Microsoft 365 Offboarding Checklist for Small Businesses

Employee offboarding is one of the easiest places for a Microsoft 365 environment to become messy. If access is removed too quickly, important business data can become hard to reach. If access stays open too long, the business takes on avoidable security risk.

A good offboarding process should protect the business, preserve the information the team still needs, and leave a clear record of what was changed. This checklist is written for small and mid-sized businesses that use Microsoft 365, Teams, SharePoint, OneDrive, Outlook, and common cloud applications.

Before The Last Day

Before disabling anything, identify what the employee owns or touches. This usually includes mailbox data, OneDrive files, Teams memberships, SharePoint permissions, mobile devices, desktop devices, MFA methods, shared mailboxes, and third-party apps that use Microsoft sign-in.

• Confirm the final work date and exact access cutoff time
• Identify whether the departure is routine or sensitive
• List business-critical files, mailboxes, and applications
• Decide who should receive access to email and files after departure
• Confirm whether devices will be returned, wiped, reassigned, or retired

Block Sign-In At The Right Time

When the employee leaves, block sign-in for the Microsoft 365 account. For sensitive departures, this should happen before the employee is notified or before devices are returned. For normal departures, it can be scheduled around the agreed final working time.

After blocking sign-in, revoke active sessions so existing browser sessions and mobile app sessions cannot continue using the account. Also review MFA methods, recovery information, and alternate email addresses to make sure they cannot be used later.

Preserve Email Without Keeping The User Active

Do not delete the mailbox immediately unless there is a clear retention decision. In many cases, the mailbox should be converted to a shared mailbox, delegated to a manager, or preserved according to the business retention policy.

• Set an automatic reply if clients or vendors may still email the old address
• Delegate mailbox access only to the people who need it
• Review forwarding rules and inbox rules
• Remove mobile device access where appropriate
• Document who received access and why

Transfer OneDrive And SharePoint Data

OneDrive often contains working documents, drafts, client files, and files that should have lived in SharePoint. Review the user’s OneDrive before deletion and transfer ownership where needed. If files belong to a team, move them into the correct SharePoint site or Teams-connected library.

Also check SharePoint permissions. Former employees may have direct access to folders, Teams, private channels, or shared links. Removing the account from groups is helpful, but it does not always catch every permission that was granted manually.

Review Teams, Groups, And Shared Mailboxes

Microsoft 365 groups, Teams, shared mailboxes, distribution lists, and security groups all need review. This is where offboarding gaps often hide. A user might be removed from the main team but still have access through another group or delegated mailbox.

• Remove the user from Teams and Microsoft 365 groups
• Remove shared mailbox access
• Remove admin roles and privileged access
• Review distribution lists and external sharing
• Confirm line-of-business app access separately

Handle Devices And Local Data

If the business manages devices through Intune or another endpoint tool, confirm the device state before reassignment. For unmanaged devices, review whether business data was synced locally through OneDrive, Outlook, Teams, or browser profiles.

Returned laptops should be checked, backed up if needed, wiped or reset, patched, and reassigned only after the former user’s access has been removed. Mobile devices may need a selective wipe or full wipe depending on ownership and policy.

Clean Up Licenses Without Losing Data

Microsoft 365 licenses cost money, but removing a license too early can affect mailbox access, OneDrive retention, and service availability. First preserve the data. Then remove or reassign the license once you know the mailbox, files, and retention needs are handled.

Keep An Offboarding Record

Document the account disabled date, who approved the change, who received mailbox or file access, which devices were returned, and which third-party systems were updated. This record matters later if there are questions about access, files, invoices, or client communication.

A Practical Next Step

If offboarding is handled differently every time, create a repeatable checklist before the next employee leaves. OnlineV can help Calgary and remote teams clean up Microsoft 365 access, document offboarding steps, and make sure security and business continuity are both considered.