When an employee or contractor with access to email leaves your agency, you will likely perform a number of actions to restrict that individual's future access to agency systems. This document briefly outlines some of the common tasks that will be performed in this regard.
When you disable an Active Directory user object, if you leave it in the AD Sync global security group, the change will propagate to CPSM and prevent access to the user's mailbox in Exchange Online.
If the user object has been removed from the AD Sync global security group before being disabled, the change will not be reflected in CPSM. You will need to manually disable the user in CPSM. To do so, follow the instructions for disabling users here.
When you delete an Active Directory user object, if you leave it in the AD Sync global security group, the user account in CPSM (and any associated mailbox) will also be deleted.
If the user object has been removed from the AD Sync global security group before being deleted, the user object will still be in CPSM. You will need to manually deprovision and delete the user account from CPSM.
If you remove a user object from the AD Sync global security group, no further actions will occur. The account will continue in its current state in Exchange Online. It will not be disabled, deprovisioned, or deleted.
If a user object was not brought in via AD Sync or was removed from the AD Sync global security group before the Active Directory user object was deleted, you will need to manually deprovision and delete the user object from CPSM. To do so, follow the instructions here.
If a user is a member of any distribution groups, only deprovisioning and deleting the user will remove them automatically. Just disabling an account is insufficient. In that case, you will need to manually remove users from distribution groups (or modify user object attributes to remove from a query-based distribution group). Some instructions are provided in the Modifying Services article.
If a user leaves and a manager or associate needs access to his or her email data, you will need to assign mailbox permissions. This is discussed in the Mailbox Permissions article for Exchange Online users.
You may also wish to forward new e-mail to a manager or associates. This can be accomlished in Nuvolex.
Data associated with terminated users is still subject to Omnicom's Records Management policy. As such, you must extract any necessary business records from the mailbox and store them in the appropriate data store with correct classification. Once this is complete, the mailbox should be removed.
You must not export the mailbox to a PST file as this constitutes a breach of the Omnicom Records Management policy. It can expose your agency to additional discovery costs in the event of litigation.
You may reclaim the assigned Office 365 license by either: