Home
Microsoft

New guided workflow for deleting Microsoft 365 users

As an IT admin, there are certain tasks and process that happen almost daily. We’re using customer feedback to identify those common tasks and make them easier and faster to perform with repeatable results. Deleting a user when they leave an organization is one of those common tasks. From the IT side, it can take multiple steps to offboard a user. From the business side, it can be easy to lose valuable data stored in the user’s documents and email.

 

We’re combining the steps it takes to delete a user, retain their documents, and retain their email into a single workflow with in-context guidance. This guided workflow is available now to all Microsoft 365 admins.

 

Start the process and decide what to do with licenses

When a user leaves your organization, you should immediately block their access to your Microsoft 365 subscription. This gives you some time to decide what to do with their licenses, documents, and emails. The Microsoft 365 admin center will walk you through each of these choices when you start the delete process.

 

The first choice you’ll need to make it what to do with that user’s licenses. If you purchased their licenses from a partner or through a volume licensing agreement, their licenses will return to your available pool so that you can assign them to another user. If you purchased the licenses thorough a direct subscription and do not want to reallocate them to a different user, you can also choose to reduce your monthly spend.

 

1.png

 

 

Assign OneDrive access

The person leaving your organization may have stored important files on their OneDrive that you want to retain for later use. In the guided workflow for deleting a user, you have the option to assign access to those files to anyone in your organization. Previously, your only option was to assign access to their manager using Azure Active Directory, and it was a multi-step process that only applied to OneDrive.

 

Assign email access

It can also be helpful to retain access to a deleted user’s email. When a user leaves your organization, you can convert their mailbox to a shared mailbox and assign access to anyone within the organization. You can change the display name, turn on automatic replies, and disassociate aliases so that they can be used elsewhere. Automatic replies can be especially valuable for anyone that had regular interaction with people outside of your company, ensuring that you can maintain relationships with your clients and vendors.

 

 

3.png

 

Review your selections

Once you’ve decided what you want to do with your deleted user's licenses, files, and emails, you’ll have the opportunity to review those settings before you finalize the process.

 

4.png

 

 

After selecting “Assign access and convert user,” Microsoft 365 will perform the requested actions and notify any user who now has access to the emails and files.

 

5.png

  

More actionable insights built in

Our goal is to provide timely, concise help directly within the context of the admin center so that you can deliver the highest possible service quality to your end user. Look for more actionable intelligence and guided workflows as we continue to improve the Microsoft 365 admin experience. To stay up to date on the latest news and features for Microsoft 365, join the conversation in the Microsoft 365 Tech Communities and on Twitter.

 

 

89 Comments
Regular Visitor

Thank you! We've been grappling with this for months!

New Contributor

Great news! What's the least privilege someone needs to perform those actions?

Microsoft

@Jacob Schleappi- Thanks for taking the time to leave a note. We really do listen!

Microsoft

@James Downs- Glad you like it. It's hard to think of admin roles in terms of "least," but there are a few that can do this. Most notably, if you're doing a lot of this kind of thing, you can specifically assign a user management administrator. Check out the support docs for the different types of admins.

New Contributor

Adding actions to remove the user from any Teams, and if they're the only Owner to assign that role to another Team member?

Occasional Visitor

How do you initiate this process with a hybrid setup where you can only delete accounts from on-prem ADDS?

Regular Visitor

We are in the process of moving from GSuite to Microsoft.  There is a list of important features that don’t exist in MS that we have to come up with workarounds for.  I love seeing the continued progress on these, and makes me confident that we made the right choice to switch.

Valued Contributor

Hi @Brian Besand: how does removing the licenses work with giving access to OneDrive? Won't the OneDrive be deleted after 30 days upon removing the license?

Contributor

I had the same question as @Mark Dickson

Microsoft

@Barbara Pouliot- That's not currently on the roadmap, but we'll take it into consideration.

@Mark Dickson and @Navishkar Sadheo- Great question- let me look into that and get back to you.

@Charlie Rube- Thanks for the kind words! Stay tuned here for more announcements like this.

@Ivan UngerGreat question- let me look into that and get back to you.

Occasional Visitor

Similar question to @Mark Dickson

We work mainly with hybrid setups. Even the process of converting a user mailbox to shared mailbox using o365 admin sees some form of retention of the AD user object in on prem AD. Delete the user from on prem AD and the shared mailbox will disappear. 

Would be cool to have an option in the workflow that could truely convert a "leaver" mailbox to a pure cloud shared mailbox that could be assigned to an alternative user.

