Deprovisioning options for Office 365

Early Access release

Deactivating or deprovisioning an Office 365 user occurs when they're unassigned in Okta or their Okta account is deactivated. If the app is reassigned in Okta, the user can be reassigned. Enhanced deprovisioning only works with provisioned Office 365 instances and provides a more granular off-boarding workflow.

The options under the Microsoft Office 365 user status on deactivation menu allow for granular deactivation and deprovisioning of end users.

Okta recommends including a three-day grace period for any action that deletes users. This can reduce the necessity to restore deleted users and their data in Office 365.

Info

Caution

Once Microsoft has removed data during deprovisioning, it can't be recovered.

Option What it does

Block sign-in
  • Blocks the Office 365 end user from signing in, but retains license and user data on the user account.

Block sign-in and remove licenses
  • Blocks the Office 365 end user from signing in and immediately removes any licenses assigned to them.
  • This also triggers the deletion of stored data from the user’s personal folders within other Office 365.
  • Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable.

Block sign-in and remove licenses after grace period
  • Blocks the Office 365 end user from signing in and waits for a specified number of days before removing the end-user licenses.
  • The grace period allows admins time to temporarily retain the user data and licensing to back up information or to enable others to gain access and review the account.
  • Once the grace period expires, data stored in personal folders within other Office 365 apps goes through the Microsoft deletion process.
  • Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable.
  • If the user is reassigned to Office 365 before the grace period expires, the licenses aren't removed and the user is restored back to their original state.
Block sign-in, remove licenses, and delete user
  • Blocks the Office 365 end users from signing in, immediately removes any licenses assigned to them, and deletes their Office 365 account.
  • This also triggers the deletion of stored data from the user’s personal folders within other Office 365 apps (for example, OneDrive or SharePoint).
  • Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable.
Block sign-in, remove licenses, and delete user after grace period
  • Blocks the Office 365 end user from signing in and waits for a specified number of days before removing the end-user licenses and deleting their Office 365 accounts.
  • The grace period allows admins time to temporarily retain the user data, licensing, and the account for backing up information or allowing others to gain access and review the account.
  • Once the grace period expires, data stored in personal folders within other Office 365 apps goes through the Microsoft deletion process, and the user's Office 365 account is deleted.
  • Currently, Microsoft retains the data for 30 days. After that, this data is irrecoverable.
  • If the user is reassigned to Office 365 before the grace period expires, the licenses aren't removed and the user is restored back to their original state.