Take Care When Deleting Users in Office 365

Today's blog post will be a quick one. Over the past few months, we've had several help requests from Office 365 customers, and I want to make sure that we get this information out there to the public. I am sure these issues are probably happening for folks all over the place.

Microsoft does not make it plainly obvious what will happen when a user's account is decommissioned. There are several ways to do this, so before you delete a user, please consider the following alternatives.

Changing the user's password and/or denying their ability to log in is certainly the easiest way to make sure that they can no longer access their account. Certainly, Active Directory admins will tell you this is standard practice in on-premises Windows networks.

Why? Because you just never really know what that user has access to that might be needed after they are gone.

Also, suppose the user is laid off today and re-hired in a few months; AD accounts have weird behavior when it comes to re-creating an account later on that has the same user name but a different SID. This can also be true in Office 365, which uses Windows Azure AD in the background to authenticate users.

So, the best policy for your sanity is don't delete users.

But, what about the license that user is consuming? Wouldn't it be best to unassign it so that you can stop paying for that extra E3 plan you no longer need?

Stop right there. Think about what you are doing for a moment. Firstly, you're committed to that license for a full year term, so there is certainly no rush. When you take away the user's license, it means their e-mail box is going to be de-provisioned exactly as if they had been deleted.

Our experience is that the user's email is the most likely thing that other people in the company are going to want/need access to after they are gone, so consider carefully if it can be safely deleted. A good alternative is to lock the user out, then delegate the mailbox to someone else and have them move the user's mail into a subfolder of their own mailbox. Don't forget to grab sent mail as well as received mail.

If you don't like the idea of filling up your mailbox, you can move the mail into a new Shared Mailbox, which doesn't consume a license, or download it to a PST instead. Once you have all the mail backed up and you go ahead and delete the user's account permanently, don't forget to put an alias on some other mailbox so that incoming mail for the user will be redirected to their supervisor, or wherever you want it to go.
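One way to script the lock-out and delegation described above, as an added example rather than anything from the original post. It converts the existing mailbox to a shared mailbox in place instead of copying mail into a new one (a swap from the approach in the text), assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell modules are installed, and uses constructed placeholder addresses:

```powershell
# Added example: offboard a leaver without deleting the account
# or removing the license. Both addresses are constructed placeholders.
param(
    [string]$Leaver   = 'leaver@example.com',
    [string]$Delegate = 'supervisor@example.com'
)

$ErrorActionPreference = 'Stop'   # abort on the first failed step

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Lock the user out. Blocking sign-in does not end sessions that are
#    already open, so revoke the refresh tokens as well.
Update-MgUser -UserId $Leaver -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Leaver | Out-Null

# 2. Confirm the mailbox exists before changing anything on it.
#    Get-Mailbox throws (and the script stops) if it cannot be found.
$before = Get-Mailbox -Identity $Leaver

# 3. Convert to a shared mailbox while the license is still assigned,
#    so the mailbox is never de-provisioned along the way.
if ($before.RecipientTypeDetails -ne 'SharedMailbox') {
    Set-Mailbox -Identity $Leaver -Type Shared
}

# 4. Delegate the mailbox to the person who needs the mail.
Add-MailboxPermission -Identity $Leaver -User $Delegate `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# 5. Read the state back. Only consider the license once the mailbox
#    really reports as shared; the change can take a moment to appear.
$after = Get-Mailbox -Identity $Leaver
if ($after.RecipientTypeDetails -ne 'SharedMailbox') {
    Write-Warning "$Leaver is still $($after.RecipientTypeDetails); leave the license assigned."
}

[pscustomobject]@{
    Mailbox     = $after.PrimarySmtpAddress
    Type        = $after.RecipientTypeDetails
    DelegatedTo = $Delegate
    SignIn      = 'Blocked'
}
```

The script deliberately stops short of removing the license or deleting the user; those stay manual decisions made after the summary object shows the mailbox as shared.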

Fortunately, Microsoft will hold the e-mail account in limbo for 30 days. So, if you have accidentally taken away the Exchange license you can add it back again. There is a risk that the mailbox might get permanently deleted during this limbo period, so if you're reading this now and are in this situation, stop reading our blog and go re-license the user immediately!

Okay, so that covers what happens when you remove the Exchange Online subscription from the user. If you deleted the user, things are a bit different. The user goes to the users and groups recycle bin and lives there for 30 days. You can safely undelete the user and everything will come back, but again there is a risk that the e-mail account would be permanently deleted at some point and Microsoft hasn't been 100% clear on what conditions increase that risk.

While your user is in the Deleted Users bin, it's kind of like that one episode of classic Star Trek where the villain turns the crew of the Enterprise into styrofoam dodecahedrons. (I suppose you ST-TNG fans might be more familiar with Q's "penalty box", but either metaphor works well if you ignore the fact that in Office 365 you can put everyone in the penalty box all at once.) Anyway, someone might come along and crush your users into powder using PowerShell, and if that happens you will never be able to rehydrate them again. No backup to restore from, nada, zilch, zippers, nuthin.

So, be careful how and when you delete, unlicense, or deprovision users. Hopefully you can avoid getting fired by someone who will come along and disable your Office 365 login. ;-)