What to do with former staff accounts in Office 365: changing the password

Staff leave organisations all the time for various reasons. In the olden days IT departments would simply disable the account upon exit time, perform some content migration tasks, and that was the end of it.

These days that’s not so simple as IT doesn’t necessarily have control of the systems, and there are more systems to work with. Obviously in the world of cloud we need some form of identity management to flow through so that the former staff member’s account can be disabled in Active Directory and have that action be replicated in services such as Office 365, Salesforce, Trello, and any others that may be in use.

In this three-part blog series I’ll be covering the impacts associated with the different approaches to handling former staff accounts, and how that impacts Office 365 services.

As mentioned earlier – in the olden days this was simpler as everything was behind the firewall so once the Active Directory account was disabled, generally everything else was disabled too.

From a communications perspective if someone emailed the former staff member their email was usually forwarded on to the manager, fellow team members, or replacement. Depending on the courtesy of the organisation they might set an auto-response on the mailbox informing senders that the recipient had left the organisation. The same would generally be done with their phone extension as well. If the organisation used Skype for Business (or its predecessors) and was federated with partners, the former staff member’s presence would display as “Presence unknown”.

From a content perspective, the contents of the former staff member’s home drive and operating system profile would be scoured for useful files that need to be retained.

In the world of Office 365 though a user identity is more than just access and content. How we treat that identity can impact other systems and people.

When looking at a former staff member account we have three actions available to us:

  • Disable: this stops the account from working, but still keeps the identity and resources available to the organisation
  • Delete: this deletes the account from the directory, and all resources associated will be deleted or triggered for deletion workflow (eg. mailbox, OneDrive for Business, Skype for Business, Yammer, etc.)
  • Change password: the account and resources still exist and function exactly as they did previously, the only difference is that the former employee can’t access the account

Let’s take a look at the most risk-averse approach of changing the password.

Benefits of this approach

The main benefit of only changing the password for a former staff member is that the account remains fully operational. It means that no linkages are broken, no services stop working, and in effect the account continues to operate as if the former employee was still there – they just don’t have access to this account.

By far it’s the quickest and simplest approach to stopping a former employee from accessing their account, and the reality is that’s the primary benefit.

There are no time limits on this approach, and managers can get access to staff resources like their mailbox and OneDrive – allowing them to respond and act on anything that continues to come in to the former staff member’s account.

Negatives of this approach

I believe that unfortunately there are more negatives than positives in this approach, more so for the former staff member – not just their peers and the organisation

  • The account still consumes an Office 365 license, however in the grand scheme of things this is not a great cost (unless it’s a large organisation and there are many accounts still active)
  • The former staff member’s profile and account are still active and visible in more social services such as Skype for Business, Yammer and Teams. People will still be able to “communicate” with what still appears to be the person, albeit they will never get a response – much like talking to a cardboard cut-out of the person. This can reflect negatively on the former staff member, because not everyone in the organisation knows that they have left (this is very subjective based on size of organisation and internal communications) and therefore someone might be left wondering why the former staff member is no longer responding. This can be flustering for the person attempting to communicate with the cardboard cut-out.
  • There will still be workflows running under the person’s account that could be performing actions, sending notifications or messages which can ultimately confuse people.

And this last point is probably one of the most dangerous ones. Any workflows set up under Microsoft Flow, or connectors in things such as Groups will make it appear that the former staff member’s account is still active. To those who don’t know that the person has left – they may still attempt to engage with them based on these actions, or to people who do know that the person has left they may be wondering why the former staff member is continuing to work in the company environment.

Recently I was involved in a discussion where a person was being legally pursued by their former employer for allegedly continuing to access company resources since leaving their employ. This was based on an Office 365 account activity log and unfortunately the lawyers didn’t speak technology, so took the log and fired off a warning to the former employee. The problem was that the log was made up of workflows and connectors continuing to operate, as well as the former employee’s manager accessing their resources – so there was no foul activity at all on behalf of the former employee. It didn’t stop the lawyer representing the former employer from attacking the former employee – not a positive experience at all. This results in egg on the face of the employer because it shows that either their technical staff don’t understand what the log file means (and therefore why are they touching the technology!?), or that they did know what it meant and were deliberately vexatious in their pursuit of the formerly employee.

Changing password can be good because the account is still active which makes it easy to access and operate, however still consumes a license. It also means that any existing workflows, activities, or access permissions still operate which can lead to confusion by people both inside and outside of the organisation.


Discover more from Loryan Strant, Microsoft 365 MVP

Subscribe to get the latest posts sent to your email.

Discover more from Loryan Strant, Microsoft 365 MVP

Subscribe now to keep reading and get access to the full archive.

Continue reading