The Complete Entra ID Offboarding Checklist for IT Teams

31 March 2026, 6 min read

Somebody quit on Friday. Or got let go. Either way, it's Monday now and you're not 100% sure their access has been fully revoked. Their Entra ID account is disabled, probably. But what about that shared mailbox? The Teams channels? That Azure resource group they had contributor access to?

This is how security incidents start. Not with sophisticated hackers, but with a forgotten account that still has access to things it shouldn't.

Let's walk through a proper offboarding process in Entra ID, step by step. Think of this as the checklist you can actually use, not the theoretical framework your security policy describes.

Step 1: Disable the account (immediately)

This one's obvious, but the timing matters. The moment someone's departure is confirmed, their account should be disabled. Not tomorrow. Not after their exit interview. Now.

In the Entra ID portal, go to Users, find the person, and flip "Account enabled" to No. This blocks sign-in immediately without deleting anything.

If you're using an HR system connected to Entra ID, this can happen automatically when the employee's status changes. That's the ideal scenario, because it takes the "someone needs to remember to do this" variable out of the equation.

Step 2: Revoke active sessions

Here's something a lot of IT teams miss. Disabling an account doesn't kill active sessions. If the person is already logged in, they can keep working until their token expires. Depending on your token lifetime settings, that could be an hour or it could be a whole day.

Go to the user's profile and click "Revoke sessions." This invalidates the user's refresh tokens and forces reauthentication on all devices, which a disabled account cannot complete. Any active session in Outlook, Teams, SharePoint, or third-party apps using Entra ID SSO stops working as soon as its current access token expires and has to be renewed.

Do this at the same time you disable the account. Don't skip it.

Step 3: Reset the password

Some teams skip this because the account is already disabled. But consider this: if the user had their password stored in a browser on a personal device, and you later re-enable the account for any reason (transferring data, for instance), that stored password would work.

Reset it. It takes ten seconds and closes a gap you don't want to leave open.
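Steps 1 to 3 belong together as one containment action, so here they are as a single PowerShell function using the Microsoft Graph PowerShell SDK (v2). This is an added example, not code from the original post or from Adcyma; the UPN is a constructed placeholder, and the signed-in admin is assumed to hold the User Administrator role or higher, which Graph requires before it will reset another user's password.

```powershell
# Added example (not from the original post). Requires Microsoft Graph PowerShell SDK v2:
#   Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
# Assumes the caller holds User Administrator (or higher) so the password reset is permitted.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Invoke-ImmediateContainment {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
    $startedUtc = [DateTime]::UtcNow

    # Step 1: block new sign-ins. Nothing is deleted, so the object stays recoverable.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # Step 2: invalidate refresh tokens and browser session cookies. Access tokens that were
    # already issued stay valid until they expire; the tenant's token lifetime is the residual
    # window, which is why Steps 1 and 2 are done in the same breath.
    $null = Revoke-MgUserSignInSession -UserId $user.Id

    # Step 3: replace the password with a random value nobody knows, so a credential saved in a
    # browser on a personal device is useless if the account is ever re-enabled.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = [Convert]::ToBase64String($bytes)
        ForceChangePasswordNextSignIn = $true
    }
    [Array]::Clear($bytes, 0, $bytes.Length)

    # Verify from the directory instead of trusting that the calls succeeded.
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled
    if ($after.AccountEnabled) { throw "$UserPrincipalName is still enabled; stop and investigate." }

    # Evidence record for the offboarding log (Step 9).
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.Id
        DisabledAtUtc     = $startedUtc.ToString('o')
        SessionsRevoked   = $true
        PasswordRotated   = $true
        PerformedBy       = (Get-MgContext).Account
    }
}

# Usage with a constructed UPN:
# Invoke-ImmediateContainment -UserPrincipalName 'departed.user@contoso.example' | ConvertTo-Json
```

The function reads the account state back after disabling it rather than assuming the write landed, and it returns a timestamped object so the containment time can go straight into the audit record.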

Step 4: Remove group memberships

This is where things get tedious manually. The departing user might be in a dozen security groups, Microsoft 365 groups, distribution lists, and Teams. Each one is a potential access point.

In Entra ID, you can see all group memberships on the user's profile under "Groups." Go through them and remove the user from each one.

Pay special attention to:

  • Security groups that grant access to Azure resources
  • Groups connected to third-party SaaS apps (Salesforce, Slack, whatever you've integrated)
  • Privileged role groups (Global Admin, User Admin, anything with elevated permissions)

If you're using dynamic groups based on attributes, these memberships will clean themselves up once the user's attributes change. But any manually assigned groups need manual removal.

Step 5: Remove application assignments and licenses

Check the user's "Enterprise applications" tab. This shows every app they were assigned access to through Entra ID. Remove these assignments.

Then pull their licenses. Microsoft 365, any add-ons, third-party licenses managed through Entra. You're paying for these, and there's no reason to keep them assigned to a disabled account.

Pro tip: if license availability is tight, do this on day one so the license is free for the next hire.
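Steps 4 and 5 are the tedious enumeration, so this added example (not code from the original post or from Adcyma) walks the user's memberships, direct role assignments, app role assignments and directly assigned licenses with the Microsoft Graph PowerShell SDK (v2). The `-ReportOnly` switch, the `Note` helper and the UPN are my own constructions; the distinction between Graph-managed groups and Exchange-managed distribution lists, and between direct and group-based licenses, follows how Entra ID actually behaves.

```powershell
# Added example (not from the original post). Requires Graph PowerShell SDK v2 modules:
# Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement,
# Microsoft.Graph.Users.Actions. Run with -ReportOnly first to see what would be touched.
function Remove-DepartedUserAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $ReportOnly
    )
    $scopes = @(
        'User.ReadWrite.All', 'GroupMember.ReadWrite.All',
        'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All'
    )
    Connect-MgGraph -Scopes $scopes -NoWelcome
    $user   = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, LicenseAssignmentStates
    $report = [System.Collections.Generic.List[object]]::new()
    function Note($Type, $Name, $Action) {
        $report.Add([pscustomobject]@{ Type = $Type; Name = $Name; Action = $Action })
    }

    # Step 4: memberOf returns both groups and active directory roles.
    foreach ($m in (Get-MgUserMemberOf -UserId $user.Id -All)) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.directoryRole') {
            # Active built-in role (Global Admin, User Admin, ...). PIM-eligible assignments
            # are not listed here and must be reviewed in PIM separately.
            if (-not $ReportOnly) { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $m.Id -DirectoryObjectId $user.Id }
            Note 'DirectoryRole' $m.AdditionalProperties['displayName'] 'Removed (privileged)'
        }
        elseif ($type -eq '#microsoft.graph.group') {
            $g = Get-MgGroup -GroupId $m.Id -Property Id, DisplayName, GroupTypes, MailEnabled, IsAssignableToRole
            if ($g.GroupTypes -contains 'DynamicMembership') {
                Note 'Group' $g.DisplayName 'Skipped: dynamic, clears when attributes change'
            }
            elseif ($g.MailEnabled -and $g.GroupTypes -notcontains 'Unified') {
                # Distribution lists and mail-enabled security groups are Exchange-managed;
                # Graph cannot edit them. Use Remove-DistributionGroupMember in Exchange Online.
                Note 'Group' $g.DisplayName 'Skipped: Exchange-managed, remove in Exchange Online'
            }
            else {
                if (-not $ReportOnly) { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id }
                Note 'Group' $g.DisplayName $(if ($g.IsAssignableToRole) { 'Removed (role-assignable)' } else { 'Removed' })
            }
        }
    }

    # Step 5a: direct app role assignments (Enterprise applications). Access inherited
    # through a group disappears with the group removal above.
    foreach ($a in (Get-MgUserAppRoleAssignment -UserId $user.Id -All)) {
        if (-not $ReportOnly) { Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $a.Id }
        Note 'App' $a.ResourceDisplayName 'Assignment removed'
    }

    # Step 5b: directly assigned licenses only. Group-based licenses cannot be removed per
    # user; they lapse when the licensing group membership goes. If the mailbox is to become
    # a shared mailbox (Step 7), convert it before removing the Exchange license.
    $directSkus = @($user.LicenseAssignmentStates | Where-Object { -not $_.AssignedByGroup } |
        Select-Object -ExpandProperty SkuId -Unique)
    if ($directSkus.Count -gt 0) {
        if (-not $ReportOnly) { $null = Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $directSkus }
        foreach ($sku in $directSkus) { Note 'License' $sku 'Removed (direct)' }
    }
    return $report
}

# Usage (constructed UPN): enumerate first, then apply and keep the CSV as evidence.
# Remove-DepartedUserAccess -UserPrincipalName 'departed.user@contoso.example' -ReportOnly | Format-Table
# Remove-DepartedUserAccess -UserPrincipalName 'departed.user@contoso.example' | Export-Csv offboarding-access.csv
```

The report deliberately lists what was skipped and why, because the skipped items (Exchange-managed lists, PIM-eligible roles, group-based licenses) are exactly the ones that get forgotten when the script reports "done".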

Step 6: Check for Conditional Access policy exceptions

This one bites people. If the departing user was ever added to a Conditional Access exclusion group (maybe during troubleshooting, maybe as a temporary workaround), they might still be in it. Remove them.

While you're at it, check if they were registered for MFA and remove their authentication methods. You don't want their phone number sitting in the system indefinitely.
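Both parts of Step 6 can be checked rather than eyeballed. The following is an added example, not code from the original post or from Adcyma, using the Microsoft Graph PowerShell SDK (v2): the first function lists every Conditional Access policy that excludes the user directly or through a group they still (transitively) belong to, the second removes the user's registered authentication methods. The function names and the UPN are my own; the `@odata.type` values and `Remove-MgUserAuthentication*Method` cmdlets are the SDK's.

```powershell
# Added example (not from the original post). Requires Microsoft.Graph.Users and
# Microsoft.Graph.Identity.SignIns (Graph PowerShell SDK v2).

function Get-ConditionalAccessExposure {
    param([Parameter(Mandatory)] [string] $UserId)
    # Transitive membership, so an exclusion on a parent group is matched as well.
    $groupIds = @(Get-MgUserTransitiveMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        Select-Object -ExpandProperty Id)
    foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
        $u        = $p.Conditions.Users
        $direct   = $u.ExcludeUsers -contains $UserId
        $viaGroup = @($u.ExcludeGroups | Where-Object { $groupIds -contains $_ })
        if ($direct -or $viaGroup.Count -gt 0) {
            [pscustomobject]@{
                Policy            = $p.DisplayName
                State             = $p.State
                ExcludedDirectly  = $direct
                ExcludedViaGroups = ($viaGroup -join ',')
            }
        }
    }
}

function Remove-DepartedUserAuthMethods {
    param([Parameter(Mandatory)] [string] $UserId)
    foreach ($m in (Get-MgUserAuthenticationMethod -UserId $UserId)) {
        $type   = $m.AdditionalProperties['@odata.type']
        $action = 'Removed'
        switch ($type) {
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $m.Id }
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
            '#microsoft.graph.fido2AuthenticationMethod' {
                Remove-MgUserAuthenticationFido2Method -UserId $UserId -Fido2AuthenticationMethodId $m.Id }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $m.Id }
            '#microsoft.graph.emailAuthenticationMethod' {
                Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $m.Id }
            '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' {
                Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $UserId -WindowsHelloForBusinessAuthenticationMethodId $m.Id }
            '#microsoft.graph.passwordAuthenticationMethod' {
                $action = 'Kept (password cannot be removed; it was rotated in Step 3)' }
            default {
                $action = 'NOT REMOVED: unhandled type, clear it manually' }
        }
        [pscustomobject]@{ MethodId = $m.Id; Type = $type.Split('.')[-1]; Action = $action }
    }
}

# Usage (constructed UPN):
# Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome
# $id = (Get-MgUser -UserId 'departed.user@contoso.example').Id
# Get-ConditionalAccessExposure -UserId $id | Format-Table
# Remove-DepartedUserAuthMethods -UserId $id | Format-Table
```

Run the exposure check before you strip group memberships in Step 4; once the user is out of the exclusion group the check can no longer tell you that the group was a Conditional Access exclusion, which is exactly what you want recorded.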

Step 7: Handle the mailbox

You've got a few options here, depending on your organization's needs:

  • Convert to shared mailbox: The most common approach. It preserves the email history without requiring a license. Assign access to the person's manager or team.
  • Set up forwarding: If someone needs to receive the departed employee's email temporarily, set up mail forwarding.
  • Export and archive: Download the mailbox contents to PST and store them according to your retention policy.

Whatever you do, don't just leave it sitting there as a fully licensed, inactive mailbox. That's money walking out the door every month.
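The shared-mailbox option, as an added example using the ExchangeOnlineManagement module (not code from the original post or from Adcyma). The UPNs are constructed placeholders. It converts the mailbox, delegates it, optionally sets forwarding, and flags the cases where the shared mailbox will still need a license (archive, litigation hold, or more than 50 GB of content). PST export is not scriptable with these cmdlets and is left out.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module
# and Exchange Administrator rights. All UPNs are constructed placeholders.
Import-Module ExchangeOnlineManagement

function Convert-DepartedMailbox {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DelegateUpn,   # manager or team member who inherits access
        [string] $ForwardTo                              # optional internal recipient for temporary forwarding
    )
    Connect-ExchangeOnline -ShowBanner:$false

    $mbx = Get-Mailbox -Identity $UserPrincipalName
    # Convert while the Exchange license is still assigned. A user mailbox whose license is
    # removed first enters its deletion grace period instead of becoming a shared mailbox.
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
    }

    # Shared mailboxes are license-free only up to 50 GB and without archive or litigation hold.
    $stats = Get-MailboxStatistics -Identity $UserPrincipalName
    $sizeBytes = 0L
    if ([string]$stats.TotalItemSize -match '\(([\d,]+) bytes\)') { $sizeBytes = [int64]($Matches[1] -replace ',') }
    $needsLicense = ($mbx.ArchiveStatus -eq 'Active') -or $mbx.LitigationHoldEnabled -or ($sizeBytes -gt 50GB)

    # Full access for the delegate so the history stays reachable without a licensed user.
    $null = Add-MailboxPermission -Identity $UserPrincipalName -User $DelegateUpn -AccessRights FullAccess -AutoMapping $true

    if ($ForwardTo) {
        # Forward new mail and keep a copy in the shared mailbox, so the archive stays complete.
        Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
    }

    [pscustomobject]@{
        Mailbox           = $UserPrincipalName
        Type              = (Get-Mailbox -Identity $UserPrincipalName).RecipientTypeDetails
        Delegate          = $DelegateUpn
        ForwardingTo      = $ForwardTo
        SizeBytes         = $sizeBytes
        StillNeedsLicense = $needsLicense
    }
}

# Usage (constructed UPNs):
# Convert-DepartedMailbox -UserPrincipalName 'departed.user@contoso.example' -DelegateUpn 'manager@contoso.example' | Format-List
```

Check `StillNeedsLicense` before pulling the Exchange license in Step 5; if it is true, either reduce the mailbox or keep one license on it, otherwise the "shared" mailbox quietly stops working.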

Step 8: Transfer ownership of files and resources

Check OneDrive. The user probably has files that other people need. Entra ID gives the manager access to a departed employee's OneDrive for a period after the account is deleted, but it's better to proactively transfer important files.

Also check for:

  • SharePoint sites they owned
  • Power BI reports and dashboards
  • Power Automate flows
  • Azure resources where they were the sole owner

That last one is critical. If someone was the only owner of an Azure subscription or resource group, and you delete their account, you might lose administrative access entirely. Check this before you do anything irreversible.
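The "sole owner" check for Azure RBAC, as an added example with the Az PowerShell modules (not code from the original post or from Adcyma). It scans every subscription the caller can see and reports each scope where the departing user is the only Owner and no other Owner is inherited from a parent scope, the subscription, a management group or the root. Function name and logic are my own; the caveat that a covering Owner may itself be a group whose only member is the departing user is noted in the code and should be checked by hand.

```powershell
# Added example (not from the original post). Requires Az.Accounts and Az.Resources and at
# least Reader on each subscription to inspect. Covers Azure RBAC only; SharePoint, Power BI
# and Power Automate ownership live in other admin surfaces.
Import-Module Az.Accounts, Az.Resources

function Find-SoleOwnerScopes {
    param([Parameter(Mandatory)] [string] $UserObjectId)   # Entra object id of the departing user
    $null = Connect-AzAccount
    foreach ($sub in Get-AzSubscription) {
        $null = Set-AzContext -SubscriptionId $sub.Id
        # All Owner assignments that apply within this subscription, including inherited ones.
        $owners      = @(Get-AzRoleAssignment -RoleDefinitionName Owner)
        $userScopes  = @($owners | Where-Object ObjectId -eq $UserObjectId | Select-Object -ExpandProperty Scope -Unique)
        $otherScopes = @($owners | Where-Object ObjectId -ne $UserObjectId | Select-Object -ExpandProperty Scope -Unique)

        foreach ($s in $userScopes) {
            # Another Owner covers $s if assigned at $s itself, at an ancestor scope, or at
            # root / management-group level (those inherit into every subscription beneath).
            # Caveat: a covering principal can be a group whose only member is this user.
            $covered = @($otherScopes | Where-Object {
                $_ -eq '/' -or
                $_ -like '/providers/Microsoft.Management/*' -or
                $s -eq $_ -or
                $s.StartsWith("$_/", 'OrdinalIgnoreCase')
            })
            if ($covered.Count -eq 0) {
                [pscustomobject]@{
                    Subscription = $sub.Name
                    Scope        = $s
                    Finding      = 'Departing user is the only Owner; reassign before deleting the account'
                }
            }
        }
    }
}

# Usage (constructed UPN):
# $id = (Get-AzADUser -UserPrincipalName 'departed.user@contoso.example').Id
# Find-SoleOwnerScopes -UserObjectId $id | Format-Table -AutoSize
```

An empty result means every scope the user owns has at least one other Owner in its ancestry; any row returned is a scope you must reassign before Step 10, because once the object is gone there is no user left who can grant Owner there.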

Step 9: Document everything

For compliance purposes (SOC 2, ISO 27001, NIS2), you need to prove that offboarding happened in a timely and complete manner. That means logging:

  • When the account was disabled
  • When sessions were revoked
  • What groups and apps were removed
  • What happened to their data
  • Who approved the offboarding

If your auditor asks "what happened when Emma left in October?" and you can hand them a complete record, you're in great shape. If you have to reconstruct the timeline from memory and email threads, you're going to have a bad time.
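An evidence record can be generated from the directory rather than reconstructed later. This added example (not code from the original post or from Adcyma) uses the Microsoft Graph PowerShell SDK (v2) to pull every directory audit event that targeted the user since departure was confirmed, measure the time from confirmation to the first change, snapshot the account's current state, and write the result to JSON. The output schema, function name and file naming are my own; the `targetResources/any(...)` filter is Graph's documented filter for directory audits.

```powershell
# Added example (not from the original post). Requires Microsoft.Graph.Users and
# Microsoft.Graph.Reports (Graph PowerShell SDK v2) with User.Read.All and AuditLog.Read.All.
function New-OffboardingEvidence {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $ApprovedBy,            # who approved the offboarding
        [Parameter(Mandatory)] [datetime] $DepartureConfirmed,    # when HR/manager confirmed it
        [string] $OutFile = "offboarding-$($UserPrincipalName -replace '[^\w.-]', '_').json"
    )
    Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
    $u = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

    $sinceUtc = $DepartureConfirmed.ToUniversalTime()
    $since    = $sinceUtc.ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Every audited change whose target was this user object, oldest first.
    $events = @(Get-MgAuditLogDirectoryAudit -All `
            -Filter "activityDateTime ge $since and targetResources/any(t:t/id eq '$($u.Id)')" |
        Sort-Object ActivityDateTime |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{ n = 'InitiatedBy'; e = {
                if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                else { $_.InitiatedBy.App.DisplayName } } })

    $firstUtc = $null; $minutesToFirst = $null
    if ($events.Count -gt 0) {
        $firstUtc       = $events[0].ActivityDateTime.ToUniversalTime()
        $minutesToFirst = [math]::Round(($firstUtc - $sinceUtc).TotalMinutes, 1)
    }

    $evidence = [pscustomobject]@{
        UserPrincipalName       = $u.UserPrincipalName
        ObjectId                = $u.Id
        ApprovedBy              = $ApprovedBy
        DepartureConfirmedUtc   = $since
        FirstDirectoryChangeUtc = if ($firstUtc) { $firstUtc.ToString('o') } else { $null }
        MinutesToFirstChange    = $minutesToFirst
        CurrentState            = [pscustomobject]@{
            AccountEnabled    = $u.AccountEnabled
            RemainingGroups   = @(Get-MgUserMemberOf -UserId $u.Id -All).Count
            RemainingLicenses = @($u.AssignedLicenses).Count
        }
        DirectoryChanges        = $events
        GeneratedUtc            = [DateTime]::UtcNow.ToString('o')
        GeneratedBy             = (Get-MgContext).Account
    }
    $evidence | ConvertTo-Json -Depth 6 | Set-Content -Path $OutFile -Encoding utf8
    return $evidence
}

# Usage (constructed values):
# New-OffboardingEvidence -UserPrincipalName 'departed.user@contoso.example' `
#     -ApprovedBy 'hr.lead@contoso.example' -DepartureConfirmed '2026-03-27T16:00:00Z' | Format-List
```

Generate the record on the day you disable the account and again before Step 10; the second run should show `AccountEnabled` false, zero remaining groups and licenses, and a complete list of who changed what in between. Directory audit logs are retained for a limited period, so the JSON, not the portal, is what you hand the auditor.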

Step 10: Delete the account (after the retention period)

Most organizations keep disabled accounts around for 30 to 90 days before permanent deletion. This gives you a window to recover anything you missed and satisfies most data retention policies.

After that period, delete the account. Entra ID moves it to "Deleted users" where it sits for another 30 days before permanent removal.

The real problem with doing this manually

This checklist has ten steps. For one person. If you're offboarding five people a month, that's 50 manual steps, every single one of which is a chance for human error. And every missed step is a potential security risk or compliance gap.

The fix isn't hiring more people to click more buttons. It's automating the process so that when someone's status changes, everything on this checklist happens automatically, with a full audit log.

If this sounds like your situation, Adcyma is free for up to 25 users. For larger teams, you can start a free 14-day trial. No credit card, no consultants.

Try Adcyma for free, no credit card needed

Set up identity governance for your Entra ID or Active Directory environment in less than a day.