Office 365 Offboarding Best Practices with PowerShell Follow Up
It is starting to get late and I am randomly surfing the internet. After reading some of my favorite bloggers, I stumbled across a random post, Office 365 Offboarding Best Practices, by Robert. The post covers a lot of great material. With that said, I am a strong believer in automation. While Robert shared how to do this graphically, I am sharing how to do the steps via PowerShell. After all, I love PowerShell. With that said, I’m only sharing the one-liner commands (if possible).
1. Logout User from All Office 365 Sessions
Get-AzureADUser -Filter "userPrincipalName eq 'PrevEmployeeUPN@company.com'" | Revoke-AzureADUserAllRefreshToken
2. Block Account Sign-in and Reset Password
To block the account from authentication:
Set-AzureADUser -ObjectID PrevEmployeeUPN@company.com -AccountEnabled $false
Resetting an account password can be done via PS:
Set-MsolUserPassword -UserPrincipalName "PrevEmployeeUPN@company.com" -NewPassword "Considering-Doing-A-Very-Secure-Passphrase-100#" -ForceChangePassword $False
3. Setup Email Forwarding
Set-Mailbox -Identity "PrevEmployeeUPN@company.com" -ForwardingAddress "Manager@company.com"
4. Convert User Mailbox to Shared Mailbox
Set-Mailbox PrevEmployeeUPN@company.com -Type Shared
Important: Please keep in mind that this does not remove the license. At the time this post was published, shared mailboxes do not require a license. See step 10 to remove the license.
5. Preserve former employees’ mailbox data
In the blog post, three options were provided to preserve mailbox data.
For option one, exporting a mailbox to a PST file is beyond a simple one-liner.
For option two, to set a Litigation hold on the mailbox:
Set-Mailbox -Identity PrevEmployeeUPN@company.com -LitigationHoldEnabled $true
To transition to option three, an inactive mailbox, you have to wait for the retention policy (or the litigation hold above) to take effect on the mailbox (generally about four hours). After this stage, delete the account (see step 11); the held mailbox then becomes an inactive mailbox instead of being purged.
6. Transfer email alias
As per the blog, the assumption is that the leaver's account no longer exists in the tenant. To give the email address to another employee, you add it to that employee's mailbox as an alias:
Set-Mailbox -Identity manager@company.com -Emailaddresses @{Add='PrevEmployeeEmail@company.com'}
7. Move leavers’ OneDrive data to other location
For this one, no one-liner exists. Elliot Munro has us covered with his solution, Transfer all OneDrive files to another user via PowerShell.
8. Wipe and block the user’s mobile device
Once again, a full script would have to be written. With that said, the core call is a single Graph API request (here $ManagedDeviceID is the Intune device id and $AuthorizationToken a header hashtable carrying a bearer token):
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceID/wipe" -Method Post -Headers $AuthorizationToken
9. Remove user from all groups
I’ll leave a reference to Salaudeen Rajack’s post, How to Remove a User from Office 365 Group using PowerShell?.
10. Remove license
Honestly, PowerShell is not always the best option. In my opinion, this is one of those cases. If you have an Azure AD P1 and Microsoft E3 license, then you can leverage group-based licensing.
With group-based licensing, removing the user from the licensing group (which happened in #9) means you have already removed the license!
If you must use PowerShell then checkout Microsoft Docs: Remove Microsoft 365 licenses from user accounts with PowerShell.
11. Delete account
Remove-AzureADUser -ObjectID PrevEmployeeUPN@company.com
Or you can do it through the Microsoft Azure Active Directory Module for Windows PowerShell (MSOnline):
Remove-Msoluser -UserPrincipalName PrevEmployeeUPN@company.com
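To show how steps 1 through 5 fit together, here is an added example that chains the one-liners above into one function with -WhatIf/-Confirm support and a check that the sign-in block actually applied before the mailbox is touched. It is not code from the original post or from Robert's; it assumes Connect-AzureAD and Connect-ExchangeOnline have already been run, and it swaps the MSOnline password reset for Set-AzureADUserPassword with a random value so the whole thing stays in the AzureAD module.

```powershell
# Added example (not from the original post): steps 1-5 as one guarded function.
# Assumes an existing Connect-AzureAD and Connect-ExchangeOnline session.
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $ManagerUpn
    )

    $user = Get-AzureADUser -Filter "userPrincipalName eq '$UserPrincipalName'"
    if (-not $user) { throw "No Azure AD user found for $UserPrincipalName" }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke sessions and block sign-in')) {
        # Step 1: invalidate refresh tokens so existing sessions cannot renew
        $user | Revoke-AzureADUserAllRefreshToken
        # Step 2: block sign-in, then rotate the password to a random value nobody knows
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secret

        # Verify the block took effect before moving on; stop if it did not
        if ((Get-AzureADUser -ObjectId $user.ObjectId).AccountEnabled) {
            throw "Sign-in block did not apply to $UserPrincipalName; stopping."
        }
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Forward, convert to shared, litigation hold')) {
        # Steps 3-5: forward mail to the manager, convert to shared, preserve the data
        Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $ManagerUpn
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
        Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true

        $mbx = Get-Mailbox -Identity $UserPrincipalName
        [pscustomobject]@{
            User           = $UserPrincipalName
            SignInBlocked  = -not (Get-AzureADUser -ObjectId $user.ObjectId).AccountEnabled
            MailboxType    = $mbx.RecipientTypeDetails
            Forwarding     = $mbx.ForwardingAddress
            LitigationHold = $mbx.LitigationHoldEnabled
        }
    }
}

# Dry run first; drop -WhatIf to run for real with confirmation prompts
Invoke-UserOffboarding -UserPrincipalName 'PrevEmployeeUPN@company.com' -ManagerUpn 'Manager@company.com' -WhatIf
```

The returned object is the audit record for the ticket: MailboxType should read SharedMailbox and SignInBlocked and LitigationHold should both be True.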
Final Thoughts
A lot is missing in this post. The pieces of a full-featured PowerShell offboarding script are scattered across the steps above and the linked posts.
If you create this script and post it on Github (or create a blog post), please drop a link in the comments.
Also, are you doing the steps Robert outlined? Can you think of any more? A big shoutout to Robert for a concise and important post on a subject that warrants attention for any size of business.
Anyways, time to hit the sack (I mean watch the Season One finale of The Last of Us).
Cheers,
Jeremiah