What to do with former staff accounts in Office 365: changing the password

Staff leave organisations all the time for various reasons. In the olden days IT departments would simply disable the account upon exit time, perform some content migration tasks, and that was the end of it.

These days that’s not so simple as IT doesn’t necessarily have control of the systems, and there are more systems to work with. Obviously in the world of cloud we need some form of identity management to flow through so that the former staff member’s account can be disabled in Active Directory and have that action be replicated in services such as Office 365, Salesforce, Trello, and any others that may be in use.

In this three-part blog series I’ll be covering the impacts associated with the different approaches to handling former staff accounts, and how that impacts Office 365 services.

As mentioned earlier – in the olden days this was simpler as everything was behind the firewall so once the Active Directory account was disabled, generally everything else was disabled too.

From a communications perspective if someone emailed the former staff member their email was usually forwarded on to the manager, fellow team members, or replacement. Depending on the courtesy of the organisation they might set an auto-response on the mailbox informing senders that the recipient had left the organisation. The same would generally be done with their phone extension as well. If the organisation used Skype for Business (or its predecessors) and was federated with partners, the former staff member’s presence would display as “Presence unknown”.

From a content perspective, the contents of the former staff member’s home drive and operating system profile would be scoured for useful files that need to be retained.

In the world of Office 365 though a user identity is more than just access and content. How we treat that identity can impact other systems and people.

When looking at a former staff member account we have three actions available to us:

  • Disable: this stops the account from working, but still keeps the identity and resources available to the organisation
  • Delete: this deletes the account from the directory, and all resources associated will be deleted or triggered for deletion workflow (eg. mailbox, OneDrive for Business, Skype for Business, Yammer, etc.)
  • Change password: the account and resources still exist and function exactly as they did previously, the only difference is that the former employee can’t access the account

Let’s take a look at the most risk-averse approach of changing the password.

Benefits of this approach

The main benefit of only changing the password for a former staff member is that the account remains fully operational. It means that no linkages are broken, no services stop working, and in effect the account continues to operate as if the former employee was still there – they just don’t have access to this account.

By far it’s the quickest and simplest approach to stopping a former employee from accessing their account, and the reality is that’s the primary benefit.

There are no time limits on this approach, and managers can get access to staff resources like their mailbox and OneDrive – allowing them to respond and act on anything that continues to come in to the former staff member’s account.

Negatives of this approach

I believe that unfortunately there are more negatives than positives in this approach, more so for the former staff member – not just their peers and the organisation

  • The account still consumes an Office 365 license, however in the grand scheme of things this is not a great cost (unless it’s a large organisation and there are many accounts still active)
  • The former staff member’s profile and account are still active and visible in more social services such as Skype for Business, Yammer and Teams. People will still be able to “communicate” with what still appears to be the person, albeit they will never get a response – much like talking to a cardboard cut-out of the person. This can reflect negatively on the former staff member, because not everyone in the organisation knows that they have left (this is very subjective based on size of organisation and internal communications) and therefore someone might be left wondering why the former staff member is no longer responding. This can be flustering for the person attempting to communicate with the cardboard cut-out.
  • There will still be workflows running under the person’s account that could be performing actions, sending notifications or messages which can ultimately confuse people.

And this last point is probably one of the most dangerous ones. Any workflows set up under Microsoft Flow, or connectors in things such as Groups will make it appear that the former staff member’s account is still active. To those who don’t know that the person has left – they may still attempt to engage with them based on these actions, or to people who do know that the person has left they may be wondering why the former staff member is continuing to work in the company environment.

Recently I was involved in a discussion where a person was being legally pursued by their former employer for allegedly continuing to access company resources since leaving their employ. This was based on an Office 365 account activity log and unfortunately the lawyers didn’t speak technology, so took the log and fired off a warning to the former employee. The problem was that the log was made up of workflows and connectors continuing to operate, as well as the former employee’s manager accessing their resources – so there was no foul activity at all on behalf of the former employee. It didn’t stop the lawyer representing the former employer from attacking the former employee – not a positive experience at all. This results in egg on the face of the employer because it shows that either their technical staff don’t understand what the log file means (and therefore why are they touching the technology!?), or that they did know what it meant and were deliberately vexatious in their pursuit of the formerly employee.

Changing password can be good because the account is still active which makes it easy to access and operate, however still consumes a license. It also means that any existing workflows, activities, or access permissions still operate which can lead to confusion by people both inside and outside of the organisation.

Simplifying profile pictures in Office 365 with Hyperfish

An important component of humanising collaboration and communication are profile pictures as they literally give a face to a name.

Profile pictures are displayed in Office 365 in almost all areas where a person’s name is shown:

  • Office 365 portal
  • Office apps on the desktop (eg. Outlook, Word, Excel, etc.)
  • Office apps on mobiles & tablets
  • SharePoint Online
  • Delve
  • Office 365 Groups
  • Planner
  • Teams
  • And so on and so forth…

Knowledge base article 3185286 from Microsoft explains how profile picture synchronisation occurs in Office 365 and the flow between SharePoint Online and Exchange Online – the primary storage locations for profile pictures that all other services depend on.

SharePoint Online picture synchronisation for users who have an Exchange Online mailbox SharePoint Online picture synchronisation for users without an Exchange Online mailbox


In Office 365 there are a number of areas where profile pictures are stored, all with different size limitations:

Location File size limit Pixel size limit
Active Directory 100kb 200 x 200
Azure Active Directory 10kb 96 x 96
Exchange Online
SharePoint Online
Skype for Business Online
500kb 648 x 648
Yammer 10mb 5000 x 5000


The frustration many admins experience is that they may have set up a great system for new employees to have their picture stored in the on-premises Active Directory with a decent resolution, but when it is synchronised to Azure Active Directory for Office 365 the file is crunched down to the 10kb limit. This picture then flows through to all other features of Office 365. As a thumbnail in Outlook or Delve this is ok, but when doing a Skype for Business call without video the profile picture gets stretched out and looks pixelated:

Over the years there have been a number of scripts and apps written to work around the challenges of thumbnail pictures and hi-res pictures, but these are more for administrators to use and are not always effective – especially when a user updates the picture themselves in one location but not another.

Enter Hyperfish – an end-user driven solution for ensuring that Office 365 has the right quality & sized picture in all relevant locations. While it may appear dangerous to put this into the hands of end users, Hyperfish provides administrators with a number of key controls around the quality and appropriateness of picture:

Hyperfish utilises the Azure Face API so if the administrator has chosen to not enabled the “Allow no faces” (as seen in the previous screenshot) and a user uploads a picture of their dog they will be politely declined:

Similarly, if a user uploads a picture of themselves making a face then again they will see the relevant message to indicate that the picture is not appropriate:

Administrators also have the ability to review picture before they are published to the profile:

Hyperfish works with on-premises, hybrid, and pure-cloud scenarios and is charged in bands of users on an annual level.

A free analysis is available for organisations to understand the level of completion across their user profiles which is a great way to start improving the quality of user experiences and interactions.