global Administrator.
  • Graph PowerShell: Install the Microsoft Graph PowerShell SDK and connect with the scopes the steps below use. Delegated scopes are limited by the directory role of the account you sign in with, so the same admin role is still required.

        Install-Module Microsoft.Graph -Scope CurrentUser
        Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All", "GroupMember.ReadWrite.All", "Organization.Read.All"

    User.ReadWrite.All covers profile updates, license changes and deletion; User.EnableDisableAccount.All is needed to change accountEnabled; GroupMember.ReadWrite.All removes group memberships; Organization.Read.All lets Get-MgSubscribedSku read the tenant's license SKUs.
  • Exchange Online and SharePoint Online PowerShell: Converting a mailbox to a shared mailbox and handing over a OneDrive are not Graph operations. Install the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules and connect with Connect-ExchangeOnline and Connect-SPOService -Url https://contoso-admin.sharepoint.com (substitute your tenant name for contoso).

Step 2: Offboarding Users in Microsoft 365

Option 1: Using the Admin Center

  1. Log in to the Microsoft 365 Admin Center: Go to admin.microsoft.com and sign in with an account that holds the User Administrator or Global Administrator role.
  2. Navigate to the Users Section: From the left-hand panel, click Show all > Users > Active users.
  3. Disable the User Account: Select the user you wish to offboard and click Block sign-in. This stops new sign-ins, but sessions that already hold a refresh token keep renewing until that token is revoked, so also open the user's Account tab and click Sign out of all sessions. Access tokens already issued stay valid until they expire (typically around an hour), so a short window of access is unavoidable; resetting the password as well closes the path through any saved credentials.
  4. Transfer or Archive Data: Do this before removing licenses. Microsoft's guidance is to convert the mailbox first and remove the license afterwards; a mailbox whose license has already been removed needs the license reassigned before it can be converted.
    • Email: Convert the mailbox to a shared mailbox, or set up forwarding to a colleague from the user's Mail tab. A shared mailbox keeps its content without a license as long as it stays under 50 GB and has no archive or hold that requires one, and you can grant other users permission to open it. The account itself should stay blocked from sign-in after the conversion.
    • To convert the mailbox: open the Exchange Admin Center, go to Recipients > Mailboxes, select the user, and choose Convert to shared mailbox.
    • Files: On the user's OneDrive tab in the Admin Center, use Get access to files to create a link for the manager or another responsible person, who can then move the files into their own OneDrive or a SharePoint library. If a manager is set on the account in Entra ID, that manager is also given access automatically when the account is deleted, for the OneDrive retention period configured in the SharePoint admin center.
  5. Revoke Licenses: In the user's settings, open the Licenses and apps section, uncheck all licenses, and click Save. Licenses that arrive through group-based licensing cannot be unchecked here; they are removed when the user leaves the licensing group. Removing a license does not delete data immediately: a mailbox that was not converted to shared is disabled and retained for 30 days, and OneDrive content stays while the account exists.
  6. Remove the User from Groups: Scroll down to the Groups section and remove the user from each group. Check Teams and Microsoft 365 groups where the user is the only owner and assign a new owner before removing them.
  7. Delete the Account (Optional): You can delete the account entirely; it stays in Deleted users for 30 days and can be restored during that time. It is often better to keep the account disabled for a period for compliance or auditing reasons.

Option 2: Using Graph PowerShell

For organizations with many employees, PowerShell can help offboard users quickly and efficiently. Here’s how:

  1. Disable the User Account and Revoke Sessions: Blocking sign-in stops new sign-ins, but refresh tokens already issued keep renewing sessions until they are revoked, and access tokens already issued remain valid until they expire (typically around an hour). Get-MgUser does not return accountEnabled or licenseAssignmentStates unless you request them, so ask for them up front:

        $User = Get-MgUser -UserId "john.doe@contoso.com" -Property Id,UserPrincipalName,AccountEnabled,LicenseAssignmentStates
        Update-MgUser -UserId $User.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $User.Id

  2. Transfer or Archive Data: Do this before removing licenses. Microsoft Graph has no operation for converting a mailbox, so this step uses Exchange Online PowerShell (after Connect-ExchangeOnline). A mailbox converted while it is still licensed keeps its content without a license afterwards, up to 50 GB; an archive or a larger mailbox still needs an Exchange Online Plan 2 license.

        Set-Mailbox -Identity $User.UserPrincipalName -Type Shared
        Add-MailboxPermission -Identity $User.UserPrincipalName -User "manager@contoso.com" -AccessRights FullAccess -AutoMapping $true

     Transfer OneDrive Files: Graph has no cross-drive move either. The supported route is to make another person a site collection administrator of the user's OneDrive with SharePoint Online PowerShell (after Connect-SPOService -Url "https://contoso-admin.sharepoint.com"); they can then move the files themselves. The personal site URL follows the pattern https://contoso-my.sharepoint.com/personal/ followed by the UPN with "." and "@" replaced by "_":

        Set-SPOUser -Site "https://contoso-my.sharepoint.com/personal/john_doe_contoso_com" -LoginName "manager@contoso.com" -IsSiteCollectionAdmin $true

  3. Revoke Licenses: Remove the directly assigned licenses. Licenses inherited through group-based licensing cannot be removed per user (Set-MgUserLicense returns an error for them); they disappear when the user leaves the licensing group in the next step. -AddLicenses @() must be passed even when nothing is added.

        $Direct = @($User.LicenseAssignmentStates | Where-Object { -not $_.AssignedByGroup } | Select-Object -ExpandProperty SkuId -Unique)
        if ($Direct.Count -gt 0) {
            Set-MgUserLicense -UserId $User.Id -AddLicenses @() -RemoveLicenses $Direct
        }

  4. Remove the User from Groups: Get-MgUserMemberOf returns every directory object the user belongs to, including directory roles, so filter to groups before removing. The Graph cmdlet that removes a member is Remove-MgGroupMemberByRef. Two kinds of group will still fail: dynamic groups (membership follows the rule, so change the attribute instead) and distribution lists or mail-enabled security groups, which are managed in Exchange Online PowerShell with Remove-DistributionGroupMember, not through Graph.

        Get-MgUserMemberOf -UserId $User.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |   # skip directory roles
            ForEach-Object { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $User.Id }

  5. Delete the Account (Optional): The user is soft-deleted and can be restored from Deleted users for 30 days; after that the object, its mailbox and its OneDrive are permanently removed.

        Remove-MgUser -UserId $User.Id
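The steps above put together as one function, written as an added example for this article rather than code from it: it takes one or more UPNs (so it also covers the bulk case), runs the steps in the order their dependencies require (block and revoke, convert the mailbox while it is still licensed, remove direct licenses, leave the groups Graph can edit, delegate the OneDrive, optionally delete), supports -WhatIf, and returns a report object per user. The contoso tenant name, the manager@contoso.com delegate and the assumption that the OneDrive library is called Documents are placeholders to replace; it assumes Connect-MgGraph, Connect-ExchangeOnline and Connect-SPOService sessions already exist.

```powershell
# Added example, not part of the original article. Assumes existing sessions:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','User.EnableDisableAccount.All','GroupMember.ReadWrite.All','Organization.Read.All'
#   Connect-ExchangeOnline
#   Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant
# Modules: Microsoft.Graph (Users, Users.Actions, Groups, Files), ExchangeOnlineManagement,
#          Microsoft.Online.SharePoint.PowerShell
function Invoke-M365Offboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $DelegateUpn,      # receives mailbox and OneDrive access
        [switch] $DeleteAccount
    )

    foreach ($upn in $UserPrincipalName) {
        $report = [ordered]@{ User = $upn; Disabled = $false; SessionsRevoked = $false
                              MailboxShared = $false; LicensesRemoved = 0; GroupsRemoved = 0
                              GroupsSkipped = @(); OneDriveDelegated = $false; Deleted = $false }
        # accountEnabled and licenseAssignmentStates are not in the default property set.
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled,LicenseAssignmentStates

        # 1. Block sign-in, then invalidate refresh tokens so cached sessions stop renewing.
        #    Access tokens already issued stay valid until they expire (around an hour).
        if ($PSCmdlet.ShouldProcess($upn, 'Block sign-in and revoke sessions')) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
            $null = Revoke-MgUserSignInSession -UserId $user.Id
            $report.Disabled = $true; $report.SessionsRevoked = $true
        }

        # 2. Convert the mailbox while it is still licensed (a shared mailbox under 50 GB
        #    needs no license afterwards) and give the delegate full access.
        if ($PSCmdlet.ShouldProcess($upn, "Convert mailbox to shared, grant $DelegateUpn full access")) {
            Set-Mailbox -Identity $upn -Type Shared
            Add-MailboxPermission -Identity $upn -User $DelegateUpn -AccessRights FullAccess -AutoMapping $true | Out-Null
            $report.MailboxShared = $true
        }

        # 3. Remove only directly assigned licenses; group-inherited ones cannot be removed
        #    per user and would make Set-MgUserLicense fail.
        $direct = @($user.LicenseAssignmentStates | Where-Object { -not $_.AssignedByGroup } |
                    Select-Object -ExpandProperty SkuId -Unique)
        if ($direct.Count -gt 0 -and $PSCmdlet.ShouldProcess($upn, "Remove $($direct.Count) license(s)")) {
            $null = Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct
            $report.LicensesRemoved = $direct.Count
        }

        # 4. Leave groups. memberOf also returns directory roles; dynamic groups and
        #    Exchange-managed (mail-enabled, non-Microsoft 365) groups are skipped and reported.
        foreach ($obj in Get-MgUserMemberOf -UserId $user.Id -All) {
            $p = $obj.AdditionalProperties
            if ($p['@odata.type'] -ne '#microsoft.graph.group') { continue }
            $isDynamic  = @($p['groupTypes']) -contains 'DynamicMembership'
            $isExchange = $p['mailEnabled'] -and -not (@($p['groupTypes']) -contains 'Unified')
            if ($isDynamic -or $isExchange) { $report.GroupsSkipped += $p['displayName']; continue }
            if ($PSCmdlet.ShouldProcess($p['displayName'], "Remove $upn")) {
                Remove-MgGroupMemberByRef -GroupId $obj.Id -DirectoryObjectId $user.Id
                $report.GroupsRemoved++
            }
        }

        # 5. Make the delegate a site collection admin of the OneDrive. The personal site URL
        #    is derived from the default drive's webUrl (assumes the library is named "Documents").
        try {
            $drive   = Get-MgUserDefaultDrive -UserId $user.Id -ErrorAction Stop
            $siteUrl = $drive.WebUrl -replace '/Documents/?$', ''
            if ($PSCmdlet.ShouldProcess($siteUrl, "Grant $DelegateUpn site collection admin")) {
                Set-SPOUser -Site $siteUrl -LoginName $DelegateUpn -IsSiteCollectionAdmin $true | Out-Null
                $report.OneDriveDelegated = $true
            }
        } catch { Write-Warning "No OneDrive handed over for ${upn}: $($_.Exception.Message)" }

        # 6. Optional soft delete; the object stays restorable for 30 days.
        if ($DeleteAccount -and $PSCmdlet.ShouldProcess($upn, 'Delete account')) {
            Remove-MgUser -UserId $user.Id
            $report.Deleted = $true
        }
        [pscustomobject]$report
    }
}

# Usage (placeholders): dry run first, then the real run, optionally from a CSV of leavers.
# Invoke-M365Offboarding -UserPrincipalName 'john.doe@contoso.com' -DelegateUpn 'manager@contoso.com' -WhatIf
# Import-Csv .\leavers.csv | ForEach-Object { Invoke-M365Offboarding -UserPrincipalName $_.UPN -DelegateUpn $_.Manager }
```

Running with -WhatIf prints every action without performing it, which is the check to do before pointing the function at a list of accounts. The GroupsSkipped field in the report is the list to finish by hand: Remove-DistributionGroupMember in Exchange Online for the Exchange-managed groups, and an attribute change for the dynamic ones.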
    

Step 3: Verifying the Results

Option 1: Using the Admin Center

  1. Login to Microsoft 365 Admin Center: Go to admin.microsoft.com and log in using your admin credentials.
  2. Check User Status: Navigate to Users > Active Users and search for the user. You should see that the account is either disabled or deleted based on your actions.
  3. Verify License Removal: In the user’s profile, check the Licenses and Apps section to ensure that all licenses have been revoked.
  4. Confirm Group Removal: Under the Groups section, verify that the user has been removed from all associated groups.

Option 2: Using Graph PowerShell

  1. Verify User Account Status: Get-MgUser does not return accountEnabled unless it is requested, so ask for the property explicitly:

        Get-MgUser -UserId $User.Id -Property UserPrincipalName,AccountEnabled | Select-Object UserPrincipalName,AccountEnabled

     To list every disabled account in the tenant instead:

        Get-MgUser -All -Filter "accountEnabled eq false" -Property UserPrincipalName,AccountEnabled | Select-Object UserPrincipalName,AccountEnabled

  2. Verify License Removal: The command should return nothing for a fully offboarded user:

        Get-MgUserLicenseDetail -UserId $User.Id

  3. Verify Group Removal: Only the objects you deliberately left (directory roles, Exchange-managed or dynamic groups) should remain:

        Get-MgUserMemberOf -UserId $User.Id -All |
            Select-Object Id, @{n='Name'; e={ $_.AdditionalProperties['displayName'] }}, @{n='Type'; e={ $_.AdditionalProperties['@odata.type'] }}
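The three checks combined into one function that returns a pass/fail object for a ticket or audit log, written as an added example rather than code from the article. It assumes existing Connect-MgGraph (User.Read.All is enough) and Connect-ExchangeOnline sessions, and that the intended end state is a shared mailbox; if the mailbox was forwarded instead, ignore the MailboxShared check.

```powershell
# Added example, not part of the original article. Assumes Connect-MgGraph and
# Connect-ExchangeOnline sessions already exist.
function Test-M365Offboarding {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    try {
        # accountEnabled is not in Get-MgUser's default property set; request it explicitly.
        $u = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled -ErrorAction Stop
    } catch {
        # Get-MgUser does not return soft-deleted objects, so "not found" normally means deleted.
        return [pscustomobject]@{ User = $UserPrincipalName; Exists = $false; Passed = $true; Checks = $null }
    }

    $licenses = @(Get-MgUserLicenseDetail -UserId $u.Id)
    $groups   = @(Get-MgUserMemberOf -UserId $u.Id -All |
                  Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $mailbox  = Get-Mailbox -Identity $UserPrincipalName -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        SignInBlocked = -not $u.AccountEnabled
        NoLicenses    = $licenses.Count -eq 0
        NoGroups      = $groups.Count -eq 0
        MailboxShared = ($null -ne $mailbox) -and ($mailbox.RecipientTypeDetails -eq 'SharedMailbox')
    }
    [pscustomobject]@{
        User            = $u.UserPrincipalName
        Exists          = $true
        Passed          = -not ($checks.Values -contains $false)
        Checks          = [pscustomobject]$checks
        RemainingGroups = @($groups   | ForEach-Object { $_.AdditionalProperties['displayName'] })
        Licenses        = @($licenses | ForEach-Object { $_.SkuPartNumber })
    }
}

# Usage: Test-M365Offboarding -UserPrincipalName 'john.doe@contoso.com'
```

RemainingGroups and Licenses name exactly what still has to be cleaned up, which is more useful than a bare failure: a remaining license with a group-based assignment points at the licensing group, and a remaining mail-enabled group points at Exchange Online PowerShell.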

Advanced Tips (Optional)

  • Automate the OneDrive Handover: There is no Graph operation that moves items between two users' drives, so script the handover instead: find the personal site with Get-SPOSite -IncludePersonalSite $true and grant the manager site collection admin rights with Set-SPOUser, or rely on the OneDrive retention setting in the SharePoint admin center, which gives the manager set in Entra ID access automatically when the account is deleted.
  • Create Offboarding Templates: Pre-build PowerShell scripts for different user roles (for example, temporary contractors versus full-time employees) and run them with -WhatIf first, so a mistyped UPN cannot disable the wrong account.

Common Errors & Troubleshooting

  • Error: License Removal Failed
    • Cause: The SKU ID is not assigned to the user, the license is inherited from a group (group-based licensing) and cannot be removed per user, or -AddLicenses was omitted.
    • Solution: Check the tenant's SKU IDs with Get-MgSubscribedSku and the user's assignments with Get-MgUser -Property LicenseAssignmentStates; remove the user from the licensing group for inherited licenses, and always pass -AddLicenses @() alongside -RemoveLicenses.
  • Error: Unable to Disable User
    • Cause: Insufficient permissions: the signed-in account lacks the User Administrator (or higher) role, or the session was not granted the User.EnableDisableAccount.All scope.
    • Solution: Reconnect with Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All" using an account that holds the role; Get-MgContext shows the scopes of the current session.
  • Error: Group Member Removal Failed
    • Cause: The object returned by Get-MgUserMemberOf is a directory role, a dynamic group, or an Exchange-managed distribution list or mail-enabled security group.
    • Solution: Filter to objects whose @odata.type is #microsoft.graph.group, change the attribute that drives a dynamic group's rule instead of editing its membership, and use Remove-DistributionGroupMember in Exchange Online PowerShell for the Exchange-managed groups.
  • Error: OneDrive Access Grant Failed
    • Cause: The personal site URL is wrong, the OneDrive was never provisioned, or the session is not connected to the tenant admin site.
    • Solution: Confirm the URL with Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" or from the WebUrl returned by Get-MgUserDefaultDrive -UserId $User.Id, and make sure Connect-SPOService targets https://contoso-admin.sharepoint.com (your tenant name in place of contoso).

Conclusion

Offboarding users efficiently in Microsoft 365 is vital for maintaining security and preventing unauthorized access. Whether you're using the Admin Center for smaller operations or Graph PowerShell for larger-scale tasks, automation can make the process smoother and reduce the likelihood of errors. The combination of disabling accounts, revoking licenses, and transferring data ensures a complete offboarding process.


FAQs

  • What happens to the user's data after offboarding?
  • Email and OneDrive content can be transferred or archived while the account is still disabled but not deleted: convert the mailbox to a shared mailbox or forward it, and give a manager access to the OneDrive. After the account is deleted, a mailbox that was not converted is retained for 30 days (longer if it is under a hold) and the OneDrive for the retention period set in the SharePoint admin center, 30 days by default; after that the data is gone.
  • Can I automate offboarding for multiple users?
  • Yes. With Graph PowerShell (plus Exchange Online and SharePoint Online PowerShell for the mailbox and OneDrive steps) you can wrap the steps in a function and feed it a list of UPNs, for example from a CSV exported by HR; run it with -WhatIf first.

© m365corner.com. All Rights Reserved. Design by HTML Codex