Cybersecurity · May 19, 2026 · 7 min read

Your ex-employee still has access to everything. Here's how to fix it in 15 minutes.

A practical Microsoft 365 offboarding checklist for small businesses in Southeast Wisconsin.

Pull up your Microsoft 365 admin center right now. Look at your active users list. Count how many of those people still work for you.

For most small businesses I audit, that number is wrong. Sometimes wildly wrong.

I onboarded a 12-person law firm in Brookfield last year. Their active M365 user list had 19 accounts. Seven of those people had left the firm. One had been gone since 2022. He still had access to the shared client files drive, the firm's password manager, and his old mailbox was quietly forwarding copies of incoming mail to a Gmail address nobody currently at the firm recognized.

That's the default state of a small business that doesn't have someone watching this stuff. When someone leaves, the obvious things get handled - laptop returned, keys collected, payroll updated, alarm code changed if anyone remembers. The digital access trails behind, often for years.

Here's the part that matters: it doesn't really matter whether the ex-employee is malicious or whether you just have messy IT. Active access is active access. If that account gets compromised, or if the person ever decides to log in and look around, you have the same problem either way.

You can check the biggest items in about 15 minutes per former employee.

The 15-minute employee offboarding checklist

Work through these in order. Most of them take less than two minutes each once you know where to click.

1. Block the account, but think before you delete

Admin center, Users, Active users. Find the person, click their name, reset their password, sign out of all sessions, then block sign-in. All three steps. Blocking sign-in alone can take time to fully apply, and it doesn't kill active sessions, so doing only that leaves a window open.

Don't delete the account yet. You probably still need the mailbox, the OneDrive contents, or both. Decide what happens to the data first:

  • Convert the mailbox to a shared mailbox so the team can still reach old emails
  • Reassign their OneDrive to their manager so files don't get orphaned
  • Pull anything HR or legal needs to keep

Once that's handled, you can decide on deletion. Deleted user data only sticks around for 30 days, so deletion-first is how small businesses lose things they later need.
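
The same three steps in PowerShell, in the order given above, followed by the shared-mailbox conversion. This is an added example, not part of the original article. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; the function name `Lock-DepartedUser` and the mailbox address are placeholders.

```powershell
# Assumes Connect-MgGraph and Connect-ExchangeOnline have already been run
# by an account that is allowed to manage users and mailboxes.
function Lock-DepartedUser {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName

    # 1. Reset the password to a random value that nobody knows.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes) + 'aZ9!'   # suffix covers every character class
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $password
        ForceChangePasswordNextSignIn = $true
    }

    # 2. Sign out of all sessions (invalidates the refresh tokens already issued).
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Block sign-in.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # Keep the data: convert the mailbox to shared rather than deleting the account.
    Set-Mailbox -Identity $UserPrincipalName -Type Shared

    # Read the state back so the result is confirmed, not assumed.
    $check = Get-MgUser -UserId $user.Id -Property UserPrincipalName, AccountEnabled
    $mbx   = Get-Mailbox -Identity $UserPrincipalName
    [pscustomobject]@{
        User           = $check.UserPrincipalName
        AccountEnabled = $check.AccountEnabled
        MailboxType    = $mbx.RecipientTypeDetails
    }
}

# Placeholder address; substitute the departed user's sign-in name.
Lock-DepartedUser -UserPrincipalName 'former.employee@contoso.example'
```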

2. Check mail forwarding rules

This is where it gets ugly.

Forwarding can live in two places, and people miss the second one constantly. First check the mailbox-level forwarding setting (Users, click the user, Mail tab, Manage email forwarding). Then open the mailbox itself and check the user's own inbox rules.

External forwarding is the dangerous one. A rule that ships everything to a Gmail address, or just everything containing "invoice" or "quote," is invisible until someone goes looking for it. I have seen a disgruntled former employee set one of these up that ran for nine months before anyone noticed. Their new employer happened to be a competitor.

Microsoft has tenant-level controls to block external auto-forwarding by default. If you have not turned that on, do it today. (We covered the broader pattern of these inbox-based attacks in "Why email scams are costing Wisconsin small businesses more than ransomware.")
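
A way to check both forwarding locations for one mailbox from Exchange Online PowerShell, plus the tenant-level setting. This is an added example, not part of the original article. The function name `Get-ForwardingFindings`, the mailbox address and the domain are placeholders.

```powershell
# Requires the ExchangeOnlineManagement module; run Connect-ExchangeOnline first.
function Get-ForwardingFindings {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,
        [Parameter(Mandatory)] [string[]] $InternalDomains   # your own mail domains
    )

    # Emit one finding per SMTP address in $value; External = the domain is not yours.
    # Rule targets that are internal Exchange recipients carry no SMTP address and are skipped.
    $report = {
        param($location, $detail, $value)
        foreach ($m in [regex]::Matches("$value", '[\w.+-]+@[\w.-]+')) {
            [pscustomobject]@{
                Mailbox  = $Mailbox
                Location = $location
                Detail   = $detail
                Target   = $m.Value
                External = $InternalDomains -notcontains $m.Value.Split('@')[1]
            }
        }
    }

    # Place 1: forwarding set on the mailbox itself (what the admin center shows).
    $mbx = Get-Mailbox -Identity $Mailbox
    & $report 'Mailbox setting' 'ForwardingSmtpAddress' $mbx.ForwardingSmtpAddress
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress points at a recipient object, often a mail contact.
        $target = Get-Recipient -Identity $mbx.ForwardingAddress
        & $report 'Mailbox setting' 'ForwardingAddress' $target.PrimarySmtpAddress
    }

    # Place 2: the user's own inbox rules, including disabled ones.
    foreach ($rule in (Get-InboxRule -Mailbox $Mailbox)) {
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            $detail = "rule '$($rule.Name)' ($prop, enabled=$($rule.Enabled))"
            & $report 'Inbox rule' $detail ($rule.$prop -join ' ')
        }
    }
}

# Placeholder mailbox and domain; substitute your own.
Get-ForwardingFindings -Mailbox 'former.employee@contoso.example' -InternalDomains 'contoso.example' |
    Format-Table -AutoSize

# Tenant-level control: how each outbound spam policy treats external auto-forwarding.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```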

3. Audit shared mailbox permissions

If you have a sales@, info@, accounting@, or hr@ shared mailbox, the former employee probably had Full Access or Send As permissions on it. Disabling their user account does not remove those permissions.

Microsoft 365 admin center, Teams & groups, Shared mailboxes. Open each one and check members, Read and manage, Send as, and Send on behalf permissions. Remove the ex-employee everywhere they appear.
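
The same audit across every shared mailbox at once, covering the three permission types listed above. This is an added example, not part of the original article. The function name `Get-SharedMailboxAccess` and the address are placeholders.

```powershell
# Requires the ExchangeOnlineManagement module; run Connect-ExchangeOnline first.
function Get-SharedMailboxAccess {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $user  = Get-Recipient -Identity $UserPrincipalName
    # Send on behalf entries are stored as recipient identifiers, so match on several.
    $names = @($user.Name, $user.Alias, $user.DisplayName, "$($user.PrimarySmtpAddress)")

    foreach ($shared in (Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited)) {
        $id     = "$($shared.PrimarySmtpAddress)"
        $rights = @()

        # Full Access ("Read and manage"), ignoring inherited system entries.
        $rights += @(Get-MailboxPermission -Identity $id -User $UserPrincipalName |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object { $_.AccessRights })

        # Send As.
        $rights += @(Get-RecipientPermission -Identity $id -Trustee $UserPrincipalName |
            ForEach-Object { $_.AccessRights })

        # Send on behalf.
        if ($shared.GrantSendOnBehalfTo | Where-Object { $names -contains "$_" }) {
            $rights += 'SendOnBehalf'
        }

        if ($rights.Count -gt 0) {
            [pscustomobject]@{
                SharedMailbox = $id
                User          = $UserPrincipalName
                Rights        = ($rights | ForEach-Object { "$_" }) -join ', '
            }
        }
    }
}

# Placeholder address; substitute the departed user's sign-in name.
Get-SharedMailboxAccess -UserPrincipalName 'former.employee@contoso.example'

# Removal, once the findings are reviewed (shared mailbox and user are placeholders):
# Remove-MailboxPermission   -Identity 'sales@contoso.example' -User 'former.employee@contoso.example' -AccessRights FullAccess -Confirm:$false
# Remove-RecipientPermission -Identity 'sales@contoso.example' -Trustee 'former.employee@contoso.example' -AccessRights SendAs -Confirm:$false
# Set-Mailbox -Identity 'sales@contoso.example' -GrantSendOnBehalfTo @{ Remove = 'former.employee@contoso.example' }
```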

4. Pull them out of SharePoint and OneDrive

This one is annoying because permissions get sprinkled around. Things to check:

  • SharePoint site memberships (SharePoint admin center)
  • Teams that have file libraries attached
  • The user's OneDrive, which often has business files that should not be locked inside one person's personal drive
  • External sharing links they created - those can keep working for the recipient even after the user is disabled

Reassign OneDrive ownership to their manager before you eventually delete the account. And run a sharing report to find external links that should be killed.

Simple rule: company data shouldn't live forever in a former employee's OneDrive. Move it to a proper SharePoint or Teams location while you still have access.

5. Change the shared passwords

This is the part Microsoft 365 won't fix for you, and it's where the real risk usually is.

Every small business has shared credentials somewhere. Wi-Fi. Alarm code. The vendor portal where five people share one login because the vendor charges per seat. The QuickBooks login that gets passed around. The domain registrar. The hosting account. The copier admin password. The shared browser passwords nobody remembers saving.

If you can name three accounts your team shares credentials on, you have at least three passwords to change.

This is the most-skipped step on the list, and the one with the worst downside. A Microsoft 365 account can be blocked in 30 seconds. A vendor portal that five employees still log into with the same password is a process problem, not a technical one.

While you're at it: replace shared logins with individual accounts wherever the vendor lets you. Then you never have to do this again when the next person leaves.

6. Recover the license cost

A Microsoft 365 Business Standard license is $12.50 per user per month. Three forgotten ex-employee licenses cost you $450 a year to host email nobody reads.

Once you've converted the mailbox to a shared mailbox (free under 50 GB) or extracted what you need, strip the license off the account. Keep the disabled user account itself, because it anchors the shared mailbox. Just remove the paid license. The credit shows up on your next invoice.

One forgotten license is a rounding error. Ten forgotten licenses across a few years is real money. If you want a sanity check on what you're paying for, our Microsoft 365 management service handles tenant hygiene like this on a recurring basis.

The "did we do this when Jake left?" test

Forward this to your business partner or your office manager. Pick the last three people who left your company. Go through the list for each one.

If you find anything still active, you have a small problem to clean up. If you find a forwarding rule, you have a bigger problem.

But the real question isn't whether you missed something this time. It's who's supposed to catch it next time.

When the next employee leaves, who disables the account? Who checks for forwarding rules? Who removes them from shared mailboxes? Who changes the Wi-Fi password? Who confirms the license was removed and the mailbox converted?

If the answer to any of those is "we figure it out when it comes up," you're going to be reading an article like this again in two years.

If you're in Southeast Wisconsin and you want a second set of eyes on what's still active in your tenant, that's something we do. No charge for a quick audit. Get in touch or call us at (262) 912-6404.

Nazar Loshniv is the founder of Powerful IT Systems, a managed IT and cybersecurity firm based in Sussex, Wisconsin, serving small and midsized businesses across the Milwaukee metro and Southeast Wisconsin.

Nazar Loshniv, Founder & CEO

Powerful IT Systems · Sussex, WI

Master's degree in Computer Science with 15+ years of hands-on IT experience serving Milwaukee-area businesses.
