Microsoft 365 offboarding checklist for stale users, access, and ownership

Use this checklist to review the Microsoft 365 leftovers that commonly remain after departures, contractor endings, or role changes: accounts, mailbox access, files, groups, guests, admin roles, and paid licenses.

Practical offboarding checklist

Start with a known departure or role-change list from HR, finance, or operations. Then compare that list against what still exists in Microsoft 365 and Entra ID.

  • Confirm the user account is disabled or blocked from sign-in when the person no longer needs access.
  • Check whether the account still has an assigned Microsoft 365 license and whether that license can be reclaimed.
  • Review direct group memberships, Teams access, SharePoint access, and security groups tied to the old role.
  • Review shared mailbox delegates, Send As, Send on Behalf, and Full Access permissions left behind after the handoff.
  • Transfer or document ownership for OneDrive files, SharePoint content, Teams, groups, Power Automate flows, and operational documents.
  • Check whether the former user still owns guest relationships, shared folders, distribution lists, or collaboration spaces.
  • Remove admin roles and privileged assignments that were tied to the old job function.
  • Review guest users and external collaborators sponsored by the departing person.
  • Confirm forwarding, mailbox conversion, retention, and legal hold decisions before deleting or changing mailboxes.
  • Document who approved each removal, transfer, or exception so the same question does not return later.
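The comparison described above can be scripted against an exported tenant snapshot. The following is an added example, not part of the original checklist or any VXSec tooling: it assumes user records exported as JSON with Microsoft Graph property names (userPrincipalName, accountEnabled, assignedLicenses) and with memberOf and ownedObjects expanded inline; all sample data is constructed.

```python
# Constructed sample data; field names follow Microsoft Graph user properties.
DEPARTED = ["Alice@contoso.example", "bob@contoso.example", "carol@contoso.example"]
TENANT = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "00000000-0000-0000-0000-000000000001"}],
     "memberOf": [
         {"@odata.type": "#microsoft.graph.group", "displayName": "Finance Team"},
         {"@odata.type": "#microsoft.graph.directoryRole",
          "displayName": "Exchange Administrator"}],
     "ownedObjects": [
         {"@odata.type": "#microsoft.graph.group", "displayName": "Budget 2024"}]},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "assignedLicenses": [], "memberOf": [], "ownedObjects": []},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "assignedLicenses": [], "memberOf": [], "ownedObjects": []},
]
ROLE = "#microsoft.graph.directoryRole"

def audit_user(user):
    """Return the checklist items that are still open for one tenant user."""
    findings = []
    # A missing accountEnabled field is treated as enabled (fail closed).
    if user.get("accountEnabled", True):
        findings.append("sign-in still enabled")
    if user.get("assignedLicenses"):
        findings.append(f"{len(user['assignedLicenses'])} license(s) still assigned")
    members = user.get("memberOf", [])
    roles = [m["displayName"] for m in members if m.get("@odata.type") == ROLE]
    groups = [m["displayName"] for m in members if m.get("@odata.type") != ROLE]
    owned = [o["displayName"] for o in user.get("ownedObjects", [])]
    for label, names in (("admin roles", roles), ("group memberships", groups),
                         ("still owns", owned)):
        if names:
            findings.append(f"{label}: " + ", ".join(names))
    return findings

def reconcile(departed, tenant):
    """Map each departed UPN to its open findings; UPN match is case-insensitive."""
    by_upn = {u["userPrincipalName"].lower(): u for u in tenant}
    report = {}
    for upn in departed:
        user = by_upn.get(upn.strip().lower())
        if user is None:
            # Absent from the snapshot: deleted or renamed, so confirm which.
            report[upn] = ["not found in tenant (deleted or renamed; confirm which)"]
        else:
            report[upn] = audit_user(user) or ["clean"]
    return report

if __name__ == "__main__":
    for upn, findings in reconcile(DEPARTED, TENANT).items():
        print(upn, *findings, sep="\n  - ")
```

Mailbox delegation, forwarding, holds, and guest sponsorship are not in this snapshot shape and still need their own review.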

When to get help

Get help when the departure list does not match the tenant, when former users still own important files or shared mailboxes, when nobody can explain guest access, or when admin roles and licenses have not been reviewed in months. Those are signs that offboarding has become an access cleanup project, not a one-user task.

VXSec's Microsoft 365 offboarding audit and broader Microsoft 365 access and admin audit turn those unknowns into a prioritized cleanup report.
