When an employee departs from a company, flushing the account and taking the necessary actions on the associated content, based on company policy, is part of the offboarding procedure.
Associated Content Might Be Crucial to Your Organization:
OneDrive content stored by the target user remains for 30 days under the default retention period. You can restore the account within those 30 days; otherwise the data is permanently flushed. If the target user’s data is critical, you can move it to a different location (this can be performed within 30 days of account deletion).
Nevertheless, this doesn’t matter if the user has a Manager defined because, by default, the OneDrive content of a deleted user is automatically delegated to the Line Manager, who then has access to the content until the end of the retention period.
This is how the whole process would roll:
- An account is deleted from AD Sync or the Office 365 user list
- The deletion activity is synchronized to SPO (SharePoint Online)
- The OneDrive is then marked for deletion by the cleanup jobs, and the deleted identity continues to appear in Office 365 for 30 days (or whatever period is defined in the retention policy)
- If this user has a Manager defined in his profile, the Manager will receive an email with the access details for the deleted user’s OneDrive, and the Manager will have access until the end of the retention period. At the end of the retention period, the OneDrive jobs run and delete it.
- Reminder emails are sent to the relevant manager 7 days prior to the end of the retention period, and after those 7 days the user’s OneDrive is sent to the Site Collection Recycle Bin. The Site Collection Recycle Bin holds it for 93 days by default (3 months). During this period, no one has access to the shared content of this OneDrive, and you can only restore it using PowerShell.
- Content in the Site Collection Recycle Bin does not appear in search results, and an eDiscovery hold cannot locate any content that resides in the bin either.
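The last stage above can only be reversed from PowerShell. The script below is an added example, not part of the original post, that uses the SharePoint Online Management Shell to find a departed user's recycled OneDrive, report how long it has left, restore it and hand it to the manager. The tenant URLs, both user names and the 14-day warning threshold are placeholders and assumptions.

```powershell
# Added example. All values below are placeholders: replace with your own.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'   # hypothetical tenant admin URL
$MySiteHost  = 'https://contoso-my.sharepoint.com'      # hypothetical OneDrive host
$DepartedUpn = 'departed.user@contoso.com'              # hypothetical deleted user
$ManagerUpn  = 'line.manager@contoso.com'               # hypothetical new owner
$WarnDays    = 14   # assumed threshold for "close to permanent deletion"

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl    # interactive sign-in as a SharePoint admin

# A OneDrive URL is /personal/<UPN with every non-alphanumeric replaced by "_">.
$siteUrl = '{0}/personal/{1}' -f $MySiteHost, ($DepartedUpn -replace '[^a-zA-Z0-9]', '_')

# Deleted OneDrive sites are only listed when personal sites are requested.
$deleted = Get-SPODeletedSite -IncludeOnlyPersonalSite -Limit All |
    Where-Object { $_.Url -eq $siteUrl }

if (-not $deleted) {
    Write-Warning "No deleted OneDrive at $siteUrl (not yet recycled, or already purged)."
    return
}

# Report where the site is in the recycle bin window (93 days by default).
'{0} was deleted {1:u}; {2} day(s) left before permanent deletion' -f `
    $deleted.Url, $deleted.DeletionTime, $deleted.DaysRemaining
if ($deleted.DaysRemaining -le $WarnDays) {
    Write-Warning "Fewer than $WarnDays days remain for $($deleted.Url)."
}

# Bring the site collection back from the Site Collection Recycle Bin.
Restore-SPODeletedSite -Identity $deleted.Url

# The original owner no longer exists, so grant the manager site collection
# admin rights so the restored content can be reviewed and moved.
Set-SPOUser -Site $deleted.Url -LoginName $ManagerUpn -IsSiteCollectionAdmin $true
```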
However, you can customize the retention policy to reflect your needs and set your own duration, so that OneDrive holds a deleted user’s data for longer than the default 30 days. Go ahead and check this post for changing the “Retention Policy” of OneDrive.
Upon removal of the user identity, you can detach the licenses associated with the account to stop paying for them unnecessarily. This option will automatically remove the licenses from the target subscription. You can’t remove licenses from a subscription that has ongoing commitments (such as an annual commitment bought from a license partner). You will not be able to remove the licenses until your commitment period has completed.
Mailbox and Associated Aliases:
By default, a deleted mailbox is recoverable for 30 days, though this depends on your retention policy. To understand more on this, read the article – Delete or restore user mailboxes in Exchange Online.
You can delegate the mailbox of a deleted account to someone else (in most cases, the Manager), which makes it a Shared Mailbox. The new owner of the mailbox can then access it and monitor it for new messages. The Shared Mailbox object will appear under the Active Users list in Office 365.
In addition to that, you can also change the display name (this is recommended, so that you can easily identify the Shared Mailbox among the other identities in the Active Users list of Office 365). You may also turn on “Automatic Replies”. A default automatic reply comes out of the box when you enable it, but it’s up to you if you want to have a custom one.
If Active Directory is Hybrid, you have to perform the deletion from your local AD. Synchronized identities cannot be deleted from Office 365 accounts.
To remove an account:
- Sign in to Office 365 portal from your Admin account
- From the Admin Center, go to the Active user section and choose Users –> Active
- Select the target user and delete
Notes: There can be exceptions, such as users who have downloaded OneDrive or SharePoint content to their personal devices. There is no way to remove this type of content if the user has already downloaded it before the removal of the account, so ensure you take the necessary compliance actions across all formal and BYOD devices to avoid such compliance breaches. Microsoft Intune and the associated EMS tools can help you meet your needs in this respect.
For detailed steps of configuring automatic access delegation, refer to this article
DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.