Microsoft 365 Offboarding: Secure OneDrive & Mailbox Data


When an employee leaves, proper Microsoft 365 offboarding is crucial to protect data. Failure to follow the correct procedure may result in the loss or exposure of OneDrive and mailbox data. This manual outlines the best ways to limit access, enforce retention policies, transfer files, and supervise mailboxes and OneDrive accounts to ensure compliance and continuous functionality.

Why Manage OneDrive and Mailbox Data?

OneDrive and Exchange mailboxes are tied to user accounts and are deleted once an employee leaves and their account is removed. While organizational data should ideally reside in SharePoint or Teams, employees frequently store critical files and communications in OneDrive and mailboxes.

Failure to properly offboard users can result in:

  • Data loss – Important emails and files may be permanently deleted.
  • Compliance risks – Legal and regulatory requirements may mandate data retention.
  • Operational inefficiencies – Teams may lose access to essential information.

Scenario:

Imagine a situation where a team urgently needs access to an ex-employee’s emails or files, but their OneDrive and mailbox have already been deleted. Without a proactive approach, recovering this data could be difficult or impossible. How do you prevent this? By following a structured offboarding process.

Please be aware that this blog concentrates on securing Mailbox and OneDrive data during the employee offboarding process. Additional steps will be involved in your offboarding journey.

Step 1: Block User Access to Microsoft 365

The first step in the Microsoft 365 offboarding process is to block the departing employee’s sign-in access while ensuring their data remains available for administrative actions. User access can be blocked from the Microsoft 365 Admin Center.


Screenshot of the block user sign-in screen in the Microsoft 365 Admin Center.

Developing a comprehensive Microsoft 365 offboarding strategy is essential for organisations to safeguard their data integrity.

At this stage:

  • ✅ The user’s OneDrive and mailbox remain active.
  • ✅ The employee can no longer access their account.
  • Admins can still retrieve files and emails before deletion.

No risk of data loss yet, as the content remains intact.

🔗 Refer to: Prevent a former employee from logging in and block access to Microsoft 365 services | Microsoft Learn

Step 2: Reassign Access to another User/Admin Before Deletion

The second step of the Microsoft 365 offboarding process comes before removing the license or deleting the account: determine whether access to the ex-employee’s data is needed for business continuity. Note that some privacy laws restrict employer access to personal emails and files.

Mailbox Options

The mailbox changes can be managed from the Microsoft 365 Admin Center.

  • Export emails to a PST file before deletion.
  • Convert to a Shared Mailbox (free if under 50GB; larger shared mailboxes require a license).
  • Set up an auto-reply to inform contacts about the employee’s departure.

Screenshot of the mail settings for a user account in the Microsoft 365 Admin Center. Here, you can forward emails, set automatic replies, and convert the account to a shared mailbox.

OneDrive Options

The OneDrive can be reassigned from the Microsoft 365 Admin Center.

  • Reassign access to another employee before deletion.
  • Move/copy OneDrive files to SharePoint or another secure location.

Screenshot of the OneDrive settings for a user account in the Microsoft 365 Admin Center. Here, you can create a link to allow others access to the user’s OneDrive.

⚠️ Risk of Data Loss: If the new OneDrive owner doesn’t act, files may be deleted 30 days after account deletion.


Step 3: Apply Retention Policies or Holds

The third step in the Microsoft 365 offboarding process is to decide if the ex-employee’s mailbox or OneDrive data needs to be retained for compliance or legal purposes. Purview Retention policies and holds ensure that critical business data isn’t lost. Without them, OneDrive and mailbox data follow standard deletion timelines.

Retention impact

| Retention Policy/Hold | Mailbox Effect | OneDrive Effect |
|---|---|---|
| No Hold Applied | Mailbox follows standard deletion timeline (deleted 30 days after license removal). | OneDrive follows standard deletion timeline (deleted 30 days after license removal, but can be configured). |
| Litigation Hold/eDiscovery Hold | Becomes an Inactive Mailbox, retaining all data until the hold is removed. | OneDrive is not affected by Litigation Hold; an eDiscovery Hold is required. |
| Retention Policy (Retain & Delete) | Holds each email for a defined period, then permanently deletes it. *1 | Holds OneDrive file for a defined period, then permanently deletes it. |
| Retention Policy (Retain Only) | Retains mailbox content indefinitely until manually deleted. *1 | Retains OneDrive content indefinitely until manually deleted. |
| Searchability | Admins can search for mailbox content via Purview eDiscovery. | Admins can search for OneDrive content via Purview eDiscovery. |

⚠️ Retention policies and holds must be applied before license removal or account deletion. If the account has already been deleted, you can restore it within 30 days to apply retention settings.

*1 Workloads stored in the user mailbox

The user’s mailbox stores compliance copies from the following workloads, which have separate retention policies.

  • Exchange email
  • Teams chat messages
  • Copilot interactions
  • Teams private channel messages
  • Viva Engage user messages

Screenshot showing the list of locations in a Purview retention policy, with the highlighted ones stored in the user mailbox.

Considerations when creating retention policies

⚠️ Risk: Data can remain in Inactive Mailboxes and Unlicensed OneDrives forever when the retention policy does not have a retain and delete action, or when some workloads in the mailbox are not subject to a retention policy.

Best practices: Create a retention policy with a retain and delete action for all workloads in the user mailbox.


Step 4: Remove the User’s License

The fourth step of the Microsoft 365 offboarding process is to remove the Microsoft 365 license so that the organization can reallocate it. This step impacts mailbox and OneDrive data. The user is still shown in the list of Active users, but as Unlicensed.

Screenshot of the Active users list in the Microsoft 365 Admin Center, showing that a user is unlicensed.

Impact of License Removal

| License Removal | Mailbox Effect | OneDrive Effect |
|---|---|---|
| No Retention Policy | Becomes a Disabled Mailbox (deleted after 30 days). | Becomes an Unlicensed OneDrive (deleted after 93 days). |
| Retention Policy Applied | Mailbox remains as an Active Mailbox. Admins can search for mailbox content via Purview eDiscovery. | OneDrive becomes an Unlicensed OneDrive stored in Archive (cost $0.05/GB/month). Admins can search for OneDrive content via Purview eDiscovery. OneDrive must be restored to recover files (cost $0.60/GB). |

⚠️ Disabled mailboxes cannot be accessed via eDiscovery or admin tools. The only recovery option is to reassign a license within 30 days.
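
A scripted gate for the ordering that Steps 1, 3 and 4 depend on (an added example, not part of the original post or Microsoft's tooling): it refuses to remove licenses unless sign-in is blocked and something retains the mailbox. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules with sessions already connected, and reads hold entries in the prefix and suffix format Microsoft documents for the InPlaceHolds property; the UPN is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules, with Connect-MgGraph (User.ReadWrite.All)
# and Connect-ExchangeOnline already run. The default UPN is a placeholder.
param(
    [string]$Upn = 'leaver@contoso.example',
    [switch]$RemoveLicense   # report only unless this switch is given
)

$user = Get-MgUser -UserId $Upn -Property Id,AccountEnabled,AssignedLicenses
$mbx  = Get-Mailbox -Identity $Upn

# Entries on the mailbox: eDiscovery holds and retention policies scoped to it.
# A leading '-' marks an exclusion from an org-wide retention policy.
$excluded = @($mbx.InPlaceHolds | Where-Object { $_ -like '-mbx*' }) -replace '^-|:\d$'
$direct   = @($mbx.InPlaceHolds | Where-Object { $_ -notlike '-*' })
# Org-wide retention policies that cover Exchange mailboxes carry an 'mbx' prefix.
$orgWide  = @((Get-OrganizationConfig).InPlaceHolds | Where-Object {
    $_ -like 'mbx*' -and ($_ -replace ':\d$') -notin $excluded })

# Retention-policy entries end in :1 (delete only), :2 (retain only) or
# :3 (retain, then delete). Delete-only policies do not preserve anything.
$retaining  = @(($direct + $orgWide) | Where-Object { $_ -notmatch ':1$' })
$retainOnly = @($retaining | Where-Object { $_ -match '^(mbx|skp).*:2$' })

$blockers = @()
if ($user.AccountEnabled) { $blockers += 'Step 1: sign-in is not blocked.' }
if (-not $mbx.LitigationHoldEnabled -and $retaining.Count -eq 0) {
    $blockers += 'Step 3: nothing retains this mailbox; it would become a Disabled Mailbox.'
}

# OneDrive locations are not inspected here; confirm those in Purview.
if ($mbx.LitigationHoldEnabled -and $retaining.Count -eq 0) {
    Write-Warning 'Only Litigation Hold found: it does not cover OneDrive.'
}
if ($retainOnly.Count -gt 0) {
    Write-Warning "Retain-only policy in scope ($($retainOnly -join ', ')): no delete action."
}

if ($blockers.Count -gt 0) {
    $blockers | ForEach-Object { Write-Warning "BLOCKED - $_" }
    return
}
if ($RemoveLicense -and $user.AssignedLicenses.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @{} `
        -RemoveLicenses @($user.AssignedLicenses.SkuId)
}
```

Run it without `-RemoveLicense` first to see the warnings for an account; the switch only takes effect when no blocker is reported.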


Step 5: Delete the User Account

The final step of the Microsoft 365 offboarding process is to delete the user account in Microsoft 365, once the necessary retention policies and access reassignments are in place.

Screenshot of the Deleted users list in the Microsoft 365 Admin Center.

Impact of Account Deletion

| Account Deletion | Mailbox Effect | OneDrive Effect |
|---|---|---|
| No Retention Policy | Mailbox is deleted after 30 days. | OneDrive is deleted after 30 days (retention can be extended up to 3650 days). |
| Retention Policy Applied | Mailbox remains as an Inactive Mailbox. Admins can search for mailbox content via Purview eDiscovery. | OneDrive becomes an Unlicensed OneDrive stored in Archive (cost $0.05/GB/month). Admins can search for OneDrive content via Purview eDiscovery. OneDrive must be restored to recover files (cost $0.60/GB). |


Impact to the User’s Mailbox and OneDrive data for each step

| Step | Mailbox | OneDrive | Notes |
|---|---|---|---|
| Step 1: Block User Access | Active (Licensed) Mailbox | Active (Licensed) OneDrive Account | User access is blocked. Data remains accessible to admins. |
| Step 2: Reassign Access | Can be converted to a Shared Mailbox (if needed) | Can grant access to another user | ⚠️ In some countries, privacy laws may block or limit the employer reassigning access to a user’s mailbox and OneDrive, as this is seen as personal data. |
| Step 3: Apply Retention or Hold | eDiscovery hold on mailbox; Litigation hold on mailbox; Retention policy with a RETAIN and DELETE step for each workload in Mailbox. | eDiscovery hold; Retention with a RETAIN and DELETE step for OneDrive location. | ⚠️ Holds must be applied before license removal or account deletion to retain data. The mailbox is split into separate workloads for retention policies. ⚠️ For retention policies, if you do not include the delete step the data will be retained forever. |
| Step 4: Remove License – No hold | Becomes a Disabled Mailbox. Deleted after 30 days. | Becomes Unlicensed OneDrive. Deleted after 93 days. | ⚠️ Data will be deleted unless Holds or Retention policies are in place. |
| Step 5: Delete User Account – No Hold | Becomes a Soft Deleted Mailbox. Deleted after 30 days. | Becomes Unlicensed OneDrive. Deleted after 30 days by default (can be changed). If the period is longer than 93 days, it is moved to Archive 💰 | ⚠️ Data will be deleted unless Holds or Retention policies are in place. |
| Remove license/Delete User Account – eDiscovery/Litigation hold | Retained as an Inactive Mailbox until the data is released from Hold. Then the Inactive Mailbox is deleted. | Retained as an Unlicensed OneDrive in Archive until the data is released from Hold. Then the Unlicensed OneDrive is deleted. Storage costs if you need to access data 💰 ($0.05/GB/month). | ⚠️ The Hold impacts the whole mailbox or OneDrive. Once the Hold is removed, the data is deleted unless subject to other Holds or Retention policies. |
| Remove license/Delete User Account – Retention policy Retain + Delete | Retained as an Inactive Mailbox. As items are released from Hold they are deleted. Once the Inactive Mailbox is empty it is deleted. | Retained as an Unlicensed OneDrive in Archive. As items are released from Hold they are deleted. Once the Unlicensed OneDrive is empty it is deleted. Storage costs if you need to access data 💰 ($0.05/GB/month). | ⚠️ The Retention policy holds are calculated for each item based on the created date or last modified date (files only). |
| Remove license/Delete User Account – Retention policy Retain only | Retained as an Inactive Mailbox. As items are released from Hold there is no deletion action, so the items remain in the Inactive Mailbox forever. An admin can manually delete the Inactive Mailbox once free of all retention on the content. | Retained as an Unlicensed OneDrive in Archive. As items are released from Hold there is no deletion action, so the items remain in the Unlicensed OneDrive forever. An admin can manually delete the Unlicensed OneDrive once free of all retention on the content. | ⚠️ You are at risk of retaining data forever. 💰 ($0.05/GB/month). |

⚠️ Unlicensed OneDrive storage costs apply to all Unlicensed OneDrives as soon as you need to search for or restore an Unlicensed OneDrive, that is, if you need to access data.

Summary

A well-defined offboarding process in Microsoft 365 is essential for protecting sensitive data, minimizing storage costs, and ensuring compliance. Properly managing departing users helps secure business-critical information stored in mailboxes and OneDrive for Business before departure, while also aligning with data retention policies. This approach reduces the risk of unauthorized access and helps control unlicensed OneDrive storage costs by retaining only necessary data and deleting what is no longer required.

Key steps include:

  • Block User Access – Immediately prevent unauthorized sign-ins while preserving admin access to data.
  • Reassign Access – Transfer important emails and files to another user before data is deleted.
  • Apply Retention Policies or Holds – Use retention policies with retain and delete actions to meet legal or business requirements.
  • Remove Microsoft 365 License – Unlicensed mailboxes and OneDrive accounts follow automatic deletion timelines.
  • Delete User Account – Deleted accounts can be restored within 30 days, while retention policies ensure long-term data preservation.

By proactively managing offboarding, organizations can reduce storage costs, minimize data loss, maintain compliance, and strengthen overall data security.

FAQ

Q: What happens to the mailbox when a user’s Microsoft 365 license is removed?
A: The mailbox becomes a Disabled Mailbox and is deleted after 30 days, unless a hold is applied.

Q: How long is the mailbox data kept after the user account is deleted?
A: 30 days, unless a retention policy is applied.

Q: What happens to an inactive mailbox?
A: It retains data per the applied retention policy. Admins can search for mailbox content via Purview eDiscovery.

Q: What happens to OneDrive when a user’s Microsoft 365 license is removed?
A: The OneDrive becomes unlicensed and is moved to the recycle bin after 93 days for deletion, unless a hold is applied.

Q: How long is the user’s OneDrive data kept after an employee leaves?
A: 30 days, unless a retention policy is applied. Note the deleted user retention policy is configurable.

Q: What is the impact of an archived OneDrive?
A: It retains data per policy but incurs a storage cost of $0.05/GB/month. Admins can search for OneDrive content via Purview eDiscovery. Restoration costs $0.60/GB for 30 days.

Q: What is the impact of retention policies and holds on mailbox and OneDrive data?
A: Holds can be applied to user mailboxes and OneDrives to retain data for compliance or legal reasons. If a hold is applied before deletion, the mailbox becomes Inactive and retains data until the hold is lifted. For OneDrive, data is retained even if OneDrive is archived.

Q: What is the impact of a retention policy with just a retain action on mailbox and OneDrive data?
A: When a retention policy with just a retain action is applied, the data remains indefinitely, even after the hold is released. 

Q: What happens if I do not apply retention policies to all workloads stored in the user’s mailbox?
A: The data not subject to a retention policy are retained indefinitely. 
