Offboarding in a Small Office: The 15-Minute Access Cleanup

When an employee leaves your small office, their Microsoft 365 account stays active until someone turns it off. This checklist covers every step — from blocking sign-in to resetting shared passwords — in about 15 minutes.

Elevate Solutions
June 26, 2026 · 5 min read

An employee gives notice — or is let go — and the workday keeps moving. By the time you get around to their accounts, they may still have active access to your email, client files, and every system connected to their Microsoft 365 login. That window is where most small-office access problems start.

If you are running Microsoft 365 Business Premium, you can close that window in about 15 minutes without calling anyone. Here is exactly how.

The short answer: Blocking a departing employee's Microsoft 365 sign-in immediately cuts off email, Teams, SharePoint, and most connected apps in one step. A complete cleanup — shared password resets, device retrieval, and license removal included — takes roughly 15 minutes in the Microsoft 365 Admin Center.

What you need before you start

You need admin access to your Microsoft 365 tenant. If you manage it yourself, you already have it. If an IT provider manages it, confirm now — before anyone gives notice — that you have a delegated admin account set up for offboarding. Finding out you lack access on the day you need it is a common, avoidable problem.

The 15-minute checklist

Work through these steps in order. The first two matter most; the rest each take under a minute.

  1. Block sign-in. In the Microsoft 365 Admin Center, go to Users > Active Users, open the employee's account, and select Block sign-in. This cuts off email, Teams, SharePoint, OneDrive, and any app using their Microsoft identity. Do this first, before anything else.
  2. Revoke active sessions. Blocking sign-in stops new logins but does not immediately disconnect live sessions already open on their devices. On the same screen, select Revoke sign-in sessions. This forces a sign-out across every device where they are currently logged in.
  3. Reset the password. Even with sign-in blocked, reset the password. It takes two seconds and invalidates any saved or shared credentials tied to that account.
  4. Remove or reassign the license. Under Licenses and apps on the user's profile, remove the Microsoft 365 license. This stops billing for that seat and disables the full app suite. If you need to keep their mailbox data accessible first, handle the next step before removing the license.
  5. Handle the email. Decide now: forward incoming mail to a manager, or convert the account to a shared mailbox. A shared mailbox is usually the right call for a small office — it keeps the full message history accessible to authorized staff at no additional seat cost once the license is removed.
  6. Remove them from groups and distribution lists. In the Admin Center under Groups, remove the employee from every distribution list and Microsoft 365 group they belonged to.
  7. Check Teams and SharePoint. Remove them from any Teams channels and review SharePoint sites where they had individual permissions beyond the defaults.
  8. Retrieve or wipe the device. Collect any company-issued laptop, phone, or tablet before they leave. If the device is enrolled in Microsoft Intune — included with Business Premium — you can trigger a remote wipe from Devices in the Admin Center when in-person retrieval is not possible.
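
Steps 1, 2, 5 and 4 of the checklist, scripted with Microsoft Graph PowerShell and Exchange Online PowerShell. This is an added example, not part of the original article. It assumes the standard case, both modules installed, and licenses assigned directly to the user rather than through a group; the password reset, device, and Teams/SharePoint steps stay in the Admin Center.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules and an admin account allowed to manage users.
param(
    [Parameter(Mandatory)]
    [string] $UserPrincipalName   # the departing employee's sign-in address
)
$ErrorActionPreference = 'Stop'   # halt on the first failed step

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, AccountEnabled

# Step 1: block sign-in.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: revoke refresh tokens so sessions already open are signed out.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Confirm the block took effect before going further.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($check.AccountEnabled) { throw "Sign-in is still enabled for $UserPrincipalName" }

# Step 5 before step 4: convert to a shared mailbox while the license is attached.
Set-Mailbox -Identity $UserPrincipalName -Type Shared
$mailboxType = (Get-Mailbox -Identity $UserPrincipalName).RecipientTypeDetails
if ($mailboxType -ne 'SharedMailbox') {
    throw "Mailbox is '$mailboxType', not shared yet; rerun before removing the license."
}

# Step 4: remove every license assigned directly to the user.
$skuIds = @(Get-MgUserLicenseDetail -UserId $user.Id | ForEach-Object SkuId)
if ($skuIds.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
}

# Step 6 worklist: groups and lists the account still belongs to.
Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object
```

The final listing is read-only; use it as the worklist for removing the account from groups and distribution lists in step 6.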

Shared passwords are not covered by any of this

Blocking a Microsoft 365 account does nothing to credentials outside that system. If the departing employee had access to a billing portal, a shipping account, a social media login, or any other service with its own username and password, change those now. Make a written list of every shared account your office uses and keep it somewhere only current staff can reach. Offboarding is the right moment to build that habit if you have not already.

Physical access takes two minutes and often gets skipped

Collect any keys, key cards, or door codes before the employee leaves. If your office uses a shared door code rather than individual credentials, change the code. It is a small step that is easy to forget when the rest of the day is busy.

When to call IT instead of doing this yourself

This checklist covers the standard case. If the departure is involuntary, if the employee held admin-level access, or if there is any reason to think data was copied or deleted before they left, stop and call your IT provider before clicking through the Admin Center. Acting without guidance in those situations can overwrite evidence that may matter later — with clients, regulators, or in a legal dispute.

A dedicated team that knows your environment can run a controlled offboarding in sensitive cases and document every step in a way that holds up if questions arise.

Frequently asked questions

What is the single most important step when an employee leaves?

Block their Microsoft 365 sign-in first. It immediately cuts off email, Teams, SharePoint, OneDrive, and any app connected to their Microsoft identity. Everything else follows from there.

Do I need to delete the account right away?

No. Blocking sign-in and removing the license is enough to stop access. Most offices wait 30 to 90 days before permanently deleting the account to make sure nothing important is lost. Deletion is irreversible once the grace period ends.

What if the employee used a personal phone for company email?

Revoking sessions and blocking sign-in will sign them out on personal devices as long as they used the Microsoft Outlook app or a browser. Devices configured with basic IMAP or POP settings may not disconnect automatically — which is one more reason to reset the account password in the same sitting.

When should I call IT instead of handling this myself?

Call your IT provider if the departure is involuntary, if the employee had admin access, or if you suspect data was taken. Acting without guidance in those situations can overwrite evidence you may need later.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions