When a staff member leaves unexpectedly, the Microsoft 365 account actions need to happen quickly. The window between departure and access removal is a real security risk, the majority of insider threat incidents occur within 30 days of someone leaving. Hamilton365 provides this step-by-step checklist for business owners and managers.
M365 Admin Centre → Users → Active Users → Block sign-in. Prevents new sign-ins while preserving the account and its data. Do not delete the account yet.
Entra ID portal → find the user → Revoke sessions. This step is frequently missed, blocking sign-in doesn't terminate sessions already in progress.
Ensures old credentials cannot be used even if session revocation takes a moment to propagate.
Forwarding rules continue to operate even after sign-in is blocked. Check mailbox settings and Exchange Admin Centre for forwarding rules and auto-forward configuration. Remove immediately.
Assign a new owner to any Groups or SharePoint sites where the departing person was the sole owner before removing them.
Check Entra ID → Users → Assigned Roles. Remove all role assignments without exception.
Preserves historical email and allows colleague monitoring without consuming a paid licence.
Microsoft Defender portal and Microsoft Purview provide audit log access for file downloads, email exports, and access activity. Conduct promptly, audit logs have retention limits.
Hamilton365 is available after hours to assist with urgent M365 offboarding when departures happen outside business hours.
After-Hours M365 Support