Offboard a User: Disable Account and Remove M365 Licenses

When an employee leaves the organization or changes roles, two of the most time-sensitive offboarding actions are blocking sign-in and reclaiming their assigned licenses. Disabling the account immediately revokes interactive access to Microsoft 365 services, while removing the license frees up a paid seat that can be reassigned to another user — directly reducing wasted spend.

This recipe covers the minimal, safe offboarding path: locate the user, audit their current licenses, disable the account, and remove all assigned SKUs. The user object itself is retained so that mailbox content, OneDrive files, and audit history remain accessible for any later retrieval or legal hold.

Run this as soon as HR confirms a termination or last working day. For a full offboarding workflow (mailbox conversion to shared, OneDrive handoff, group cleanup, MFA method revocation), chain this recipe with related offboarding recipes.

• The target user's accountEnabled flag is set to false, blocking all interactive and token-based sign-ins.
• All Microsoft 365 SKUs assigned directly to the user are removed, returning seats to the available pool.
• The user object, mailbox, and OneDrive remain intact for data retention and retrieval.
• An auditable record of the disable + license removal actions is written to the Entra audit log.

Before you run this

• Do not delete the user. Deletion purges mailbox and OneDrive after 30 days. Disable + license removal is reversible and preserves data.
• Group-based licenses. If the user's license was assigned via a group (not directly), removing it with assignLicense will fail. Remove the user from the licensing group instead.
• Shared mailbox conversion. Removing an Exchange license deletes the mailbox after 30 days. If you need to retain email access for a manager, convert to a shared mailbox before removing the license, or place the mailbox on Litigation Hold.
• Active sessions. Disabling the account does not immediately kill existing OAuth tokens. Run revokeSignInSessions as a follow-up to force re-authentication within ~1 hour.
• OneDrive retention. OneDrive content is retained for 30 days by default after license removal unless you transfer ownership or extend retention via the SharePoint admin center.