Nowadays I started concentrating more on compliance for an organization, I often come across with situation that the employee leaves the organization & we need to back up their data for compliance. But just taking back up not going to meet the compliance requirement. What if User:
- Has mobile device connected?
- Multiple Outlook Profile configured at home?
- What if he is deleting the data from the day he started serving notice?
There are lot more things concern administrator and management when user leaves organization. So we should be more careful when we deal with this situation. So how to deal with this situation? How about saving the license? How to save the data without losing them? For all your question this article might shed some light.
Below are the few steps to be followed:
- When the user starts serving notice enable LitigationHold for their mailbox? 1 (Requires Enterprise License)
- Reset their password
- Disable OWA (Only to terminate access immediately)
- Disable all protocols (MAPI, IMAP, POP, Mobile Devices)
- Gain access to their mailbox and take a PST data.
- As an optional, you can also export their PST using discovery search
- Remote wipe all devices
- Convert into Shared Mailbox
- Enable Automatic reply to that mailbox
- Delete the Mailbox
- Assign license to other users.
- Mail redirect can also be enabled to ensure we don’t miss out future mails
Note: Not all points above are mandatory, it is based on your requirement. You can skip some of them based on requirement.
LitigationHold, Disable Protocols & Enable FullAccess & Forwarding:
Enabling this feature will ensure that the items are preserved, Deleted & Modified items are preserved for a specific period or until it is removed from hold. It holds the data with original and modified versions.
How to enable using ECP?
- Login to ECP
- Recipients -> Mailboxes
- Locate left user Mailbox
- Click on Edit (
Icon)
- Mailbox Features -> Click on Enable under LitigationHold.
Leave this window open here you can also disable all other protocols, and forwarding so that (Step 3,4 & 12 is achieved)
Disable:
- OWA
- IMAP
- POP
- MAPI
- Exchange ActiveSync
- Disable OWA for devices
Under Mobile Devices click on View Details, this will show up all devices connected for this account. Wipe it completely.
Note: Remote wipe will reset the mobile to factory settings, hence personal & corporate data will be wiped.
Later if required we can enable OWA to see the emails, this is to ensure that user should lose an access immediately, because Outlook and other sessions will still be alive for 72 hours after Reset Password
Same screen click on “Delivery Options” and enable forwarding if required. So that all new mails will be forwarded.
Note : How long the session can be alive in Office 365, Please refer to Session timeouts for Office 365
In the same window, Click on Mailbox Delegation & Provide FullAccess permission to yourself or any other user as per requirement.
Convert into Shared Mailbox
Since Microsoft doesn’t charge for Shared Mailbox, So to save license and to assign to new user, also to enable automatic reply for the left user account we can use shared mailbox.
Note: Mailbox should be smaller than 10GB to convert into shared.
In the ECP Portal, after click on Left user mailbox on right hand side this option can be changed:
After enabling FullAccess to Shared Mailbox, simply access it from OWA (If enabled) and enable Automatic reply. Else it can be enabled using Powershell.
Delete user Mailbox
- Logon on User Page
- Locate left user
- Right Pane -> Click on delete
You can use this script to check to which Distribution user is member of.
Assign the License to new User
This is simple process as while creating new user the revoked license can be assigned to new user.
Additonally, You can assign this email address to other user or create distribution group with same email address and forward it to multiple users. If there are any other requirement or questions feel free to comment below.
Other references:
LitigationHold & Discovery Search