Visitor

Hi Brian! I'd also be interested in the on prem hybrid scenario with AD. I have a client very interested in this workflow, a very needed addition!  

Microsoft

For all those interested in the hybrid scenarios- note that this new workflow doesn't apply, since the source of authority is the on-premises Active Directory. This is good feedback to think about those scenarios, though, and I've shared that with the product team. CC @Mark Dickson@Navishkar Sadheo@Colin Steen@Jim Falgout

 

@Ivan Unger- I haven't found a definitive answer for you yet, but I see no reason why the policy would change due to this workflow.

Occasional Visitor

I agree the hybrid setup is extremely common. Maybe we could get a Office365 AD module pack that adds a similar work flow to our on premise AD. Just have it as an installation option along with the Azure AD Synch tool. Then we could do this workflow from our AD's and have it update into the Azure AD which would then update the O365. 

On premise AD really needs to get a bit of a hybrid option pack to it. Much like MS has done with Hyper-V, and server. Where they reworked it to be hybrid friendly. Cause in reality all any of these tools do is run a ton of powershell scripts they are auto generating in the backend. Just pass the gui down to on premise AD. 

 

Occasional Contributor

With regards to hybrid configurations - we disable the on-prem AD account as well as removing licenses in O365 and converting to a shared mailbox. To "delete" the user, we move the disabled AD account to an OU that is outside of sync scope for Azure AD Connect. This has basically the same effect as deleting the user in Azure AD.

I will say we don't do any of this manually. We have a PowerShell script our Service Desk staff runs that basically does it all. (We also change a lot more than what's listed in this article, such as automatically setting an Autoreply message, disabling ActiveSync, resetting the password, removing their picture, hiding the user from Address Books, removing the user from distribution and Modern groups, etc., etc.)

Occasional Visitor

Does this apply to all Office 365 Subscriptions or Just Microsoft 365?

Occasional Contributor

We have an Office 365 subscription, but should work with Microsoft 365 as well since they have common user management methods.

I strongly recommend testing any new processes in a test environment, since AD/Azure AD is the last thing you want to mess up!

Occasional Visitor

I just tried using the "Delete User" option under "Active Users" and the interface doesn't look like the screen shots in this blog entry.  Is the guided delete operational yet?  Is there a different link to use in order to get to it?


@Brian Besand wrote:

As an IT admin, there are certain tasks and process that happen almost daily. We’re using customer feedback to identify those common tasks and make them easier and faster to perform with repeatable results. Deleting a user when they leave an organization is one of those common tasks. From the IT side, it can take multiple steps to offboard a user. From the business side, it can be easy to lose valuable data stored in the user’s documents and email.

 

We’re combining the steps it takes to delete a user, retain their documents, and retain their email into a single workflow with in-context guidance. This guided workflow is available now to all Microsoft 365 admins.

 

Start the process and decide what to do with licenses

When a user leaves your organization, you should immediately block their access to your Microsoft 365 subscription. This gives you some time to decide what to do with their licenses, documents, and emails. The Microsoft 365 admin center will walk you through each of these choices when you start the delete process.

 

The first choice you’ll need to make it what to do with that user’s licenses. If you purchased their licenses from a partner or through a volume licensing agreement, their licenses will return to your available pool so that you can assign them to another user. If you purchased the licenses thorough a direct subscription and do not want to reallocate them to a different user, you can also choose to reduce your monthly spend.

 

1.png

 

 

Assign OneDrive access

The person leaving your organization may have stored important files on their OneDrive that you want to retain for later use. In the guided workflow for deleting a user, you have the option to assign access to those files to anyone in your organization. Previously, your only option was to assign access to their manager using Azure Active Directory, and it was a multi-step process that only applied to OneDrive.

 

Assign email access

It can also be helpful to retain access to a deleted user’s email. When a user leaves your organization, you can convert their mailbox to a shared mailbox and assign access to anyone within the organization. You can change the display name, turn on automatic replies, and disassociate aliases so that they can be used elsewhere. Automatic replies can be especially valuable for anyone that had regular interaction with people outside of your company, ensuring that you can maintain relationships with your clients and vendors.

 

 

3.png

 

Review your selections

Once you’ve decided what you want to do with your deleted user's licenses, files, and emails, you’ll have the opportunity to review those settings before you finalize the process.

 

4.png

 

 

After selecting “Assign access and convert user,” Microsoft 365 will perform the requested actions and notify any user who now has access to the emails and files.

 

5.png

  

More actionable insights built in

Our goal is to provide timely, concise help directly within the context of the admin center so that you can deliver the highest possible service quality to your end user. Look for more actionable intelligence and guided workflows as we continue to improve the Microsoft 365 admin experience. To stay up to date on the latest news and features for Microsoft 365, join the conversation in the Microsoft 365 Tech Communities and on Twitter.

 

 


 

Senior Member
What do I do If I have an employee account that is selected in a Sharepoint People Column and I need to offboard them? Is there any scenario where I can discontinue paying for the license but retain their name within the list item?
New Contributor

Very cool.  Can we use powershell to do this?  We have manual scripts to disable accounts and other items when a person leaves and then another script we delete accounts after a year and we can easily prompt to have tech to input account to share data with. 

Occasional Visitor

🙏🏼 Thank you so much. This had made life so much easier

Occasional Visitor

Just what I have been looking for, however when I tried and get the below message about user has been placed on legal hold.  How do I remove "Legal hold"

 

What do you want to do with Murray McDonald's licenses, OneDrive files, and email? You can restore deleted users and their data up to 30 days after you delete them.
Product licenses
These licenses are assigned to Murray McDonald.
Office 365 Enterprise E3
This license can't be removed because it is part of an annual subscription. You can assign it to another user later.
Microsoft Flow Free
This license can't be removed. You can assign it to another user later.
 
OneDrive (optional)

Murray McDonald has been placed on legal hold. Data can't be assigned to other users until the legal hold is removed

 
Email (optional)

Murray McDonald has been placed on legal hold. Data can't be assigned to other users until the legal hold is removed

New Contributor

Will this be available to consume through GraphAPI somehow? 

Contributor

great work!

 

Is there intent to add the ability to export the users mailbox?

This is the biggest pain for us at the moment. Hybrid users, cloud mailbox. The only way we can do it is move the mailbox back on-prem and then export it. It would be great to have the workflow do this for us.

Occasional Visitor

Good step in the right direction!

 

+1 on the hybrid setup.

Another note: Currently we are putting an in-place hold/inactive state on all the mailboxes of users who left the company.

If we change them to a shared mailbox as suggested my Microsoft we are still not able to delete the user account on on-prem AD.

Resulting in a huge OU with users who left the company. We like to get rid of those too...

 

If this workflow can be made compatible with on-prem AD as suggested by others earlier that would be great! especially with the/an option to delete the on-prem user account entirely.

Regular Visitor

@Brian Besandas with others we have a Hybrid setup so would be really useful to know how we can perform some of these actions either through powershell cmd-lets manually or triggered on account disabled in on-premise AD.

Visitor

Does this apply to synced users from AD or just cloud users please. Great feature btw.

New Contributor

Any plans for making automatic triggers and actions? 

Example

User gets deleted on-prem or in Cloud, do these actions:

1. Send Email to manager
2. Give Email/ODFB Permissions to manager

 

Occasional Visitor
Can't see where to access this feature - not in delete active user ?
Occasional Contributor

Hi, does the mailbox need to be converted to a shared mailbox in order for automatic replies to work?

 

Occasional Contributor

Why the superfluous text "going forward" on the Licenses question?

Regular Visitor

@Jim Rinkenberger Would you be willing to share your powershell scripts for on prem account removal?

Senior Member

Hybrid option is key for this important activity but extremely welcoming to see at least a start on the workflow process, but role on Hybrid. Do we need t o vote for this somewhere

Regular Visitor

Certainly step forward, thanks. Although few more options would be nice.

1. option to modify text of email to assigned user (different language; for users that are not using outlook app...)

2. option to specify permissions for assigned user (read only, not grant send as rights automaticaly, maybe even specify rights by folders)

3. option to keep forwarded emails in or not

4. grant rights to more than one user.

Thanks for making o365 more admin friendly.

Senior Member

Timely update, as I have been struggling with a couple of personnel departures from our organization, and managing their data (emails and files on One Drive).  In addition, the previous people in the IT management role did not have an IT background, and I am finding issues and cleaning up behind them.

Occasional Contributor

Also would like to request some solution in an AD Connect (hybrid or non-hybrid) scenario.   Typically we convert a terminated employee to a shared mailbox but that brings up an issue with the AD sync part.  If you move the AD user account to a non-synced OU, then it deletes them from 365, even if they are converted to a shared mailbox.  So you either need to continue syncing your disabled users or you need to jump thru a few hoops and run a powershell command to set their ImmutableID to null in order to sever the link between AD and 365. Then they can continue to exist as an "In Cloud" account.  

 

If there was a button in this offboarding wizard to say "break the link from AD connect and leave them as a cloud shared mailbox" that would be incredibly useful!

 

Jason

 

Occasional Visitor

Thanks, Brian

Can we give access to the OneDrive files to more than one person?  When will this be in effect? (I tried it on 13 August 9AM EDT and didn't see the options outlined)

Occasional Contributor

Since a few have asked about the script I mentioned for terminating users synchronized with Azure AD Connect, I posted a copy of it in the TechNet Script Center.

https://gallery.technet.microsoft.com/scriptcenter/Office-365-User-Termination-f623825a

 

I want to mention that the script moves the local AD user object to a special "Disabled" OU. We run another PowerShell script that checks that OU for accounts with an expiration date >30 days and moves them into another OU that is outside of Azure AD Connect sync scope. Moving the user object o that excluded OU has a similar effect in Office 365 as deleting the user object.

 

The script is provided as-is and may need adjustment for your environment. PLEASE test before using!

Contributor

@Brian Besand Does the new process also send follow-ups to the persons that were granted access before the 30 days deadline?  We had already established a very similar workflow internally and sometimes people are too busy to finish the review of OneDrive files before 30 days.  Would be nice to have an extension option or a reminder sent to both the person that has been given access and the Global Admins.

And a BIG +1 to the thing about Teams Owners.  We still have not allowed Teams to be used because of chaotic Admin/management/control governance.

Needing to run PowerShell for the most basic Global Admin functions should not be required.

Senior Member

This is a great feature! Thank you!

Occasional Visitor

Thanks team this is very good feature which will guide admin what to do when he/she is new to office365

A huge hole in this workflow is that for any organizations that use AAD Connect, your changes will be disregarded at the next sync. We've had to jump through several hoops to gracefully de-provision a user. 

 

Our workflow is as follows:

  1. Deactivate user on-prem to block access to Office365 (portal will be overridden if set there. this is another point of frustration)
  2. Manual adjustment of security and distribution lists as appropriate
  3. When appropriate, delete user on-prem, which deletes the user on the portal
  4. Run a FULL sync via AAD Connect. If you don't the next steps wont work
  5. In O365 portal, restore the account. This will make it a "cloud" account.
  6. Wait approximately 1-2 hours for account to restore (this happens even if it's only deleted for a moment)
  7. Proceed with the new user deletion workflow.

 

I do love this workflow as it is a HUGE improvement for OneDrive ownership and allows retention of the mailbox for audit and business continuity without chewing up a license. However writing the changes back to the on-prem AD accounts is a critical, and missing, piece.  Most Microsoft shops are in some state of hybrid configuration between on-prem and cloud, and the fact that these tools do not take that into account is incredibly frustrating. 

Occasional Visitor

@Theo EconomidesIn order for it to show what you see in the screenshot, go to Home, Active Users, and click on Delete a User. 

Occasional Visitor

You really need to add an option for easier export of mailbox to a .PST file, and export of OneDrive to a .zip archive or something similar.   

 

Also as others have pointed out there are gaps in this with regards to AAD Connect that need more consideration.

Regular Visitor
With the new Shared Mailbox behaviour, how does this affect large user mailbox with archives?
Senior Member

Thanks, this is something we were waiting for a long time. It is goin to help a lot.

Senior Member

This is a really great new feature, and will make it much easier for the helpdesk to take care of leavers! We're just starting out on our 365 journey so having more tools available at this point to ease the team in to things is definitely appreciated.

 

However I'm disappointed to read it can't be used by orgs in hybrid environments. We use Azure AD Sync with our on-prem AD, and assign licenses through AD group membership. Our leaver process therefore involves disabling the account/moving it to a non-Azure-aware OU to take care of removing the license assignment and releasing it back into the pool, but the OneDrive and Exchange mailbox portions of this workflow would be extremely helpful to us. @Brian Besand, if there's some way you can decouple the account/identity parts of the workflow from the OneDrive/Exchange parts so the latter could still be used by those of us in a hybrid configuration, that would be fantastic.

Regular Visitor

If all licenses are removed, how is the user able to keep OneDrive and Exchange access? Is the mailbox converted to a shared mailbox. 

 

Does anyone know what the instructions look like that are sent to the user? 

@Mikey Romero, the user does not retain access. Access to Exchange and OneDrive are delegated to the other accounts. In the case of OneDrive it's purged at a set time (configured globally and adjustable at the time of deletion). For Exchange the mailbox is converted to a shared mailbox.  You should note that it keeps a "user" in the active users list, but no license is required.

Visitor

The OneDrive radio button says to give access of the OneDrive to another user, the status page at the end though says "transfer to 'x'". What actually happens to the OneDrive, does it remain in place with new permissions or is it actually moved to the designated user's OneDrive?