What Happens to Your M365 Accounts When Staff Leave? The Identity Lifecycle Problem Most SMBs Ignore

Orphaned M365 accounts (accounts belonging to departed staff that remain active and licensed) are one of the most common security gaps Hamilton365 identifies when reviewing Microsoft 365 tenants for small and medium businesses in Brisbane.

What Is an Orphaned Account?

An orphaned account is any user account in Microsoft 365 that is no longer actively managed, typically because the person has left the organisation, changed roles, or was a contractor whose engagement ended. Common forms are active user accounts that nobody uses any more, shared mailboxes with no owner, distribution lists whose members have departed, and guest accounts belonging to former contractors.

Why Orphaned Accounts Are a Genuine Security Risk

Orphaned accounts matter for four reasons:
- Disgruntled former employees: the majority of insider threat incidents occur within 30 days of departure.
- Credential stuffing: if a former employee reused their work password on a service that was later breached, attackers will try that password against your M365 tenant, and an orphaned account that is still active will accept it.
- Licence waste: every active licence still assigned to a departed user is $10–$60/month wasted.
- Compliance exposure: unmanaged accounts create exposure under the Australian Privacy Act.

What Good Offboarding Looks Like

On the day of departure:
- convert the user account to a shared mailbox;
- remove the user from all M365 Groups and Teams;
- revoke all active sessions in Entra ID;
- remove SharePoint access;
- remove admin roles immediately.

Within 30 days:
- decide on the account's long-term status;
- assign clear ownership to any shared mailboxes that remain active.
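The day-of-departure steps above, as an added PowerShell example that is not Hamilton365's script. It assumes the Microsoft Graph and Exchange Online PowerShell modules are installed, that the operator holds User Administrator and Exchange Administrator rights, and that the UPN passed in is a placeholder for the departed user.

```powershell
# Added example, not Hamilton365's tooling. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules and an operator with User/Exchange Administrator rights.
param([Parameter(Mandatory)][string]$Upn)   # placeholder: departed.user@example.com

Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All',
    'GroupMember.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, OnPremisesSyncEnabled
if ($user.OnPremisesSyncEnabled) {
    throw "$Upn is synced from on-premises AD; disable it there first, then rerun."
}

# 1. Block sign-in, then revoke refresh tokens so existing Entra ID sessions die.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Strip admin roles and group memberships (M365 Groups are what back Teams).
foreach ($obj in Get-MgUserMemberOf -UserId $user.Id -All) {
    $type = $obj.AdditionalProperties['@odata.type']
    try {
        if ($type -eq '#microsoft.graph.directoryRole') {
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $obj.Id -DirectoryObjectId $user.Id
        } elseif ($type -eq '#microsoft.graph.group') {
            # Dynamic groups and Exchange-managed distribution lists reject this call;
            # the warning below tells you which ones need a rule change or an EXO cmdlet.
            Remove-MgGroupMemberByRef -GroupId $obj.Id -DirectoryObjectId $user.Id
        }
    } catch {
        Write-Warning "Could not remove $Upn from $type $($obj.Id): $($_.Exception.Message)"
    }
}

# 3. Convert the mailbox to shared BEFORE releasing licences: an unlicensed user
#    mailbox is deleted after the grace period; a shared one under 50 GB needs none.
Set-Mailbox -Identity $Upn -Type Shared
$skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
}

# 4. Emit a record for the 30-day review of the account's long-term status.
[pscustomobject]@{
    User = $Upn; SignInBlocked = $true; SessionsRevoked = $true
    LicencesRemoved = $skus.Count; ConvertedToShared = $true
}
```

Direct SharePoint site permissions and sharing links granted to the user are not touched by group removal and still need to be removed separately.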
