Am I terminating employees correctly in Office365?

thecomputerguy

When an employee is terminated, typically I will:

Reset Password
Block sign in
Convert the mailbox into a shared mailbox
Set up forwarding if necessary
Remove License

The issue I'm running into is it seems that if I delete the unlicensed user from Active Users in the Admin center ... it also deletes the shared mailbox with it? Is this intended?

I tried to do some cleanup on a client's tenant last week and started removing old unlicensed employees and found out shortly thereafter that it was also deleting the shared mailbox.

This is a problem because I'm pretty sure even if the user is unlicensed they still show up in the Global Address Book.

What am I doing wrong here?
 
So the steps I do....
*Disconnect the smartphones from user's mailbox (done in EAC)
*Sign user out of all apps... if it's an urgent termination and they're going to have a "talk" to fire them at a specified time, I'll sign user out a few minutes before that (like when the boss texts me "OK we're calling her in")
*Hide user from Global Address Book (it's a checkbox in user's account props)
*Convert mailbox to shared mailbox... apply appropriate membership and forwarding if applicable. Yes, the user's actual "user account" must stay for this
*Remove user from any groups they are a member of. Distie groups, security groups, Teams, etc.
*Triple check user's roles... ensure no elevated roles
*I archive user's OneDrive. Can do this... sorta painfully/tediously... via the web UI. But it (the web UI) can only move 500 megs at a time. I prefer to do this via the user's workstation. Back in the old days of on-prem servers, I always had an "Archive" folder on the server, where I would copy the user's library folders to... for management to sort through, disperse, etc. Well... SharePoint (Teams)... is still the file server, so I always create an Archive team... that management are members of. I will temp add this user as a member... and use the OneDrive sync to "copy over" their Docs/Desktop/Pics... once done... remove them from that team.
*Block sign in. If I will be logging into the user's computer and it's an urgent termination, I'll have changed their password when I "signed user out of all apps". If it's a friendly "retiring" or something like that... I don't find it urgent to change the password. Blocking sign in... well... that blocks it anyways once I'm done...
*Remove license from user
*Delete user's profile on that computer
 
I have a bit shorter of a process.

Block Sign-in
Revoke authorization tokens
Copy user's OneDrive contents to a Terminated Employees team
Forward mail, if required.
Remove from GAL.
Remove from groups.
Convert to shared mailbox.
Drop license.
 
The issue I'm running into is it seems that if I delete the unlicensed user from Active Users in the Admin center ... it also deletes the shared mailbox with it? Is this intended?
Yes. A shared mailbox is still a user, just one without an ability to log in and no license. You can’t delete a user and still have a mailbox for said user.
 
Yes. A shared mailbox is still a user, just one without an ability to log in and no license. You can’t delete a user and still have a mailbox for said user.
I must correct you here.

The user CAN still be used, it just cannot be used to access the mailbox that is associated. But it very much can be used to access other things! The identity requires the password to be reset prior to this, but because it can still potentially be used I always advocate disabling the sign-on for these identities.

This practice has the additional benefit of cleaning those users out of many reports to help streamline administration.
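
A read-only check for the point raised in the posts above, that the user object behind a shared mailbox stays in the directory and can still sign in unless sign-in is blocked. This is an added example, not a script from any poster in this thread. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the account running it can read mailboxes and directory objects; the `$report` and `$needsAttention` variable names are illustrative.

```powershell
# Added example: audit the user accounts behind shared mailboxes.
# Makes no changes to the tenant; it only reads and reports.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All'

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Every shared mailbox is backed by a user object; look it up by object ID.
    # accountEnabled is not returned by default, so request it explicitly.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property 'id,userPrincipalName,accountEnabled,assignedLicenses'

    # Directory roles the account still holds (the "no elevated roles" check).
    $roles = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    # Internal and external forwarding targets, if any are set.
    $forwards = @($mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress) | Where-Object { $_ }

    [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        SignInEnabled  = [bool]$user.AccountEnabled
        HiddenFromGAL  = $mbx.HiddenFromAddressListsEnabled
        LicenseCount   = @($user.AssignedLicenses).Count
        DirectoryRoles = $roles -join '; '
        ForwardsTo     = $forwards -join '; '
    }
}

# Accounts that can still sign in, or that still hold a directory role, need follow-up.
$needsAttention = $report | Where-Object { $_.SignInEnabled -or $_.DirectoryRoles }
$needsAttention | Sort-Object Mailbox | Format-Table -AutoSize

# Full picture, including GAL visibility, licenses and forwarding, for review.
$report | Sort-Object Mailbox | Format-Table -AutoSize
```

The report covers every shared mailbox in the tenant, not only those created by offboarding, so the same sign-in check applies to mailboxes such as a general enquiries address.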
 