Step-by-Step Microsoft 365 Admin Offboarding Process
Welcome to the third article in this four-part series on roles and permissions in Microsoft 365. The first article covered the fundamentals of administrator roles and the principle of least privilege. The second article delved into creating dedicated administrator accounts and configuring emergency “break glass” accounts. Now, we shift to a critical operational aspect: managing transitions when administrators leave or change roles, and avoiding common errors in daily role management.
This guide is designed for IT professionals and Microsoft 365 administrators aiming to maintain a secure and resilient environment during personnel changes and ongoing operations. I’ll provide step-by-step processes, checklists, and case studies to address pitfalls, ensuring your organization’s Microsoft 365 tenant remains secure and compliant.
Why Administrator Transitions Matter
Administrator transitions—such as when an admin leaves the company, changes roles, or goes on extended leave—pose significant risks if not handled properly. These risks include:
Security Vulnerabilities: Unrevoked admin access can allow former employees to access sensitive systems, intentionally or accidentally.
Operational Disruptions: Failure to transfer roles or knowledge can lead to delays in managing services like Exchange, SharePoint, or Teams.
Compliance Violations: Improperly managed transitions may violate regulations like GDPR or HIPAA, which require strict access controls.
For example, if a Global Administrator leaves without their access being revoked, they could still log in and modify tenant-wide settings, potentially causing data breaches or service outages. Proper offboarding and proactive error prevention are essential to mitigate these risks and maintain a secure tenant.
Offboarding Administrators: A Step-by-Step Process
When an administrator leaves or no longer requires elevated privileges, a structured offboarding process ensures security and continuity. Below is a detailed guide, broken into phases, to revoke access, transfer roles, and audit activities.
Phase 1: Immediate Actions (Day 1)
Taking immediate action on the first day of an administrator’s departure is critical to prevent security breaches and ensure compliance. Revoking admin roles, resetting passwords, and blocking sign-in eliminate the risk of unauthorized access, especially if credentials were compromised. For example, a former admin with lingering Global Administrator access could alter settings, leading to data leaks or service disruptions. Acting swiftly demonstrates adherence to compliance standards like GDPR, which mandates timely access revocation.
Revoke Admin Roles:
Log in to the Microsoft 365 Admin Center with a Global Administrator account.
Navigate to Users > Active Users, select the departing admin (e.g., alice.admin@company.com), and click Manage Roles.
Uncheck all assigned roles (e.g., Global Administrator) and save changes.
Verify in Roles > Role Assignments that the user no longer has admin privileges.
Reset Password:
In the user’s profile, select Reset Password to generate a new, temporary password.
This prevents unauthorized access if the departing admin’s credentials were compromised.
Disable Sign-In:
Go to Users > Active Users, select the admin, and set Sign-in status to Blocked.
This ensures the account cannot be used, even with valid credentials.
Notify Stakeholders:
Inform the IT team and relevant managers of the role revocation to coordinate replacements.
Example: Alice, a Global Administrator, resigns. On her last day, you remove her Global Admin role, reset her password, and block sign-in for alice.admin@company.com.
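The Day 1 steps above can be scripted with the Microsoft Graph PowerShell SDK; the block below is an added example, not code from the original article, and assumes the sample account alice.admin@company.com and a placeholder temporary password. It also revokes the user's refresh tokens, because blocking sign-in alone leaves already-issued tokens valid until they expire.

```powershell
# Added example (not from the original article): Phase 1 offboarding with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Run as a Global Administrator, as the article
# describes. The UPN is the article's sample account; the temporary password is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All","RoleManagement.ReadWrite.Directory","Directory.AccessAsUser.All"

$upn  = "alice.admin@company.com"
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled

# 1. Revoke every activated directory role the user currently holds
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' }
foreach ($role in $roles) {
    $name = $role.AdditionalProperties.displayName
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
    Write-Host "Removed role '$name' from $upn"
}

# 2. Reset the password to a temporary value (placeholder; generate a random one in practice)
$tempPassword = "REPLACE-WITH-GENERATED-VALUE"
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Block sign-in (the same setting as "Sign-in status: Blocked" in the Admin Center)
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 4. Revoke refresh tokens so sessions that were issued before the block cannot be renewed.
#    Blocking sign-in does not by itself invalidate tokens that are still within their lifetime.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 5. Verify: no directory roles left and the account is disabled
$remaining = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' }
$state = Get-MgUser -UserId $user.Id -Property AccountEnabled
if (-not $remaining -and -not $state.AccountEnabled) {
    Write-Host "Day 1 offboarding complete for $upn"
} else {
    Write-Warning "Residual roles or an enabled account for $upn; review manually"
}
```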
Phase 2: Role and Knowledge Transfer (Week 1)
Transferring roles and knowledge within the first week ensures operational continuity and minimizes disruptions to services like Exchange or Teams. Identifying a replacement and documenting the departing admin’s tasks prevent critical workflows from being overlooked. For instance, if a departing admin managed specific SharePoint sites, failure to transfer this knowledge could delay updates or access for end users. This phase also reinforces the principle of least privilege by ensuring only necessary roles are assigned to the new admin.
Identify Replacement:
Determine who will take over the departing admin’s responsibilities (e.g., Bob for Alice’s Global Admin tasks).
Create or update a dedicated admin account for the replacement (e.g., bob.admin@company.com), as outlined in the second article.
Assign New Roles:
In the Admin Center, assign the appropriate role to the replacement (e.g., Global Administrator for Bob).
Enable Multi-Factor Authentication (MFA) for the new account if not already configured.
Transfer Knowledge:
Document the departing admin’s tasks, such as specific SharePoint sites managed or Teams policies configured.
Use tools like Loop or a shared document to capture workflows, recurring tasks, and key contacts.
Conduct a handover meeting to ensure the replacement understands their new responsibilities.
Update Documentation:
Update the role assignment tracker (introduced in the first article) with the new admin’s details, role, MFA status, and review date.
Example: Bob is assigned bob.admin@company.com as a Global Administrator with MFA enabled. Alice shares a document detailing her tenant-wide configurations, and Bob tests his access by updating a security policy.
Phase 3: Audit and Cleanup (Month 1)
Auditing and cleaning up accounts within the first month mitigates long-term risks, such as undetected insider threats or compliance violations. Reviewing audit logs helps identify suspicious activity, while removing residual permissions (e.g., SharePoint access) ensures the departing admin has no lingering access. Archiving or deleting the account reduces costs and aligns with data retention policies, such as those required by HIPAA. This phase completes the offboarding process, ensuring a secure and compliant tenant.
Audit Account Activity:
Use Microsoft Purview Audit Logs to review the departing admin’s actions over the past 90 days (or longer with E5 licenses).
Search for activities like role assignments, policy changes, or data access to identify anomalies.
PowerShell example to export audit logs:
# Requires the ExchangeOnlineManagement module; run Connect-ExchangeOnline first
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -UserIds alice.admin@company.com | Export-Csv -Path "AuditLog_Alice.csv" -NoTypeInformation
Remove Associated Access:
Check for additional permissions, such as SharePoint site access or group memberships, and remove them via the Admin Center or PowerShell.
PowerShell example to remove Alice from a SharePoint site:
# Requires the SharePoint Online Management Shell; run Connect-SPOService -Url https://company-admin.sharepoint.com first
Remove-SPOUser -Site https://company.sharepoint.com -LoginName alice.admin@company.com
Delete or Archive the Account:
Delete unneeded accounts in the Admin Center under Users > Active Users > Delete User.
Alternatively, archive the account by converting it to a shared mailbox (for email retention) and removing licenses to reduce costs.
Review Compliance:
Ensure offboarding aligns with regulations (e.g., GDPR’s data minimization principle) by documenting all steps in a compliance report.
Example: A month after Alice’s departure, you audit her account’s activity, confirm no suspicious activity, remove her from SharePoint sites, and delete alice.admin@company.com after archiving her email.
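The single Search-UnifiedAuditLog call above returns at most 5,000 records, so a busy admin's 90-day history can be silently truncated; the block below is an added example, not code from the original article, that pages through the full result set, triages role and policy changes for review, and then strips residual group memberships. It assumes the article's sample account, the ExchangeOnlineManagement and Microsoft.Graph modules, and a constructed regular expression for which operations count as sensitive.

```powershell
# Added example (not from the original article): Phase 3 audit and residual-access cleanup.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.Read.All","GroupMember.ReadWrite.All"

$upn   = "alice.admin@company.com"
$start = (Get-Date).AddDays(-90)
$end   = Get-Date
$sessionId = "Offboard-$upn-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()

# Keep calling with the same SessionId until the service returns nothing; each call yields
# at most 5000 records, so a single call can miss part of a 90-day history.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $upn `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)
$records = $records | Sort-Object Identity -Unique
Write-Host "$($records.Count) audit records for $upn since $($start.ToShortDateString())"

# AuditData is a JSON blob; parse it so Operation and Workload can be filtered
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Constructed pattern: operations that touch roles, policies or deletions get a human look
$sensitivePattern = '(?i)role|policy|conditional|delete|remove|permission'
$flagged = $events | Where-Object { $_.Operation -match $sensitivePattern }
$flagged | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$flagged | Select-Object CreationTime, Workload, Operation, ObjectId |
    Export-Csv -Path "AuditLog_Alice_flagged.csv" -NoTypeInformation

# Residual access: list and remove every group the account is still a member of
$user   = Get-MgUser -UserId $upn -Property Id
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    $name = $g.AdditionalProperties.displayName
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    Write-Host "Removed $upn from group '$name'"
}
```

Dynamic groups and groups whose membership is managed in Exchange (mail-enabled security or distribution groups) are not covered by the Graph removal and must be handled in their own consoles.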
I’ve created a step-by-step document that walks you through every phase—from immediate access revocation to audits and best practices.
Download it free from this link and safeguard your tenant today!
Common Errors in Role Management and How to Avoid Them
While proper offboarding mitigates immediate risks, ongoing role management requires vigilance to avoid common pitfalls that compromise security or efficiency. Below, we analyze frequent errors, their impacts, and prevention strategies, drawing on real-world scenarios and Microsoft best practices.
1. Over-Reliance on Global Administrators
Assigning Global Admin to multiple users for convenience increases the attack surface. A compromised Global Admin account can lead to tenant-wide damage, such as deleting users or altering security settings. To prevent this, limit Global Admins to 2-5 per tenant, as recommended by Microsoft, and use specific roles (e.g., Teams Administrator, User Administrator) for routine tasks.
Example: A medium-sized company had 10 Global Admins, including junior IT staff. A phishing attack compromised one account, leading to unauthorized data access. After auditing, they reduced Global Admins to 3 and reassigned specific roles, preventing further incidents.
2. Neglecting Role Reviews
Failing to periodically review role assignments leaves obsolete or unnecessary permissions active. Former admins or contractors may retain access, violating compliance or enabling insider threats. To address this, schedule quarterly role reviews in the Admin Center under Roles > Role Assignments and use Entra ID Access Reviews (requires Entra ID P2) to automate checks.
Example: A financial firm faced a GDPR audit failure because a former admin retained access for a year. Implementing quarterly reviews and Access Reviews resolved the issue.
3. Inconsistent Account Naming
Using ad-hoc naming for admin accounts (e.g., bob123@company.com instead of bob.teams@company.com) causes confusion. Unclear account purposes complicate audits and role assignments. Adopt a standard naming convention (e.g., [username].[role]@company.com or admin.[role]@company.com) and document it in the role tracker for consistency.
Example: An IT team struggled to track admin accounts due to random naming. Standardizing to admin.[role]@company.com streamlined audits and reduced errors.
4. Ignoring Break Glass Account Security
Using break glass accounts for routine tasks or failing to monitor them risks unauthorized access during crises. To prevent misuse or compromise, restrict break glass accounts to emergencies, as outlined in the second article, and monitor all logins via Microsoft Purview alerts. For example, set an alert for any login to breakglass@company.com to detect unauthorized use.
Example: A company used its break glass account for daily tasks, leading to a security breach. After restricting its use and enabling alerts, they regained control.
Mitigation Strategies
To prevent these errors, adopt proactive role management practices that enhance security and efficiency. Automating reviews, training admins, monitoring activity, and standardizing processes create a robust framework for Microsoft 365 administration. These strategies not only address immediate risks but also build long-term resilience against evolving threats and compliance requirements.
Automate Role Reviews: Use Entra ID Access Reviews or PowerShell scripts to flag stale roles.
Train Admins: Educate admins on role scopes and the importance of dedicated accounts.
Monitor Activity: Regularly check Purview Audit Logs for unusual role assignments or access patterns.
Standardize Processes: Use checklists and trackers for role assignments, transitions, and reviews.
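A small review script covers the first two errors above (too many Global Administrators, and role holders who are stale or disabled); the block below is an added example with the Microsoft Graph PowerShell SDK, not code from the original article, and takes the 5-admin ceiling and 90-day window from the article. The SignInActivity property it reads is only populated on tenants with an Entra ID P1 or P2 license.

```powershell
# Added example (not from the original article): flag over-provisioned and stale Global Admins.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All"

$maxGlobalAdmins = 5     # upper end of the 2-5 range the article recommends
$staleAfterDays  = 90    # review window used elsewhere in the article
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# Directory roles appear here once activated in the tenant; Global Administrator always is
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users have sign-in activity
    if ($m.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') {
        [pscustomobject]@{ Principal = $m.Id; Type = 'non-user'; LastSignIn = $null
                           Finding = 'Review: non-user principal holds Global Admin' }
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property DisplayName,UserPrincipalName,AccountEnabled,SignInActivity
    $last = $u.SignInActivity.LastSignInDateTime
    $finding = if (-not $u.AccountEnabled) { 'Disabled account still holds Global Admin' }
               elseif (-not $last)         { 'No recorded sign-in (check licensing)' }
               elseif ($last -lt $cutoff)  { "Stale: no sign-in for $staleAfterDays+ days" }
               else                        { 'OK' }
    [pscustomobject]@{ Principal = $u.UserPrincipalName; Type = 'user'
                       LastSignIn = $last; Finding = $finding }
}

if ($members.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($members.Count) Global Administrators; target is at most $maxGlobalAdmins"
}
$report | Sort-Object Finding | Format-Table -AutoSize
$report | Where-Object { $_.Finding -ne 'OK' } |
    Export-Csv -Path "GlobalAdminReview.csv" -NoTypeInformation
```

Anything other than "OK" in the CSV is a candidate for the quarterly review described above, either reassigning the holder to a scoped role or removing the assignment.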
Conclusion
This article has provided a comprehensive guide to managing administrator transitions and avoiding common role management errors in Microsoft 365. By following the step-by-step offboarding process—revoking access, transferring roles, and auditing activities—you can mitigate security risks, ensure operational continuity, and maintain compliance with regulations like GDPR and HIPAA. Additionally, addressing pitfalls such as over-reliance on Global Administrators, neglecting role reviews, inconsistent naming, and misusing break glass accounts strengthens your tenant’s security posture and reduces vulnerabilities.
Take action now to implement these strategies in your organization. Review your current role assignments, standardize account naming, and schedule regular audits to maintain a secure environment. Share your experiences or questions in the comments below, and join us next Tuesday for the final article in this series, where we’ll explore advanced techniques like Privileged Identity Management (PIM), custom role creation, periodic audits, and monitoring to further enhance your Microsoft 365 administration.
References
Part 1 - Understanding Microsoft 365 Admin Roles A Beginner’s Guide: https://intranetfromthetrenches.substack.com/p/understanding-microsoft-365-admin-roles-a-beginners-guide
Part 2 - Create Secure Microsoft 365 Admin and Break Glass Accounts: https://intranetfromthetrenches.substack.com/p/create-secure-microsoft-365-admin-and-break-glass-accounts
Part 4 - Beyond Basics with PIM, Custom Roles, Audits, and Monitoring for M365 Accounts Management: https://intranetfromthetrenches.substack.com/p/beyond-basics-with-pim-custom-roles-audits-and-monitoring-for-m365-accounts-management
Offboarding Administrators: A Step-by-Step Process PDF document: https://1drv.ms/b/c/64c5611b950bc10c/Eeozf-iOoB1Dm8KWyh6H-5YBCt_Jz0EnVX7QU3K33Fsfdw?e=TXWBAL
Search the audit log: https://learn.microsoft.com/en-us/purview/audit-search
What are access reviews?: https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview