When a team member leaves your organization, it’s critical to offboard them securely and efficiently. Here’s a step-by-step PowerShell-based offboarding process that covers:
✅ Disabling the user in Local Active Directory
✅ Disabling the Azure AD account
✅ Removing all licenses
✅ Disabling MFA
✅ Converting the mailbox to a shared mailbox
✅ Granting full mailbox access to the supervisor
Step 1 – Disable the User in Local Active Directory
# -Identity takes the sAMAccountName (or distinguished name / SID) of the on-premises account
Disable-ADAccount -Identity jdoe
Step 2 – Disable Azure AD User Account
# Set-AzureADUser belongs to the AzureAD module, so the session must be opened with Connect-AzureAD
# (Connect-AzAccount opens an Az session, where this cmdlet does not exist). The AzureAD module is
# deprecated in favour of Microsoft Graph PowerShell.
Connect-AzureAD
Set-AzureADUser -ObjectId [email protected] -AccountEnabled $false
Step 3 – Remove Microsoft 365 Licenses
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
$UserId = (Get-MgUser -UserId [email protected]).Id
# -RemoveLicenses expects SKU GUIDs, not the tenant:SKU strings used by the retired MSOnline module.
# Reading the SKUs currently assigned to the user removes all of them, which is the goal here.
$SkuIds = @((Get-MgUserLicenseDetail -UserId $UserId).SkuId)
if ($SkuIds.Count -gt 0) {
    Set-MgUserLicense -UserId $UserId -AddLicenses @() -RemoveLicenses $SkuIds
}
📝 If you only want to remove a specific license, pass that SKU's GUID (from Get-MgSubscribedSku) to -RemoveLicenses instead of the full list.
Step 4 – Disable MFA
# Clears legacy per-user MFA only; Conditional Access policies and security defaults are not affected.
# MSOnline is a retired module, so this step may need to move to Microsoft Graph in your environment.
Connect-MsolService
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @()
Step 5 – Convert Mailbox to Shared
Connect-ExchangeOnline
Set-Mailbox -Identity [email protected] -Type Shared
# Verify: (Get-Mailbox -Identity [email protected]).RecipientTypeDetails should now read SharedMailbox
Step 6 – Grant Supervisor Full Access to the Shared Mailbox
Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -InheritanceType All
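The six steps above, combined into one function with a verification check after each step. This is an added example, not code from the original post: it uses Microsoft Graph for the cloud-account and license steps (in place of the AzureAD module shown in Step 2), revokes the user's sign-in sessions when the account is disabled so existing tokens stop working, and converts the mailbox to shared before removing licenses, because Microsoft's guidance is to convert while the mailbox is still licensed. The module list, the placeholder identities (jdoe, example.com) and the assumption that the on-premises sAMAccountName maps to the cloud UPN are all assumptions to adjust for your tenant.

```powershell
# Added example (not from the original post): chains the offboarding steps with a check after each.
# Assumptions (placeholders, adjust for your tenant):
#   - the ActiveDirectory (RSAT), Microsoft.Graph, MSOnline and ExchangeOnlineManagement modules are installed
#   - the running account can disable AD users, manage Entra ID users/licenses and Exchange Online mailboxes
#   - jdoe / example.com are placeholder identities
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, MSOnline, ExchangeOnlineManagement

function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,          # e.g. 'jdoe'               (placeholder)
        [Parameter(Mandatory)] [string] $UserPrincipalName,       # e.g. 'jdoe@example.com'   (placeholder)
        [Parameter(Mandatory)] [string] $SupervisorPrincipalName  # e.g. 'manager@example.com' (placeholder)
    )

    # Step 1 - on-premises AD: disable, then confirm the Enabled flag actually changed
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable AD account')) {
        Disable-ADAccount -Identity $SamAccountName
        if ((Get-ADUser -Identity $SamAccountName).Enabled) { throw "AD account $SamAccountName is still enabled" }
    }

    # Step 2 - cloud account: block sign-in and revoke refresh tokens so live sessions die as well.
    # Microsoft Graph is used here instead of the retired AzureAD module.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable Entra ID account and revoke sessions')) {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
        if ((Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled).AccountEnabled) {
            throw "Entra ID account $UserPrincipalName is still enabled"
        }
    }

    # Steps 5 and 6 run before Step 3: convert while the mailbox is still licensed, then delegate it.
    Connect-ExchangeOnline -ShowBanner:$false
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Convert mailbox to shared and grant supervisor access')) {
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
        $mbx = Get-Mailbox -Identity $UserPrincipalName
        if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
            throw "Mailbox conversion failed, type is $($mbx.RecipientTypeDetails)"
        }
        Add-MailboxPermission -Identity $UserPrincipalName -User $SupervisorPrincipalName `
            -AccessRights FullAccess -InheritanceType All | Out-Null
    }

    # Step 3 - remove every assigned SKU. -RemoveLicenses takes SKU GUIDs, so read them from the user first.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove all licenses')) {
        $skuIds = @((Get-MgUserLicenseDetail -UserId $UserPrincipalName).SkuId)
        if ($skuIds.Count -gt 0) {
            Set-MgUserLicense -UserId $UserPrincipalName -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
        }
        $remaining = @((Get-MgUserLicenseDetail -UserId $UserPrincipalName).SkuId)
        if ($remaining.Count -gt 0) { throw "Licenses still assigned: $($remaining -join ', ')" }
    }

    # Step 4 - clear legacy per-user MFA (MSOnline, as in the post). Conditional Access is unaffected.
    Connect-MsolService
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear per-user MFA')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    }

    # Return a record for the HR / management closure the post asks for
    [pscustomobject]@{
        User          = $UserPrincipalName
        AdDisabled    = -not (Get-ADUser -Identity $SamAccountName).Enabled
        CloudDisabled = -not (Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled).AccountEnabled
        MailboxType   = (Get-Mailbox -Identity $UserPrincipalName).RecipientTypeDetails
        LicensesLeft  = @((Get-MgUserLicenseDetail -UserId $UserPrincipalName).SkuId).Count
        DelegatedTo   = $SupervisorPrincipalName
        CompletedAt   = (Get-Date).ToString('o')
    }
}

# Usage with placeholder values: dry-run with -WhatIf first, then run for real and keep the returned object.
# Invoke-UserOffboarding -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@example.com' -SupervisorPrincipalName 'manager@example.com' -WhatIf
```

Each step throws if its check fails, so a partial run stops at the first problem rather than silently reporting success; the returned object is what you attach to the offboarding ticket.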
Summary
Using PowerShell for offboarding saves time and ensures consistency. Always document changes and communicate them to HR or management for final closure.
© 2012–2025 Jet Mariano. All rights reserved.